Pipeline failed after implementing MFA - sql-server

I have made a few pipelines in Azure Data Factory, which transfer and modify data from Blob Storage (Excel files) to Azure SQL. They were off for like 2 months, and the company has implemented MFA on the whole Azure Active Directory.
After that, when I try to run the pipelines I only get "Failed" status. For every pipeline the error is the same. They look like this:
Operation on target Data flow1 failed: {"StatusCode":"DFExecutorUserError","Message":"Job failed due to reason: java.lang.Exception: fail to reach https://we.frontend.clouddatahub.net/subscriptions/aa2d32bf-f0d0-4656-807b-7e929da73853/entities/99264214-3071-4faa-87c2-32d9dec7e5a4/identities/00000000-0000-0000-0000-000000000000/token?api-version=2.0 with status code:403, payload:{"error":{"code":"ManagedIdentityInvalidCredential","message":"Acquire MI token from AAD failed. ErrorCode: invalid_client, Message: A configuration issue is preventing authentication - check the error message from the server for details. You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details. Original exception: AADSTS700027: Client assertion failed signature validation.\r\nTrace ID: 4eef805e-a0ca-494e-bcc2-c01cd755f400\r\nCorrelation ID: f313ba30-9455-4065-90ab-a0fe28dadc99\r\nTimestamp: 2022-02-21 13:11:56Z","details":[],"additionalInfo":[]}}, CorrelationId:171b73ff-5721-45e5-bf95-2b29dc4dd1b4, RunId:887b22ec-6cae-42d3-9580-b93a98800b3c","Details":"java.lang.Exception: fail to reach https://we.frontend.clouddatahub.net/subscriptions/aa2d32bf-f0d0-4656-807b-7e929da73853/entities/99264214-3071-4faa-87c2-32d9dec7e5a4/identities/00000000-0000-0000-0000-000000000000/token?api-version=2.0 with status code:403, payload:{"error":{"code":"ManagedIdentityInvalidCredential","message":"Acquire MI token from AAD failed. ErrorCode: invalid_client, Message: A configuration issue is preventing authentication - check the error message from the server for details. You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details. 
Original exception: AADSTS700027: Client assertion failed signature validation.\r\nTrace ID: 4eef805e-a0ca-494e-bcc2-c01cd755f400\r\nCorrelation ID: f313ba30-9455-4065-90ab-a0fe28dadc99\r\nTimestamp: 2022-02-21 13:11:56Z","details":[],"additionalInfo":[]}}, CorrelationId:171b73ff-5721-45e5-bf95-2b29dc4dd1b4, RunId:887b22ec-6cae-42d3-9580-b93a98800b3c\n\tat com.microsoft.datafactory.dat"}
Is there any way I can evade this error without deactivating MFA?

Thank you David Browne - Microsoft for your valuable suggestion. Posting your suggestion as an answer to help other community members.
Use either a Managed Identity or provision a Service Principal for authentication. Switch the authentication to SQL Auth for SQL Server and SAS/Account Key auth for Azure Storage.

Related

Server failed to authenticate the request. (Status Code: 401; Error Code: NoAuthenticationInformation)]

Currently following the instructions for loading the data from Azure, option no. 1:
https://docs.snowflake.com/en/user-guide/data-load-azure-config.html
The storage integration with a service principal.
I keep getting the error:
Failure using stage area. Cause: [Server failed to authenticate the request. Please refer to the
information in the www-authenticate header. (Status Code: 401; Error Code: NoAuthenticationInformation)]
In Azure I can see that there are AuthorizationErrors. Snowflake is reaching Azure, but Azure thinks that it can't give access.
Anyone an idea?
Hennie
I agree that it looks like an access issue. A couple of ideas:
Perhaps the token expired? Try regenerating the SAS token and then recreate the Azure external stage with it.
Do you have a firewall on your Azure storage?
If so, follow these steps: https://docs.snowflake.com/en/user-guide/data-load-azure-allow.html#allowing-the-vnet-subnet-ids

Azure Purview sees On-Prem SQL Server db and tables, but fails to scan with message: invalid client secret is provided

I have successfully set up a scan for an on-prem dev SQL instance. However, I am trying to set up scans on multiple on-prem SQL instances.
I have successfully installed the integration runtime agent on a server I want to scan. When I double check the credentials to be sure the username and password are correct, it passes as successful.
When I go to set up the scan against this same db, I use the appropriate user name and secret out of the key vault. While setting up the scan, Purview sees all the tables in the db I am wanting to scan.
So, my thought is, if the username or password were incorrect, it wouldn't pass the connection test and/or see the tables in the db I'm wanting to scan.
Ok, so after I start the scan, it fails.
In the logs on that server, I can see where it fails w/ the following error code: 7000215
According to https://login.microsoftonline.com/error?code=7000215, this error message is: Developer error - the app is attempting to sign in without the necessary or correct authentication parameters.
So, I'm at a loss at why I can see the db and tables, but it continues to fail the scan.
The event viewer details show: Message:(AADSTS7000215: Invalid client secret is provided.)
Any help or recommendations would be greatly appreciated.
Here's the actual error message:
Retrieving auth token from AAD failed, exception thrown
(Type:(Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException),
Message:(AADSTS7000215: Invalid client secret is provided. Trace ID:
525bc331-5788-4d3c-a576-3570c5c92b00 Correlation ID:
acfc0ed8-c522-4e3b-8922-804df3bf2fbe Timestamp: 2021-02-22 04:06:46Z),
StackTrace:( at
Microsoft.DataTransfer.Execution.DataScan.Retry.d__1`1.MoveNext()
--- End of stack trace from previous location where exception was thrown --- at
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task
task) at
Microsoft.DataTransfer.Execution.DataScan.DataScanManagementServiceClient.d__22.MoveNext())
, InnerException (Type:(System.Net.Http.HttpRequestException),
Message:(Response status code does not indicate success: 401
(Unauthorized).), StackTrace:() , InnerException
(Type:(Microsoft.IdentityModel.Clients.ActiveDirectory.AdalException),
Message:({"error":"invalid_client","error_description":"AADSTS7000215:
Invalid client secret is provided.\r\nTrace ID:
525bc331-5788-4d3c-a576-3570c5c92b00\r\nCorrelation ID:
acfc0ed8-c522-4e3b-8922-804df3bf2fbe\r\nTimestamp: 2021-02-22
04:06:46Z","error_codes":[7000215],"timestamp":"2021-02-22
04:06:46Z","trace_id":"525bc331-5788-4d3c-a576-3570c5c92b00","correlation_id":"acfc0ed8-c522-4e3b-8922-804df3bf2fbe","error_uri":"https://login.microsoftonline.com/error?code=7000215"}:
Unknown error), StackTrace:() ) ) ) Job ID:
986cf741-f4bf-4333-a51e-b9c04a15a75c Log ID: Error
I was able to address this issue.
The issue was that the integration services runtime client was not the most recent version.
A newer version (IntegrationRuntime_5.2.7713.1) was available; once I installed this version, I was able to scan the databases that previously could not be scanned.
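A small triage helper for the AAD token-acquisition failures in this thread and in the Azure Data Factory MFA thread above, added here as an example and not part of either post: it pulls the AADSTS code, OAuth error, HTTP status and trace/correlation IDs out of the raw error blob (which carries literal \r\n escapes) and maps the two codes seen on this page to the fixes the answers reported. The sample inputs are constructed with placeholder GUIDs.

```python
import re

# The logs on this page carry literal "\r\n" escapes between fields, so a field
# separator is matched as real whitespace OR those two-character escapes.
_SEP = r"(?:\s|\\[rn])*"
_GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
_PATTERNS = {
    "aadsts": re.compile(r"AADSTS(\d+)"),
    "oauth_error": re.compile(r'(?:ErrorCode:\s*|"error":")(\w+)'),
    "http_status": re.compile(r"status code[^\d]{0,40}(\d{3})", re.I),
    "trace_id": re.compile(r"Trace ID:" + _SEP + "(" + _GUID + ")"),
    "correlation_id": re.compile(r"Correlation ID:" + _SEP + "(" + _GUID + ")"),
}
# Remediation hints limited to the two outcomes reported on this page.
_HINTS = {
    "700027": "client assertion failed signature validation: AAD rejects the "
              "credential the runtime presents; use a managed identity or service "
              "principal, or switch the linked service to SQL/SAS/account-key auth",
    "7000215": "invalid client secret: AAD rejects the secret sent; in the Purview "
               "case updating the self-hosted integration runtime fixed it",
}
_UNKNOWN = "unrecognised AADSTS code; see https://login.microsoftonline.com/error?code=<code>"

def triage(log_text: str) -> dict:
    """Pull AAD token-acquisition fields out of a raw ADF/Purview error blob."""
    found = {}
    for name, pattern in _PATTERNS.items():
        m = pattern.search(log_text)
        found[name] = m.group(1) if m else None  # None when the field is absent
    found["hint"] = _HINTS.get(found["aadsts"] or "", _UNKNOWN)
    return found

# Constructed samples in the shape of the two threads' logs (placeholder GUIDs).
ADF_SAMPLE = ('fail to reach https://example.invalid/token with status code:403, '
              'payload:{"error":{"code":"ManagedIdentityInvalidCredential","message":'
              '"Acquire MI token from AAD failed. ErrorCode: invalid_client, Original '
              'exception: AADSTS700027: Client assertion failed signature validation.'
              '\\r\\nTrace ID: 11111111-1111-1111-1111-111111111111\\r\\nCorrelation '
              'ID: 22222222-2222-2222-2222-222222222222\\r\\nTimestamp: 2022-02-21"}}')
PURVIEW_SAMPLE = ('Message:(Response status code does not indicate success: 401 '
                  '(Unauthorized).), InnerException Message:({"error":"invalid_client",'
                  '"error_description":"AADSTS7000215: Invalid client secret is provided.'
                  '\\r\\nTrace ID:\\r\\n33333333-3333-3333-3333-333333333333\\r\\n'
                  'Correlation ID:\\r\\n44444444-4444-4444-4444-444444444444"})')

if __name__ == "__main__":
    for sample in (ADF_SAMPLE, PURVIEW_SAMPLE):
        print(triage(sample))
```

The correlation ID is the value to quote when opening a support case, since it is the one that can be matched against the AAD sign-in logs.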

Is it secure to deploy an SSAS Tabular Model package impersonating a specific user?

I created an Analysis Services Tabular Project in Visual Studio.
I tried to set the Impersonation Information to "Current User":
Unfortunately, I get the following error:
Failed to save modifications to the server. Error returned: 'The datasource, '[Datasource Name]', contains an ImpersonationMode that is not supported for processing operations.
If I instead set "Impersonation Information" to "Specific Windows user name and password" and use my personal account, it works just fine.
I got error messages for all other options (other than impersonating a specific account). For example, the "Unattended Account" option gave me the following error:
Failed to save modifications to the server. Error returned: 'An unexpected error occurred (file 'pcsspi.cpp', line 926, function 'GetImpersonationIdentity').
A connection could not be made to the data source with the Name of '[Data Source Name]'.
I do not handle the deployment myself - I move the entire solution to a shared folder and the tech lead for that particular project deploys it.
That being said, are there any security implications for impersonating my account? Any chance I could compromise my credentials?
It's totally fine to impersonate a specific Windows username and password; however, using your personal account is not correct. Set up a service account that has limited access to just the resources the Tabular model needs for refreshing (whatever data sources it uses and nothing else).

unable to connect to GCM cloud connection server

I followed the example on this website to implement a GCM server using CCS. However, the code throws an exception when it tries to connect to the GCM server (last line in the code below):
import javax.net.ssl.SSLSocketFactory;
import org.jivesoftware.smack.ConnectionConfiguration;
import org.jivesoftware.smack.ConnectionConfiguration.SecurityMode;
import org.jivesoftware.smack.tcp.XMPPTCPConnection;
// CCS endpoint; host and port are the ones in the error message below
static final String GCM_SERVER = "gcm.googleapis.com";
static final int GCM_PORT = 5235;
XMPPTCPConnection connection;
ConnectionConfiguration config = new ConnectionConfiguration(GCM_SERVER, GCM_PORT);
config.setSecurityMode(SecurityMode.enabled);   // require TLS on the XMPP stream
config.setReconnectionAllowed(true);
config.setRosterLoadedAtLogin(false);           // no roster needed for a server link
config.setSendPresence(false);
config.setSocketFactory(SSLSocketFactory.getDefault());
connection = new XMPPTCPConnection(config);
connection.connect();                           // throws the exception quoted below
I looked online and someone said I needed to enable billing for my app on App Engine in order to use the GCM server. I did so, but it still does not work. I keep seeing the following error:
gcm.googleapis.com:5235 Exception: Permission denied: Attempt to
access a blocked recipient without permission. (mapped-IPv4)
Am I missing something?

Encountered error during federation passive request.

I am trying to set up ADFS to work with a SAML 2.0 Service Provider, but I am facing an issue where I can't authenticate users via the ADFS webpage. This is the error I am getting:
Encountered error during federation passive request.
Additional Data
Exception details:
Microsoft.IdentityServer.Web.RequestFailedException: MSIS7012: An error occurred while processing the request. Contact your administrator for details. ---> System.ServiceModel.FaultException: The server was unable to process the request due to an internal error. For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the <serviceDebug> configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework 3.0 SDK documentation and inspect the server trace logs.
at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClientManager.Issue(Message request, WCFResponseData responseData)
at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClient.Issue(RequestSecurityToken rst, WCFResponseData responseData)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request)
--- End of inner exception stack trace ---
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(MSISSignInRequestMessage signInRequest, SecurityTokenElement onBehalfOf, SecurityToken primaryAuthToken, String desiredTokenType, Uri& replyTo)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseCoreWithSecurityToken(SecurityToken securityToken, WSFederationMessage incomingMessage)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseForProtocolRequest(FederationPassiveContext federationPassiveContext, SecurityToken securityToken)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponse(SecurityToken securityToken)
System.ServiceModel.FaultException: The server was unable to process the request due to an internal error. For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the <serviceDebug> configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework 3.0 SDK documentation and inspect the server trace logs.
at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClientManager.Issue(Message request, WCFResponseData responseData)
at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClient.Issue(RequestSecurityToken rst, WCFResponseData responseData)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request)
Any ideas what it could be? I tried many setting options, and even reinstalled ADFS on a fresh Windows copy.