Description
Using Connect-AzAccount with a service principal, with the code below:
```powershell
# Build a PSCredential from the service principal's application ID and client secret
$clientSecret = '{Secret}' | ConvertTo-SecureString -AsPlainText -Force
$connectCreds = New-Object -TypeName System.Management.Automation.PSCredential `
    -ArgumentList '{SPN ID}', $clientSecret
Connect-AzAccount -ServicePrincipal -Credential $connectCreds -Tenant '{tenant id}'
```
This works on one server, but fails on another - we are unable to diagnose why. Versions:
- az = 11.5.0
- az.accounts = 2.17.0
- Az.Resources = 6.16.1
- Az.Network = 7.4.1
- Az.Compute = 7.2.0
Error message
```
Connect-AzAccount : ClientSecretCredential authentication failed: Retry failed after 4 tries. Retry settings can be adjusted in ClientOptions.Retry or by configuring a
custom retry policy in ClientOptions.RetryPolicy.
Could not find tenant id for provided tenant domain '{tenantID}'. Please ensure that the provided service principal
'{{SPN ID}' is found in the provided tenant domain.
At line:15 char:1
+ Connect-AzAccount -ServicePrincipal -Credential $connectCreds -Tenan ...
+
+ CategoryInfo : CloseError: (:) [Connect-AzAccount], ArgumentNullException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand
```
ErrorRecord : Run Connect-AzAccount to login.
Message : Run Connect-AzAccount to login.
Data : {}
InnerException :
TargetSite : Void HandleException(System.Runtime.ExceptionServices.ExceptionDispatchInfo)
StackTrace : at Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.ResourceManagerCmdletBase.HandleException(ExceptionDispatchInfo capturedException)
at Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.ResourceManagerCmdletBase.ExecuteCmdlet()
at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord()
HelpLink :
Source : Microsoft.Azure.PowerShell.Cmdlets.ResourceManager
HResult : -2146233079
Issue script & Debug output
DEBUG: Request [31c393df-c813-4ba8-9df5-94ecde422400] exception Azure.RequestFailedException: An error occurred while sending the request. ---> System.Net.Http.HttpRequestException: An error
occurred while sending the request. ---> System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a receive. ---> System.ComponentModel.Win32Exception:
The client and server cannot communicate, because they do not possess a common algorithm
at System.Net.SSPIWrapper.AcquireCredentialsHandle(SSPIInterface SecModule, String package, CredentialUse intent, SecureCredential scc)
at System.Net.Security.SecureChannel.AcquireCredentialsHandle(CredentialUse credUsage, SecureCredential& secureCredential)
at System.Net.Security.SecureChannel.AcquireClientCredentials(Byte[]& thumbPrint)
at System.Net.Security.SecureChannel.GenerateToken(Byte[] input, Int32 offset, Int32 count, Byte[]& output)
at System.Net.Security.SecureChannel.NextMessage(Byte[] incoming, Int32 offset, Int32 count)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
at System.Net.TlsStream.BeginWrite(Byte[] buffer, Int32 offset, Int32 size, AsyncCallback asyncCallback, Object asyncState)
at System.Net.ConnectStream.WriteHeaders(Boolean async)
--- End of inner exception stack trace ---
at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
at System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar)
--- End of inner exception stack trace ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Azure.Core.Pipeline.HttpClientTransport.<ProcessAsync>d__12.MoveNext()
--- End of inner exception stack trace ---
at Azure.Core.Pipeline.HttpClientTransport.<ProcessAsync>d__12.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Azure.Core.Pipeline.HttpPipelineTransportPolicy.<ProcessAsync>d__4.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Azure.Core.Pipeline.ResponseBodyPolicy.<ProcessAsync>d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Azure.Core.Pipeline.LoggingPolicy.<ProcessAsync>d__9.MoveNext()
Environment data
Name Value
---- -----
PSVersion 5.1.14393.6343
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.14393.6343
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
Module versions
az = 11.5.0
az.accounts = 2.17.0
Az.Resources = 6.16.1
Az.Network = 7.4.1
Az.Compute = 7.2.0
Error output
Message : The client and server cannot communicate, because they do not possess a common algorithm
StackTrace : at System.Net.SSPIWrapper.AcquireCredentialsHandle(SSPIInterface SecModule, String package, CredentialUse intent, SecureCredential scc)
at System.Net.Security.SecureChannel.AcquireCredentialsHandle(CredentialUse credUsage, SecureCredential& secureCredential)
at System.Net.Security.SecureChannel.AcquireClientCredentials(Byte[]& thumbPrint)
at System.Net.Security.SecureChannel.GenerateToken(Byte[] input, Int32 offset, Int32 count, Byte[]& output)
at System.Net.Security.SecureChannel.NextMessage(Byte[] incoming, Int32 offset, Int32 count)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
at System.Net.TlsStream.BeginWrite(Byte[] buffer, Int32 offset, Int32 size, AsyncCallback asyncCallback, Object asyncState)
at System.Net.ConnectStream.WriteHeaders(Boolean async)
Exception : System.ComponentModel.Win32Exception
InvocationInfo : {Connect-AzAccount}
Line : Connect-AzAccount -ServicePrincipal -Credential $connectCreds -Tenant 'f009f285-5242-433a-9365-daa1edf145c3'
Position : At line:43 char:1
+ Connect-AzAccount -ServicePrincipal -Credential $connectCreds -Tenant ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
HistoryId : 1
TLS 1.1 and TLS 1.2 are enabled on the server.
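A read-only check that can be run on both the working and the failing server and compared, since the inner exception in the debug trace above is a Schannel handshake failure raised in `AcquireCredentialsHandle`. This is an added example, not part of the original report or of Az PowerShell; the function names are hypothetical, and `login.microsoftonline.com` is assumed to be the token endpoint in use.

```powershell
# Added diagnostic, not from the issue. Read-only: run on the working and the
# failing server and compare the two results.
function Get-TlsClientPosture {
    $r = [ordered]@{}
    # Protocols the .NET HTTP stack in this session will ask Schannel for.
    $r['DotNet.SecurityProtocol'] = [string][Net.ServicePointManager]::SecurityProtocol

    # .NET Framework 4.x opt-ins for TLS 1.2 / OS-default protocol selection.
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319') {
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        foreach ($n in 'SchUseStrongCrypto', 'SystemDefaultTlsVersions') {
            $r["$key\$n"] = if ($null -ne $p.$n) { $p.$n } else { '(not set)' }
        }
    }

    # Schannel client-side switches; a missing value means the OS default applies.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        $p = Get-ItemProperty -Path "$base\$proto\Client" -ErrorAction SilentlyContinue
        foreach ($n in 'Enabled', 'DisabledByDefault') {
            $r["Schannel\$proto\Client\$n"] = if ($null -ne $p.$n) { $p.$n } else { '(not set)' }
        }
    }

    # Cipher suites the OS will offer, in priority order.
    $r['CipherSuites'] = (Get-TlsCipherSuite).Name -join ', '
    [pscustomobject]$r
}

# Handshake outside the Az modules, forcing TLS 1.2. $HostName is an assumption.
function Test-Tls12Handshake {
    param([string]$HostName = 'login.microsoftonline.com', [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)
        [pscustomobject]@{ Host = $HostName; Protocol = $ssl.SslProtocol
                           Cipher = $ssl.CipherAlgorithm; Error = $null }
    } catch {
        [pscustomobject]@{ Host = $HostName; Protocol = $null; Cipher = $null
                           Error = $_.Exception.GetBaseException().Message }
    } finally { $tcp.Close() }
}

Get-TlsClientPosture | Format-List
Test-Tls12Handshake
```

A `DotNet.SecurityProtocol` value that lists only protocols switched off under the Schannel `Client` keys would be consistent with the `AcquireCredentialsHandle` failure shown in the trace.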
Activity
AzureStackNerd commented on May 1, 2024
I have the same issue since this morning using an Azure PowerShell task in Azure DevOps.
Re-created the service connection (with workload identity (automatic)), just to make sure. But that did not help.
It was working fine yesterday.
Makzemann commented on May 1, 2024
Exact same issue on our side, was working fine yesterday
xcITs-Xian commented on May 1, 2024
More or less the same issue here since this morning (May 1st 2024).
For us it is happening in an Azure DevOps PowerShell task (Azure PowerShell 5.*) during deployment. Yesterday everything was fine, the deployment was running several times without issues; since today, always the same error. Nothing was changed in DevOps since yesterday.
xcITs-Xian commented on May 1, 2024
MS is working on it: https://status.dev.azure.com/_event/499193080
AstridMalanka01 commented on Jun 4, 2024
Good morning, any update?
JonathonAnderson commented on Jul 17, 2024
Still having this issue
Nerigal commented on Nov 21, 2024
Bump, having the exact same issue
Az = 13.0.0
Az.accounts = 4.0
Az.Compute = 9.0
smithg6 commented on Jan 23, 2025
Bump. Having almost the same issue, but using installed cert.pfx thumbprint from our service principal along with spn ID, tenant ID, etc. Was able to work around this by forcing uninstall of Az.Accounts 4.x and enforcing 3.0.0 (for anyone out there still struggling on this one).
Fail state:
Az = 11.1.0
Az.Accounts = 4.0.2
lbouriez commented on May 15, 2025
Hello,
We are currently experiencing this issue across all our pipelines in Azure DevOps. It is affecting multiple service connections and service principals.