
The challenge resource does not match the requested domain #30352

@TheOnlyWei

Description


Describe the bug

I am using the edge or dev build (https://aka.ms/InstallAzureCliWindowsEdge) of Azure CLI. I am running on an Azure Stack Hub on-premises environment and constantly getting the following error after running az keyvault secret set --name $secretName --vault-name $keyVaultName --value $secretValue or az keyvault secret list --vault-name $keyVaultName:

az : ERROR: The challenge resource 'vault.adfs.n42r1103.masd.stbtest.microsoft.com' does not match the requested domain. Pass `verify_challenge_resource=False` to your client's constructor to disable 
this verification. See https://aka.ms/azsdk/blog/vault-uri for more information.
At line:1 char:1
+ az keyvault secret set --name $kvSecretName --vault-name $keyVaultNam ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (ERROR: The chal...re information.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError

The error provides a guidance link for applications using the Key Vault libraries:
https://devblogs.microsoft.com/azure-sdk/guidance-for-applications-using-the-key-vault-libraries/

It seems the Python SDK that Azure CLI is using needs to be reconfigured with verify_challenge_resource=False.

@evelyn-ys The verify_challenge_resource=False setting seems to have been removed in a recent commit by you:
7506f6a#diff-43e8fd41c5f3cf4adf60013c63cf281be32af25ceadfde705d279fa917017dc6L257

Related command

az keyvault secret set --name $secretName --vault-name $keyVaultName --value $secretValue
az keyvault secret list --vault-name $keyVaultName
...etc

Errors

az : ERROR: The challenge resource 'vault.adfs.n42r1103.masd.stbtest.microsoft.com' does not match the requested domain. Pass `verify_challenge_resource=False` to your client's constructor to disable 
this verification. See https://aka.ms/azsdk/blog/vault-uri for more information.
At line:1 char:1
+ az keyvault secret set --name $kvSecretName --vault-name $keyVaultNam ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (ERROR: The chal...re information.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError

Issue script & Debug output

az : DEBUG: cli.knack.log: File logging enabled - writing logs to 'C:\CloudDeployment\BVTs\Output\AZSDKTOOLSCTQ\CLITestLogs'.
At line:1 char:1
+ az keyvault secret list --vault-name $keyVaultName --debug
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (DEBUG: cli.knac...Q\CLITestLogs'.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
 
DEBUG: cli.knack.cli: Command arguments: ['keyvault', 'secret', 'list', '--vault-name', 'clicanurgkv', '--debug']
DEBUG: cli.knack.cli: __init__ debug log:
Cannot enable color.
DEBUG: cli.knack.cli: Event: Cli.PreExecute []
DEBUG: cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x01F02A78>, <function OutputProducer.on_global_arguments at 0x02142618>, <function 
CLIQuery.on_global_arguments at 0x02149118>]
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
DEBUG: cli.azure.cli.core: Modules found from index for 'keyvault': ['azure.cli.command_modules.keyvault']
DEBUG: cli.azure.cli.core: Loading command modules:
DEBUG: cli.azure.cli.core: Name                  Load Time    Groups  Commands
DEBUG: cli.azure.cli.core: keyvault                  0.010        11        71
DEBUG: cli.azure.cli.core: Total (1)                 0.010        11        71
DEBUG: cli.azure.cli.core: Loaded 11 groups, 71 commands.
DEBUG: cli.azure.cli.core: Found a match in the command table.
DEBUG: cli.azure.cli.core: Raw command  : keyvault secret list
DEBUG: cli.azure.cli.core: Command table: keyvault secret list
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x040E9528>]
DEBUG: cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to 'C:\Users\Administrator.N42R1103-DVM\.azure\commands\2024-11-14.08-35-36.keyvault_secret_list.2940.log'.
INFO: az_command_data_logger: command args: keyvault secret list --vault-name {} --debug
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x0410D258>]
DEBUG: cli.azure.cli.core.profiles._shared: Traceback (most recent call last):
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/profiles/_shared.py", line 656, in _get_attr
AttributeError: module 'azure.mgmt.keyvault.v2016_10_01.models' has no attribute 'NetworkRuleBypassOptions'

DEBUG: cli.azure.cli.core.profiles._shared: Traceback (most recent call last):
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/profiles/_shared.py", line 656, in _get_attr
AttributeError: module 'azure.mgmt.keyvault.v2016_10_01.models' has no attribute 'NetworkRuleAction'

DEBUG: cli.azure.cli.core.profiles._shared: Traceback (most recent call last):
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/profiles/_shared.py", line 656, in _get_attr
AttributeError: module 'azure.mgmt.keyvault.v2016_10_01.models' has no attribute 'PublicNetworkAccess'

DEBUG: cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x041392F8>, <function 
register_cache_arguments.<locals>.add_cache_arguments at 0x04139398>, <function register_upcoming_breaking_change_info.<locals>.update_breaking_change_info at 0x041393E8>]
DEBUG: cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x02142668>, <function CLIQuery.handle_query_parameter at 0x02149168>, <function 
register_ids_argument.<locals>.parse_ids_arguments at 0x04139348>]
DEBUG: cli.azure.cli.core.auth.persistence: build_persistence: location='C:\\Users\\Administrator.N42R1103-DVM\\.azure\\msal_token_cache.bin', encrypt=True
DEBUG: cli.azure.cli.core.auth.binary_cache: load: C:\Users\Administrator.N42R1103-DVM\.azure\msal_http_cache.bin
DEBUG: urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
DEBUG: msal.authority: Initializing with Entra authority: https://adfs.redmond.ext-n42r1103.masd.stbtest.microsoft.com/adfs
DEBUG: msal.authority: openid_config("https://adfs.redmond.ext-n42r1103.masd.stbtest.microsoft.com/adfs/.well-known/openid-configuration") = {'issuer': 
'https://adfs.redmond.ext-n42r1103.masd.stbtest.microsoft.com/adfs/bdda779d-3231-4e05-b026-f4d5989a92be/', 'authorization_endpoint': 
'https://adfs.redmond.ext-n42r1103.masd.stbtest.microsoft.com/adfs/oauth2/authorize/', 'token_endpoint': 'https://adfs.redmond.ext-n42r1103.masd.stbtest.microsoft.com/adfs/oauth2/token/', 'jwks_uri': 
'https://adfs.redmond.ext-n42r1103.masd.stbtest.microsoft.com/adfs/discovery/keys', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'client_secret_basic', 'private_key_jwt', 
'windows_client_authentication'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token', 'code token', 'code id_token token'], 'response_modes_supported': ['query', 
'fragment', 'form_post'], 'grant_types_supported': ['authorization_code', 'refresh_token', 'client_credentials', 'urn:ietf:params:oauth:grant-type:jwt-bearer', 'implicit', 'password', 'srv_challenge', 
'urn:ietf:params:oauth:grant-type:device_code', 'device_code'], 'subject_types_supported': ['pairwise'], 'scopes_supported': ['email', 'openid', 'vpn_cert', 'user_impersonation', 'winhello_cert', 
'allatclaims', 'logon_cert', '.default', 'profile', 'aza'], 'id_token_signing_alg_values_supported': ['RS256'], 'token_endpoint_auth_signing_alg_values_supported': ['RS256'], 'access_token_issuer': 
'https://adfs.redmond.ext-n42r1103.masd.stbtest.microsoft.com/adfs/bdda779d-3231-4e05-b026-f4d5989a92be/', 'claims_supported': ['aud', 'iss', 'iat', 'exp', 'auth_time', 'nonce', 'at_hash', 'c_hash', 
'sub', 'upn', 'unique_name', 'pwd_url', 'pwd_exp', 'mfa_auth_time', 'sid', 'nbf'], 'microsoft_multi_refresh_token': True, 'userinfo_endpoint': 
'https://adfs.redmond.ext-n42r1103.masd.stbtest.microsoft.com/adfs/userinfo', 'capabilities': ['kdf_ver2'], 'end_session_endpoint': 
'https://adfs.redmond.ext-n42r1103.masd.stbtest.microsoft.com/adfs/oauth2/logout', 'as_access_token_token_binding_supported': False, 'as_refresh_token_token_binding_supported': False, 
'resource_access_token_token_binding_supported': False, 'op_id_token_token_binding_supported': False, 'rp_id_token_token_binding_supported': False, 'frontchannel_logout_supported': True, 
'frontchannel_logout_session_supported': True, 'device_authorization_endpoint': 'https://adfs.redmond.ext-n42r1103.masd.stbtest.microsoft.com/adfs/oauth2/devicecode'}
DEBUG: msal.application: Broker enabled? False
DEBUG: cli.azure.cli.core.sdk.policies: Request URL: 'https://clicanurgkv.vault.redmond.ext-n42r1103.masd.stbtest.microsoft.com/secrets?api-version=2016-10-01'
DEBUG: cli.azure.cli.core.sdk.policies: Request method: 'GET'
DEBUG: cli.azure.cli.core.sdk.policies: Request headers:
DEBUG: cli.azure.cli.core.sdk.policies:     'Accept': 'application/json'
DEBUG: cli.azure.cli.core.sdk.policies:     'x-ms-client-request-id': '6bc52e2c-a263-11ef-919b-00155d747ebe'
DEBUG: cli.azure.cli.core.sdk.policies:     'CommandName': 'keyvault secret list'
DEBUG: cli.azure.cli.core.sdk.policies:     'ParameterSetName': '--vault-name --debug'
DEBUG: cli.azure.cli.core.sdk.policies:     'User-Agent': 'AZURECLI/2.67.0 (MSI) azsdk-python-core/1.31.0 Python/3.12.7 (Windows-2022Server-10.0.20348-SP0)'
DEBUG: cli.azure.cli.core.sdk.policies: Request body:
DEBUG: cli.azure.cli.core.sdk.policies: This request has no body
DEBUG: urllib3.connectionpool: Starting new HTTPS connection (1): clicanurgkv.vault.redmond.ext-n42r1103.masd.stbtest.microsoft.com:443
DEBUG: urllib3.connectionpool: https://clicanurgkv.vault.redmond.ext-n42r1103.masd.stbtest.microsoft.com:443 "GET /secrets?api-version=2016-10-01 HTTP/1.1" 401 87
DEBUG: cli.azure.cli.core.sdk.policies: Response status: 401
DEBUG: cli.azure.cli.core.sdk.policies: Response headers:
DEBUG: cli.azure.cli.core.sdk.policies:     'Content-Length': '87'
DEBUG: cli.azure.cli.core.sdk.policies:     'Content-Type': 'application/json; charset=utf-8'
DEBUG: cli.azure.cli.core.sdk.policies:     'Server': 'Microsoft-HTTPAPI/2.0'
DEBUG: cli.azure.cli.core.sdk.policies:     'Strict-Transport-Security': 'max-age=31536000;includeSubDomains'
DEBUG: cli.azure.cli.core.sdk.policies:     'x-ms-keyvault-region': 'redmond'
DEBUG: cli.azure.cli.core.sdk.policies:     'x-ms-client-request-id': '6bc52e2c-a263-11ef-919b-00155d747ebe'
DEBUG: cli.azure.cli.core.sdk.policies:     'x-ms-request-id': 'cf29485a-cb96-4ca4-9e68-70e0afa7b568'
DEBUG: cli.azure.cli.core.sdk.policies:     'x-ms-keyvault-service-version': '1.4.02047.584'
DEBUG: cli.azure.cli.core.sdk.policies:     'x-ms-keyvault-network-info': 'conn_type=Ipv4;addr=100.83.116.123;act_addr_fam=InterNetwork;'
DEBUG: cli.azure.cli.core.sdk.policies:     'WWW-Authenticate': 'Bearer authorization="https://adfs.redmond.ext-n42r1103.masd.stbtest.microsoft.com/adfs/bdda779d-3231-4e05-b026-f4d5989a92be", 
resource="https://vault.adfs.n42r1103.masd.stbtest.microsoft.com/bdda779d-3231-4e05-b026-f4d5989a92be"'
DEBUG: cli.azure.cli.core.sdk.policies:     'Date': 'Thu, 14 Nov 2024 08:35:37 GMT'
DEBUG: cli.azure.cli.core.sdk.policies: Response content:
DEBUG: cli.azure.cli.core.sdk.policies: {"error":{"code":"Unauthorized","message":"Request is missing a Bearer or PoP token."}}
DEBUG: cli.azure.cli.core.azclierror: Traceback (most recent call last):
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/keyvault/_command_type.py", line 113, in keyvault_command_handler
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/keyvault/_transformers.py", line 12, in _multi_transformers
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/keyvault/_transformers.py", line 29, in filter_out_managed_resources
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/core/paging.py", line 123, in __next__
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/core/paging.py", line 75, in __next__
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/keyvault/secrets/_generated/v2016_10_01/operations/_key_vault_client_operations.py", line 4591, in get_next
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/core/pipeline/_base.py", line 229, in run
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/core/pipeline/_base.py", line 86, in send
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/core/pipeline/_base.py", line 86, in send
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/core/pipeline/_base.py", line 86, in send
  [Previous line repeated 2 more times]
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/core/pipeline/policies/_redirect.py", line 197, in send
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/core/pipeline/policies/_retry.py", line 532, in send
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/core/pipeline/policies/_authentication.py", line 156, in send
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/keyvault/secrets/_shared/challenge_auth_policy.py", line 104, in on_challenge
ValueError: The challenge resource 'vault.adfs.n42r1103.masd.stbtest.microsoft.com' does not match the requested domain. Pass `verify_challenge_resource=False` to your client's constructor to disable 
this verification. See https://aka.ms/azsdk/blog/vault-uri for more information.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 233, in invoke
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 666, in execute
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 733, in _run_jobs_serially
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 703, in _run_job
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 336, in __call__
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/keyvault/_command_type.py", line 135, in keyvault_command_handler
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/keyvault/_command_type.py", line 49, in keyvault_exception_handler
knack.util.CLIError: The challenge resource 'vault.adfs.n42r1103.masd.stbtest.microsoft.com' does not match the requested domain. Pass `verify_challenge_resource=False` to your client's constructor to 
disable this verification. See https://aka.ms/azsdk/blog/vault-uri for more information.

ERROR: cli.azure.cli.core.azclierror: The challenge resource 'vault.adfs.n42r1103.masd.stbtest.microsoft.com' does not match the requested domain. Pass `verify_challenge_resource=False` to your 
client's constructor to disable this verification. See https://aka.ms/azsdk/blog/vault-uri for more information.
ERROR: az_command_data_logger: The challenge resource 'vault.adfs.n42r1103.masd.stbtest.microsoft.com' does not match the requested domain. Pass `verify_challenge_resource=False` to your client's 
constructor to disable this verification. See https://aka.ms/azsdk/blog/vault-uri for more information.
DEBUG: cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x040E9668>]
INFO: az_command_data_logger: exit code: 1
INFO: cli.__main__: Command ran in 1.377 seconds (init: 0.353, invoke: 1.024)
INFO: telemetry.main: Begin splitting cli events and extra events, total events: 1
INFO: telemetry.client: Accumulated 0 events. Flush the clients.
INFO: telemetry.main: Finish splitting cli events and extra events, cli events: 1
INFO: telemetry.save: Save telemetry record of length 4086 in cache file under C:\Users\Administrator.N42R1103-DVM\.azure\telemetry\20241114083537610
INFO: telemetry.main: Begin creating telemetry upload process.
INFO: telemetry.process: Creating upload process: "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe C:\Program Files (x86)\Microsoft 
SDKs\Azure\CLI2\Lib\site-packages\azure\cli\telemetry\__init__.pyc C:\Users\Administrator.N42R1103-DVM\.azure C:\Users\Administrator.N42R1103-DVM\.azure\telemetry\20241114083537610"
INFO: telemetry.process: Return from creating process 8084
INFO: telemetry.main: Finish creating telemetry upload process.

Expected behavior

Should not throw an error on an Azure Stack Hub on-premises environment with custom domains.

Environment Summary

azure-cli                         2.67.0
core                              2.67.0
telemetry                          1.1.0
Dependencies:
msal                              1.31.0
azure-mgmt-resource               23.1.1

Python location 'C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe'
Extensions directory 'C:\Users\Administrator.N42R1103-DVM\.azure\cliextensions'

Python (Windows) 3.12.7 (tags/v3.12.7:0b05ead, Oct  1 2024, 02:44:45) [MSC v.1941 32 bit (Intel)]

Legal docs and information: aka.ms/AzureCliLegal

Your CLI is up-to-date.

Additional context

No response
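The check that produces the error above, re-implemented as a stand-alone illustration (this is added example code, not the azure-keyvault SDK's own implementation): the host named in the 401 response's Bearer challenge resource must be a parent domain of the host the request went to, otherwise a token scoped to that resource would be handed to a host it does not cover. The challenge and request URL are taken from the debug output in this issue; the public-cloud pair is constructed.

```python
"""Added example: the Key Vault challenge-resource domain check, rebuilt from the
rule the error message describes. Not the SDK's code."""
import re
from urllib.parse import urlparse

# WWW-Authenticate value from the issue's 401 response (joined from two log lines).
CHALLENGE_FROM_ISSUE = (
    'Bearer authorization="https://adfs.redmond.ext-n42r1103.masd.stbtest.microsoft.com/adfs/'
    'bdda779d-3231-4e05-b026-f4d5989a92be", '
    'resource="https://vault.adfs.n42r1103.masd.stbtest.microsoft.com/bdda779d-3231-4e05-b026-f4d5989a92be"'
)
# Request URL from the issue's debug output.
REQUEST_URL_FROM_ISSUE = (
    "https://clicanurgkv.vault.redmond.ext-n42r1103.masd.stbtest.microsoft.com/secrets?api-version=2016-10-01"
)
# Constructed public-cloud pair (not from the issue) that satisfies the same rule.
PUBLIC_REQUEST_URL = "https://myvault.vault.azure.net/secrets?api-version=7.4"
PUBLIC_CHALLENGE = ('Bearer authorization="https://login.microsoftonline.com/TENANT-PLACEHOLDER", '
                    'resource="https://vault.azure.net"')

_PARAM = re.compile(r'(\w+)="([^"]*)"')


def parse_bearer_challenge(www_authenticate: str) -> dict:
    """Return the key="value" parameters of a Bearer challenge header."""
    scheme, _, params = www_authenticate.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError(f"unsupported challenge scheme {scheme!r}")
    return dict(_PARAM.findall(params))


def challenge_resource_matches(request_url: str, www_authenticate: str) -> bool:
    """True when the requested host is a subdomain of the challenge's resource host.
    Ports are ignored; comparison is case-insensitive. A False result is exactly the
    condition the SDK reports as 'does not match the requested domain'."""
    challenge = parse_bearer_challenge(www_authenticate)
    scope = challenge.get("resource") or challenge.get("scope", "")
    resource_host = (urlparse(scope).hostname or "").lower()
    if not resource_host:
        raise ValueError(f"challenge carries no usable resource/scope: {scope!r}")
    request_host = (urlparse(request_url).hostname or "").lower()
    return request_host.endswith("." + resource_host)


def explain(request_url: str, www_authenticate: str) -> str:
    """Human-readable verdict, phrased like the CLI error for easy comparison."""
    if challenge_resource_matches(request_url, www_authenticate):
        return "ok"
    resource = parse_bearer_challenge(www_authenticate).get("resource", "")
    return (f"The challenge resource '{urlparse(resource).hostname}' does not match "
            f"the requested domain '{urlparse(request_url).hostname}'")


if __name__ == "__main__":
    print(explain(REQUEST_URL_FROM_ISSUE, CHALLENGE_FROM_ISSUE))  # mismatch, as in the issue
    print(explain(PUBLIC_REQUEST_URL, PUBLIC_CHALLENGE))           # ok
```

Running it against the issue's values reproduces the mismatch between the `*.vault.redmond.ext-n42r1103...` request host and the `vault.adfs.n42r1103...` resource host, which is why the Azure Stack Hub custom-domain layout trips the check while a public-cloud vault passes it.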


Labels

Auto-Assign (Auto assign by bot)
Azure CLI Team (The command of the issue is owned by Azure CLI team)
KeyVault (az keyvault)
Similar-Issue
question (The issue doesn't require a change to the product in order to be resolved. Most issues start as that.)
