Proxy connectivity errors with Azure Data Studio connection to Azure Portal #24471
Comments
cheenamalhotra
added
Bug
Area - Azure
Triage: Done
and removed
Area - Connection
labels
|
Hi @emhansonoh
We have not heard of the 407 errors from other customers who also run ADS regularly in proxy-enabled environments so it may be related with lifetime of proxy authentication tokens. Has customer tried providing username/password combination in http.proxy setting in ADS in format described here: https://learn.microsoft.com/en-us/azure-data-studio/azure-connectivity?view=sql-server-ver16#supported-environment-variables-for-proxy Also please request them to try with the latest insiders build as we've brought new changes from VS Code which may improve user experience. |
|
I will look at the link and see if there is anything there that will help.
I do have the insider build. When I opened the issue I had the same behavior. Yesterday I was going to use it for a different purpose but have a new / different connectivity issue with the Azure connection. The driver has been updated / changed over to now reflect the Microsoft Entra naming. With the Azure “explorer” piece – even after removing the azure account and re-adding the azure account – the 2 factor fails to connect / update.
Steps to repro - Add azure account --> browser is opened to log in to the Microsoft account --> the validation page never loads / never allows connectivity.
Not able to manually connect to any of our Azure resources.
Uninstalled the insider build / re-installed the current build and everything is working correctly (aside from the multiple refreshes to get past the 407 in the Azure “explorer” section). Once you connect to a managed instance – you can continue to work without any issue at all. Did a reverse engineer with the SQL Compare to a Database Project and had no issues. Put the insider build back on and unable to connect to any azure resources.
From: Cheena Malhotra ***@***.***>
Sent: Wednesday, October 25, 2023 7:15 PM
To: microsoft/azuredatastudio ***@***.***>
Cc: Eric Hanson ***@***.***>; Mention ***@***.***>
Subject: [EXTERNAL] Re: [microsoft/azuredatastudio] Proxy connectivity errors with Azure Data Studio connection to Azure Portal (Issue #24471)
Hi @emhansonoh<https://github.com/emhansonoh>
The initial add of the account is done and may take a retry or 2 - receiving 407 errors along the way until it's succesful. The inventory is then displayed in the Azure section of the tool. As you drill down to the resources at almost every layer a 407 will happen requiring several refresh attempts to be made so it works.
We have not heard of the 407 errors from other customers who also run ADS regularly in proxy-enabled environments so it may be related with lifetime of proxy authentication tokens.
Has customer tried providing username/password combination in http.proxy setting in ADS in format described here: https://learn.microsoft.com/en-us/azure-data-studio/azure-connectivity?view=sql-server-ver16#supported-environment-variables-for-proxy
Also please request them to try with the latest insiders build as we've brought new changes from VS Code which may improve user experience.
—
Reply to this email directly, view it on GitHub<#24471 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AYEDBGLJN3AI6GD3VUH2WTLYBGMQZAVCNFSM6AAAAAA46QTDACVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTOOBQGE4DGOJXGY>.
You are receiving this because you were mentioned.Message ID: ***@***.******@***.***>>
|
We've identified the issue that contributed to this (#24839), and fix is underway. I'll update again when fix is available in insiders so we can continue testing for 407 errors. |
|
That sounds good. Thank you. I did look at the link you had provided. I can try this solution to see if the behavior is any better / different. But - we will not be providing our username / password in clear text in a config file at volume. If this was a couple of people temporarily getting around an issue - that would be a possibility. But, in a large environment this will not be a workable solution. |
|
This primarily depends on VS Code's missing proxy support for extensions: ref. microsoft/vscode#12588 |
|
The latest insiders build is out that contains the fix to this issue: #24839 |
|
So, partially working, partially not. I have the insider build - 1.48 / 4 days old. I'm able to connect / browse through our subscriptions. I still get periodic proxy errors (BlueCoat timeouts) but refresh and it's good. It does seem to be more response than it had been, but - still there periodically. Likely unrelated - I am not able to connect to our managed instances still. That appeared with that other bug which was fixed and allowed the Azure piece to work. Whenever we try to connect to any of our SQL resources using Microsoft Entra ID - Universal with MFA support - we get "User credentials received in invalid format" I'll keep trying things to see if something sticks out but looks like that will still be problematic. And - it does start off with "Proxy" so that is a bit concerning. More to come though if I find something. Microsoft.Data.SqlClient.SqlException (0x80131904): User credentials received in invalid format. |
|
Received the update yesterday on the release product - 1.47.0 / 2023-11-07. This appears to have the new connectivity in it as the driver is now labeled Microsoft Entra ID. The Azure window seems to behave / able to browse through. There do not appear to be as frequent of issues requiring retry as we had previously seen. But, this has introduced a new issue which has resulted in the tool being unusable. Unknown if this is proxy related or if this is a new / different issue. Please advise if a new bug should be logged specific to this issue. Microsoft.Data.SqlClient.SqlException (0x80131904): The SSL connection could not be established, see inner exception. |
|
Hi @emhansonoh The fixes we're making for proxy environments will arrive in Insiders build. You could try disabling the setting |
|
Thanks @cheenamalhotra ! That disablement resolved the connectivity issue in 1.47. Much appreciated! |
|
closing as connectivity issue confirmed resolved above |
Steps to Reproduce:
Does this issue occur when all extensions are disabled?: Yes/No - YES
This issue is very specific to use of the tool at a large corporation which utilizes Proxy devices to access the internet. The condition appears both on Windows machines as well as Mac. And, this condition isn't limited to just this piece of the tool but is significantly more impactful.
In a large environment which utilizes proxy appliances for external connectivity, the users find the tool to be unusable for one of the primary features - connecting to their Azure tenant to provide the inventory of the many different assets (SQL Database / SQL Managed Instance). The initial add of the account is done and may take a retry or 2 - receiving 407 errors along the way until it's succesful. The inventory is then displayed in the Azure section of the tool. As you drill down to the resources at almost every layer a 407 will happen requiring several refresh attempts to be made so it works.
If the tool is not used for a day or 2, the credentials need to be refreshed and often will get an error saying there are multiple files in the \AppData\Roaming\azuredatastudio\AzureAccounts folder. Those end up needing to be deleted, the account removed within Azure Data Studio and then start the process over.
Example -
Your credentials could not be authenticated: "Credentials are missing.". You will not be permitted access until your credentials can be verified.
This is typically caused by an incorrect username and/or password, but could also be caused by network problems.
[Error]: Failed to acquireTokenSilent - [{"errorCode":"client_error","errorMessage":"undefined - [undefined]: A client error occured.\nHttp status code: 407\nHttp status message: Proxy Authentication Required\nHeaders: {"proxy-authenticate":"NEGOTIATE, NTLM, BASIC realm=\"Prod\"","cache-control":"no-cache","x-xss-protection":"1","connection":"close","content-type":"text/html; charset=utf-8","content-length":"1120","pragma":"no-cache"} - Correlation ID: undefined - Trace ID: undefined","subError":"","name":"ServerError"}]
[Error]: MSAL: getToken call failed: [object Object] - []
[Error]: Error: client_error occurred when acquiring token.
undefined - [undefined]: A client error occured.
Http status code: 407
Http status message: Proxy Authentication Required
Headers: {"proxy-authenticate":"NEGOTIATE, NTLM, BASIC realm="Prod"","cache-control":"no-cache","x-xss-protection":"1","connection":"close","content-type":"text/html; charset=utf-8","content-length":"1120","pragma":"no-cache"} - Correlation ID: undefined - Trace ID: undefined - []
The text was updated successfully, but these errors were encountered: