Skip to content
This repository has been archived by the owner on Oct 12, 2023. It is now read-only.

azure login can't handle bad credentials #1709

Closed
ahmetb opened this issue Apr 21, 2015 · 5 comments
Closed

azure login can't handle bad credentials #1709

ahmetb opened this issue Apr 21, 2015 · 5 comments
Labels
Team

Comments

@ahmetb
Copy link
Contributor

ahmetb commented Apr 21, 2015

Apparently the AD API the azure login command is hitting returns a HTTP 500 Internal Server Error (bad choice for responding to the bad credentials 🐱) and cli just spits out nasty XHTML output

$ azure login
info:    Executing command login
warn:    Please note that currently you can login only via Microsoft organizational account or service principal. For instructions on how to set them up, please read http://aka.ms/Dhf67j.
Username: foo@microsoft.com
Password: *********
+ Authenticating...
error:   WS-Trust RST request returned http error: 500 and server response: <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header><a:Action s:mustUnderstand="1">http://www.w3.org/2005/08/addressing/soap/fault</a:Action>
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><u:Timestamp u:Id="_0">
<u:Created>2015-04-21T20:54:18.491Z</u:Created><u:Expires>2015-04-21T20:59:18.491Z</u:Expires></u:Timestamp></o:Security></s:Header>
<s:Body><s:Fault><s:Code><s:Value>s:Sender</s:Value><s:Subcode><s:Value xmlns:a="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">a:FailedAuthentication</s:Value></s:Subcode>
</s:Code><s:Reason><s:Text xml:lang="en-US">ID3242: The security token could not be authenticated or authorized.</s:Text></s:Reason>
</s:Fault></s:Body></s:Envelope>
info:    Error information has been recorded to /Users/alp/.azure/azure.err
error:   login command failed
@devigned
Copy link
Member

I just repro'd and I received a 500. That shouldn't be the response code. We'll take a look at this.

@devigned
Copy link
Member

Ok, so I've confirmed that the 500 response is the expected response in this case and we need to handle this gracefully.

Let's add parsing code to look for this specific case and tell the user a more friendly message. “The credentials you provided appear to be incorrect or insufficient to access the requested resource.”

@devigned devigned added the Team label Apr 23, 2015
@matt-gibbs
Copy link
Contributor

passed along to ADAL team for improving the error test. Trying to custom parse it in the consumer is prone to break when they make updates so punting on that patch proposal.

@ahmetb
Copy link
Contributor Author

ahmetb commented Jun 19, 2015

Can we close once it's fixed in public? Somebody else might end up reporting this again.
cc: @devigned

@pablolibo
Copy link

Hi, I have the same issue, but it works or doesn't depend public ip, Anybody know if azure use ban for ip?

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Team
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@ahmetb @devigned @pablolibo @matt-gibbs