"Entry point was not found" when using KeyVault modules

[MattHarrisUltima]

Version

4.1.0

Severity

High

Steps to Reproduce

Following testing of a new environment and upgrade of a container image on an existing environment, Azure connectivity does not appear to be working as expected.

The container image in question is: ironmansoftware/universal:4.1.0-modules

In a new environment, PowerShell Universal appears to be unable to connect to an Azure Tenant via Service Principal. claiming it can not find an application ID in the given tenant.

[warning] The provided service principal secret or certifcate password will be included in the 'keystore.cache' file found in the user profile ( /root/.Azure ). Please ensure that this directory has appropriate protections. 
[error] Entry point was not found.
Could not find tenant id for provided tenant domain 'xxxxxxxx-aae9-44fe-bdc4-53f76xxxxxd0'. Please ensure that the provided service principal 'xxxxxxx-4d45-4a37-be96-dfea4xxxxx71' is found in the provided tenant domain. 

In an upgraded environment, Get-AZContext returns the current subscription in a tenant however Disconnect-AZAccount returns the following error:

[ERROR] Method not found: 'Microsoft.Identity.Client.PublicClientApplicationBuilder Microsoft.Identity.Client.Broker.BrokerExtension.WithBrokerPreview(Microsoft.Identity.Client.PublicClientApplicationBuilder, Boolean)'.

A Get-AZKeyvault returns the following error:

[ERROR] Your Azure credentials have not been set up or have expired, please run Connect-AzAccount to set up your Azure credentials.
Entry point was not found.

I can see there have been some version changes in the modules provided this may be the problem

:

Expected behavior

Commands like `Connect-AZAccount`, `Disconnect-AZAccount`, and `Get-AZKeyvault` work as expected.

Actual behavior

`Disconnect-AZAccount` returns the following error:

[ERROR] Method not found: 'Microsoft.Identity.Client.PublicClientApplicationBuilder Microsoft.Identity.Client.Broker.BrokerExtension.WithBrokerPreview(Microsoft.Identity.Client.PublicClientApplicationBuilder, Boolean)'.

A Get-AZKeyvault returns the following error:

[ERROR] Your Azure credentials have not been set up or have expired, please run Connect-AzAccount to set up your Azure credentials.
Entry point was not found.

Reverting to 4.0.12-modules and re-running my keyvault setup commands appears to return functionality.

### Additional Environment data

_No response_

### Visuals

_No response_

[MattHarrisUltima]

Hi @adamdriscoll,

Thank you for making the change to static versions, however it appears the versions have been frozen on the faulty versions.

Are you able to modify this on the next release?

[adamdriscoll]

Hmmm. Let me double check this. I thought we pinned to the older versions.

UPDATE: It looks like both versions got in some how...

[adamdriscoll]

I found the root cause. This will be in tonight's module-preview container and next week's 4.1.2 release.

[MattHarrisUltima]

Thanks Adam, Ill run the preview container in the morning and let you know how it goes. Kind Regards, MATT​​​​ HARRIS | Cloud Automation Developer | www.ultima.com<http://www.ultima.com/> | From: Adam Driscoll ***@***.***> Sent: Wednesday, September 20, 2023 2:11 PM To: ironmansoftware/issues ***@***.***> Cc: Matt Harris ***@***.***>; Author ***@***.***> Subject: Re: [ironmansoftware/issues] "Entry point was not found" when using KeyVault modules (Issue #2681) [Attention: This email has originated from outside Ultima. Please take extra care when opening links or attachments even if you've verified the sender. If in doubt, please contact the IT service desk.] I found the root cause. This will be in tonight's module-preview container and next week's 4.1.2 release. — Reply to this email directly, view it on GitHub<#2681 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AZLIKLMJNHFUDDTRHYQ3TSTX3LTOTANCNFSM6AAAAAA4ZY2OO4>. You are receiving this because you authored the thread.Message ID: ***@***.******@***.***>> This e-mail, its contents and any attachments, is private and, in the absence of any other document classification markings, is confidential. It is for the intended recipient only and is property of Ultima Business Solutions Limited. If you are not the stated recipient, you must not deal with it in any way and are prohibited from using, printing, copying, distributing or disseminating this e-mail or any information contained in it. In such case please notify us by telephone on 03330158000 and confirm that it has been deleted from your system and any copies destroyed. This e-mail has been swept for the presence of computer viruses, but no warranty is given that this e-mail and any attachments are virus free. You should undertake your own virus checking, Ultima Business Solutions Limited do not accept liability for any loss or damage caused by computer viruses. The right to monitor e-mail communications through our networks is reserved by us. Our Privacy Policy may be reviewed on the following web page https://www.ultima.com/privacy-policy About us Ultima Business Solutions Limited is registered in England and Wales under number: 2521249. Registered Office: Gainsborough House, Manor Park, Reading, RG2 0NA. www.ultima.com

[MattHarrisUltima]

Hi @adamdriscoll,

It looks like we are still getting some errors.

After testing the preview image, ironmansoftware/universal:4.1.2-preview-modules I am still receiving the same error In 4.1.x using the same versions.

I transferred the

Connecting to Azure appears to be the problem.

I have pulled 4.1.1-ubuntu-20.04 without the modules and moved Az.Accounts into the /root modules' folder, and I am receiving exactly the same error:

[warning] The provided service principal secret or certifcate password will be included in the 'keystore.cache' file found in the user profile ( /root/.Azure ). Please ensure that this directory has appropriate protections. 
[error] Entry point was not found.
Could not find tenant id for provided tenant domain '########-####-####-####-############'. Please ensure that the provided service principal '########-####-####-####-############' is found in the provided tenant domain. 

I pulled a copy of Az.Accounts version 2.10.14 from a backup and it appears to work. Im wondering if the Az.Accounts module bundled in the home directory has been corrupted?

[adamdriscoll]

Very weird. We are using Save-Module to download that module before building the container so I don't know why it would be corrupt.

[MattHarrisUltima]

I agree, this is very weird.

Had anything else been added in 4.1.x which could disrupt module loading? I saw PowerShell 7.3.7 was included, I was wondering if anything else relating to code execution within an environment could have changed?

[MattHarrisUltima]

Hi @adamdriscoll,

I have been thinking this over. Is there a command I can use to rescan the /home/Universal/Modules/ manually?

This would allow me to monitor logs and potentially do some testing.

[MattHarrisUltima]

Hi @adamdriscoll

Please advise if there is anything you need from me on this issue.

Additionally, after today I am on annual leave until the 9th October and will be unable to reply until my return.

[adamdriscoll]

@MattHarrisUltima - I will be reviewing this tomorrow and will let you know if I need anything else. Hopefully this is resolved when you return. :)

[adamdriscoll]

Success!

After much code spelunking, I was able to determine the root cause was actually the upgrade Microsoft.Data.SqlClient. It included a reference to Azure.Identity 1.7.0. The Az cmdlets actually use a newer version of that package. Once I upgraded that, it works great.

[adamdriscoll]

While this fixed Azure Accounts integration, it broke a lot of other things. I need to push this to 4.2. We are rolling this back and releasing 4.14.

[MattHarrisUltima]

Hi @adamdriscoll,

Thanks for the update. I will wait for 4.2.

[adamdriscoll]

@MattHarrisUltima - This change will be included in tonight's nightly build and preview containers.

[MattHarrisUltima]

Thanks for the preview image @adamdriscoll

That loads up without error on my end.

Please feel free to reach out if you would like any images tested.

[adamdriscoll]

This issue has been mentioned on Ironman Software Forums. There might be relevant details there:

https://forums.ironmansoftware.com/t/can-no-longer-connect-to-azure-with-connect-azaccount/9908/3