Azure Account adding not working

[waldyd]

• Azure Data Studio Version:
  

Steps to Reproduce:

1.Try to Sign in to Azure

2. Click Add an Account:

3. Supposedly account added:
   
4. No account added:

[adsbot]

Thanks for submitting this issue. Please also check if it is already covered by an existing one, like:

• Connection dialog "Add an account" option doesn't select the added account (#4451)
• Stuck in loop: "Error: Failed to get credential for account . Please refresh the account" (#8829)
• cannot remove a Azure Linked account since the account email is too long (#6698)
• Cannot Connect to Azure DB using Personal Microsoft Account (#5956)

[aaomidi]

Hey @waldyd, could you please see if adding an account works on the latest insiders build?

https://github.com/microsoft/azuredatastudio#try-out-the-latest-insiders-build-from-master

[waldyd]

Yes @aaomidi . It is working for the Latest Windows User Insider version.

[aaomidi]

Thanks! Then this problem should be fixed for next release.

[waldyd]

@aaomidi but when trying to connect. This was prompted:

[aaomidi]

Hmm, that's weird. Does it repro 100% of the time?

Any errors in the developer console?

Help -> Toggle Developer Tools

[waldyd]

Yes. It was reproduced several times.

Here the developer console errors are:

Getting key failed: Error: A specified logon session does not exist. It may already have been terminated.
 (at t.SimpleTokenCache.<anonymous> (c:\Users\nalvarez\AppData\Local\Programs\Azure Data Studio - Insiders\resources\app\extensions\azurecore\dist\extension.js:166:23670))
2c:\Users\nalvarez\AppData\Local\Programs\Azure Data Studio - Insiders\resources\app\node_modules.asar\zone.js\dist\zone-node.js:2280 

[Extension Host] (node:17540) [DEP0005] DeprecationWarning: Buffer() is deprecated due to security and usability issues. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead. (at writeOut (internal/process/warning.js:27:3))

Adding key failed: Error: A specified logon session does not exist. It may already have been terminated.
 (at t.SimpleTokenCache.<anonymous> (c:\Users\nalvarez\AppData\Local\Programs\Azure Data Studio - Insiders\resources\app\extensions\azurecore\dist\extension.js:166:23460))
2c:\Users\nalvarez\AppData\Local\Programs\Azure Data Studio - Insiders\resources\app\node_modules.asar\zone.js\dist\zone-node.js:2280 

[Extension Host] Getting key failed: Error: A specified logon session does not exist. It may already have been terminated.
 (at t.SimpleTokenCache.<anonymous> (c:\Users\nalvarez\AppData\Local\Programs\Azure Data Studio - Insiders\resources\app\extensions\azurecore\dist\extension.js:166:23670))
c:\Users\nalvarez\AppData\Local\Programs\Azure Data Studio - Insiders\resources\app\node_modules.asar\zone.js\dist\zone-node.js:2280 
  
ERR Error: Failed to get Azure account token for connection
    at e.connectWithOptions (workbench.desktop.main.js:5617) [<root>]
    at processTicksAndRejections (internal/process/task_queues.js:85) [<root>]
    at async e.handleDefaultOnConnect (workbench.desktop.main.js:7773) [<root>]

[Extension Host] Shutting off webserver... (at Timeout._onTimeout (c:\Users\nalvarez\AppData\Local\Programs\Azure Data Studio - Insiders\resources\app\extensions\azurecore\dist\extension.js:166:68580))

Then while trying to refresh the credentials:

c:\Users\nalvarez\AppData\Local\Programs\Azure Data Studio - Insiders\resources\app\node_modules.asar\zone.js\dist\zone-node.js:2280 ERR Error while refreshing account: TypeError: Cannot read property '2c94bed6-d675-4d3d-a53b-7b461fd6acc2' of undefined

[magnusbratt]

I am getting the sate issue in insiders build on Mac OSX.

After adding the account I get the following error message, and no account is added

In the console I get

[aaomidi]

Thank you this is extremely useful to investigate.

[aaomidi]

@waldyd It seems like your issue is something to do with how your windows is setup. Azure Data Studio uses Windows Credential Manager to store authentication tokens.

This is technically the expected/secure way for us to store authentication tokens.

I think there is an argument to be made for us to enable flat-file storage for users like yourself that may have a stricter domain configuration, but I'm not entirely sure if that's wise as these tokens essentially identify you to the Azure service.

I recommend looking up the error you've received "A specified logon session does not exist. It may already have been terminated & Credential Manager", and you'll find a few threads that talk about that same issue.

If you look at your Local Group Policy Editor (Win+R, gpedit.msc) the following setting might be switched on to "Enabled":

This is likely blocking ADS to store credentials there.

[waldyd]

Hi @aaomidi . That policy was disabled in my case:

Also, in my case, the browser is managed by my organization

[aaomidi]

@waldyd If it's enabled it wouldn't work I think. Can you try to use ADS on another device and see if you can repro this?

[aaomidi]

@magnusbratt We've published a new insiders build with more debug output, can you try to add your account on the latest version of ADS insiders?

The developer logs should contain a lot more info.

[magnusbratt]

OK. I updated to the lastest Insider version. I added my Azure account, and get the web page sign in. Then I get this error message in ADS:

and this in the developer tools console

[magnusbratt]

I now also installed the Insiders build on a Windows PC. When signing into Azure, I got

I then get the same

and in the developer tools console

[aaomidi]

So it seems you belong to a tenant where you don't actually have permissions to do resource management on it.

I'll make a PR that silently ignores tenants where you don't have permissions to do operations on them. Hopefully that fixes your problem.

It'll also contain some more debug information giving you information on why that's failing.

Can you check on azure portal to see if you have permissions to the tenant described by:

[magnusbratt]

My account does belong to a few directories where I do not have permissions. However, for the directory referenced, I am "global administrator".

However, I removed "left the organization" for another tenant that I know I do not have permissions to. After this, I was able to expand my subscriptions and access resources. But when I try to expand a database to view it, it does not expand. The spinner never stops, se screenshot. There are no additional messages in the developer tools console.

[aaomidi]

Whoops didn't mean to close this issue. Let's wait for the insiders build tomorrow and go over this. Thank you so much for helping me debug this @magnusbratt :)

[magnusbratt]

Just FYI. I just updated to the latest Insider build and the issue persists.

I get no new messages in developer tools console.

[aaomidi]

Could you please share your console either way? Would still be helpful :)

[magnusbratt]

Here is a screenshot, including developer tools console

[aaomidi]

Oh so it lists the databases, just doesn't connect to them right?

[magnusbratt]

Correct. That's a new behavior since after I left the tenant for which I did not have permissions. That is, I can expand the account, the subscription, "SQL database", but not view the database.

I can also expand the account, the subscription, "SQL server", but not view/expand the server.

[aaomidi]

@magnusbratt Alright that's a whole different issue. Could you try making yourself the admin on that server on azure portal.

Open the SQL Database on Azure Portal, and add your account as the Active Directory admin.

[magnusbratt]

@aaomidi Is it OK to continue in this thread, or do you want me to create a new issue?

I am already a member of the Active Directory group that is admin of the server.

[magnusbratt]

@aaomidi FYI: Today I updated ADZ Insiders on my Mac and it now works to sign in with my AAD account and access the database servers and databases I have access to.

It still does not work with the non-insider build, but I assume that is a matter of time.

I have also tested the latest insiders build on my PC and it works just as well.

Thanks for developing great software!

[chriskinsman]

This is still an issue for me with Azure Insiders 1.18.0 build.

Trying to connect to postgres.

ERR Error: Failed to get Azure account token for connection
at e.connectWithOptions (workbench.desktop.main.js:5724) []
at async e.handleDefaultOnConnect (workbench.desktop.main.js:7901) []

[aaomidi]

Insiders is unfortunately a little broken at the moment. I would suggest sticking to the release branch.

If this issue is specific to PostgreSQL, I would recommend opening another issue.

[chriskinsman]

Wasn't working in release which is why I tried insiders.

[aaomidi]

So since the original issue is fixed, I'll be closing this issue.

Please definitely open a new issue if you are seeing any issues with AzureMFA.

[tcoldiron]

Azure Data Studio is not providing much detailed feedback, it just fails.

Using Azure Data Studio Version: 1.42.0 (Universal) on MacBook Pro with MacOS Ventura Version 13.2.1 (22D68)

We recently changed from SQL Server login, to Azure Active Directory authentication, and I haven't been able to log in since, whether by "Connection" or "Add Account" or any way.

I even uninstalled & reinstalled, cleared settings.json down to just the two brackets and restarted Azure Data Studio - nothing works.

[cheenamalhotra]

@tcoldiron

Please find this related issue and recommendation: #22227 (comment)
If disabling 'HTTP: System Certificates' doesn't resolve, please open a new issue with logs attached, as per #22227 (comment)

[tcoldiron]

That recommendation got me going! Thanks!