
Problem description

In an earlier post, which described using a System Managed Identity to back up APIM to a Storage Account, an Authentication Failed error suddenly appeared; the detailed error message indicated that a certificate had expired.

{
"error": {
"code": "BadRequest",
"message": "Authentication Failed : A configuration issue is preventing authentication - check the error message from the server for details.

You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details.

Original exception: AADSTS700027: The certificate with identifier used to sign the client assertion is expired on application.

Thumbprint of key used by client: '3D****************', Found key 'Start=04/28/2024 11:10:00, End=07/28/2024 11:10:00',

Please visit the Azure Portal, Graph Explorer or directly use MS Graph to see configured keys for app Id 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'.

Review the documentation at https://docs.microsoft.com/en-us/graph/deployments to determine the corresponding service endpoint and https://docs.microsoft.com/en-us/graph/api/application-get?view=graph-rest-1.0&tabs=http to build a query request URL, such as ' https://microsoftgraph.chinacloudapi.cn/beta/applications/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'].

Trace ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

Correlation ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

Timestamp: 2024-07-29 10:16:32Z ",

"details": null,
"innerError": null
}
}

But APIM has no certificate configured, does it? So where does this error come from?


Solution

Using the App ID from the error message, locate it in the Azure Entra ID service: it is the enterprise application registration ID of the System Managed Identity enabled on the APIM instance.


However, this certificate information cannot be viewed through the portal.


It can, however, be seen with the AZ CLI command (az ad sp show --id), for example:

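As an added example (not part of the original post), the following Python script performs the check an operator would want at this point: it reads the service principal object that az ad sp show --id returns, lists every key credential with its expiry status, and maps the Start/End window quoted in the AADSTS700027 message back onto the specific key. It assumes the field names of the Microsoft Graph keyCredential schema (keyCredentials, startDateTime, endDateTime, keyId, customKeyIdentifier), assumes the times in the error text are UTC, and runs on constructed sample data rather than a live query.

```python
import base64
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of the object returned by `az ad sp show --id <id>`.
# Only the fields the check needs are included; field names follow the
# Microsoft Graph servicePrincipal / keyCredential schema (an assumption
# here, not something shown in the original post). The dates of the first
# key mirror the Start/End window quoted in the AADSTS700027 error.
SAMPLE_SP_JSON = """
{
  "appId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "displayName": "my-apim-instance",
  "servicePrincipalType": "ManagedIdentity",
  "keyCredentials": [
    {
      "customKeyIdentifier": "PQAAAAAAAAAAAAAAAAAAAAAAAAA=",
      "endDateTime": "2024-07-28T11:10:00Z",
      "keyId": "11111111-1111-1111-1111-111111111111",
      "startDateTime": "2024-04-28T11:10:00Z",
      "type": "AsymmetricX509Cert",
      "usage": "Verify"
    },
    {
      "customKeyIdentifier": "AAAAAAAAAAAAAAAAAAAAAAAAAAA=",
      "endDateTime": "2024-08-15T11:10:00.0000000Z",
      "keyId": "22222222-2222-2222-2222-222222222222",
      "startDateTime": "2024-05-15T11:10:00.0000000Z",
      "type": "AsymmetricX509Cert",
      "usage": "Verify"
    }
  ]
}
"""

# Fragment of the error text from the post (the key window is the part we parse).
SAMPLE_ERROR = ("AADSTS700027: The certificate with identifier used to sign the client "
                "assertion is expired on application. Thumbprint of key used by client: "
                "'3D****************', Found key 'Start=04/28/2024 11:10:00, "
                "End=07/28/2024 11:10:00',")

# The Timestamp reported in the error, used as "now" for a reproducible triage.
TRIAGE_NOW = datetime(2024, 7, 29, 10, 16, 32, tzinfo=timezone.utc)


def parse_graph_time(value):
    """Parse Graph ISO 8601 timestamps: trailing 'Z', sometimes 7 fractional digits."""
    value = value.rstrip("Z")
    if "." in value:
        head, frac = value.split(".", 1)
        value = f"{head}.{frac[:6]}"  # fromisoformat accepts at most 6 digits
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def thumbprint_hex(custom_key_identifier):
    """customKeyIdentifier carries the base64 of the certificate's SHA-1 thumbprint bytes."""
    return base64.b64decode(custom_key_identifier).hex().upper()


def credential_status(sp_json, now=None, warn_days=30):
    """One row per keyCredential: expired / expiring (within warn_days) / ok relative to now."""
    sp = json.loads(sp_json)
    now = now or datetime.now(timezone.utc)
    rows = []
    for cred in sp.get("keyCredentials", []):
        start = parse_graph_time(cred["startDateTime"])
        end = parse_graph_time(cred["endDateTime"])
        remaining = end - now
        if remaining <= timedelta(0):
            status = "expired"
        elif remaining <= timedelta(days=warn_days):
            status = "expiring"
        else:
            status = "ok"
        rows.append({
            "keyId": cred["keyId"],
            "thumbprint": thumbprint_hex(cred["customKeyIdentifier"]),
            "start": start,
            "end": end,
            "status": status,
            "days_remaining": remaining.days,
        })
    return rows


AADSTS_KEY_RE = re.compile(r"Found key 'Start=([^,]+), End=([^']+)'")


def parse_aadsts700027(message):
    """Extract the (start, end) window AADSTS700027 quotes for the key the client used.

    The error prints MM/DD/YYYY HH:MM:SS with no zone; UTC is assumed here."""
    m = AADSTS_KEY_RE.search(message)
    if not m:
        return None
    fmt = "%m/%d/%Y %H:%M:%S"
    return tuple(datetime.strptime(s.strip(), fmt).replace(tzinfo=timezone.utc)
                 for s in m.groups())


def find_key_from_error(rows, message):
    """Return the credential row whose validity window matches the one in the error."""
    window = parse_aadsts700027(message)
    if window is None:
        return None
    start, end = window
    return next((r for r in rows if r["start"] == start and r["end"] == end), None)


if __name__ == "__main__":
    rows = credential_status(SAMPLE_SP_JSON, now=TRIAGE_NOW)
    for r in rows:
        print(f"{r['keyId']} thumbprint={r['thumbprint'][:8]}... "
              f"end={r['end']:%Y-%m-%d %H:%M}Z status={r['status']}")
    used = find_key_from_error(rows, SAMPLE_ERROR)
    print("key named in error:", used["keyId"] if used else "not found")
```

To run this against a real instance, replace SAMPLE_SP_JSON with the output of az ad sp show --id for the managed identity's object ID; the "expiring" status gives the lead time needed to plan the identity re-creation described below, since the credential cannot be reset directly.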


Given the above, one might think of resetting the certificate directly with a command. Testing showed that, because this SP is a System Managed Identity generated by APIM, even an account that is Owner of the resource has no permission to reset its credentials.

PS C:\> az ad sp credential reset --id xx-x-x-x-xxx  --create-cert  

Insufficient privileges to complete the operation.

Afterwards, to get the APIM backup working again quickly, the APIM Managed Identity was disabled and then re-enabled, which generated a new identity; after that, the certificate-expiry problem was resolved.


Note: this operation must be carried out with great care, because it changes the identity APIM uses to access other Azure resources; once the old identity is gone, the new identity's permissions must be configured again.


References

Encountering an InvalidParameters error when calling the APIM backup API:

az ad sp show : https://learn.microsoft.com/en-us/cli/azure/ad/sp?view=azure-cli-latest#az-ad-sp-show


When facing problems in a complex environment, the way of investigating things requires: let the turbid settle and it slowly clears; let the still move and it slowly comes alive. In the cloud, it is exactly so!