Bha*_*r G 4 c# azure-active-directory
我们有一个Azure网络应用程序,通过Azure Multifactor身份验证进行身份验证,并访问Graph API和Power BI.我们已在Azure App注册上设置了所需的权限.我们使用Redis缓存在NaiveSessionCache中存储令牌详细信息.对于少数用户,当用户尝试登录时,我们收到以下错误.
AADSTS50079:用户需要使用多重身份验证
"AADSTS50079:用户需要使用多重身份验证.\ r \nTrace ID:63c180a9-6951-4a8a-96ca-e1ff38fc4400\r \n相关ID:3f12d4b1-d401-4d99-be30-36bf972d74a5\r \n时间戳:2017 -08-21 14:21:59Z","parsedStack":[{"assembly":"Microsoft.IdentityModel.Clients.ActiveDirectory,Version = 3.13.9.1126,Culture = neutral,PublicKeyToken = 31bf3856ad364e35","method":" Microsoft.IdentityModel.Clients.ActiveDirectory.AdalHttpClient + d__21 1.MoveNext","level":0,"line":0},{"assembly":"mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","method":"System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess","level":1,"line":0},{"assembly":"mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","method":"System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification","level":2,"line":0},{"assembly":"Microsoft.IdentityModel.Clients.ActiveDirectory, Version=3.13.9.1126, Culture=neutral, PublicKeyToken=31bf3856ad364e35","method":"Microsoft.IdentityModel.Clients.ActiveDirectory.AdalHttpClient+<GetResponseAsync>d__201.MoveNext","level":3,"line":0},{"assembly":"mscorlib,Version = 4.0.0.0,Culture = neutral,PublicKeyToken = b77a5c561934e089 ","方法":"System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess","level":4,"line":0},{"assembly":"mscorlib,Version = 4.0.0.0,Culture = neutral,PublicKeyToken = b77a5c561934e089","method":"System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification","level":5,"line":0},{"assembly":"Microsoft.IdentityModel.Clients.ActiveDirectory,Version = 3.13 .9.1126,Culture = neutral,PublicKeyToken = 31bf3856ad364e35","metho d":"Microsoft.IdentityModel.Clients.ActiveDirectory.AcquireTokenHandlerBase + d__67.MoveNext","level":6,"line":0},{"assembly":"mscorlib,Version = 4.0.0.0,Culture = neutral, PublicKeyToken = b77a5c561934e089","method":"System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess","level":7,"line":0},{"assembly":"mscorlib,Version = 4.0.0.0,Culture =中性,PublicKeyToken = 
b77a5c561934e089","方法":"System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification","level":8,"line":0},{"assembly":"Microsoft.IdentityModel.Clients.ActiveDirectory, Version = 3.13.9.1126,Culture = neutral,PublicKeyToken = 31bf3856ad364e35","method":"Microsoft.IdentityModel.Clients.ActiveDirectory.AcquireTokenHandlerBase + d__64.MoveNext","level":9,"line":0},{" assembly":"mscorlib,Version = 4.0.0.0,Culture = neutral,PublicKeyToken = b77a5c561934e089","method":"System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess","level":10,"line":0}, {"assembly":"mscorlib,Version = 4.0.0.0,Culture = neutral,Public KeyToken = b77a5c561934e089","method":"System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification","level":11,"line":0},{"assembly":"mscorlib,Version = 4.0.0.0,Culture =中性,PublicKeyToken = b77a5c561934e089","方法":"System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd","level":12,"line":0},{"assembly":"Microsoft.IdentityModel.Clients.ActiveDirectory, Version = 3.13.9.1126,Culture = neutral,PublicKeyToken = 31bf3856ad364e35","method":"Microsoft.IdentityModel.Clients.ActiveDirectory.AcquireTokenHandlerBase + d__55.MoveNext","level":13,"line":0},{" assembly":"mscorlib,Version = 4.0.0.0,Culture = neutral,PublicKeyToken = b77a5c561934e089","method":"System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess","level":14,"line":0}, {"assembly":"mscorlib,Version = 4.0.0.0,Culture = neutral,PublicKeyToken = b77a5c561934e089","method":"System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification","level":15,"line":0 },{ "组件":"Microsoft.IdentityModel .Clients.ActiveDirectory,Version = 3.13.9.1126,Culture = neutral,PublicKeyToken = 31bf3856ad364e35","method":"Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext + d__48.MoveNext","level":16,"line": 0},{"assembly":"mscorlib,Version = 4.0.0.0,Culture = neutral,PublicKeyToken = 
b77a5c561934e089","method":"System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess","level":17,"line" ":0},{"assembly":"mscorlib,Version = 4.0.0.0,Culture = neutral,PublicKeyToken = b77a5c561934e089","method":"System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification","level":18, "line":0},{"assembly":"Microsoft.IdentityModel.Clients.ActiveDirectory,Version = 3.13.9.1126,Culture = neutral,PublicKeyToken = 31bf3856ad364e35","method":"Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext + d__30.MoveNext","level":19,"line":0},{"assembly":"mscorlib,Version = 4.0.0.0,Culture = neutral,PublicKeyToken = b77a5c561934e089","method":"System.Runtime .CompilerServices.TaskAwaiter.T hrowForNonSuccess","level":20,"line":0},{"assembly":"mscorlib,Version = 4.0.0.0,Culture = neutral,PublicKeyToken = b77a5c561934e089","method":"System.Runtime.CompilerServices. TaskAwaiter.HandleNonSuccessAndDebuggerNotification","level":21,"line":0},{"assembly":"Assembly,Version = 1.0.0.0,Culture = neutral,PublicKeyToken = null","method":"Startup + <> c + <b__8_0> d.MoveNext " "水平":22, "线":68, "文件名": "App_Start\Startup.Auth.cs"}], "类型":" Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException ", "ID": "52129856"
这是用于接收授权代码的startup.cs文件.
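/// <summary>
/// Registers cookie and OpenID Connect sign-in on the OWIN pipeline. When an authorization
/// code is received, it is redeemed for a Power BI token and a Graph token; both are
/// serialized, encrypted and stored in the Redis-backed cache under the signed-in user's id.
/// </summary>
/// <param name="app">The OWIN application builder the authentication middleware is added to.</param>
public void ConfigureAuth(IAppBuilder app)
{
    try
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

        // NOTE(review): the session cookie uses the middleware defaults; confirm that
        // CookieSecure and the cookie lifetime match the deployment's requirements.
        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        app.UseOpenIdConnectAuthentication(
            new OpenIdConnectAuthenticationOptions
            {
                ClientId = clientId,
                Authority = Authority,
                PostLogoutRedirectUri = postLogoutRedirectUri,
                AuthenticationMode = AuthenticationMode.Active,
                Notifications = new OpenIdConnectAuthenticationNotifications()
                {
                    // If there is a code in the OpenID Connect response, redeem it for access
                    // tokens and store those away.
                    AuthorizationCodeReceived = async (context) =>
                    {
                        try
                        {
                            IConnectionString _connectionString = new RedisConnectionString(ConfigurationReader.RedisCacheConfig as string);
                            ICacheManager cacheManager = new RedisCacheManager(_connectionString);
                            var code = context.Code;
                            ClientCredential credential = new ClientCredential(clientId, appKey);

                            // Fail with a descriptive error instead of a NullReferenceException
                            // when the identity carries no object-identifier claim.
                            var objectIdClaim = context.AuthenticationTicket.Identity.FindFirst(Constants.OBJECT_IDENTIFIER);
                            if (objectIdClaim == null)
                            {
                                throw new InvalidOperationException("Signed-in identity has no object identifier claim.");
                            }
                            string signedInUserID = objectIdClaim.Value;

                            AuthenticationContext authContext = new AuthenticationContext(Authority, new NaiveSessionCache(signedInUserID));

                            // Read the request once, before the first await, so both redemptions
                            // send the same redirect URI and nothing touches HttpContext.Current
                            // after the continuation resumes.
                            // NOTE(review): this value comes from the incoming request URL; it has
                            // to match the reply URL used for the authorize request, so a configured
                            // constant is safer behind a proxy or load balancer. Confirm.
                            Uri redirectUri = new Uri(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path));

                            // Getting Power BI token
                            AuthenticationResult result = await authContext.AcquireTokenByAuthorizationCodeAsync(
                                code, redirectUri, credential, pbiResourceID);

                            // Getting Graph token
                            // NOTE(review): the same authorization code is redeemed a second time
                            // here. Consider obtaining this token from the token cache with
                            // AcquireTokenSilentAsync instead; verify against the ADAL version in use.
                            AuthenticationResult graphResult = await authContext.AcquireTokenByAuthorizationCodeAsync(
                                code, redirectUri, credential, graphResourceId);

                            UserTokenCache cache = new UserTokenCache
                            {
                                GraphAccessToken = graphResult.AccessToken,
                                PBIAccessToken = result.AccessToken,
                                PBITokenExpires = result.ExpiresOn,
                                GraphTokenExpires = graphResult.ExpiresOn
                            };

                            // Access tokens are bearer credentials: only the encrypted form is
                            // written to the shared cache.
                            string encryptedCache = CryptographyUtility.Encrypt(JsonConvert.SerializeObject(cache));
                            cacheManager.set(signedInUserID, encryptedCache);
                        }
                        catch (Exception ex)
                        {
                            // Token redemption failures (for example an AdalServiceException such
                            // as AADSTS50079, MFA required) end up here and are only logged:
                            // sign-in still completes, but no tokens are cached for the user, so
                            // later Graph / Power BI calls have nothing to use.
                            // NOTE(review): an MFA-required failure cannot be resolved on the token
                            // endpoint; it needs a new interactive request for the failing resource.
                            ExceptionLogger.LogInApplicationInsight(ex);
                        }
                    },
                    AuthenticationFailed = (context) =>
                    {
                        ExceptionLogger.LogInApplicationInsight(context.Exception);
                        return Task.FromResult(0);
                    }
                }
            });
    }
    catch (Exception ex)
    {
        // The three original handlers (SystemException, ApplicationException, Exception) did
        // the same thing, so one handler covers them.
        // NOTE(review): a failure here is logged and swallowed, so the application keeps
        // starting without the authentication middleware registered. Confirm that protected
        // endpoints fail closed in that state.
        ExceptionLogger.LogInApplicationInsight(ex);
    }
}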
我在这里遗漏了什么吗?由于这个错误,少数用户无法获取令牌,嵌入式Power BI报告也无法加载.
此错误表示用户需要注册或执行多重身份验证.
AADSTS50079:用户需要注册MFA
AADSTS50076:用户必须执行MFA
这两个错误的解决方法相同:您的应用需要针对获取令牌失败的资源发起一次交互式请求.
假设您尝试获取需要MFA的Microsoft Graph令牌.您可能已经持有为其他资源颁发的刷新令牌(或者已经登录但未请求任何资源),然后向Azure AD请求Microsoft Graph的新令牌.该请求发往/token端点,这是一个POST请求,无法在其中完成MFA.因此,您的应用应捕获此错误,并发起一个新的交互式请求(使用AcquireToken或OWIN OpenId Connect质询),指定resource=https://graph.microsoft.com或其他获取失败的资源.