错误 AADSTS50105 如果用户是一个组的成员,而该组又是另一个组的成员
Error AADSTS50105 if the user is member of a group that is a member of another group
我们已经使用 this documentation 为现有的 Service Fabric 集群成功设置了 AAD 身份验证。但是,在将组分配给应用程序时我们遇到了一些问题:
- 与直接分配了管理员角色的用户连接✔
- 与属于直接分配给管理员角色的组成员的用户连接✔
- 与属于 组成员的用户连接,该用户属于直接分配给管理员角色的组 的成员 ❌
Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: AADSTS50105: The signed in user
'{EmailHidden}' is not assigned to a role for the application
Connect-ServiceFabricCluster -ConnectionEndpoint xxx.westeurope.cloudapp.azure.com:19000 -
AzureActiveDirectory -ServerCertThumbprint yyy
WARNING: Failed to contact Naming Service. Attempting to contact Failover Manager Service...
WARNING: Failed to contact Failover Manager Service, Attempting to contact FMM...
False
Connect-ServiceFabricCluster : GetAccessToken failed:
authority=https://login.microsoftonline.com/zzz
cluster=xxx client=yyy
error=Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: AADSTS50105: The signed in user
'{EmailHidden}' is not assigned to a role for the application
'xxx'(myclustername).
Trace ID: <traceid>
Correlation ID: <correlationId>
Timestamp: 2020-09-01 16:03:00Z
at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.RunAsyncTask[T](Task`1 task)
at System.Fabric.AzureActiveDirectory.Client.ClientUtility.GetAccessToken(String authority, String audience, String
client, String redirectUri, Boolean refreshSession)
at GetAccessToken(Char* authority, Char* audience, Char* client, Char* redirectUri, Boolean refreshSession, Char*
outBuffer, Int32 outBufferSize)
ErrorCode: access_denied
StatusCode: 0
At line:1 char:1
+ Connect-ServiceFabricCluster -ConnectionEndpoint sf2coreint.westeurop ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Connect-ServiceFabricCluster], FabricException
+ FullyQualifiedErrorId : TestClusterConnectionErrorId,Microsoft.ServiceFabric.Powershell.ConnectCluster
我尝试通过 Service Fabric Explorer 和 Powershell (Connect-ServiceFabricCluster)。 Service Fabric Explorer 只是在登录后冻结,而 Powershell 给出了上述错误。
我是否达到了可能的极限,或者是否可以允许这样做?
基于组的分配不支持嵌套组。
https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-saasapps
Group-based assignment is supported only for security groups. Nested group memberships are not supported for group-based assignment to applications at this time.
我们已经使用 this documentation 为现有的 Service Fabric 集群成功设置了 AAD 身份验证。但是,在将组分配给应用程序时我们遇到了一些问题:
- 与直接分配了管理员角色的用户连接✔
- 与属于直接分配给管理员角色的组成员的用户连接✔
- 与属于 组成员的用户连接,该用户属于直接分配给管理员角色的组 的成员 ❌
Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: AADSTS50105: The signed in user '{EmailHidden}' is not assigned to a role for the application
Connect-ServiceFabricCluster -ConnectionEndpoint xxx.westeurope.cloudapp.azure.com:19000 -
AzureActiveDirectory -ServerCertThumbprint yyy
WARNING: Failed to contact Naming Service. Attempting to contact Failover Manager Service...
WARNING: Failed to contact Failover Manager Service, Attempting to contact FMM...
False
Connect-ServiceFabricCluster : GetAccessToken failed:
authority=https://login.microsoftonline.com/zzz
cluster=xxx client=yyy
error=Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: AADSTS50105: The signed in user
'{EmailHidden}' is not assigned to a role for the application
'xxx'(myclustername).
Trace ID: <traceid>
Correlation ID: <correlationId>
Timestamp: 2020-09-01 16:03:00Z
at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.RunAsyncTask[T](Task`1 task)
at System.Fabric.AzureActiveDirectory.Client.ClientUtility.GetAccessToken(String authority, String audience, String
client, String redirectUri, Boolean refreshSession)
at GetAccessToken(Char* authority, Char* audience, Char* client, Char* redirectUri, Boolean refreshSession, Char*
outBuffer, Int32 outBufferSize)
ErrorCode: access_denied
StatusCode: 0
At line:1 char:1
+ Connect-ServiceFabricCluster -ConnectionEndpoint sf2coreint.westeurop ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Connect-ServiceFabricCluster], FabricException
+ FullyQualifiedErrorId : TestClusterConnectionErrorId,Microsoft.ServiceFabric.Powershell.ConnectCluster
我尝试通过 Service Fabric Explorer 和 Powershell (Connect-ServiceFabricCluster)。 Service Fabric Explorer 只是在登录后冻结,而 Powershell 给出了上述错误。
我是否达到了可能的极限,或者是否可以允许这样做?
基于组的分配不支持嵌套组。
https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-saasapps
Group-based assignment is supported only for security groups. Nested group memberships are not supported for group-based assignment to applications at this time.