Cant Add Account 1.41.1 and 1.41.2

[ncapito]

I was having issues this morning with my Active Directory Universal MFA so i "removed the account." It now wont let me add it back. I've tried newer versions of ADS, I've restarted, i've cleared out he Library/Application Support/azuredatastudio directory. Nothing seems to work.

Version info:
Version: 1.41.2 (Universal)
Commit: 0f0960d
Date: 2023-02-08T20:15:24.215Z (3 wks ago)
VS Code: 1.67.0
Electron: 19.1.8
Chromium: 102.0.5005.167
Node.js: 16.14.2
V8: 10.2.154.15-electron.0
OS: Darwin x64 22.3.0

When i go to Linked Accounts -> Add an account i get errors with: "TypeError: Cannot read properties of undefined (reading 'authLibrary')"

notificationsAlerts.ts:42 error
onDidChangeNotification @ notificationsAlerts.ts:42
(anonymous) @ notificationsAlerts.ts:28
invoke @ event.ts:575
deliver @ event.ts:779
fire @ event.ts:740
addNotification @ notifications.ts:206
notify @ notificationService.ts:137
(anonymous) @ mainThreadMessageService.ts:86
ZoneAwarePromise @ /Applications/Azure Data Studio.app/Contents/Resources/app/node_modules.asar/zone.js/dist/zone.js:1351
_showMessage @ mainThreadMessageService.ts:44
$showMessage @ mainThreadMessageService.ts:38
_doInvokeHandler @ rpcProtocol.ts:475
_invokeHandler @ rpcProtocol.ts:460
_receiveRequest @ rpcProtocol.ts:374
_receiveOneMessage @ rpcProtocol.ts:296
(anonymous) @ rpcProtocol.ts:161
invoke @ event.ts:575
deliver @ event.ts:779
fire @ event.ts:740
fire @ ipc.net.ts:638
_receiveMessage @ ipc.net.ts:958
(anonymous) @ ipc.net.ts:831
invoke @ event.ts:575
deliver @ event.ts:779
fire @ event.ts:740
acceptChunk @ ipc.net.ts:382
(anonymous) @ ipc.net.ts:338
L @ ipc.net.ts:60
emit @ node:events:526
addChunk @ node:internal/streams/readable:315
readableAddChunk @ node:internal/streams/readable:289
Readable.push @ node:internal/streams/readable:228
onStreamRead @ node:internal/stream_base_commons:190
Show 3 more frames
log.ts:313 ERR TypeError: Cannot read properties of undefined (reading 'providerId')
at Pi.findAccountByKey (accountStore.ts:105:15)
at accountStore.ts:31:63
at Array.findIndex ()
at accountStore.ts:31:29
at _ZoneDelegate.invoke (/Applications/Azure Data Studio.app/Contents/Resources/app/node_modules.asar/zone.js/dist/zone.js:409:30)
at Zone.run (/Applications/Azure Data Studio.app/Contents/Resources/app/node_modules.asar/zone.js/dist/zone.js:169:47)
at /Applications/Azure Data Studio.app/Contents/Resources/app/node_modules.asar/zone.js/dist/zone.js:1326:38
at _ZoneDelegate.invokeTask (/Applications/Azure Data Studio.app/Contents/Resources/app/node_modules.asar/zone.js/dist/zone.js:443:35)
at Zone.runTask (/Applications/Azure Data Studio.app/Contents/Resources/app/node_modules.asar/zone.js/dist/zone.js:214:51)
at drainMicroTaskQueue (/Applications/Azure Data Studio.app/Contents/Resources/app/node_modules.asar/zone.js/dist/zone.js:632:39)
at process.processTicksAndRejections (node:internal/process/task_queues:96:5)
log.ts:313 ERR adding account failed
log.ts:313 ERR Error while adding account: Error: Adding account failed, check Azure Accounts log for more info.

[cheenamalhotra]

This looks related to the recent bug we fixed here: #22140

@ncapito

Can you add this setting in settings.json and try again?

    "azure.authenticationLibrary": "MSAL"

[ncapito]

@cheenamalhotra It's currently set to MSAL (when i try with this setting i get the error above). When i toggled to ADAP it opened chrome and then locked up waiting https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&response_mode=query&client_id=removed&redirect_uri=http%3A%2F%2Flocalhost%3A49783%2Fredirect&state=49783%2CcGt742e0w%252BjfKr2Owo619Q%253D%253D&prompt=select_account&code_challenge_method=S256&code_challenge=removed&resource=https%3A%2F%2Fmanagement.core.windows.net%2F

In case its useful this is what those settings look like:

[cheenamalhotra]

It may not be set in the settings.json as it's default. Please try adding explicitly by opening settings.json:

1. Open command pallete (Ctrl+Shift+P)
2. Run command: Preferences: Open Default Settings (JSON) (workbench.action.openRawDefaultSettings)

When i toggled to ADAL it opened chrome and then locked up waiting...

Are you in proxy enabled env by any chance? If yes, you may want to configure proxy in http.proxy setting:

"http.proxy": "https://userName@fqdn:[email protected]:8080"

[ncapito]

@cheenamalhotra I'm not in a proxy enabled environment.

I edited

1. settings.json and added "azure.authenticationLibrary": "MSAL"
2. restarted ADS
3. tried to connect account and got an error but the message was different.
   

I did check with my colleagues. They are all on 141.2 but dont have an issue because they did not remove the account.

[ncapito]

@cheenamalhotra I have an update on this one. I was able to get ADAL returning and throwing the same error now. My firewall was blocking access to Azure Data Studio (since i removed the app and reinstalled it). Once I allowed connections i now get the same error:

the console had this in it:

[cpirtea-bun]

I have the same problem. Went as far as remove all traces of Azure Data Studio and reinstalled clean. Nothing works. MSAL or ADAL both end up in the same 2 errors:
"TypeError: Cannot read properties of undefined (reading 'authLibrary')"
"Error: Adding account failed, check Azure Accounts log for more info."

[github-actions]

We need more info to debug your Azure Active Directory issue. If you could attach your logs to the issue (ensure no private data is in them), it would help us fix the issue much faster.

• In the settings menu, find the setting titled Azure: Logging Level and select the Verbose option
• Run the process that produces your error
• Open command palette (Click View -> Command Palette)
• Run the command: Developer: Open Logs Folder
• Follow this path to find the Azure Accounts log file: [default log folder]/exthost1/output_logging_[earliest timestamp]/#-Azure Acounts.log
• Please attach the Azure-Accounts.log file to the issue.

[cheenamalhotra]

@ncapito

Can you please fetch Azure account logs as per above comment?

@cpirtea-bun

Please verify if you've added this in settings.json (as I mentioned above: #22227 (comment), #22227 (comment))
If that's done and issue persists, please enable detailed logs and upload logs here.

[cpirtea-bun]

@cheenamalhotra will upload logs.
Just wanted to mention I installed the insider build and same outcome, however if I switch back to ADAL I get:
"Error: certificate has expired"

[cheenamalhotra]

Please upload for both ADAL and MSAL, so I can help for both.

[eduardofontes]

Hi Everyone!

Same problem here!

Two logs for you.

renderer2.log
1-Azure Accounts.log

[eduardofontes]

[Error]: MSAL: Error requesting auth code - [{"errorCode":"endpoints_resolution_error","errorMessage":"Error: could not resolve endpoints. Please check network and try again. Detail: ClientAuthError: openid_config_error: Could not retrieve endpoints. Check your authority and verify the .well-known/openid-configuration endpoint returns the required endpoints. Attempted to retrieve endpoints from: https://undefined/organizations/v2.0/.well-known/openid-configuration","subError":"","name":"ClientAuthError"}]

[cpirtea-bun]

$onExtensionRuntimeError @ mainThreadExtensionService.ts:79
mainThreadExtensionService.ts:80 SyntaxError: Unexpected token < in JSON at position 0
at JSON.parse ()
at IncomingMessage. (c:\Users\cpirtea\AppData\Local\Programs\Azure Data Studio - Insiders\resources\app\extensions\azurecore\node_modules@azure\msal-node\dist\msal-node.cjs.development.js:321:22)
at IncomingMessage.emit (node:events:538:35)
at endReadableNT (node:internal/streams/readable:1345:12)
at process.processTicksAndRejections (node:internal/process/task_queues:83:21)
$onExtensionRuntimeError @ mainThreadExtensionService.ts:80

[cheenamalhotra]

Thank you for the logs.

[Error]: MSAL: Error requesting auth code - 
[{
    "errorCode":"endpoints_resolution_error",
    "errorMessage":"Error: could not resolve endpoints. Please check network and try again. 
        Detail: ClientAuthError: openid_config_error: Could not retrieve endpoints. Check your authority and verify the .well-known/openid-configuration endpoint returns the required endpoints. 
        Attempted to retrieve endpoints from: https://undefined/organizations/v2.0/.well-known/openid-configuration",
    "subError":"",
    "name":"ClientAuthError"
}]

About this error, I recall seeing that when I was implementing MSAL support in vscode-mssql extension, that I also reported here: AzureAD/microsoft-authentication-library-for-js#4879 but hadn't seen that in ADS yet. Now it makes me think if it's related to some other factors too. I'm going to try updating to latest MSAL.js v1.16.0 if that helps resolve this issue, as it seems to contain a proper fix.

onExtensionRuntimeError @ mainThreadExtensionService.ts:79
mainThreadExtensionService.ts:80 SyntaxError: Unexpected token < in JSON at position 0
  at JSON.parse ()
  at IncomingMessage. (c:\Users\cpirtea\AppData\Local\Programs\Azure Data Studio - Insiders\resources\app\extensions\azurecore\node_modules@azure\msal-node\dist\msal-node.cjs.development.js:321:22)
  at IncomingMessage.emit (node:events:538:35)
  at endReadableNT (node:internal/streams/readable:1345:12)
  at process.processTicksAndRejections (node:internal/process/task_queues:83:21)
  $onExtensionRuntimeError @ mainThreadExtensionService.ts:80

This seems related to a corrupted cache file leading to runtime error in MSAL, can you please try deleting cache file:

C:\Users\~\AppData\Roaming\azuredatastudio\Azure Accounts\azureTokenCacheMsal-azure_publicCloud (Windows)
or /Users/~/Library/Application Support/azuredatastudio/Azure Accounts/azureTokenCacheMsal-azure_publicCloud (Mac OS)

[cpirtea-bun]

I deleted the cache and same error appeared

[cpirtea-bun]

Just looking at the code the error comes from parsing the response so it should not have anything to do with the cache.

[cpirtea-bun]

After you update to latest MSAL do I wait for next insider build?

[cheenamalhotra]

Yes, it'll be available in the next update.

[ncapito]

We need more info to debug your Azure Active Directory issue. If you could attach your logs to the issue (ensure no private data is in them), it would help us fix the issue much faster.

In case this is still needed. Logs are below. I'm using this with Azure Active Directory + Azure SQL.

Here was the first log from adding account using ADAL.
2-Azure Accounts.log

Here is the log from the MSAL
2-Azure Accounts.log

[StacyCMay]

I am also seeing this behaviour using Azure Data Studio v1.41.2.

[cheenamalhotra]

Yes, it'll be available in the next update.

Just FYI, MSAL-Node update needs more work in insiders and has been postponed, but we're actively investigating on issues with the stable release.

[StacyCMay]

Yes, it'll be available in the next update.

Hotfix or May release?

[ncapito]

Quick update. I did file a ticket with Azure Support. I will let you know once i hear back from them.

I'm using visual studio code versions are below but both failed for me (MSAL and ADAL). It looks like the same error.

=

VS Code Version:

Version: 1.76.1
Commit: 5e805b79fcb6ba4c2d23712967df89a089da575b
Date: 2023-03-08T16:32:09.831Z (2 days ago)
Electron: 19.1.11
Chromium: 102.0.5005.196
Node.js: 16.14.2
V8: 10.2.154.26-electron.0
OS: Darwin x64 22.3.0
Sandboxed: No

[cpirtea-bun]

Hi everyone,
I've learned from an internal thread, v1.39.1 of ADS seems to work in this use-case, can someone who's affected confirm the same? Also please try with v1.40.2 as that would be useful for us to diagnose the problem. If it does, you may use the same to stay unblocked, while we continue with investigations.

1.39.1 works, but 1.40.2 does not. The error logs from 1.40.2 are:

Same thing here. 1.39.1 works, 1.40.2 does not.

[ncapito]

@cheenamalhotra i found another work around. I disabled this setting "System Certificates".

Once i did that i was able to authorize using ADAL and MSL.

To verify it actually fixed the error i then turned that setting back on, removed my account, and tried to add it again (and it did fail).

Please let me know if this info helps in any way or if there is anything you would like me to check on myside. The good news is i have a workaround.

[cheenamalhotra]

Interesting! Could you also test with the latest insiders build and let us know if that helps in this case?

[PhilHannent]

Good morning, I can confirm that unticking the system certificates solved the issue in both Production and the latest Insider build. Reticking the box causes the issue to come back.

Version: 1.43.0-insider
Commit: ef99e67
Date: 2023-03-14T05:34:10.238Z
VS Code: 1.67.0
Electron: 19.1.8
Chromium: 102.0.5005.167
Node.js: 16.14.2
V8: 10.2.154.15-electron.0
OS: Darwin arm64 22.3.0

and

Version: 1.41.2
Commit: 0f0960d
Date: 2023-02-08T20:15:24.215Z
VS Code: 1.67.0
Electron: 19.1.8
Chromium: 102.0.5005.167
Node.js: 16.14.2
V8: 10.2.154.15-electron.0
OS: Darwin x64 22.3.0

[StacyCMay]

Confirmed here as well. Unchecking System Certificates setting works in 1.41.2

[ncapito]

@ncapito if possible, it would be helpful to have an Azure Support case for this, so we can get details on the user identities and times of the auth attempts (to try to correlate with errors in the service telemetry). And to be able to request more detailed logs that we can't collect over GitHub due to potential for PII data.

What would you like me to ask Azure to do? They are asking me to do some random stuff, i would like to help guide the convo.

[cheenamalhotra]

Hi @ncapito

It does seem like a certificate is involved when this error occurs, if you could investigate which certificate is contributing to this error with Azure support that would be helpful.

[johnborges]

Unchecking Http: System Certs and switching to ADAL default connection works for me.

[cheenamalhotra]

@johnborges

Unchecking Http: System Certs and switching to ADAL default connection works for me.

What error do you get when using MSAL and "Http: System Certificates" unchecked?

[johnborges]

Same error as @ncapito above. Error adding account. I was also unable to edit my previous connections.

[cheenamalhotra]

It's strange, since others were able to unblock with MSAL too..

Could you also test adding account with VSCode-MSSQL extension in VS Code as well? You can find Azure related logs in the bottom Output pane: Azure Logs when using extension.

Please open a new issue and attach any errors that you notice when adding account.

[cheenamalhotra]

Hi Everyone,

We were able to find the expired Trusted Root Certificate Authority that caused this issue with one of the affected customers.

1. You can navigate to: "Manage Computer Certificates" > Trusted Root Certification Authorities > Certificates
2. Find the DigiCert certificate expired on March 8, 2023, e.g. "DigiCert SHA2 Secure Server CA"

It's likely that due to organization policies this certificate wasn't updated in your case. You can find more info in the article from DigiCert: https://knowledge.digicert.com/generalinformation/digicert-root-and-intermediate-ca-certificate-updates-2023.html (March 8, 2023, ICA/Root Replacements) - that explains how the issue started on March 8, 2023.

You would likely need to install the updated DigiCert Trusted Root CA Certificates. Please contact your organization or DigiCert support for official guidance on the same.

[cheenamalhotra]

I will proceed to close the issue as external.

[ncapito]

@cheenamalhotra I work somewhere where we have relatively loose controls around this. I've experienced this in Azure Data Studio and VS code (today). I'm not understanding how this is an organizational issue. Do you have instructions or guidance on how i can check this on a mac?

[cheenamalhotra]

@ncapito

Do you see an expired/not trusted DigiCert certificate in Keychain Access?
ref: https://support.apple.com/en-ca/guide/keychain-access/kyca2794/11.0/mac/13.0