

How to use AAD authentication or managed identity to access resources with the torus system in Azure?

We previously used Key Vault and connection strings to access resources in Azure. However, that generates many required parameters. We want to simplify the process.

We wanted to use AAD authentication.

First, we tried certificate-based AAD authentication (https://learn.microsoft.com/en-us/azure/cosmos-db/sql/certificate-based-authentication), and it works. But the thing is, in Key Vault the certificates are set to auto-rotate, whereas in the AAD app we can only manually upload a new certificate each time (I know there are methods like a VM extension or extra software that can do auto-renewal, but that is complicated. We just want to change configs in the Azure portal and change the service code to access resources). In this situation, as the number of certificates grows, it is not practical to manually renew each cert in each AAD app. I noticed that some places say configuring TLS/SSL settings enables auto-renewal, but currently the Azure portal only allows manually uploading certificates. Only a Function App can do TLS/SSL settings.

Secondly, we noticed another option: managed identity. It simply says to call azureServiceTokenProvider.GetAccessTokenAsync("https://management.azure.com/"); to get a token. But the thing is, the current login tenant ID is microsoft.onmicrosoft.com, while the resources and the subscriptions are all in prdtrs01.onmicrosoft.com through the torus account. Even when I try string accessToken = azureServiceTokenProvider.GetAccessTokenAsync("https://management.azure.com/", prdtrs01tenantid) it still does not work, saying AADSTS50020: User account '{EmailHidden}' from identity provider '...' does not exist in tenant 'PRDTRS01' and cannot access the application '...'. It seems we just cannot get a token from the prdtrs01 tenant ID.

Also, I tried to replace the AAD app used in the first method with the Function App used in the second method to do certificate-based authentication. However, the Function App does not have a clientId, just a principalId and the user-assigned managed identity's clientId. Both IDs fail with ClientAssertionCertificate credential = new ClientAssertionCertificate(clientId, cert); in certificate-based authentication. It finally says "Client assertion contains an invalid signature. [Reason - The key was not found., Thumbprint of key used by client".

In all, I described several ways we tried, but all failed. Can anyone help? Thanks

AADSTS50020: User account '{EmailHidden}' from identity provider '...' does not exist in tenant 'PRDTRS01' and cannot access the application

As per this first error, it means that the account you are using to access the application is not part of the tenant that the application is hosted in.

  1. Make the application a Multi-Tenant Application: You can convert the application to accept users from multiple tenants. In this way you can give access to users who are not in your tenant without having to add them to the tenant where the application is.

Maybe the account type is set to Accounts in this organizational directory only. You may have to change it to Accounts in any organizational directory.

Go to Azure portal -> Azure Active Directory -> Manage -> App Registrations -> your app name -> Supported Account Types

(or)

  1. Add the user to the tenant as a guest: You may need to add the user to the tenant that the application is hosted in. You can follow this document to add the user with your domain as a Guest User to the tenant. And grant access to the application for the said user.

However, if your authentication call is for a specific tenant, i.e. https://login.microsoftonline.com/yourtenantname or id, users from other organizations won't be able to access the application and are required to be added as guests in the tenant specified in the request. In your case, try to authenticate the request like https://login.microsoftonline.com/organizations or https://login.microsoftonline.com/common
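An added C# example of the tenant-targeting point in this answer; it is not code from the question or the answer, and it uses the Azure.Identity library instead of the AppAuthentication AzureServiceTokenProvider the question uses. The credential is pinned to the tenant that owns the subscriptions, that tenant is explicitly allowed for cross-tenant use, and AADSTS50020 is surfaced with the two remedies listed above. The tenant and client IDs are placeholders.

```csharp
using System;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;

public static class ResourceTenantToken
{
    // Placeholders: the tenant that owns the subscriptions (not the tenant the
    // developer is signed into) and the user-assigned identity's client id.
    const string ResourceTenantId = "<resource-tenant-id>";
    const string ManagedIdentityClientId = "<user-assigned-identity-client-id>";

    public static async Task<AccessToken> GetArmTokenAsync()
    {
        var options = new DefaultAzureCredentialOptions
        {
            // Pins the developer-credential path (CLI, Visual Studio, ...) to the
            // resource tenant; a managed identity already lives in its own tenant.
            TenantId = ResourceTenantId,
            ManagedIdentityClientId = ManagedIdentityClientId,
        };
        // Azure.Identity refuses to acquire tokens for a tenant other than the
        // one it signed into unless that tenant is allowed explicitly.
        options.AdditionallyAllowedTenants.Add(ResourceTenantId);

        var credential = new DefaultAzureCredential(options);
        var scopes = new[] { "https://management.azure.com/.default" };

        try
        {
            return await credential.GetTokenAsync(
                new TokenRequestContext(scopes, tenantId: ResourceTenantId));
        }
        catch (AuthenticationFailedException ex) when (ex.Message.Contains("AADSTS50020"))
        {
            // The signed-in account is not a member of the resource tenant: either make
            // the app registration multi-tenant or add the account there as a guest.
            throw new InvalidOperationException(
                "Account is not in tenant " + ResourceTenantId +
                "; make the app multi-tenant or add the account as a guest there.", ex);
        }
    }
}
```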
