
parsing_wstrust_response_failed when installing a module

Open cveld opened this issue 3 years ago • 3 comments

On our self-hosted Azure DevOps build agent we are hitting strange behavior of PowerShellGet.

Whereas on the virtual machine in a regular Windows account we can just hit Install-Module Az.Storage, in the context of the local system account - in which the agent is running - this results in the following exception:

PS C:\Windows\system32> install-module az.storage
   at Microsoft.Identity.Core.WsTrust.WsTrustWebRequestManager.GetWsTrustResponseAsync(WsTrustEndpoint wsTrustEndpoint, String wsTrustRequest, Re
questContext requestContext)
   at Microsoft.Identity.Core.WsTrust.CommonNonInteractiveHandler.GetWsTrustResponseAsync(UserAuthType userAuthType, String cloudAudienceUrn, WsT
rustEndpoint endpoint, IUsernameInput usernameInput)
   --- End of inner exception stack trace ---
   at Microsoft.Identity.Core.WsTrust.CommonNonInteractiveHandler.GetWsTrustResponseAsync(UserAuthType userAuthType, String cloudAudienceUrn, WsT
rustEndpoint endpoint, IUsernameInput usernameInput)
   at Microsoft.Identity.Core.WsTrust.CommonNonInteractiveHandler.PerformWsTrustMexExchangeAsync(String federationMetadataUrl, String cloudAudien
ceUrn, UserAuthType userAuthType)
   at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenIWAHandler.PreTokenRequestAsync()
   at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenHandlerBase.RunAsync()
   at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.AcquireTokenCommonAsync(String resource, String clientId, IntegratedW
indowsAuthInput iwaInput)
   at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContextIntegratedAuthExtensions.AcquireTokenAsync(AuthenticationContext ctx,
String resource, String clientId, UserCredential userCredential)
   at NuGetCredentialProvider.CredentialProviders.Vsts.AdalTokenProvider.AcquireTokenWithWindowsIntegratedAuth(CancellationToken cancellationToke
n) in E:\A\_work\777\s\CredentialProvider.Microsoft\CredentialProviders\Vsts\AdalTokenProvider.cs:line 122
   at NuGetCredentialProvider.CredentialProviders.Vsts.WindowsIntegratedAuthBearerTokenProvider.GetTokenAsync(Uri uri, CancellationToken cancella
tionToken) in E:\A\_work\777\s\CredentialProvider.Microsoft\CredentialProviders\Vsts\BearerTokenProviders.cs:line 58
   at NuGetCredentialProvider.CredentialProviders.Vsts.VstsCredentialProvider.HandleRequestAsync(GetAuthenticationCredentialsRequest request, Can
cellationToken cancellationToken) in E:\A\_work\777\s\CredentialProvider.Microsoft\CredentialProviders\Vsts\VstsCredentialProvider.cs:line 88
        ErrorCode: parsing_wstrust_response_failed
[Minimal] [CredentialProvider]DeviceFlow: https://pkgs.dev.azure.com/ourniceorg/_packaging/ourniceproject/nuget/v2
[Minimal] [CredentialProvider]ATTENTION: User interaction required.

    **********************************************************************

    To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code DT26JNEK7 to authenticate.

    **********************************************************************

Somehow the infrastructure is not able to retrieve the credentials for the extra PSRepository we have registered.

We have used the following PowerShell to get it registered:

$ArtifactsToken = "personalaccesstokenfortheuser"
$ArtifactsUsername = "[email protected]"
$password = ConvertTo-SecureString $ArtifactsToken -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential $ArtifactsUsername, $password
$AzureDevopsPsArtifacts = "Our-Azure-Devops-PS-Artifacts"
$Location = 'https://pkgs.dev.azure.com/ourniceorg/_packaging/ourniceproject/nuget/v2'
Register-PSRepository `
        -Credential $credential `
        -InstallationPolicy Trusted `
        -Name $AzureDevopsPsArtifacts `
        -PackageManagementProvider 'NuGet' `
        -PublishLocation $Location `
        -SourceLocation $Location `
        -Verbose

I have read through https://github.com/PowerShell/PowerShellGet/issues/52. It looks related.

PS C:\Windows\system32> get-module | select version,name

Version Name
------- ----
1.6.2   Az.Accounts
3.1.0.0 Microsoft.PowerShell.Management
3.0.0.0 Microsoft.PowerShell.Security
3.1.0.0 Microsoft.PowerShell.Utility
3.0.0.0 Microsoft.WSMan.Management
1.4.7   PackageManagement
2.2.4   PowerShellGet
1.2     PSReadline
PS C:\Windows\system32> $psversiontable

Name                           Value
----                           -----
PSVersion                      5.1.14393.3471
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.14393.3471
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

cveld avatar Jul 14 '20 18:07 cveld

Issue-Label Bot is automatically applying the label bug to this issue, with a confidence of 0.93. Please mark this comment with :thumbsup: or :thumbsdown: to give our bot feedback!

Links: app homepage, dashboard and code for this bot.

issue-label-bot[bot] avatar Jul 14 '20 18:07 issue-label-bot[bot]

@cveld are you able to install the module if you also provide the credential at Install-Module time?

SydneyhSmith avatar Jul 16 '20 22:07 SydneyhSmith

@SydneyhSmith Now we are getting the error on the windows-latest agent as well when registering our NuGet feed with Register-PSRepository. Maybe this was always the case but we didn't try this until now.

I was also fiddling with a separate download of the Azure Artifact credential provider, found on https://github.com/microsoft/artifacts-credprovider#azure-artifacts-credential-provider to no avail.

$env:NUGET_PLUGIN_PATHS = "D:\Downloaded\Microsoft.NuGet.CredentialProvider\plugins\netfx\CredentialProvider.Microsoft\CredentialProvider.Microsoft.exe"

Our Azure DevOps repo is Azure Active Directory enabled. Does that make any difference? We are using a Personal Access Token (PAT) to authenticate.

After three trials the authentication is successful. We don't do an Install-Module. We do the following:

$module = Find-Module -Name $PackageConfig.Name -Repository $AzureDevopsPsArtifacts -Credential $Credential
Save-Module -InputObject $module -Path $Path -Credential $Credential

Which run fine.

Log dump:

   at System.Net.NTAuthentication.GetOutgoingBlob(Byte[] incomingBlob, Boolean throwOnError, SecurityStatus& statusCode)
   at System.Net.NTAuthentication.GetOutgoingBlob(String incomingBlob)
   at System.Net.NegotiateClient.DoAuthenticate(String challenge, WebRequest webRequest, ICredentials credentials, Boolean preAuthenticate)
   at System.Net.NegotiateClient.Authenticate(String challenge, WebRequest webRequest, ICredentials credentials)
   at System.Net.AuthenticationManagerDefault.Authenticate(String challenge, WebRequest request, ICredentials credentials)
   at System.Net.AuthenticationState.AttemptAuthenticate(HttpWebRequest httpWebRequest, ICredentials authInfo)
   at System.Net.HttpWebRequest.CheckResubmitForAuth()
   at System.Net.HttpWebRequest.CheckResubmit(Exception& e, Boolean& disableUpload)
   --- End of inner exception stack trace ---
   at System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, TransportContext& context)
   at System.Net.Http.HttpClientHandler.GetRequestStreamCallback(IAsyncResult ar)
   --- End of inner exception stack trace ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Net.Http.HttpClient.<FinishSendAsyncBuffered>d__58.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Identity.Core.Http.HttpManager.<ExecuteAsync>d__9.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Identity.Core.Http.HttpManager.<ExecuteWithRetryAsync>d__8.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Identity.Core.Http.HttpManager.<SendPostForceResponseAsync>d__6.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Identity.Core.WsTrust.WsTrustWebRequestManager.<GetWsTrustResponseAsync>d__3.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Identity.Core.WsTrust.CommonNonInteractiveHandler.<GetWsTrustResponseAsync>d__7.MoveNext()
   --- End of inner exception stack trace ---
   at Microsoft.Identity.Core.WsTrust.CommonNonInteractiveHandler.<GetWsTrustResponseAsync>d__7.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Identity.Core.WsTrust.CommonNonInteractiveHandler.<PerformWsTrustMexExchangeAsync>d__6.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenIWAHandler.<PreTokenRequestAsync>d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenHandlerBase.<RunAsync>d__60.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.<AcquireTokenCommonAsync>d__40.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContextIntegratedAuthExtensions.<AcquireTokenAsync>d__0.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at NuGetCredentialProvider.CredentialProviders.Vsts.AdalTokenProvider.<AcquireTokenWithWindowsIntegratedAuth>d__9.MoveNext() in E:\A\_work\919\s\CredentialProvider.Microsoft\CredentialProviders\Vsts\AdalTokenProvider.cs:line 122
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at NuGetCredentialProvider.CredentialProviders.Vsts.WindowsIntegratedAuthBearerTokenProvider.<GetTokenAsync>d__8.MoveNext() in E:\A\_work\919\s\CredentialProvider.Microsoft\CredentialProviders\Vsts\BearerTokenProviders.cs:line 58
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at NuGetCredentialProvider.CredentialProviders.Vsts.VstsCredentialProvider.<HandleRequestAsync>d__8.MoveNext() in E:\A\_work\919\s\CredentialProvider.Microsoft\CredentialProviders\Vsts\VstsCredentialProvider.cs:line 117
        ErrorCode: parsing_wstrust_response_failed
[Minimal] [CredentialProvider]DeviceFlow: https://pkgs.dev.azure.com/tse-enterprise/_packaging/CCC/nuget/v2
[Minimal] [CredentialProvider]ATTENTION: User interaction required. 

cveld avatar Oct 08 '20 14:10 cveld
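
An added example, not part of the original thread or of the PowerShellGet project: a non-interactive agent script that follows the pattern the thread ends on (explicit -Credential on Find-Module and Save-Module), reads the PAT from a secret environment variable instead of a string literal, and fails closed when the secret is missing. ARTIFACTS_USER, ARTIFACTS_PAT, Save-FeedModule and the sample paths are hypothetical names; VSS_NUGET_EXTERNAL_FEED_ENDPOINTS is the endpoint-credential variable documented by the artifacts-credprovider project linked above, and whether setting it prevents the device-flow fallback shown in the logs is an assumption the thread does not confirm.

```powershell
# Added example. Assumes the pipeline maps two secret variables into the
# environment of the agent process: ARTIFACTS_USER and ARTIFACTS_PAT (hypothetical names).
$ErrorActionPreference = 'Stop'

$RepoName = 'Our-Azure-Devops-PS-Artifacts'
$Location = 'https://pkgs.dev.azure.com/ourniceorg/_packaging/ourniceproject/nuget/v2'

# Fail closed: a service account cannot answer a device-login prompt,
# so stop before any call that could fall back to interactive auth.
if ([string]::IsNullOrWhiteSpace($env:ARTIFACTS_PAT) -or
    [string]::IsNullOrWhiteSpace($env:ARTIFACTS_USER)) {
    throw 'ARTIFACTS_USER / ARTIFACTS_PAT not set; refusing to continue.'
}

$secret     = ConvertTo-SecureString $env:ARTIFACTS_PAT -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential($env:ARTIFACTS_USER, $secret)

# Hand the same PAT to the Azure Artifacts credential provider so it has an
# explicit credential for this feed (format from the artifacts-credprovider README).
$env:VSS_NUGET_EXTERNAL_FEED_ENDPOINTS = @{
    endpointCredentials = @(
        @{ endpoint = $Location; username = $env:ARTIFACTS_USER; password = $env:ARTIFACTS_PAT }
    )
} | ConvertTo-Json -Depth 3 -Compress

# Idempotent registration: a persistent self-hosted agent keeps the repository
# between runs, and Register-PSRepository errors on a duplicate name.
if (-not (Get-PSRepository -Name $RepoName -ErrorAction SilentlyContinue)) {
    Register-PSRepository -Name $RepoName `
        -SourceLocation $Location -PublishLocation $Location `
        -PackageManagementProvider 'NuGet' -InstallationPolicy Trusted `
        -Credential $credential
}

function Save-FeedModule {
    # Hypothetical helper: every feed call carries the credential explicitly.
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Path
    )
    $module = Find-Module -Name $Name -Repository $RepoName -Credential $credential
    Save-Module -InputObject $module -Path $Path -Credential $credential
    return $module
}

# Constructed sample call; module name and target path are placeholders.
# Save-FeedModule -Name 'Some.Internal.Module' -Path 'C:\agent\modules'
```

The environment variable holds the PAT in clear text for the lifetime of the process, so scope the secret to the single pipeline step that needs it.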