Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Dataverse Client sending authentication request to the wrong tenant #494

Open
whobday opened this issue Jan 21, 2025 · 3 comments
Open

Dataverse Client sending authentication request to the wrong tenant #494

whobday opened this issue Jan 21, 2025 · 3 comments

Comments

@whobday
Copy link

whobday commented Jan 21, 2025
edited
Loading

I'm using the client to connect to environments in separate tenants (ABC and XYZ) using an AppRegistration. I'm providing the client a connectionString that looks something like this:

AuthType=Certificate;url=https://abc.dynamics.com/;thumbprint=;ClientId=;UseUniqueConnectionInstance=True;RequireNewInstance=True"
AuthType=Certificate;url=https://xyz.dynamics.com/;thumbprint=;ClientId=;UseUniqueConnectionInstance=True;RequireNewInstance=True"

abc and xyz are different tenants

Occasionally I will see this error:

Microsoft.PowerPlatform.Dataverse.Client.Utils.DataverseConnectionException: Failed to connect to Dataverse ---> Microsoft.Identity.Client.MsalServiceException: AADSTS700016: Application with identifier '<abcAppRegistrationGuid>' was not found in the directory 'XYZ Directory'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant. Trace ID: 2797c8fc-e8a5-4b03-b7da-06091b1e4000 Correlation ID: 54a8a6da-abb4-4f5e-a4e2-9dddd4469943 Timestamp: 2025-01-21 21:31:24Z

at Microsoft.PowerPlatform.Dataverse.Client.Auth.AuthProcessor.<ProcessMsalExecptionAsync>d__6.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.PowerPlatform.Dataverse.Client.Auth.AuthProcessor.<ExecuteAuthenticateServiceProcessAsync>d__0.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.PowerPlatform.Dataverse.Client.ConnectionService.<ConnectAndInitServiceAsync>d__204.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.PowerPlatform.Dataverse.Client.ConnectionService.<DoDirectLoginAsync>d__185.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.PowerPlatform.Dataverse.Client.ConnectionService.<InitServiceAsync>d__184.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.PowerPlatform.Dataverse.Client.ConnectionService.GetCachedService(ConnectionService& ConnectionObject) at Microsoft.PowerPlatform.Dataverse.Client.ConnectionService.IntilizeService(ConnectionService& ConnectionObject) at Microsoft.PowerPlatform.Dataverse.Client.ServiceClient.CreateServiceConnection(Object externalOrgServiceProxy, AuthenticationType requestedAuthType, String hostName, String port, String orgName, NetworkCredential credential, String userId, SecureString password, String domain, String Geo, String claimsHomeRealm, Boolean useSsl, Boolean useUniqueInstance, OrganizationDetail orgDetail, String clientId, Uri redirectUri, PromptBehavior promptBehavior, OrganizationWebProxyClientAsync externalOrgWebProxyClient, String certificateThumbPrint, StoreName certificateStoreName, X509Certificate2 certificate, Uri instanceUrl, Boolean isCloned, Boolean useDefaultCreds, Version incomingOrgVersion, ILogger externalLogger, String tokenCacheStorePath) --- End of inner exception stack trace --- at Microsoft.PowerPlatform.Dataverse.Client.ServiceClient.CreateServiceConnection(Object externalOrgServiceProxy, AuthenticationType requestedAuthType, String hostName, String port, String orgName, NetworkCredential credential, String userId, SecureString password, String domain, String Geo, String claimsHomeRealm, Boolean useSsl, Boolean useUniqueInstance, OrganizationDetail orgDetail, String clientId, Uri redirectUri, PromptBehavior promptBehavior, OrganizationWebProxyClientAsync externalOrgWebProxyClient, String certificateThumbPrint, StoreName certificateStoreName, X509Certificate2 certificate, Uri instanceUrl, Boolean isCloned, Boolean useDefaultCreds, Version incomingOrgVersion, ILogger externalLogger, String tokenCacheStorePath) at Microsoft.PowerPlatform.Dataverse.Client.ServiceClient.ConnectToService(String connectionString, ILogger logger)

You'll notice the AppRegistrationGuid does not align with the directory it should be connecting to. I make a client, connect, do my operation, and then destroy the client. Rinse. Repeat. 95% of the time this works flawlessly - the other 5% I get the above exception. Curiously, I observed the same behavior with the older CrmSdk client (which spurred the upgrade to the Dataverse Client).

FWIW, the application is multi-threaded.
@whobday whobday changed the title Dataverse Client connecting to wrong tenant on occasion Dataverse Client attempting to connect to wrong tenant on occasion Jan 21, 2025
@whobday whobday changed the title Dataverse Client attempting to connect to wrong tenant on occasion Dataverse Client sendign authentication request to the wrong tenant Jan 22, 2025
@whobday whobday changed the title Dataverse Client sendign authentication request to the wrong tenant Dataverse Client sending authentication request to the wrong tenant Jan 22, 2025
@MattB-msft
Copy link
Member

@whobday

Interesting. could you give me a sense of the volume of requests you're running here?
How are you doing the parallel operations? are you using the shipped .net TPL bits in .net 6+ or are you using .net framework?
Do you happen to be running this in an Azure Function?

version of the DVSC Client?
I have not seen this behavior myself, and we removed the client caching logic in DVSC ( that means that the RequireNewInstance=True is not wired to anything)

In CSC ( CrmServiceClient ) this could happen if the system reused the cached client, but DVSC should not be able to do this (caching logic was removed), especially if your disposing the client.

thanks

@whobday-afs
Copy link

It's legacy WCF running as a Windows Service using .NET 4.8 and DVSC 1.2.2. The WCF service is configured PerCall. A typical method is going to create a connection to an org/environment, perform an operation, and dispose. It's bursty, but I'd call it low volume. I've been able to replicate the issue in a series of 20 or less connections.

FWIW, I was happily connecting to DV using CSC until it stopped working forcing my hand with DVSC. Using XrmToolbox you can replicate the issue by attempting to connect to DV using a ConnectionString with AuthType=Certificate. The client connection fails with an ADAL error - I think. Curiously, you can connect to DV using the certificate connection wizard using the same certificate and AppID.

@MattB-msft
Copy link
Member

Thanks,
You said it was working fine with CSC, can you tell me which version of the CSC you were using?
The major difference in this flow is the use of MSAL.net vs ADAL.net.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@MattB-msft @whobday @whobday-afs