
We have an ASP.NET MVC .NET 4.7.2 project for which I want to migrate the standard web.config settings (appSettings and connectionStrings) into Azure Key Vault.

Following these sites as reference,

https://peterbozso.com/2019/03/18/key-vault-asp-net.html

https://www.taithienbo.com/how-to-retrieve-connection-strings-in-azure-key-vault-from-asp-net-using-configuration-builders-xml-transformation-and-azure-devops/

https://www.c-sharpcorner.com/article/integrating-azure-key-vaults-with-classic-asp-net-applications/

all seemed reasonably straightforward using configBuilders.

I first implemented just the standard Secrets file configBuilder, and all worked tickety-boo.

Trying to get the Azure Config Builder working is where the issues began.

The main issue is getting Visual Studio for local debugging connected to the Key Vault. Documentation seemed to indicate adding Azure Key Vault as a Connected Service, which I have done.

So given the following in the web.config:

```xml
<configSections>
    <section name="configBuilders" type="System.Configuration.ConfigurationBuildersSection, System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" restartOnExternalChanges="false" requirePermission="false" />
</configSections>
<configBuilders>
    <builders>
        <add name="AS_AzureKeyVault" prefix="AppSetting-" stripPrefix="true" vaultName="${KEY_VAULT_NAME}" type="Microsoft.Configuration.ConfigurationBuilders.AzureKeyVaultConfigBuilder, Microsoft.Configuration.ConfigurationBuilders.Azure, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
        <add name="CS_AzureKeyVault" prefix="ConnStr-" stripPrefix="true" vaultName="${KEY_VAULT_NAME}" type="Microsoft.Configuration.ConfigurationBuilders.AzureKeyVaultConfigBuilder, Microsoft.Configuration.ConfigurationBuilders.Azure, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    </builders>
</configBuilders>
<appSettings configBuilders="AS_AzureKeyVault">
    <add key="KEY_VAULT_NAME" value="nameofvault" />
    <!-- ... -->
</appSettings>
<connectionStrings configBuilders="CS_AzureKeyVault">
    <add name="DBConn" connectionString="from key vault" />
    <!-- ... -->
</connectionStrings>
```

it just throws the error `The configBuilder 'AS_AzureKeyVault' failed while processing the configuration section 'appSettings'.: Error in Configuration Builder 'AS_AzureKeyVault'::GetValue(KEY_VAULT_NAME)`

with additional information in the stack trace of `MsalServiceException: AADSTS70002: The client does not exist or is not enabled for consumers.` and, further down, `[AuthenticationFailedException: SharedTokenCacheCredential authentication failed.]` and `[AuthenticationFailedException: DefaultAzureCredential authentication failed.]`


This just seems to be an error connecting. From my understanding, the Visual Studio Connected Services uses my credentials from Visual Studio to connect to the Azure Key Vault. I have confirmed these credentials are correct, and the Connected Service dialog lists the key vault correctly with the correct subscription and account. I have no other Azure accounts on the machine (although I did have, and have since deleted them all, thinking it may have been using the wrong account).

I additionally tried connecting via the Azure CLI, just in case it was trying those credentials, and confirmed I was connected via the CLI with the correct user and subscription, but still no luck through Visual Studio.

I am stumped. The reference websites I used seem to make this trivial.

Packages and Versions involved

I created a new project in Visual Studio, an ASP.NET MVC .NET Framework 4.7.2 project, with no changes; I was only trying to prove the concept of connecting to Azure Key Vault for local debugging.

```xml
<package id="Antlr" version="3.5.0.2" targetFramework="net472" />
<package id="Azure.Core" version="1.0.2" targetFramework="net472" />
<package id="Azure.Identity" version="1.1.1" targetFramework="net472" />
<package id="Azure.Security.KeyVault.Keys" version="4.0.0" targetFramework="net472" />
<package id="Azure.Security.KeyVault.Secrets" version="4.0.0" targetFramework="net472" />
<package id="bootstrap" version="3.4.1" targetFramework="net472" />
<package id="EntityFramework" version="6.4.4" targetFramework="net472" />
<package id="jQuery" version="3.4.1" targetFramework="net472" />
<package id="jQuery.Validation" version="1.17.0" targetFramework="net472" />
<package id="Microsoft.AspNet.Mvc" version="5.2.7" targetFramework="net472" />
<package id="Microsoft.AspNet.Razor" version="3.2.7" targetFramework="net472" />
<package id="Microsoft.AspNet.Web.Optimization" version="1.1.3" targetFramework="net472" />
<package id="Microsoft.AspNet.WebPages" version="3.2.7" targetFramework="net472" />
<package id="Microsoft.Bcl.AsyncInterfaces" version="1.0.0" targetFramework="net472" />
<package id="Microsoft.CodeDom.Providers.DotNetCompilerPlatform" version="2.0.1" targetFramework="net472" />
<package id="Microsoft.Configuration.ConfigurationBuilders.Azure" version="2.0.0" targetFramework="net472" />
<package id="Microsoft.Configuration.ConfigurationBuilders.Base" version="2.0.0" targetFramework="net472" />
<package id="Microsoft.Configuration.ConfigurationBuilders.UserSecrets" version="2.0.0" targetFramework="net472" />
<package id="Microsoft.Identity.Client" version="4.1.0" targetFramework="net472" />
<package id="Microsoft.jQuery.Unobtrusive.Validation" version="3.2.11" targetFramework="net472" />
<package id="Microsoft.Web.Infrastructure" version="1.0.0.0" targetFramework="net472" />
<package id="Modernizr" version="2.8.3" targetFramework="net472" />
<package id="Newtonsoft.Json" version="12.0.2" targetFramework="net472" />
<package id="System.Buffers" version="4.5.0" targetFramework="net472" />
<package id="System.Diagnostics.DiagnosticSource" version="4.6.0" targetFramework="net472" />
<package id="System.Memory" version="4.5.3" targetFramework="net472" />
<package id="System.Numerics.Vectors" version="4.5.0" targetFramework="net472" />
<package id="System.Runtime.CompilerServices.Unsafe" version="4.6.0" targetFramework="net472" />
<package id="System.Security.Cryptography.ProtectedData" version="4.5.0" targetFramework="net472" />
<package id="System.Text.Encodings.Web" version="4.6.0" targetFramework="net472" />
<package id="System.Text.Json" version="4.6.0" targetFramework="net472" />
<package id="System.Threading.Tasks.Extensions" version="4.5.2" targetFramework="net472" />
<package id="System.ValueTuple" version="4.5.0" targetFramework="net472" />
<package id="WebGrease" version="1.6.0" targetFramework="net472" />
```
OJay
  • Leaning Towards this solely being a Visual Studio issue, have logged a Ticket with the Visual Studio Team [here](https://developercommunity2.visualstudio.com/t/Visual-Studio-Connected-Services-Azure-K/1295407?entry=problem), please Vote if you too have hit this issue – OJay Jan 07 '21 at 21:10
  • I'm having the same issue. I need to add Azure Key Vault to a .NET Framework 4.7.2 website and can't get it to work. My other .NET Core 6 sites work, but not these older ones. Have you found a solution? I see in your VS post it's not a "priority" for them. – RoLYroLLs Feb 14 '23 at 14:21
  • @RoLYroLLs all I ended up doing was adding some logic to exclude the SharedTokenCache and explicitly set the TenantId when the debugger IsAttached. Something like: `var credOptions = new DefaultAzureCredentialOptions(); if (System.Diagnostics.Debugger.IsAttached) { credOptions.ExcludeSharedTokenCacheCredential = true; credOptions.VisualStudioTenantId = "{yourTenantId}"; } var client = new SecretClient(new Uri($"https://{VaultName}.vault.azure.net/"), new DefaultAzureCredential(credOptions));` But it meant a manual key vault implementation – OJay Feb 14 '23 at 19:14
  • Thanks! Was hoping it was purely fixed by now. It used to work years ago, but not anymore. – RoLYroLLs Feb 14 '23 at 22:53
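As an added example (not the asker's code and not the config builder's own implementation), here is a small C# replacement for the `AzureKeyVaultConfigBuilder` that applies the workaround from the comments above: it skips `SharedTokenCacheCredential` and pins the Visual Studio tenant only while a debugger is attached, then loads secrets using the same `AppSetting-` / `ConnStr-` prefixes as the question's web.config and strips them, mirroring `stripPrefix="true"`. It assumes the vault name and tenant id are supplied via the environment variables `KEY_VAULT_NAME` and `AZURE_TENANT_ID` (assumed names) rather than being hard-coded, and targets the Azure.Identity 1.1.x / Azure.Security.KeyVault.Secrets 4.0 packages listed in the question.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

// Added example: a manual stand-in for the AzureKeyVaultConfigBuilder from the question.
public static class KeyVaultSettings
{
    // Builds the credential chain. While debugging in Visual Studio, the shared MSAL token
    // cache (the source of the AADSTS70002 failure in the question) is skipped so the chain
    // falls through to the Visual Studio / Azure CLI credentials in the given tenant.
    // In a deployed app the options are left untouched, so a managed identity is used.
    public static TokenCredential BuildCredential(string visualStudioTenantId)
    {
        var options = new DefaultAzureCredentialOptions();
        if (Debugger.IsAttached)
        {
            options.ExcludeSharedTokenCacheCredential = true;
            options.VisualStudioTenantId = visualStudioTenantId;
        }
        return new DefaultAzureCredential(options);
    }

    // Reads every enabled secret whose name starts with `prefix` and returns the values
    // keyed by the name with the prefix removed, like stripPrefix="true" in the config builder.
    public static IDictionary<string, string> LoadWithPrefix(SecretClient client, string prefix)
    {
        var result = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        foreach (SecretProperties props in client.GetPropertiesOfSecrets())
        {
            if (props.Enabled == false ||
                !props.Name.StartsWith(prefix, StringComparison.OrdinalIgnoreCase))
                continue;
            KeyVaultSecret secret = client.GetSecret(props.Name);
            result[props.Name.Substring(prefix.Length)] = secret.Value;
        }
        return result;
    }

    public static void Example()
    {
        // Assumed environment variable names; neither value belongs in source control.
        string vaultName = Environment.GetEnvironmentVariable("KEY_VAULT_NAME");
        string tenantId = Environment.GetEnvironmentVariable("AZURE_TENANT_ID");
        var client = new SecretClient(new Uri($"https://{vaultName}.vault.azure.net/"),
                                      BuildCredential(tenantId));
        IDictionary<string, string> appSettings = LoadWithPrefix(client, "AppSetting-");
        IDictionary<string, string> connStrings = LoadWithPrefix(client, "ConnStr-");
        // connStrings["DBConn"] now holds the secret stored in the vault as "ConnStr-DBConn".
    }
}
```

The identity used while debugging still needs a Key Vault access policy (or RBAC role) granting only secret `get` and `list` on that vault, which is the same permission the config builder requires.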
