问题描述
我们已经使用this documentation为现有Service Fabric集群成功设置了AAD身份验证。但是,在为应用程序分配组时会遇到一些问题:
Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException:AADSTS50105:登录的用户 未将“ {EmailHidden}”分配给该应用程序的角色
Connect-ServiceFabriccluster -ConnectionEndpoint xxx.westeurope.cloudapp.azure.com:19000 -
AzureActiveDirectory -ServerCertThumbprint yyy
WARNING: Failed to contact Naming Service. Attempting to contact Failover Manager Service...
WARNING: Failed to contact Failover Manager Service,Attempting to contact FMM...
False
Connect-ServiceFabriccluster : GetAccesstoken Failed:
authority=https://login.microsoftonline.com/zzz
cluster=xxx client=yyy
error=Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: AADSTS50105: The signed in user
'{EmailHidden}' is not assigned to a role for the application
'xxx'(myclustername).
Trace ID: <traceid>
Correlation ID: <correlationId>
Timestamp: 2020-09-01 16:03:00Z
at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.RunAsyncTask[T](Task`1 task)
at System.Fabric.AzureActiveDirectory.Client.ClientUtility.GetAccesstoken(String authority,String audience,String
client,String redirectUri,Boolean refreshSession)
at GetAccesstoken(Char* authority,Char* audience,Char* client,Char* redirectUri,Boolean refreshSession,Char*
outBuffer,Int32 outBufferSize)
ErrorCode: access_denied
StatusCode: 0
At line:1 char:1
+ Connect-ServiceFabriccluster -ConnectionEndpoint sf2coreint.westeurop ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Connect-ServiceFabriccluster],FabricException
+ FullyQualifiedErrorId : TestClusterConnectionErrorId,Microsoft.ServiceFabric.Powershell.ConnectCluster
我同时通过Service Fabric Explorer和Powershell(Connect-ServiceFabriccluster)进行了尝试。登录后,Service Fabric Explorer只会冻结,而Powershell会出现上述错误。
我在可能的范围内达到了极限吗?或者有可能允许吗?
解决方法
基于组的分配不支持嵌套组。
https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-saasapps
仅安全组支持基于组的分配。目前,基于组的应用程序分配不支持嵌套组成员身份。