“AADSTS500021: Access to ‘Bot Framework’ tenant is denied”

Question

When testing my bot with F5 I am able to receive requests, but something goes wrong with the authentication as I get the following error: AADSTS500021: Access to 'Bot Framework' tenant is denied.

  • I am using C#, so I have installed Teams Toolkit for Visual Studio.
  • I have created a new command bot using the template.
  • I have run "Prepare Teams App Dependencies" and logged into Microsoft 365.
  • I have started my ngrok http tunnel.

I have tried to follow the troubleshooting guide here:

  • When I remove the App ID and password, the bot works fine.
  • I get the same error from the curl statement in step 2: https://login.microsoftonline.com/error?code=500021
    "error":"invalid_grant" "AADSTS500021: Access to 'Bot Framework' tenant is denied"

I am of the understanding I do not need to deploy my app to Azure to begin testing locally and that the template solution should generate the App ID and password for me. Is my understanding correct?

If so, is there something I need to configure in my Azure AD tenant? My IT department assure me that we have no tenant restrictions.

Full logs below:

info: NetTeamsApp.Commands.HelloWorldCommandHandler[0]
Bot received message: helloworld
fail: Microsoft.Bot.Builder.Integration.AspNet.Core.CloudAdapter[0]
[OnTurnError] unhandled error : Failed to acquire token for client credentials. (AADSTS500021: Access to 'Bot Framework' tenant is denied.
Trace ID: 88c0cb6e-cdf7-4dc3-bf93-da0799613a00
Correlation ID: 35e7aead-412b-415e-8428-17029c5e97e6
Timestamp: 2023-05-17 14:49:23Z)
System.AggregateException: Failed to acquire token for client credentials. (AADSTS500021: Access to 'Bot Framework' tenant is denied.
Trace ID: 88c0cb6e-cdf7-4dc3-bf93-da0799613a00
Correlation ID: 35e7aead-412b-415e-8428-17029c5e97e6
Timestamp: 2023-05-17 14:49:23Z)
---> Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: AADSTS500021: Access to 'Bot Framework' tenant is denied.
Trace ID: 88c0cb6e-cdf7-4dc3-bf93-da0799613a00
Correlation ID: 35e7aead-412b-415e-8428-17029c5e97e6
Timestamp: 2023-05-17 14:49:23Z
---> Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: Response status code does not indicate success: 400 (BadRequest).
at Microsoft.Identity.Core.OAuth2.OAuthClient.GetResponseAsync[T](Boolean respondToDeviceAuthChallenge)
ErrorCode: BadRequest
StatusCode: 400
--- End of inner exception stack trace ---
at Microsoft.Identity.Core.OAuth2.OAuthClient.GetResponseAsync[T](Boolean respondToDeviceAuthChallenge)
at Microsoft.Identity.Core.OAuth2.OAuthClient.GetResponseAsync[T]()
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenHandlerBase.SendHttpMessageAsync(IRequestParameters requestParameters)
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenHandlerBase.SendTokenRequestAsync()
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenHandlerBase.CheckAndAcquireTokenUsingBrokerAsync()
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenHandlerBase.RunAsync()
at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.AcquireTokenForClientCommonAsync(String resource, ClientKey clientKey)
at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.AcquireTokenAsync(String resource, ClientCredential clientCredential)
at Microsoft.Bot.Connector.Authentication.AdalAuthenticator.AcquireTokenAsync(Boolean forceRefresh)
at Microsoft.Bot.Connector.Authentication.Retry.Run[TResult](Func`1 task, Func`3 retryExceptionHandler)
ErrorCode: invalid_request
StatusCode: 400
--- End of inner exception stack trace ---
at Microsoft.Bot.Connector.Authentication.Retry.Run[TResult](Func`1 task, Func`3 retryExceptionHandler)
at Microsoft.Bot.Connector.Authentication.AdalAuthenticator.GetTokenAsync(Boolean forceRefresh)
at Microsoft.Bot.Connector.Authentication.AdalAuthenticator.Microsoft.Bot.Connector.Authentication.IAuthenticator.GetTokenAsync(Boolean forceRefresh)
at Microsoft.Bot.Connector.Authentication.AppCredentials.GetTokenAsync(Boolean forceRefresh)
at Microsoft.Bot.Connector.Authentication.AppCredentials.ProcessHttpRequestAsync(HttpRequestMessage request, CancellationToken cancellationToken)
at Microsoft.Bot.Connector.Conversations.ReplyToActivityWithHttpMessagesAsync(String conversationId, String activityId, Activity activity, Dictionary`2 customHeaders, CancellationToken cancellationToken)
at Microsoft.Bot.Connector.ConversationsExtensions.ReplyToActivityAsync(IConversations operations, String conversationId, String activityId, Activity activity, CancellationToken cancellationToken)
at Microsoft.Bot.Builder.CloudAdapterBase.SendActivitiesAsync(ITurnContext turnContext, Activity[] activities, CancellationToken cancellationToken)
at Microsoft.Bot.Builder.TurnContext.<>c__DisplayClass31_0.<<SendActivitiesAsync>g__SendActivitiesThroughAdapter|1>d.MoveNext()
--- End of stack trace from previous location ---
at Microsoft.Bot.Builder.TurnContext.SendActivityAsync(IActivity activity, CancellationToken cancellationToken)
at Microsoft.TeamsFx.Conversation.ActivityCommandResponse.SendResponseAsync(ITurnContext turnContext, CancellationToken cancellationToken)
at Microsoft.TeamsFx.Conversation.CommandResponseMiddleware.OnTurnAsync(ITurnContext turnContext, NextDelegate next, CancellationToken cancellationToken)
at Microsoft.Bot.Builder.MiddlewareSet.ReceiveActivityWithStatusAsync(ITurnContext turnContext, BotCallbackHandler callback, CancellationToken cancellationToken)
at Microsoft.Bot.Builder.BotAdapter.RunPipelineAsync(ITurnContext turnContext, BotCallbackHandler callback, CancellationToken cancellationToken)
fail: Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware[1]
An unhandled exception has occurred while executing the request.
System.AggregateException: Failed to acquire token for client credentials. (AADSTS500021: Access to 'Bot Framework' tenant is denied.
Trace ID: 88c0cb6e-cdf7-4dc3-bf93-da07a7613a00
Correlation ID: e8367844-44b8-42ae-8f07-be1db3d15c8c
Timestamp: 2023-05-17 14:49:23Z)
---> Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: AADSTS500021: Access to 'Bot Framework' tenant is denied.
Trace ID: 88c0cb6e-cdf7-4dc3-bf93-da07a7613a00
Correlation ID: e8367844-44b8-42ae-8f07-be1db3d15c8c
Timestamp: 2023-05-17 14:49:23Z
---> Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: Response status code does not indicate success: 400 (BadRequest).
at Microsoft.Identity.Core.OAuth2.OAuthClient.GetResponseAsync[T](Boolean respondToDeviceAuthChallenge)
ErrorCode: BadRequest
StatusCode: 400
--- End of inner exception stack trace ---
at Microsoft.Identity.Core.OAuth2.OAuthClient.GetResponseAsync[T](Boolean respondToDeviceAuthChallenge)
at Microsoft.Identity.Core.OAuth2.OAuthClient.GetResponseAsync[T]()
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenHandlerBase.SendHttpMessageAsync(IRequestParameters requestParameters)
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenHandlerBase.SendTokenRequestAsync()
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenHandlerBase.CheckAndAcquireTokenUsingBrokerAsync()
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenHandlerBase.RunAsync()
at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.AcquireTokenForClientCommonAsync(String resource, ClientKey clientKey)
at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.AcquireTokenAsync(String resource, ClientCredential clientCredential)
at Microsoft.Bot.Connector.Authentication.AdalAuthenticator.AcquireTokenAsync(Boolean forceRefresh)
at Microsoft.Bot.Connector.Authentication.Retry.Run[TResult](Func`1 task, Func`3 retryExceptionHandler)
ErrorCode: invalid_request
StatusCode: 400
--- End of inner exception stack trace ---
at Microsoft.Bot.Connector.Authentication.Retry.Run[TResult](Func`1 task, Func`3 retryExceptionHandler)
at Microsoft.Bot.Connector.Authentication.AdalAuthenticator.GetTokenAsync(Boolean forceRefresh)
at Microsoft.Bot.Connector.Authentication.AdalAuthenticator.Microsoft.Bot.Connector.Authentication.IAuthenticator.GetTokenAsync(Boolean forceRefresh)
at Microsoft.Bot.Connector.Authentication.AppCredentials.GetTokenAsync(Boolean forceRefresh)
at Microsoft.Bot.Connector.Authentication.AppCredentials.ProcessHttpRequestAsync(HttpRequestMessage request, CancellationToken cancellationToken)
at Microsoft.Bot.Connector.Conversations.ReplyToActivityWithHttpMessagesAsync(String conversationId, String activityId, Activity activity, Dictionary`2 customHeaders, CancellationToken cancellationToken)
at Microsoft.Bot.Connector.ConversationsExtensions.ReplyToActivityAsync(IConversations operations, String conversationId, String activityId, Activity activity, CancellationToken cancellationToken)
at Microsoft.Bot.Builder.CloudAdapterBase.SendActivitiesAsync(ITurnContext turnContext, Activity[] activities, CancellationToken cancellationToken)
at Microsoft.Bot.Builder.TurnContext.<>c__DisplayClass31_0.<<SendActivitiesAsync>g__SendActivitiesThroughAdapter|1>d.MoveNext()
--- End of stack trace from previous location ---
at Microsoft.Bot.Builder.TurnContext.SendActivityAsync(IActivity activity, CancellationToken cancellationToken)
at Microsoft.Bot.Builder.TurnContext.SendActivityAsync(String textReplyToSend, String speak, String inputHint, CancellationToken cancellationToken)
at NetTeamsApp.AdapterWithErrorHandler.<>c__DisplayClass0_0.<<-ctor>b__0>d.MoveNext() in C:\Users\tomlinss\dev\NetTeamsApp\AdapterWithErrorHandler.cs:line 21
--- End of stack trace from previous location ---
at Microsoft.Bot.Builder.BotAdapter.RunPipelineAsync(ITurnContext turnContext, BotCallbackHandler callback, CancellationToken cancellationToken)
at Microsoft.Bot.Builder.CloudAdapterBase.ProcessActivityAsync(AuthenticateRequestResult authenticateRequestResult, Activity activity, BotCallbackHandler callback, CancellationToken cancellationToken)
at Microsoft.Bot.Builder.CloudAdapterBase.ProcessActivityAsync(String authHeader, Activity activity, BotCallbackHandler callback, CancellationToken cancellationToken)
at Microsoft.Bot.Builder.Integration.AspNet.Core.CloudAdapter.ProcessAsync(HttpRequest httpRequest, HttpResponse httpResponse, IBot bot, CancellationToken cancellationToken)
at NetTeamsApp.Controllers.BotController.PostAsync(CancellationToken cancellationToken) in C:\Users\tomlinss\dev\NetTeamsApp\Controllers\BotController.cs:line 24
at lambda_method4(Closure , Object )
at Microsoft.AspNetCore.Mvc.Infrastructure.ActionMethodExecutor.AwaitableResultExecutor.Execute(IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object controller, Object[] arguments)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeActionMethodAsync>g__Awaited|12_0(ControllerActionInvoker invoker, ValueTask`1 actionResultValueTask)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeNextActionFilterAsync>g__Awaited|10_0(ControllerActionInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Rethrow(ActionExecutedContextSealed context)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeInnerFilterAsync>g__Awaited|13_0(ControllerActionInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeFilterPipelineAsync>g__Awaited|20_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Awaited|17_0(ResourceInvoker invoker, Task task, IDisposable scope)
at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Awaited|17_0(ResourceInvoker invoker, Task task, IDisposable scope)
at Microsoft.AspNetCore.Routing.EndpointMiddleware.<Invoke>g__AwaitRequestTask|6_0(Endpoint endpoint, Task requestTask, ILogger logger)
at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)

Answer 1

Score: 0

I think there may be some restrictions in your M365 tenant according to this doc (https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/tenant-restrictions#microsoft-365-support).

AADSTS500021: Access to '{tenant}' tenant is denied. AADSTS500021 indicates that the tenant restriction feature is configured and that the user is trying to access a tenant that isn't in the list of allowed tenants specified in the header Restrict-Access-To-Tenant. For more information, see Use tenant restrictions to manage access to SaaS cloud applications.

If you find it hard to remove the restriction on Bot Framework, you can create an M365 test account to test locally. You will have full control of this account. https://learn.microsoft.com/en-us/microsoftteams/platform/concepts/build-and-test/prepare-your-o365-tenant#create-your-development-environment
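A triage sketch for the situation in this thread, added here as an example and not taken from the original post or from any Microsoft code: it pulls the distinct AADSTS failures out of the question's log for handing to the identity team, and models the allow-list check the answer describes. The token endpoint URL, the allow-list values and the function names are assumptions, and the comparison is by string only.

```python
import re
from urllib.parse import urlsplit

# Excerpt of the log quoted in the question (stack frames omitted).
SAMPLE_LOG = """\
[OnTurnError] unhandled error : Failed to acquire token for client credentials. (AADSTS500021: Access to 'Bot Framework' tenant is denied.
Trace ID: 88c0cb6e-cdf7-4dc3-bf93-da0799613a00
Correlation ID: 35e7aead-412b-415e-8428-17029c5e97e6
Timestamp: 2023-05-17 14:49:23Z)
System.AggregateException: Failed to acquire token for client credentials. (AADSTS500021: Access to 'Bot Framework' tenant is denied.
Trace ID: 88c0cb6e-cdf7-4dc3-bf93-da0799613a00
Correlation ID: 35e7aead-412b-415e-8428-17029c5e97e6
Timestamp: 2023-05-17 14:49:23Z)
System.AggregateException: Failed to acquire token for client credentials. (AADSTS500021: Access to 'Bot Framework' tenant is denied.
Trace ID: 88c0cb6e-cdf7-4dc3-bf93-da07a7613a00
Correlation ID: e8367844-44b8-42ae-8f07-be1db3d15c8c
Timestamp: 2023-05-17 14:49:23Z)
"""

# Assumption: the endpoint a bot's client-credentials request is sent to.
BOT_TOKEN_URL = "https://login.microsoftonline.com/botframework.com/oauth2/v2.0/token"

STS_CODE = re.compile(r"(AADSTS\d+): (.*)")
FIELD = re.compile(r"(Trace ID|Correlation ID|Timestamp): (.+)")


def extract_sts_errors(log_text):
    """Return one record per distinct Correlation ID (nested exceptions repeat it)."""
    records, current = {}, None
    for line in log_text.splitlines():
        code = STS_CODE.search(line)
        if code:
            current = {"code": code.group(1), "message": code.group(2)}
            continue
        field = FIELD.match(line.strip())
        if field and current is not None:
            current[field.group(1)] = field.group(2).rstrip(")")
            if field.group(1) == "Timestamp":  # last field of each error block
                records.setdefault(current.get("Correlation ID"), current)
                current = None
    return list(records.values())


def tenant_from_token_url(url):
    """Tenant segment (first path component) of a token endpoint URL."""
    return urlsplit(url).path.strip("/").split("/")[0].lower()


def would_be_denied(token_url, restrict_header):
    """Simplified model: deny when the target tenant is not in the allow-list.

    restrict_header is the comma-separated value a proxy would inject as
    Restrict-Access-To-Tenants. Entra ID also accepts directory IDs and any
    domain of the tenant; this sketch compares the literal strings only.
    """
    allowed = {t.strip().lower() for t in restrict_header.split(",") if t.strip()}
    return tenant_from_token_url(token_url) not in allowed


if __name__ == "__main__":
    for rec in extract_sts_errors(SAMPLE_LOG):
        print(rec["code"], rec["Correlation ID"], rec["Timestamp"])
    # Constructed allow-list that names only the organisation's own tenant.
    print(would_be_denied(BOT_TOKEN_URL, "contoso.com, contoso.onmicrosoft.com"))
```

The bot's token request targets the botframework.com tenant rather than the developer's own, which is why an allow-list that names only the organisation's tenant still produces this error.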

huangapple
  • Posted on May 17, 2023, 20:32:08
  • When reposting, be sure to keep the link to this article: https://go.coder-hub.com/76272141.html