question

0 Votes
chiyao asked prmanhas-MSFT commented

Why do we need "curl https://login.microsoftonline.com/<TenantID>/ -D" to troubleshoot AADLoginForWindows?

In the following document, we use "curl https://login.microsoftonline.com/<TenantID>/ -D" to troubleshoot issues.

https://docs.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows

However, this command always returns 404.
If we want to check network connectivity, isn't "curl https://login.microsoftonline.com/ -D" enough?

Thank you.

azure-virtual-machines-extension

@chiyao Apologies for the delay in response and all the inconvenience caused because of the issue!!!

I did reproduce the issue on my end so I am reaching out to our internal team to get more inputs

Thanks

0 Votes 0 ·

1 Answer

0 Votes
prmanhas-MSFT answered prmanhas-MSFT commented

@chiyao Thank you for your patience over the matter!!!

I had discussion internally and below are the inputs I got:

curl is used to connect and authenticate with HTTP and HTTPS to Azure services. Here authentication uses the OAuth2 protocol, which means that we have to obtain a token in order to authenticate all subsequent requests, and this will need you to provide the tenant details, subscription details and other required details accordingly.

So the mentioned 404 is an expected behavior, as there is nothing on /<TenantID> to be shown. A 404 here usually signifies that the website is reachable but there is nothing to be shown on the tenant. If there were any network issue then it would give a different error, and that is what we would need to think about. Requests do not go directly to the tenant but are always redirected first to login.microsoftonline.com, so what you are seeing is expected.

A service endpoint provides secure and direct connectivity to Azure services over an optimized route over the Azure backbone network. Endpoints allow you to secure your critical Azure service resources to only your virtual networks. Now, the mentioned endpoints are not specifically there to check network connectivity; the check is also about whether these endpoints are accessible or not. If you want to check the authentication part on an Azure VM, you would definitely need to check that the authentication request and the service connectivity between the VM and the tenant are working properly, so that is why we check if these are accessible or not.

Hope it helps!!!

Please "Accept as Answer" if it helped so it can help others in community looking for help on similar topics.


@prmanhas-MSFT Thank you for discussing this.

I still have questions about using "curl https://login.microsoftonline.com/<TenantID>/ -D".

So you are saying that if we run with /<TenantID> then we can check that the website is reachable, but there is nothing to be shown.
However, we get the same result when we run the command against an existing tenant and a non-existing tenant.
So it seems the endpoint is reachable no matter whether the tenant exists or not.
* 72f988bf-86f1-41af-91ab-2d7cd011db47 is the tenant ID of microsoft.com.


PS C:\> curl https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/ -D
curl : The remote server returned an error: (404) Not Found.
At line:1 char:1
+ curl https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd0 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand

Since the message exceeds the limit, the comment continues in the next comment.

0 Votes 0 ·

Here is the result for a non-existing tenant.


PS C:\> curl https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/ -D
curl : The remote server returned an error: (404) Not Found.
At line:1 char:1
+ curl https://login.microsoftonline.com/00000000-0000-0000-0000-000000 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand

I do not see how we can differentiate whether an authentication request is received by a tenant or not,
or whether a tenant is able to authenticate, because the results for an existing tenant and a non-existing tenant are the same.

Do I miss any point here?
Any comment would be appreciated.

Thank you.
-chiyao-

0 Votes 0 ·
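An added example, not code from the thread or from the Microsoft document it links, that separates the two things chiyao asks about: whether login.microsoftonline.com is reachable at all, and whether a specific tenant answers. It is written for the Windows PowerShell the thread's output comes from (where `curl` is an alias for Invoke-WebRequest, as the error text shows), and it assumes that an existing tenant serves its OpenID Connect discovery document at `/<TenantID>/v2.0/.well-known/openid-configuration` while a non-existent one returns an error.

```powershell
# Added example, not code from the thread or from the linked Microsoft docs.
# Assumption: an existing tenant serves its OpenID Connect discovery document at
# <Authority>/<TenantID>/v2.0/.well-known/openid-configuration, while a bare
# /<TenantID>/ request returns 404 for existing and non-existent tenants alike.
function Test-AadTenantEndpoint {
    param(
        [Parameter(Mandatory)] [string] $TenantId,
        [string] $Authority = 'https://login.microsoftonline.com'
    )
    $result = [ordered]@{ TenantId = $TenantId; Reachable = $false; TenantFound = $false; Detail = '' }

    # Step 1: plain reachability of the authority. Any HTTP status, including 404,
    # proves DNS, TCP and TLS to login.microsoftonline.com work from this machine.
    try {
        $null = Invoke-WebRequest -Uri "$Authority/" -UseBasicParsing -TimeoutSec 15
        $result.Reachable = $true
    } catch {
        if ($_.Exception.Response) { $result.Reachable = $true }
        else {
            $result.Detail = "No HTTP response from authority: $($_.Exception.Message)"
            return [pscustomobject]$result
        }
    }

    # Step 2: tenant-specific discovery document. This is what separates
    # "the endpoint is reachable" from "this tenant exists and can issue tokens".
    $discoveryUri = "$Authority/$TenantId/v2.0/.well-known/openid-configuration"
    try {
        $resp = Invoke-WebRequest -Uri $discoveryUri -UseBasicParsing -TimeoutSec 15
        $doc = $resp.Content | ConvertFrom-Json
        if ($doc.token_endpoint) {
            $result.TenantFound = $true
            $result.Detail = "token_endpoint: $($doc.token_endpoint)"
        } else {
            $result.Detail = 'Discovery document returned but has no token_endpoint'
        }
    } catch {
        # Windows PowerShell 5.1 throws WebException, PowerShell 7 HttpResponseException;
        # both expose the HTTP status, and ErrorDetails usually carries the JSON error body.
        $status = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { 0 }
        $body = if ($_.ErrorDetails) { $_.ErrorDetails.Message } else { $_.Exception.Message }
        $result.Detail = "HTTP $status from discovery endpoint: $body"
    }
    [pscustomobject]$result
}

# Runs against the two tenant IDs used in the thread (Microsoft's tenant and the all-zero ID).
Test-AadTenantEndpoint -TenantId '72f988bf-86f1-41af-91ab-2d7cd011db47'
Test-AadTenantEndpoint -TenantId '00000000-0000-0000-0000-000000000000'
```

A result with Reachable true and TenantFound false points at the tenant ID (or a proxy rewriting the path) rather than at network connectivity, which the bare /<TenantID>/ probe cannot tell apart.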

@chiyao Thank you for your detailed response. Let me confirm the same use case with our internal team, and I will keep you posted on the same.

Thanks

0 Votes 0 ·