locked
Failed to obtain the Json Web Token(JWT) for Service Principal RRS feed

  • Question

  • Hi there,

    These past couple of weeks I had been experiencing the following error in VSTS: 

    ##[error]AADSTS70002: Error validating credentials. AADSTS50012: Invalid client secret is provided.


    Upon checking the Service Endpoint and verifying the connection, this is the error message:

    Failed to obtain the Json Web Token(JWT) for service principal id '<SP ID Omitted>'. Exception Message: AADSTS70002: Error validating credentials. AADSTS50012: Invalid client secret is provided. Trace ID: 885a1c05-9fb1-417e-a0b4-47cd75f9f6e0 Correlation ID: 06be4f96-191a-4b46-b050-dbf7789cd472 Timestamp: 2017-03-05 23:00:08Z 

    As a temporary solution I had to create a new service principal and update the service endpoint's service configuration. Also had to reconfigure access policy in the Key Vault to point to this new service principal. This is not ideal as we have multiple team projects and a whole heap of key vaults.

    If it's of any help, I am using an on-premise agent.

    I would be very keen to understand the root cause and hopefully find a way to avoid this in the future.  

    Thanks.

    Sunday, March 5, 2017 11:18 PM

All replies

  • We are suspecting that the spn key got expired for you.

    Try the below workarounds.

    Run the following PowerShell script from Agent machine or any machine with Azure PowerShell installed. (find azure PowerShell v1.3.2)

                           $azureSubscriptionId = "{subscriptionId}"

                          $azureSubscriptionName = "{subscriptionName}"

                          $tenantId = "{tenantId}"

                          $servicePrincipalId = "{spnId}"

                          $servicePrincipalKey = “{SPNKey}”

                         $securePassword = ConvertTo-SecureString $servicePrincipalKey -AsPlainText -Force

                         $psCredential = New-Object System.Management.Automation.PSCredential ($servicePrincipalId, $securePassword)

                         $azureRMAccount = Add-AzureRMAccount -ServicePrincipal -Tenant $tenantId -Credential $psCredential

    It should fail and probably give more meaningful error saying invalid secret provided.

    Also, Update the SPN key to use existing SPN

    Thursday, March 9, 2017 8:24 AM
  • Were you able to resolve? We are running into the same issue. Suspecting it is the result of an expired management certificate associated with the subscription but am having trouble connecting the dots.
    Wednesday, May 31, 2017 6:21 PM
  • I would suggest you execute the series of PowerShell cmdlets that have been already mentioned on the forum if you are using an ARM endpoint. If you are using a classic endpoint, you can go to the classic azure portal and see if the certificate has expired, and if it has, you can renew it from the classic portal itself.

    ------------------------------------------------------------------------------------------------------------------

    Do click on "Mark as Answer" on the post that helps you, this can be beneficial to other community members
    Tuesday, June 6, 2017 11:22 AM
  • Hi Sheethal,

    Thanks for the suggestion.

    The issue is indeed because the SPN key has expired.

    Since I am using ARM, what I have done as a one-off solution is to generate a key that doesn't expire via the portal (AAD > App Registrations > [select the app registration]).

    The app registration's settings, select Keys from the menu and populate the description field and expires is set to "Never expires". Save it and a key will be generated.

    The generated key is what I have then used to update the Service Configuration in my ARM service endpoint in VSTS.

    Tuesday, June 6, 2017 9:50 PM
  • Hi pstricker9117,

    I'm not sure if it's of any use to you but yes I was able to resolve, please see my reply to Sheethal below (not the most elegant solution but at least I can guarantee I won't run into the same key expired issue).

    Because I had created the service principal (New-AzureRMADApplication) via PowerShell, I believe by default the expiry was set to one year from the date it was created.

    Tuesday, June 6, 2017 9:58 PM
  • @JMTyrek Thanks for Confirming .

    @pstricker try the above steps and let us know how it goes .

    Wednesday, June 7, 2017 6:00 AM
  • @Sheethal @JMTyrek Thanks for the followup. We were using a classic endpoint and it was indeed an expired certificate. Since it appears we were using a slightly deprecated solution we went ahead and created a new Azure Service Principal for our subscription and are using that with success.
    Wednesday, June 7, 2017 4:16 PM