Multi Tenant: creating a user with Graph fails

  • Question

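  •       I created an Active Directory application (app A) in Azure China. Its job is to obtain the signed-in user's access token and then use that token to create users through the Graph API (I followed the sample code AzureADSamples/WebApp-GraphAPI-DotNet).

          I published this application in tenant A.

          When I sign in as the administrator of tenant A and use the sample's [authenticationContext.AcquireTokenByAuthorizationCode] to get the user's access token, I get it; using that token to fetch SubscribedSkus [client.SubscribedSkus.ExecuteAsync().Result] also works, and the subsequent add-user operation [client.Users.AddUserAsync(user).Wait()] succeeds as well.

          But when I sign in as the administrator of tenant B and likewise use the sample's [authenticationContext.AcquireTokenByAuthorizationCode] to get the user's access token, I get it; then using this token to fetch SubscribedSkus [client.SubscribedSkus.ExecuteAsync().Result] fails with the error "Invalid domain name in the request url" [full error details at the end].

          For [LoginEntry] in the code I used [login.chinacloudapi.cn/common], and for [ResouceUrl] I used [https://graph.chinacloudapi.cn].

          I have already enabled [multi-tenant] mode on that application in tenant A in Azure and granted it the corresponding permissions.

          Has anyone run into this problem?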

    System.AggregateException: One or more errors occurred. ---> Microsoft.Data.OData.ODataErrorException: Invalid domain name in the request url. ---> System.Data.Services.Client.DataServiceQueryException: An error occurred while processing this request. ---> System.Data.Services.Client.DataServiceClientException: {"odata.error":{"code":"Request_BadRequest","message":{"lang":"en","value":"Invalid domain name in the request url."}}}
       at System.Data.Services.Client.BaseAsyncResult.EndExecute[T](Object source, String method, IAsyncResult asyncResult)
       at System.Data.Services.Client.QueryResult.EndExecuteQuery[TElement](Object source, String method, IAsyncResult asyncResult)
       --- End of inner exception stack trace ---
       at System.Data.Services.Client.QueryResult.EndExecuteQuery[TElement](Object source, String method, IAsyncResult asyncResult)
       at System.Data.Services.Client.DataServiceRequest.EndExecute[TElement](Object source, DataServiceContext context, String method, IAsyncResult asyncResult)
       at System.Data.Services.Client.DataServiceQuery`1.EndExecute(IAsyncResult asyncResult)
       at Microsoft.Azure.ActiveDirectory.GraphClient.Extensions.DataServiceContextWrapper.<>c__DisplayClass4c`2.<ExecuteAsync>b__4a(IAsyncResult r)
       at System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar, Func`2 endFunction, Action`1 endAction, Task`1 promise, Boolean requiresSynchronization)
    --- End of stack trace from previous location where exception was thrown ---
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at Microsoft.Azure.ActiveDirectory.GraphClient.Extensions.DataServiceContextWrapper.<ExecuteAsync>d__4e`2.MoveNext()
       --- End of inner exception stack trace ---
       at Microsoft.Azure.ActiveDirectory.GraphClient.Extensions.DataServiceContextWrapper.<ExecuteAsync>d__4e`2.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at Microsoft.Azure.ActiveDirectory.GraphClient.SubscribedSkuCollection.<<ExecuteAsync>b__2>d__3.MoveNext()
       --- End of inner exception stack trace ---
       at System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceledExceptions)
       at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
       at System.Threading.Tasks.Task`1.get_Result()
       at ProvisioningToolUserOper.CreateUser.btnGetSkuList_Click(Object sender, EventArgs e)
    ---> (Inner Exception #0) Microsoft.Data.OData.ODataErrorException: Invalid domain name in the request url. ---> System.Data.Services.Client.DataServiceQueryException: An error occurred while processing this request. ---> System.Data.Services.Client.DataServiceClientException: {"odata.error":{"code":"Request_BadRequest","message":{"lang":"en","value":"Invalid domain name in the request url."}}}
       at System.Data.Services.Client.BaseAsyncResult.EndExecute[T](Object source, String method, IAsyncResult asyncResult)
       at System.Data.Services.Client.QueryResult.EndExecuteQuery[TElement](Object source, String method, IAsyncResult asyncResult)
       --- End of inner exception stack trace ---
       at System.Data.Services.Client.QueryResult.EndExecuteQuery[TElement](Object source, String method, IAsyncResult asyncResult)
       at System.Data.Services.Client.DataServiceRequest.EndExecute[TElement](Object source, DataServiceContext context, String method, IAsyncResult asyncResult)
       at System.Data.Services.Client.DataServiceQuery`1.EndExecute(IAsyncResult asyncResult)
       at Microsoft.Azure.ActiveDirectory.GraphClient.Extensions.DataServiceContextWrapper.<>c__DisplayClass4c`2.<ExecuteAsync>b__4a(IAsyncResult r)
       at System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar, Func`2 endFunction, Action`1 endAction, Task`1 promise, Boolean requiresSynchronization)
    --- End of stack trace from previous location where exception was thrown ---
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at Microsoft.Azure.ActiveDirectory.GraphClient.Extensions.DataServiceContextWrapper.<ExecuteAsync>d__4e`2.MoveNext()
       --- End of inner exception stack trace ---
       at Microsoft.Azure.ActiveDirectory.GraphClient.Extensions.DataServiceContextWrapper.<ExecuteAsync>d__4e`2.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at Microsoft.Azure.ActiveDirectory.GraphClient.SubscribedSkuCollection.<<ExecuteAsync>b__2>d__3.MoveNext()<---


    August 12, 2015 8:00

All replies

  • If you want to use multi-tenant sign-in, you can refer to this example: https://github.com/AzureADSamples/WebApp-WebAPI-MultiTenant-OpenIdConnect-DotNet

    August 12, 2015 9:34
  • Hi,

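    From your description, your token may be correct, and the problem may lie in the request address. When you use the tenant B administrator to get SubscribedSkus or to create an account, I suggest you use the Fiddler tool to check whether the tenant information in the URL you are requesting is correct. Please refer to the figure below:

    The following two Graph REST API articles can help you check the details of the request:

    #Create user: https://msdn.microsoft.com/zh-cn/library/azure/dn130117.aspx

    #Query SubscribedSkus: https://msdn.microsoft.com/zh-cn/library/azure/jj126255.aspx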

    Best Regards,

    Jambor



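    August 13, 2015 7:38
    Moderator
  • I am not using the REST API approach; I am using the ActiveDirectoryClient approach.

    With ActiveDirectoryClient, after successfully obtaining the access token, the error above occurs when getting the SKU information of a tenant other than the publishing tenant.

    I also tried the REST API approach before, but after I appended &deltaLink=[AccessToken] to the API address, it always returned a 401 unauthorized error, even though the AccessToken passed in had been confirmed usable; I tested by other means that the token does work.

    August 14, 2015 6:48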
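  • Everyone:

    The information in post #1 is the error reported when executing client.SubscribedSkus.ExecuteAsync().Result via ActiveDirectoryClient.

    Later I found that, with the same token, the SKU information can be retrieved correctly using the code below.

    However, the code below runs fine in a console program; if the same code is put in a web page and run as a web app (published to Azure), it waits forever at graphConnection.List<SubscribedSku>(null, null) until it times out (no exception is raised).

    Hoping an expert can answer.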

        // Correlation ID sent with the Graph request
        Guid ClientRequestId = Guid.NewGuid();
        // Point the Graph client at the Azure China endpoint
        GraphSettings graphSettings = new GraphSettings();
        graphSettings.ApiVersion = "2013-11-08";
        graphSettings.GraphDomainName = "graph.chinacloudapi.cn";

        // Connect with the access token obtained earlier and list the subscribed SKUs
        GraphConnection graphConnection = new GraphConnection(AccessToken, ClientRequestId, graphSettings);
        PagedResults<SubscribedSku> skus = graphConnection.List<SubscribedSku>(null, null);
        foreach (SubscribedSku sku in skus.Results)
        {
            // Append each SKU ID to the text box, separated by ';'
            txtSkuList.Text += sku.SkuId.Value.ToString() + ";";
        }

    August 14, 2015 6:53
  • Hi,

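    Azure Active Directory is a REST-based service. When using the .NET SDK, we can use the Fiddler tool to capture the details of the requests. For example, when we execute client.SubscribedSkus.ExecuteAsync().Result, Fiddler shows the information captured in the first row in my first reply. We can check the request URL this way to find out why the "Invalid domain name in the request url" error occurs. As for your previous reply, where the console program succeeds but the web program times out, you can also use Fiddler to compare how the requests differ for the same code. To reproduce the problem better, what specific changes did you make to the AzureADSamples/WebApp-GraphAPI-DotNet demo so that tenant B's administrator can access it? We hope you can provide more details so that we can better reproduce your problem.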

    Jambor



    August 18, 2015 9:05
    Moderator
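
The check the moderator's replies describe, comparing the tenant in a captured Graph request URL with the tenant the access token was issued for, as an added example that is not part of the original thread or of the Microsoft sample. It assumes a current .NET runtime with System.Text.Json; the class and method names are hypothetical, the tenant IDs and token are constructed placeholders, and the token payload is decoded without signature verification, for diagnosis only.

```csharp
using System;
using System.Text;
using System.Text.Json;

static class TenantCheck
{
    // Read the "tid" claim from a JWT payload. No signature check: diagnosis only.
    public static string TenantIdFromToken(string jwt)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3) throw new FormatException("not a compact JWT");
        string b64 = parts[1].Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        string json = Encoding.UTF8.GetString(Convert.FromBase64String(b64));
        using JsonDocument doc = JsonDocument.Parse(json);
        return doc.RootElement.GetProperty("tid").GetString() ?? "";
    }

    // First path segment of a Graph request URL: https://graph.chinacloudapi.cn/{tenant}/...
    public static string TenantFromUrl(string requestUrl)
    {
        string[] segs = new Uri(requestUrl).AbsolutePath
            .Split('/', StringSplitOptions.RemoveEmptyEntries);
        if (segs.Length == 0) throw new FormatException("no tenant segment in URL");
        return Uri.UnescapeDataString(segs[0]);
    }

    // Compare the two; a domain-name segment cannot be resolved offline, so it is only reported.
    public static string Compare(string jwt, string requestUrl)
    {
        string tid = TenantIdFromToken(jwt), seg = TenantFromUrl(requestUrl);
        if (!Guid.TryParse(seg, out Guid urlTenant))
            return $"URL names tenant '{seg}'; confirm that name belongs to tenant {tid}";
        return Guid.TryParse(tid, out Guid tokenTenant) && urlTenant == tokenTenant
            ? "OK: URL tenant matches token tid"
            : $"MISMATCH: URL targets {seg}, token was issued for {tid}";
    }

    static string B64Url(string s) => Convert.ToBase64String(Encoding.UTF8.GetBytes(s))
        .TrimEnd('=').Replace('+', '-').Replace('/', '_');

    static void Main()
    {
        // Constructed sample data: placeholder tenant IDs and an unsigned token.
        string tenantA = "11111111-1111-1111-1111-111111111111";
        string tenantB = "22222222-2222-2222-2222-222222222222";
        string token = B64Url("{\"alg\":\"none\"}") + "." + B64Url("{\"tid\":\"" + tenantB + "\"}") + ".sig";
        string api = "/subscribedSkus?api-version=2013-11-08";
        Console.WriteLine(Compare(token, "https://graph.chinacloudapi.cn/" + tenantA + api));
        Console.WriteLine(Compare(token, "https://graph.chinacloudapi.cn/" + tenantB + api));
    }
}
```

Paste the Authorization header's bearer token and the request URL from the Fiddler capture in place of the constructed values; the first sample call reports a mismatch and the second reports a match.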