我们已使用 this documentation 成功为现有 Service Fabric 群集设置了 AAD 身份验证。 。但是,在向应用程序分配组时,我们遇到了一些问题:
- 与直接分配了管理员角色的用户联系 ✔
- 与直接分配给管理员角色的群组成员的用户联系 ✔
- 与直接分配给管理员角色的群组成员的用户建立联系 ❌
Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: AADSTS50105: The signed in user '{EmailHidden}' is not assigned to a role for the application
Connect-ServiceFabricCluster -ConnectionEndpoint xxx.westeurope.cloudapp.azure.com:19000 -
AzureActiveDirectory -ServerCertThumbprint yyy
WARNING: Failed to contact Naming Service. Attempting to contact Failover Manager Service...
WARNING: Failed to contact Failover Manager Service, Attempting to contact FMM...
False
Connect-ServiceFabricCluster : GetAccessToken failed:
authority=https://login.microsoftonline.com/zzz
cluster=xxx client=yyy
error=Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: AADSTS50105: The signed in user
'{EmailHidden}' is not assigned to a role for the application
'xxx'(myclustername).
Trace ID: <traceid>
Correlation ID: <correlationId>
Timestamp: 2020-09-01 16:03:00Z
at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.RunAsyncTask[T](Task`1 task)
at System.Fabric.AzureActiveDirectory.Client.ClientUtility.GetAccessToken(String authority, String audience, String
client, String redirectUri, Boolean refreshSession)
at GetAccessToken(Char* authority, Char* audience, Char* client, Char* redirectUri, Boolean refreshSession, Char*
outBuffer, Int32 outBufferSize)
ErrorCode: access_denied
StatusCode: 0
At line:1 char:1
+ Connect-ServiceFabricCluster -ConnectionEndpoint xxx.westeurop ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Connect-ServiceFabricCluster], FabricException
+ FullyQualifiedErrorId : TestClusterConnectionErrorId,Microsoft.ServiceFabric.Powershell.ConnectCluster
我通过 Service Fabric Explorer 和 Powershell (Connect-ServiceFabricCluster
) 进行了尝试。 Service Fabric Explorer 在登录后就卡住了,而 Powershell 则给出了上述错误。
我是否达到了可能的极限,或者是否可以允许这种情况发生?
最佳答案
基于组的分配不支持嵌套组。
https://learn.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-saasapps
Group-based assignment is supported only for security groups. Nested group memberships are not supported for group-based assignment to applications at this time.
关于azure - 如果用户所在的组又是另一个组的成员,则会出现错误 AADSTS50105,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/63691485/