AADSTS50126:用户名或密码无效 [英] AADSTS50126: Invalid username or password
问题描述
我注册了一个原生应用程序(用于Power BI推送操作)并添加了必要的API权限。
全球管理员同意。但访问令牌方法失败。
I've registered a native app (for Power BI push operation) and added the necessary API permissions.
Global admin granted the consent. But the access token method fails.
用于获取访问令牌的等效PS脚本
equivalent PS script used to get access token
$ authUrl =" https://login.windows.net/common/oauth2/token"
$ body = @ {
" resource" ="https://analysis.windows.net/powerbi/api" ;;
" client_id" ="myclientid";
" grant_type" =" password";
" username" =" myuser";
" password" =" mypass";
" scope" ="openid"
}
$ authResponse = Invoke-RestMethod -Uri $ authUrl -Method POST -Body $ body
$authUrl = "https://login.windows.net/common/oauth2/token"
$body = @{
"resource" = "https://analysis.windows.net/powerbi/api";
"client_id" = "myclientid";
"grant_type" = "password";
"username" = "myuser";
"password" = "mypass";
"scope" = "openid"
}
$authResponse = Invoke-RestMethod -Uri $authUrl –Method POST -Body $body
$ authResponse.access_token
$authResponse.access_token
但得到同样的错误:
Invoke- RestMethod:{" error":" invalid_grant"," error_description":" AADSTS50126:用户名或密码无效。
Invoke-RestMethod : {"error":"invalid_grant","error_description":"AADSTS50126: Invalid username or password.
使用的主帐户从Windows活动目录服务器同步到Azure AD。
The master account used is synchronised to Azure AD from windows active directory server.
(整个方法在Azure AD本身上创建主帐户的不同租户中工作正常。
(The whole approach works fine in a different tenant where the master account is create on Azure AD itself.
阻止此问题你有一段时间了。任何快速帮助表示赞赏。在此先感谢。
Blocked around this issue for a while. Any quick help is appreciated. Thanks in advance.
推荐答案
您好,
听起来您处于这样的情况:您可以使用Azure AD和本地AD进行混合设置。这种情况无法正常运行。
It sounds like you are in a situation where you have a hybrid setup with Azure AD and on-prem AD. And this is the scenario that doesn't work properly.
可行的方案是在云上创建帐户时。
The scenario that does work is when your account is created on the cloud.
这是因为ROPC(密码)流在某些情况下不起作用。
This is because the ROPC (password) flow doesn't work in certain situations.
来自文章: https://joonasw.net/view/ropc-grant-flow-in-azure-ad
From article : https://joonasw.net/view/ropc-grant-flow-in-azure-ad
在示例应用程序中,创建了一个自定义登录页面,该页面使用用户的凭据以及应用程序的凭据调用Azure AD的令牌端点。示例应用程序位于GitHub上: https://github.com/juunas11/7-deadly-sins-in-azure-ad-app-development/tree/master/RopcLogin 。
这种方法适用于普通的纯云用户(本地和访客)。
In the sample app a custom login page is made that calls Azure AD's token endpoint with the user's credentials as well as the app's credentials. The sample app is on GitHub: https://github.com/juunas11/7-deadly-sins-in-azure-ad-app-development/tree/master/RopcLogin. The approach there does work for regular cloud-only users (local and guest).
但是, 它不适用于:
- 具有多重身份验证的用户
- 未同意所需范围的用户
- 密码已过期的用户 < li style =""> 从内部部署AD同步的用户
- 个人Microsoft或Google帐户
这篇关于AADSTS50126:用户名或密码无效的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
