Azure Government Cloud Azure App Health Check Error #7663

Closed
1 task done
briggs-octo opened this issue Jul 14, 2022 · 7 comments
Labels
kind/bug This issue represents a verified problem we are committed to solving state/happening Currently in progress (4/4)

briggs-octo commented Jul 14, 2022

Team

  • I've assigned a team label to this issue

Severity

Blocking, a workaround exists under certain scenarios

Version

Octopus Version: 2022.2.7244, Sashimi.AzureAppService Version: 2.4.2

Latest Version

Not applicable

What happened?

When attempting to run a system health check on an Azure app deployment target in Azure government cloud, the following error is thrown and the health check fails:

ClientSecretCredential authentication failed:
AADSTS900382: Confidential Client is not supported in Cross Cloud request.
Microsoft.Identity.Client.MsalServiceException

Reproduction

  1. Configure Azure government cloud credentials on Octopus server.
  2. Configure an Azure app deployment target in Azure government cloud.
  3. Run a full health check against the previously configured deployment target.

Error and Stacktrace

ClientSecretCredential authentication failed:
AADSTS900382: Confidential Client is not supported in Cross Cloud request.
Microsoft.Identity.Client.MsalServiceException

More Information

Internal 🎫 1
Internal 🎫 2
Internal 🧵
Potentially Related Code 💻

Workaround

Add a system environment variable AZURE_AUTHORITY_HOST with the value of "https://login.microsoft.us" and restart the Octopus Server service.

**Workaround should not be used when using both Azure government and public credentials on the same Octopus instance, as AZURE_AUTHORITY_HOST is a shared variable and this will cause Azure public cloud authentication health checks to break**

@briggs-octo briggs-octo added kind/bug This issue represents a verified problem we are committed to solving state/triage labels Jul 14, 2022
@jared-koiter

I tried testing the suggested workaround in our environment and found that setting the system environment variable AZURE_AUTHORITY_HOST to https://login.microsoftonline.us allowed us to perform a successful health check against our Azure US Government target app service. However, I can also confirm that in doing so our Azure Public cloud targets started failing their health checks on the same error. I don't believe that the workaround can be used on environments that target both Azure cloud instances.
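Added example, not written by any participant in this thread and not the Octopus fix (whose code this issue does not show): AZURE_AUTHORITY_HOST is read once for the whole process, so one value cannot serve two clouds, whereas Azure.Identity also accepts the authority per credential through `TokenCredentialOptions.AuthorityHost`. The `AzureCloud` enum, the `PerAccountCredentials` helper and the all-digit IDs are hypothetical placeholders.

```csharp
using System;
using Azure.Identity;   // NuGet package: Azure.Identity

// Hypothetical model of which cloud an account belongs to (not an Octopus type).
public enum AzureCloud { Public, UsGovernment }

public static class PerAccountCredentials
{
    // Azure AD authority for the account's own cloud.
    public static Uri AuthorityFor(AzureCloud cloud) => cloud switch
    {
        AzureCloud.Public       => AzureAuthorityHosts.AzurePublicCloud,
        AzureCloud.UsGovernment => AzureAuthorityHosts.AzureGovernment,
        _ => throw new ArgumentOutOfRangeException(nameof(cloud))
    };

    // The token scope must name the Resource Manager endpoint of the same cloud;
    // pairing one cloud's authority with another cloud's resource is a cross-cloud request.
    public static string ArmScopeFor(AzureCloud cloud) => cloud switch
    {
        AzureCloud.Public       => "https://management.azure.com/.default",
        AzureCloud.UsGovernment => "https://management.usgovcloudapi.net/.default",
        _ => throw new ArgumentOutOfRangeException(nameof(cloud))
    };

    // An AuthorityHost set explicitly on the options takes precedence over the
    // AZURE_AUTHORITY_HOST environment variable, so each account stays in its cloud.
    public static ClientSecretCredential Create(
        AzureCloud cloud, string tenantId, string clientId, string clientSecret)
    {
        var options = new TokenCredentialOptions { AuthorityHost = AuthorityFor(cloud) };
        return new ClientSecretCredential(tenantId, clientId, clientSecret, options);
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed placeholder values; no network call is made here.
        foreach (var cloud in new[] { AzureCloud.Public, AzureCloud.UsGovernment })
        {
            var credential = PerAccountCredentials.Create(
                cloud, "11111111-1111-1111-1111-111111111111",
                "22222222-2222-2222-2222-222222222222", "placeholder-secret");
            Console.WriteLine($"{cloud}: authority={PerAccountCredentials.AuthorityFor(cloud)} " +
                              $"scope={PerAccountCredentials.ArmScopeFor(cloud)} ({credential.GetType().Name})");
        }
    }
}
```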

@mjhilton

Thanks for confirming the behaviour we'd suspected @jared-koiter. I'm sorry that the workaround isn't able to get your Health Checks for both Azure clouds working correctly.

I've developed a fix for the problem and am aiming to get it out ASAP.

Can you please confirm which version of Octopus you're running on at the moment?

@jared-koiter

We're currently running v2022.2.6971 in our environment.

@octoreleasebot

Release Note: Fixed an issue where Health Checks for Azure App Service targets failed for clouds other than Azure Public (e.g. Azure Government)

@mjhilton

The fix for this problem has been merged to the 2022.2 Release Stream (most recent for self-hosted customers), and 2022.3 Release Stream (current for Octopus Cloud customers).

  • The installer for the 2022.2 stream is being prepared and will hit the website for self-hosted customers to upgrade in the next few hours.
  • The Octopus Cloud release will follow our standard release cycle times. As we've not yet had any reports of Cloud customers being affected, we'll just let that roll through as per normal.

This issue will be updated with the version numbers the fix is available from once they are released.

mjhilton commented Jul 21, 2022

Some services in Azure are down at the moment which is having a flow-on effect to a few of our pipelines. This will eventually get automatically posted to this issue, but in the meantime:

The fix for this is available in Server Stream 2022.2 from version 2022.2.7388. The installer is live on the website.

(Note: the release notes on our website for this version are also not currently correct - we accidentally referenced #7544 instead of this issue in the PR to Octopus Server. I've corrected the source data, and this will automatically sort itself out once things are chugging along again.)

Octobob commented Aug 29, 2022

🎉 The fix for this issue has been released in:

| Release stream | Release |
|---|---|
| 2022.2 | 2022.2.7388 |
| 2022.3 | 2022.3.5692 |
| 2022.4+ | all releases |
