Connect-AzAccount: MacOS KeyChain authorization/authentication failed #15423

Closed
mgreenegit opened this issue Jul 6, 2021 · 6 comments
Labels
needs-triage This is a new issue that needs to be triaged to the appropriate team.

Comments

@mgreenegit
Member

Description

When attempting to sign in from PowerShell 7.2.0-preview.7 and Az.Accounts 2.5.0, the following error always occurs.

PS>connect-azaccount -DeviceCode
WARNING: Unable to acquire token for tenant 'organizations' with error 'DeviceCodeCredential authentication failed: Persistence check failed. Reason: KeyChain authorization/authentication failed. .Error code: -25293. OS error code -25293.'
Connect-AzAccount: DeviceCodeCredential authentication failed: Persistence check failed. Reason: KeyChain authorization/authentication failed. .Error code: -25293. OS error code -25293.

Debug output

PS>connect-azaccount -DeviceCode -Debug
DEBUG: 12:26:32 PM - ConnectAzureRmAccountCommand begin processing with ParameterSet 'UserWithSubscriptionId'.

Confirm
Are you sure you want to perform this action?
Performing the operation "log in" on target "User account in environment 'AzureCloud'".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): a
DEBUG: 12:26:33 PM - Autosave setting from startup session: 'CurrentUser'
DEBUG: 12:26:33 PM - No autosave setting detected in environment variable 'AzContextAutoSave'.
DEBUG: 12:26:33 PM - Using Autosave scope 'CurrentUser'
DEBUG: 12:26:33 PM - [DeviceCodeAuthenticator] Calling DeviceCodeCredential.AuthenticateAsync - TenantId:'', Scopes:'https://management.core.windows.net//.default', AuthorityHost:'https://login.microsoftonline.com/'
DEBUG: DeviceCodeCredential.Authenticate invoked. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:
DEBUG: DeviceCodeCredential.Authenticate was unable to retrieve an access token. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:  Exception: Azure.Identity.AuthenticationFailedException (0x80131500): DeviceCodeCredential authentication failed: Persistence check failed. Reason: KeyChain authorization/authentication failed. .Error code: -25293. OS error code -25293.
 ---> Microsoft.Identity.Client.Extensions.Msal.MsalCachePersistenceException (0x80131500): Persistence check failed. Reason: KeyChain authorization/authentication failed. .Error code: -25293. OS error code -25293.
 ---> Microsoft.Identity.Extensions.InteropException (0x80131500): KeyChain authorization/authentication failed. .Error code: -25293
WARNING: Unable to acquire token for tenant 'organizations' with error 'DeviceCodeCredential authentication failed: Persistence check failed. Reason: KeyChain authorization/authentication failed. .Error code: -25293. OS error code -25293.'

Confirm
Continue with this operation?
[Y] Yes  [A] Yes to All  [H] Halt Command  [S] Suspend  [?] Help (default is "Y"): a
DEBUG: 12:26:35 PM - Unable to acquire token for tenant 'organizations' with error 'Azure.Identity.AuthenticationFailedException: DeviceCodeCredential authentication failed: Persistence check failed. Reason: KeyChain authorization/authentication failed. .Error code: -25293. OS error code -25293.
 ---> Microsoft.Identity.Client.Extensions.Msal.MsalCachePersistenceException: Persistence check failed. Reason: KeyChain authorization/authentication failed. .Error code: -25293. OS error code -25293.
 ---> Microsoft.Identity.Extensions.InteropException: KeyChain authorization/authentication failed. .Error code: -25293
   at Microsoft.Identity.Extensions.Mac.SecurityFramework.ThrowIfError(Int32 error, String defaultErrorMessage) in Microsoft.Identity.Client.Extensions.Msal.dll:token 0x6000031+0x87
   at Microsoft.Identity.Client.Extensions.Msal.MacOSKeychain.Get(String service, String account) in Microsoft.Identity.Client.Extensions.Msal.dll:token 0x6000081+0xfa
   at Microsoft.Identity.Client.Extensions.Msal.MacKeychainAccessor.Read() in Microsoft.Identity.Client.Extensions.Msal.dll:token 0x6000049+0x26
   at Microsoft.Identity.Client.Extensions.Msal.MsalCacheStorage.VerifyPersistence() in Microsoft.Identity.Client.Extensions.Msal.dll:token 0x6000075+0x41
   --- End of inner exception stack trace ---
   at Microsoft.Identity.Client.Extensions.Msal.MsalCacheStorage.VerifyPersistence() in Microsoft.Identity.Client.Extensions.Msal.dll:token 0x6000075+0xac
   at Microsoft.Identity.Client.Extensions.Msal.MsalCacheHelper.VerifyPersistence() in Microsoft.Identity.Client.Extensions.Msal.dll:token 0x6000067+0x0
   at Azure.Identity.MsalCacheHelperWrapper.VerifyPersistence() in Azure.Identity.dll:token 0x6000222+0x0
   at Azure.Identity.TokenCache.GetCacheHelperAsync(Boolean async, CancellationToken cancellationToken) in Azure.Identity.dll:token 0x600029c+0x20b
   at Azure.Identity.TokenCache.RegisterCache(Boolean async, ITokenCache tokenCache, CancellationToken cancellationToken) in Azure.Identity.dll:token 0x6000296+0x8c
   at Azure.Identity.MsalClientBase`1.GetClientAsync(Boolean async, CancellationToken cancellationToken) in Azure.Identity.dll:token 0x6000231+0x1e2
   at Azure.Identity.MsalPublicClient.AcquireTokenWithDeviceCodeCoreAsync(String[] scopes, String claims, Func`2 deviceCodeCallback, Boolean async, CancellationToken cancellationToken) in Azure.Identity.dll:token 0x6000247+0x86
   at Azure.Identity.MsalPublicClient.AcquireTokenWithDeviceCodeAsync(String[] scopes, String claims, Func`2 deviceCodeCallback, Boolean async, CancellationToken cancellationToken) in Azure.Identity.dll:token 0x6000246+0x8e
   at Azure.Identity.DeviceCodeCredential.GetTokenViaDeviceCodeAsync(TokenRequestContext context, Boolean async, CancellationToken cancellationToken) in Azure.Identity.dll:token 0x6000162+0xc7
   at Azure.Identity.DeviceCodeCredential.AuthenticateImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken) in Azure.Identity.dll:token 0x6000160+0xa7
   --- End of inner exception stack trace ---
   at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex) in Azure.Identity.dll:token 0x6000105+0x1c
   at Azure.Identity.DeviceCodeCredential.AuthenticateImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken) in Azure.Identity.dll:token 0x6000160+0xc7
   at Azure.Identity.DeviceCodeCredential.AuthenticateAsync(TokenRequestContext requestContext, CancellationToken cancellationToken) in Azure.Identity.dll:token 0x600015c+0x79
   at Microsoft.Azure.PowerShell.Authenticators.MsalAccessToken.GetAccessTokenAsync(Task`1 authTask, TokenCredential tokenCredential, TokenRequestContext requestContext, CancellationToken cancellationToken) in Microsoft.Azure.PowerShell.Authenticators.dll:token 0x6000039+0x72
   at Microsoft.Azure.Commands.Common.Authentication.Factories.AuthenticationFactory.Authenticate(IAzureAccount account, IAzureEnvironment environment, String tenant, SecureString password, String promptBehavior, Action`1 promptAction, IAzureTokenCache tokenCache, String resourceId) in Microsoft.Azure.PowerShell.Authentication.dll:token 0x600018b+0x5b
   at Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient.AcquireAccessToken(IAzureAccount account, IAzureEnvironment environment, String tenantId, SecureString password, String promptBehavior, Action`1 promptAction, String resourceId) in Microsoft.Azure.PowerShell.Cmdlets.Accounts.dll:token 0x6000014+0x2c
   at Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient.ListAccountTenants(IAzureAccount account, IAzureEnvironment environment, SecureString password, String promptBehavior, Action`1 promptAction) in Microsoft.Azure.PowerShell.Cmdlets.Accounts.dll:token 0x6000016+0xd'
DEBUG: Azure.Identity.AuthenticationFailedException: DeviceCodeCredential authentication failed: Persistence check failed. Reason: KeyChain authorization/authentication failed. .Error code: -25293. OS error code -25293.
 ---> Microsoft.Identity.Client.Extensions.Msal.MsalCachePersistenceException: Persistence check failed. Reason: KeyChain authorization/authentication failed. .Error code: -25293. OS error code -25293.
 ---> Microsoft.Identity.Extensions.InteropException: KeyChain authorization/authentication failed. .Error code: -25293
   at Microsoft.Identity.Extensions.Mac.SecurityFramework.ThrowIfError(Int32 error, String defaultErrorMessage) in Microsoft.Identity.Client.Extensions.Msal.dll:token 0x6000031+0x87
   at Microsoft.Identity.Client.Extensions.Msal.MacOSKeychain.Get(String service, String account) in Microsoft.Identity.Client.Extensions.Msal.dll:token 0x6000081+0xfa
   at Microsoft.Identity.Client.Extensions.Msal.MacKeychainAccessor.Read() in Microsoft.Identity.Client.Extensions.Msal.dll:token 0x6000049+0x26
   at Microsoft.Identity.Client.Extensions.Msal.MsalCacheStorage.VerifyPersistence() in Microsoft.Identity.Client.Extensions.Msal.dll:token 0x6000075+0x41
   --- End of inner exception stack trace ---
   at Microsoft.Identity.Client.Extensions.Msal.MsalCacheStorage.VerifyPersistence() in Microsoft.Identity.Client.Extensions.Msal.dll:token 0x6000075+0xac
   at Microsoft.Identity.Client.Extensions.Msal.MsalCacheHelper.VerifyPersistence() in Microsoft.Identity.Client.Extensions.Msal.dll:token 0x6000067+0x0
   at Azure.Identity.MsalCacheHelperWrapper.VerifyPersistence() in Azure.Identity.dll:token 0x6000222+0x0
   at Azure.Identity.TokenCache.GetCacheHelperAsync(Boolean async, CancellationToken cancellationToken) in Azure.Identity.dll:token 0x600029c+0x20b
   at Azure.Identity.TokenCache.RegisterCache(Boolean async, ITokenCache tokenCache, CancellationToken cancellationToken) in Azure.Identity.dll:token 0x6000296+0x8c
   at Azure.Identity.MsalClientBase`1.GetClientAsync(Boolean async, CancellationToken cancellationToken) in Azure.Identity.dll:token 0x6000231+0x1e2
   at Azure.Identity.MsalPublicClient.AcquireTokenWithDeviceCodeCoreAsync(String[] scopes, String claims, Func`2 deviceCodeCallback, Boolean async, CancellationToken cancellationToken) in Azure.Identity.dll:token 0x6000247+0x86
   at Azure.Identity.MsalPublicClient.AcquireTokenWithDeviceCodeAsync(String[] scopes, String claims, Func`2 deviceCodeCallback, Boolean async, CancellationToken cancellationToken) in Azure.Identity.dll:token 0x6000246+0x8e
   at Azure.Identity.DeviceCodeCredential.GetTokenViaDeviceCodeAsync(TokenRequestContext context, Boolean async, CancellationToken cancellationToken) in Azure.Identity.dll:token 0x6000162+0xc7
   at Azure.Identity.DeviceCodeCredential.AuthenticateImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken) in Azure.Identity.dll:token 0x6000160+0xa7
   --- End of inner exception stack trace ---
   at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex) in Azure.Identity.dll:token 0x6000105+0x1c
   at Azure.Identity.DeviceCodeCredential.AuthenticateImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken) in Azure.Identity.dll:token 0x6000160+0xc7
   at Azure.Identity.DeviceCodeCredential.AuthenticateAsync(TokenRequestContext requestContext, CancellationToken cancellationToken) in Azure.Identity.dll:token 0x600015c+0x79
   at Microsoft.Azure.PowerShell.Authenticators.MsalAccessToken.GetAccessTokenAsync(Task`1 authTask, TokenCredential tokenCredential, TokenRequestContext requestContext, CancellationToken cancellationToken) in Microsoft.Azure.PowerShell.Authenticators.dll:token 0x6000039+0x72
   at Microsoft.Azure.Commands.Common.Authentication.Factories.AuthenticationFactory.Authenticate(IAzureAccount account, IAzureEnvironment environment, String tenant, SecureString password, String promptBehavior, Action`1 promptAction, IAzureTokenCache tokenCache, String resourceId) in Microsoft.Azure.PowerShell.Authentication.dll:token 0x600018b+0x5b
   at Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient.AcquireAccessToken(IAzureAccount account, IAzureEnvironment environment, String tenantId, SecureString password, String promptBehavior, Action`1 promptAction, String resourceId) in Microsoft.Azure.PowerShell.Cmdlets.Accounts.dll:token 0x6000014+0x2c
   at Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient.ListAccountTenants(IAzureAccount account, IAzureEnvironment environment, SecureString password, String promptBehavior, Action`1 promptAction) in Microsoft.Azure.PowerShell.Cmdlets.Accounts.dll:token 0x6000016+0xd
   at Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient.Login(IAzureAccount account, IAzureEnvironment environment, String tenantId, String subscriptionId, String subscriptionName, SecureString password, Boolean skipValidation, Action`1 promptAction, String name, Boolean shouldPopulateContextList, Int32 maxContextPopulation, String authScope) in Microsoft.Azure.PowerShell.Cmdlets.Accounts.dll:token 0x6000008+0x22f
   at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand.<>c__DisplayClass118_2.<ExecuteCmdlet>b__5() in Microsoft.Azure.PowerShell.Cmdlets.Accounts.dll:token 0x600042f+0x7d
   at System.Threading.Tasks.Task`1.InnerInvoke() in System.Private.CoreLib.dll:token 0x6002ba0+0xf
   at System.Threading.Tasks.Task.<>c.<.cctor>b__284_0(Object obj) in System.Private.CoreLib.dll:token 0x6002d40+0x0
   at System.Threading.ExecutionContext.RunFromThreadPoolDispatchLoop(Thread threadPoolThread, ExecutionContext executionContext, ContextCallback callback, Object state) in System.Private.CoreLib.dll:token 0x6002915+0x15
--- End of stack trace from previous location ---
   at System.Threading.ExecutionContext.RunFromThreadPoolDispatchLoop(Thread threadPoolThread, ExecutionContext executionContext, ContextCallback callback, Object state) in System.Private.CoreLib.dll:token 0x6002915+0x46
   at System.Threading.Tasks.Task.ExecuteWithThreadLocal(Task& currentTaskSlot, Thread threadPoolThread) in System.Private.CoreLib.dll:token 0x6002c9a+0xa5
--- End of stack trace from previous location ---
   at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand.<>c__DisplayClass118_0.<ExecuteCmdlet>b__1(AzureRmProfile localProfile, RMProfileClient profileClient, String name) in Microsoft.Azure.PowerShell.Cmdlets.Accounts.dll:token 0x6000429+0x109
Connect-AzAccount: DeviceCodeCredential authentication failed: Persistence check failed. Reason: KeyChain authorization/authentication failed. .Error code: -25293. OS error code -25293.
DEBUG: AzureQoSEvent: CommandName - Connect-AzAccount; IsSuccess - False; Duration - 00:00:03.2701863; Exception - DeviceCodeCredential authentication failed: Persistence check failed. Reason: KeyChain authorization/authentication failed. .Error code: -25293. OS error code -25293.;
DEBUG: Finish sending metric.
DEBUG: 12:26:36 PM - ConnectAzureRmAccountCommand end processing.
@mgreenegit mgreenegit added the needs-triage This is a new issue that needs to be triaged to the appropriate team. label Jul 6, 2021
@mgreenegit
Member Author

It looks like you are making a bad call to KeyChain when you attempt to check persistence?

This is output from the log stream.

2021-07-13 11:32:03.278 Df secd[423:119f14] [com.apple.securityd:SecError] Keychain Access[1397]/1#5 LF=0 copy_matching Error Domain=NSOSStatusErrorDomain Code=-50 "query missing class name" (paramErr: error in user parameter list) UserInfo={numberOfErrorsDeep=0, NSDescription=query missing class name}

@erich-wang
Member

@mgreenegit, this is a duplicate of issue #14478. We're relying on the MSAL team to figure out the right solution.

You may run the cmdlet below as a workaround; the downside is that you have to rerun Connect-AzAccount after restarting PowerShell:

Disable-AzContextAutosave
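
The workaround above as a guarded retry, as an added example that is not part of the original thread or the Az module's own code: it applies `Disable-AzContextAutosave` only when the failure is the Keychain persistence error reported in this issue, so other sign-in errors still surface unchanged. The function name `Connect-AzAccountWithKeychainFallback` is hypothetical; the matched strings are taken from the error text in this issue.

```powershell
# Added example (not from the Az module): retry sign-in without a persisted
# context when the macOS Keychain persistence check fails.
function Connect-AzAccountWithKeychainFallback {
    [CmdletBinding()]
    param(
        # Mirrors Connect-AzAccount -DeviceCode (alias of -UseDeviceAuthentication).
        [switch] $DeviceCode
    )

    # -ErrorAction Stop turns the sign-in failure into a catchable exception.
    $connectArgs = @{ ErrorAction = 'Stop' }
    if ($DeviceCode) { $connectArgs['UseDeviceAuthentication'] = $true }

    try {
        return Connect-AzAccount @connectArgs
    }
    catch {
        $message = $_.Exception.Message

        # Only handle the specific failure from this issue: the token cache
        # persistence check against the macOS Keychain being refused.
        $isKeychainFailure = $IsMacOS -and
            $message -match 'Persistence check failed' -and
            $message -match 'KeyChain authorization/authentication failed'

        if (-not $isKeychainFailure) { throw }   # rethrow anything else untouched

        Write-Warning 'Keychain persistence check failed; disabling context autosave and retrying.'

        # With autosave disabled the context and tokens are kept for the current
        # session only, so Connect-AzAccount must be rerun after a restart.
        Disable-AzContextAutosave | Out-Null
        Write-Verbose ("Autosave mode is now: " + (Get-AzContextAutosaveSetting).Mode)

        return Connect-AzAccount @connectArgs
    }
}

# Usage:
Connect-AzAccountWithKeychainFallback -DeviceCode
```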

@mgreenegit
Member Author

That worked! Mind if I PR this to the troubleshooting page?
https://docs.microsoft.com/en-us/powershell/azure/troubleshooting

@erich-wang
Member

> That worked! Mind if I PR this to the troubleshooting page?
> https://docs.microsoft.com/en-us/powershell/azure/troubleshooting

Yes, please. We warmly welcome any contribution.

@danilo-ribas

Hello,
This issue got resolved on my machine by uninstalling PowerShell via Brew and then installing it again on the non-admin user account. Perhaps it was caused by some sort of multiuser conflict (where PowerShell had already been used when the non-admin account had been created and taken into use).

@mgreenegit
Member Author

I only installed in the non-admin account, also using brew.
