401 error when using AAD for RemoteLogin

  • Question

  • Hi,

    We have Single Sign On using ADFS set up within the org for logging in to the Azure environment, so I am trying to set up authentication to remoteLogin to the Machine Learning server via AAD. But I am having issues.

    I ran the Remote Login command below using RStudio

    > remoteLoginAAD( "https://rserver.contoso.com:12800", authuri = "https://login.windows.net", tenantid = "my tenantid", clientid = "00000000-0000-0000-0000-000000000000", resource = "00000000-0000-0000-0000-000000000000", session = TRUE )

    I get the following error after selecting my AAD account.

    Error:

    <Error>
     ----------------------------------------------------------------
       success: FALSE
       url: http://serverip:12800/sessions
       method: GET
       status_code: 401
       content:
     ----------------------------------------------------------------

    I have not set up encryption for the credentials. Do I need to do that first?

    Otherwise I am not sure where I am going wrong.

    Please assist. Many Thanks.

    Regards

    DRN
    Wednesday, January 24, 2018 9:51 PM

All replies

  • Hi Ron,

    No, you do not need to set encryption to use AAD.

    Please make sure you followed all instructions here: 

    https://docs.microsoft.com/en-us/machine-learning-server/operationalize/configure-authentication#azure-active-directory

    then try to use session = FALSE in remoteLoginAAD in order to isolate the call to login only.

    The parameters that you use in remoteLoginAAD should match your configuration in appsettings.json of the web node. 

    See also more information here:

    https://docs.microsoft.com/en-us/machine-learning-server/operationalize/how-to-connect-log-in-with-mrsdeploy#authentication

    Thursday, January 25, 2018 12:04 AM
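
An added example, not part of the reply above and not Microsoft's code: one way to check that the remoteLoginAAD arguments match the web node's appsettings.json. It assumes the AAD settings sit in an `AzureActiveDirectory` section with `Enabled`, `Authority`, `Audience` and `ClientId` keys, that `clientid` is the native app's Application ID and `resource` is the web app's; the sample config and every value in it are constructed.

```python
import json

# Constructed sample of the AAD part of the web node's appsettings.json.
# Key names and nesting are an assumption, not taken from this thread.
SAMPLE_APPSETTINGS = json.loads("""
{"Authentication": {"AzureActiveDirectory": {
    "Enabled": true,
    "Authority": "https://login.windows.net/contoso.example/",
    "Audience": "11111111-1111-1111-1111-111111111111",
    "ClientId": "22222222-2222-2222-2222-222222222222"
}}}
""")


def find_section(node, name="AzureActiveDirectory"):
    """Return the first dict stored under `name` at any depth, or None."""
    if isinstance(node, dict):
        if isinstance(node.get(name), dict):
            return node[name]
        node = list(node.values())
    if isinstance(node, list):
        for child in node:
            found = find_section(child, name)
            if found is not None:
                return found
    return None


def norm(value):
    # GUIDs and URLs compare case-insensitively, ignoring a trailing slash.
    return str(value or "").strip().rstrip("/").lower()


def check_login_params(appsettings, authuri, tenantid, clientid, resource):
    """List mismatches between remoteLoginAAD arguments and the server config."""
    aad = find_section(appsettings)
    if aad is None:
        return ["no AzureActiveDirectory section in appsettings.json"]
    problems = []
    if aad.get("Enabled") is not True:
        problems.append("AzureActiveDirectory.Enabled is not true")
    expected = {
        "Authority": norm(authuri) + "/" + norm(tenantid),  # authuri + tenantid
        "Audience": norm(resource),  # Web app / API Application ID
        "ClientId": norm(clientid),  # Native app Application ID
    }
    for key, want in expected.items():
        if norm(aad.get(key)) != want:
            problems.append(f"{key}: server has {aad.get(key)!r}, client sends {want!r}")
    return problems
```

An empty list means the client arguments and the server section agree; each entry otherwise names the key to fix.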
  • Hi Efrat,

    Thank you for the reply.

    This is my first attempt to configure a Machine Learning Server (v 9.2.1.1364) and unfortunately I am still not able to log in using AAD.

    Your reference to the article "https://docs.microsoft.com/en-us/machine-learning-server/operationalize/configure-authentication#azure-active-directory" shows the steps in Azure Classic. We use Azure ARM within the org. I created the web/api and native apps and followed the steps as best as I can. Is there a similar step-by-step doc for the ARM environment?

    I also tried to run a diagnostics test using the Administration Utility, which ends abruptly after I enter my credentials to the Native apps

    Error message - We received a bad request

    Additional technical information:
    Correlation ID: e629f668-9753-4b9f-b0fa-f7399b2c3d86
    Timestamp: 2018-01-25 10:19:21Z

    AADSTS51004: To sign into this application the account hhqKFWAvA0OGgEKZ45u/Vw== must be added to the xxx.com directory.

    I have not done any RBAC on the ML server either. Do I have to do that first?

    Hope this helps to understand the issue.

    Regards

    Ron

    Thursday, January 25, 2018 10:25 AM
  • Hi Ron,

    I work for Microsoft on the team that supports ML Server/Operationalization.

    Thanks for pointing out that our documentation needs to be updated. I have created new documentation for the new Azure portal and submitted it... it will be updated soon.

    In the meantime, I've copy/pasted what I have run through and verified that this works. I can't include the screenshots on this post, and the formatting may not have transferred perfectly, but the content is there. Can you run through these so we can compare apples-to-apples, and then if you still have issues, we can address them then?

    These instructions do not include the part you put in your appsettings.json - the existing documentation is still correct on that.

    1. Sign in to the Azure Portal (portal.azure.com)
    2. Select your directory in the top right of your screen. If the Azure Active Directory has not been set up yet, contact your system administrator.
    3. Select “App registrations” tab on the left.

    Step 2. Create a web application

    Now, create a web app that is tied to the Azure Active Directory as follows:

    1. In the App registrations tab, click New application registration at the top.
    2. In the wizard, enter a Name for your application, such as Machine Learning Server Web app.
    3. For the Type, select Web app / API.
    4. In the Sign-on URL box, use http://localhost:12800.
    5. Click Create.
    6. After the application has been added, if you were not redirected to it automatically, select the newly created Machine Learning Server Web app to go to the application info.
    7. Copy the Application ID for the web app. Later, you configure your Native application and Machine Learning Server with this ID.
    8. Click Settings at the top.
    9. Click Keys on the right.
    10. Add a client key by supplying a Description and selecting a key duration.
    11. Save the key. Copy the key.
    12. Also, take note of the application’s tenant id. The tenant ID is the domain of the Azure Active Directory account, for example, myMRServer.contoso.com.

    Step 3: Create a native application

    Now, create a native app. This app links the web app to the Machine Learning Server web node.

    1. In the App registrations tab, click New application registration at the top.
    2. In the wizard, enter a Name for your application, such as Machine Learning Server Native app.
    3. For the Type, select Native.
    4. In the Redirect URI field, enter urn:ietf:wg:oauth:2.0:oob.
    5. Click Create.
    6. After the application has been added, if you were not redirected to it automatically, select the newly created Machine Learning Server Native app to go to the application info.
    7. Copy the Application ID for the native app. Later, you use this ID to enable AAD in Machine Learning Server.
    8. Click on Settings at the top.
    9. Click Required permissions.
    10. Click Add at the top.
    11. Click Select an API.
    12. In the search field at the top, type the name of the web app you created, such as Machine Learning Server Web app. Select the web app, and click Select at the bottom.
    13. On the Select permissions tab, click the checkmark next to Access <name of web app>, and click Select at the bottom.
    14. Click Done at the bottom to add the permissions.

    Once you have this set up, you _must_ run the diagnostic tests at least once to authorize this machine to connect to AAD.

    • Proposed as answer by jsomers (MSFT) Monday, February 26, 2018 4:42 PM
    Monday, February 5, 2018 4:44 PM