
How to fix Azure AD authentication errors when upgrading to the new Graph endpoint in Rancher v2.6.7+

This document (000020917) is provided subject to the disclaimer at the end of this document.

Environment

If you are using Rancher v2.6.7 or above and are setting up Azure AD for the first time, please review our documentation here and enable Azure AD as your primary authentication method.

If you are using Rancher v2.6.6 or below, please refer to the v2.6.0-v2.6.6 section on our documentation page here.

Situation

There are a few errors you may encounter when upgrading to the latest Microsoft Graph endpoint while using Azure AD. This KB article addresses each of these errors and provides the recommended solution for each scenario.

If you are seeing one of the following error messages, continue to the matching number under Resolution.

  1. server error while authenticating: missing required permissions from Microsoft Graph: need Group.Read.All, User.Read.All
  2. refusing to set principal on user that is already bound to another user
  3. Error: AADSTS9000411: The request is not properly formatted. The parameter 'response_type' is duplicated
  4. Error during login "AADSTS901002: The 'resource' request parameter is not supported"

Resolution

  1. If you are receiving this error, the app registration in the Azure portal likely has the wrong type of permissions. When setting up Azure AD, Rancher needs Application permissions on the Microsoft Graph API, NOT Delegated permissions, and an administrator must grant admin consent for those Application permissions. For more information, please review our documentation here.

  2. If you are receiving this error in the Rancher UI, you are likely making the change as a different Rancher user than the one that initially set up Azure AD. Rancher keeps a link between the Azure AD principal used during setup and the Rancher user that enabled the provider, which is typically the local Rancher admin. If a different Rancher user then disables and re-enables Azure AD with that same Azure AD account, Rancher refuses to bind the principal to a second user, and without the correct permissions the Azure AD user cannot complete the change either. There are two ways to resolve this:

     - In the Users & Authentication section of the Rancher UI, as a local admin, grant the Azure AD user the Configure Authentication and Manage Users global permissions. The Azure AD user can then modify the authentication provider and re-enable it.

     - Alternatively, enable Azure AD with an Azure AD user that is not yet known to Rancher, that is, one that has never logged in and so is not bound to any Rancher user.

  3. If you are receiving the error "AADSTS9000411: The request is not properly formatted. The parameter 'response_type' is duplicated", Rancher is likely sending multiple login requests at the same time. Verify that you are logging into Rancher with the correct URL; the URL should be https://rancher_url/dashboard.

  4. If you are receiving the error "AADSTS901002: The 'resource' request parameter is not supported" and are running Rancher 2.6.10 or below, the error is likely caused by Conditional Access policies configured in your organization. To fix this issue, upgrade to Rancher 2.6.11 or above in the 2.6.x line, or to 2.7.0 or above in the 2.7.x line. You will also need to change the Azure AD application permissions from User.Read.All and Group.Read.All to Directory.Read.All (again as an Application permission, not a Delegated one) and grant admin consent for the new permission.
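The following script is an added example and is not part of this KB article or of Rancher or SUSE code. It checks resolutions 1 and 4 above offline: given the app registration object (for example the JSON from `az ad app show --id <your app id>`) and the Microsoft Graph service principal (for example `az ad sp show --id 00000003-0000-0000-c000-000000000000`), it resolves which Graph permissions the app requests, whether each is an Application permission (manifest type "Role") or a Delegated one (type "Scope"), and whether that matches what the stated Rancher version needs. The sample manifests and the permission ids in them are constructed placeholders, not Microsoft's real permission ids; the function and variable names are this example's own.

```python
"""Check whether an Azure AD app registration grants the permission type Rancher needs.

Rancher's Microsoft Graph integration needs Application permissions (type "Role"
in the app manifest), not Delegated permissions (type "Scope"):
  - Rancher v2.6.7 - v2.6.10: Group.Read.All and User.Read.All
  - Rancher v2.6.11+ and v2.7.0+: Directory.Read.All
"""
import re
from typing import Dict, List, Set, Tuple

# Well-known appId of the Microsoft Graph resource (the same in every tenant).
MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"


def required_for(rancher_version: str) -> Set[str]:
    """Application permissions Rancher (v2.6.7 or later) expects for a given version."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", rancher_version)
    if not m:
        raise ValueError(f"unrecognised Rancher version: {rancher_version!r}")
    if tuple(int(x) for x in m.groups()) >= (2, 6, 11):
        return {"Directory.Read.All"}
    return {"Group.Read.All", "User.Read.All"}


def granted_permissions(app_manifest: dict, graph_sp: dict) -> Dict[str, Set[str]]:
    """Resolve the Graph permissions an app registration requests, grouped by type.

    The manifest's requiredResourceAccess only carries permission ids; the Graph
    service principal's appRoles (application) and oauth2PermissionScopes
    (delegated) map those ids back to names such as "User.Read.All".
    """
    roles = {r["id"]: r["value"] for r in graph_sp.get("appRoles", [])}
    scopes = {s["id"]: s["value"] for s in graph_sp.get("oauth2PermissionScopes", [])}
    found: Dict[str, Set[str]] = {"Role": set(), "Scope": set()}
    for resource in app_manifest.get("requiredResourceAccess", []):
        if resource.get("resourceAppId") != MS_GRAPH_APP_ID:
            continue  # permissions on other APIs do not matter to Rancher
        for access in resource.get("resourceAccess", []):
            kind = access["type"]
            names = roles if kind == "Role" else scopes
            found.setdefault(kind, set()).add(names.get(access["id"], f"<unknown {access['id']}>"))
    return found


def check_rancher_permissions(app_manifest: dict, graph_sp: dict,
                              rancher_version: str) -> Tuple[bool, List[str]]:
    """Return (ok, problems). ok is True when every required permission is an Application permission.

    Caveat: the manifest shows what was requested; admin consent is recorded on
    the service principal (app role assignments) and is not checked here.
    """
    needed = required_for(rancher_version)
    have = granted_permissions(app_manifest, graph_sp)
    problems: List[str] = []
    for perm in sorted(needed - have["Role"]):
        if perm in have["Scope"]:
            problems.append(f"{perm} is granted as a Delegated permission; "
                            "Rancher needs the Application permission")
        else:
            problems.append(f"{perm} (Application) is missing")
    return (not problems, problems)


# Constructed sample data: the ids below are placeholders, not real Graph permission ids.
SAMPLE_GRAPH_SP = {
    "appId": MS_GRAPH_APP_ID,
    "appRoles": [
        {"id": "role-user-read-all", "value": "User.Read.All"},
        {"id": "role-group-read-all", "value": "Group.Read.All"},
        {"id": "role-directory-read-all", "value": "Directory.Read.All"},
    ],
    "oauth2PermissionScopes": [
        {"id": "scope-user-read-all", "value": "User.Read.All"},
        {"id": "scope-group-read-all", "value": "Group.Read.All"},
    ],
}

# Wrong setup: both permissions added under Delegated permissions, which produces
# "missing required permissions from Microsoft Graph: need Group.Read.All, User.Read.All".
WRONG_APP = {"requiredResourceAccess": [{
    "resourceAppId": MS_GRAPH_APP_ID,
    "resourceAccess": [
        {"id": "scope-user-read-all", "type": "Scope"},
        {"id": "scope-group-read-all", "type": "Scope"},
    ],
}]}

# Corrected setup for 2.6.11+ / 2.7.0+: Directory.Read.All as an Application permission.
FIXED_APP = {"requiredResourceAccess": [{
    "resourceAppId": MS_GRAPH_APP_ID,
    "resourceAccess": [{"id": "role-directory-read-all", "type": "Role"}],
}]}

if __name__ == "__main__":
    for label, app, version in [("delegated-only app on 2.6.10", WRONG_APP, "2.6.10"),
                                ("corrected app on 2.7.2", FIXED_APP, "2.7.2")]:
        ok, problems = check_rancher_permissions(app, SAMPLE_GRAPH_SP, version)
        print(f"{label}: {'OK' if ok else problems}")
```

To run it against a real tenant, replace the two sample dictionaries with the JSON returned by the two `az ad` commands named above (or the equivalent Graph API objects) and pass your Rancher version; a Delegated-only result is exactly the misconfiguration behind error 1, and a Role entry for Directory.Read.All is what resolution 4 asks for after the upgrade.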

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.