I'm having trouble adding a connection in the Kusto.Explorer desktop app 1.0.3.949. I can log in via the Web UI, but in the desktop app it gives me this error:

This normally represents a permanent error, and retrying is unlikely to help.
Please provide the following information when contacting the Kusto team @ https://aka.ms/kustosupport :
DataSource='https://m1explorer.westus.kusto.windows.net/v1/rest/mgmt',
DatabaseName='NetDefaultDB',
ClientRequestId='KD2RunCommand;5723fa83-9dd5-48fe-a1ee-5d4ddb7f9cd9',
ActivityId='74b41f5e-be7c-46be-88f5-dae1a6d35c30,
Timestamp='2020-08-02T18:48:13.6846740Z'.

In other applications such as the Kuskus VSCode extension or even the Web UI, the problem seems to be that it uses the "common" tenant/authority id as a default. Is there a way to specify the tenant id when adding the connection? It says you can import an .xml file but I'm not sure where or how this can be generated.

Thanks,

Steven

  • Based on the service side traces, you tried to authenticate using your MSA account for your gmail.com identity. Does your MSA identity have access to the cluster? – Vladik Branevich Aug 03 '20 at 09:56
  • If you wanted to use your MSA's guest account on the m1neral.onmicrosoft.com tenant (which you probably specified in the Web UX by choosing the proper directory), you should expand the "Advanced" tab of the connection string and add ';Authority Id=m1neral.onmicrosoft.com' – Vladik Branevich Aug 03 '20 at 09:58
  • This question is about controlling the AAD tenant that the authentication is performed on when using desktop application Kusto.Explorer – Vladik Branevich Aug 03 '20 at 09:59
  • thanks for this! it's a little confusing, my gmail is my microsoft account which has access to the AAD tenant. however there's another email stevenhurwitt_gmail.com/#EXT#@m1neral.onmicrosoft.com that i believe is actually used under the hood – steven hurwitt Aug 03 '20 at 16:40
  • Yes, guest accounts are _very_ confusing. An MSA is a different beast than an MSA that is a guest in an ordinary AAD tenant. If you use your MSA and do not explicitly specify the AAD tenant, you get a token for the MSA account; if you force the tenant you have the guest account in (that's happening in Azure UX when you select Directory), you will get the token for your guest account. – Vladik Branevich Aug 05 '20 at 12:26

1 Answer

Please try the approach described at: https://docs.microsoft.com/en-us/azure/data-explorer/kusto/tools/kusto-explorer#control-the-user-identity-connecting-to-kustoexplorer

The default security model for new connections is AAD-Federated security. Authentication is done through the Azure Active Directory using the default AAD user experience.

If you need finer control over the authentication parameters, you can expand the "Advanced: Connection Strings" edit box and provide a valid Kusto connection string value.

For example, users with a presence in multiple AAD tenants sometimes need to use a particular "projection" of their identities to a specific AAD tenant. Do this by providing a connection string, such as the one below (replace words IN CAPITALS with specific values):

Data Source=https://CLUSTER_NAME.kusto.windows.net;Initial Catalog=DATABASE_NAME;AAD Federated Security=True;Authority Id=AAD_TENANT_OF_CLUSTER;User=USER_DOMAIN

Alexander Sloutsky
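
As an added example (not code from the answer, the comments, or the Kusto documentation), the Python sketch below parses a connection string of the form shown above, flags one that leaves the AAD tenant unpinned, and appends the Authority Id suggested in the comments. Matching keys without regard to case or spaces is an assumption of this example, and the sample string uses the same placeholder names as the answer.

```python
# Added example: audit and pin the AAD tenant in a Kusto connection string.
# Keys are compared case-insensitively with spaces ignored; that normalisation
# is an assumption of this sketch, not documented Kusto parsing behaviour.

def _norm(key):
    return key.replace(" ", "").lower()

def parse(conn_str):
    """Split 'Key=Value;Key=Value' into an ordered list of (key, value) pairs."""
    pairs = []
    for part in conn_str.split(";"):
        if not part.strip():
            continue  # tolerate a leading or trailing ';'
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"segment without '=': {part!r}")
        pairs.append((key.strip(), value.strip()))
    return pairs

def audit(conn_str):
    """Return findings about how the AAD tenant is selected."""
    fields = {_norm(k): v for k, v in parse(conn_str)}
    findings = []
    federated = fields.get("aadfederatedsecurity", "").lower() == "true"
    authority = fields.get("authorityid", "")
    if federated and not authority:
        findings.append("no Authority Id: tenant is not pinned")
    if authority.lower() == "common":
        findings.append("Authority Id is 'common': tenant is not pinned")
    return findings

def pin_authority(conn_str, tenant):
    """Return conn_str with Authority Id set to tenant, other keys untouched."""
    pairs = [(k, v) for k, v in parse(conn_str) if _norm(k) != "authorityid"]
    pairs.append(("Authority Id", tenant))
    return ";".join(f"{k}={v}" for k, v in pairs)

# Constructed sample input (placeholder cluster and database names).
SAMPLE = ("Data Source=https://CLUSTER_NAME.kusto.windows.net;"
          "Initial Catalog=DATABASE_NAME;AAD Federated Security=True")

if __name__ == "__main__":
    print(audit(SAMPLE))
    fixed = pin_authority(SAMPLE, "m1neral.onmicrosoft.com")
    print(fixed, audit(fixed))
```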