az network bastion rdp fails if member of too many Entra groups #28307

Description

@shil-patel

Describe the bug

"az network bastion rdp" fails for users who are members of a large number of groups.

Looking at the debug logs, the token retrieved cannot be used to download the RDP file from Bastion.

Related command

	az network bastion rdp `
	--name "<BastionName>" `
	--resource-group "<BastionResourceGroupName>" `
	--target-resource-id "<VMResourceId>" `
	--enable-mfa

Errors

	File "C:\Users<User>.azure\cliextensions\bastion\azext_bastion\tunnel.py", line 112, in _get_auth_token
	    self.last_token = response_json["authToken"]
	KeyError: 'authToken'

Issue script & Debug output

Working example (Entra user with 20 groups):

cli.azext_bastion.custom: Response
urllib3.connectionpool: Starting new HTTPS connection (1): .bastion.azure.com:443
urllib3.connectionpool: https://.bastion.azure.com:443 "GET /api/rdpfile?resourceId=/subscriptions//resourceGroups//providers/Microsoft.Compute/virtualMachines/&format=rdp&rdpport=3389&enablerdsaad=True HTTP/1.1" 200 None

Failing example (Entra user with 135 groups):

cli.azext_bastion.custom: Response
urllib3.connectionpool: Starting new HTTPS connection (1): .bastion.azure.com:443
urllib3.connectionpool: https://.bastion.azure.com:443 "GET /api/rdpfile?resourceId=/subscriptions//resourceGroups//providers/Microsoft.Compute/virtualMachines/&format=rdp&rdpport=3389&enablerdsaad=True HTTP/1.1" 400 435
cli.azure.cli.core.azclierror: Traceback (most recent call last):
  File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 233, in invoke
  File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 663, in execute
  File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 726, in _run_jobs_serially
  File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 697, in run_job
  File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 333, in __call__
  File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/command_operation.py", line 121, in handler
  File "C:\Users<User>.azure\cliextensions\bastion\azext_bastion\custom.py", line 304, in rdp_bastion_host
    errorMessage = json.loads(response.content).get('message', None)
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "json\__init__.py", line 346, in loads
  File "json\decoder.py", line 337, in decode
  File "json\decoder.py", line 355, in raw_decode
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)

Expected behavior

RDP file downloads and opens

Environment Summary

azure-cli 2.57.0
bastion extension 0.3.0

Windows 11

Additional context

No response
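
Both tracebacks above come from assuming the Bastion reply is JSON with the expected keys, so the server's 400 body is never shown. The following is an added example, not code from the bastion extension: the names `BastionResponseError`, `extract_error_message` and `parse_auth_token` are hypothetical, and the sample bodies are constructed.

```python
import json


class BastionResponseError(Exception):
    """Raised when a Bastion endpoint reply cannot be used (hypothetical name)."""


def _decode(content):
    # Accept bytes (as in requests' response.content) or str.
    if isinstance(content, bytes):
        return content.decode("utf-8", errors="replace").strip()
    return str(content).strip()


def _load_json_object(text):
    # Return the parsed dict, or None when the body is not a JSON object.
    try:
        parsed = json.loads(text)
    except json.JSONDecodeError:
        return None
    return parsed if isinstance(parsed, dict) else None


def extract_error_message(status_code, content, limit=500):
    """Describe a failed response without assuming the body is JSON."""
    text = _decode(content)
    parsed = _load_json_object(text)
    if parsed and parsed.get("message"):
        return f"HTTP {status_code}: {parsed['message']}"
    if not text:
        return f"HTTP {status_code}: (empty response body)"
    # Keep the raw reply (truncated) so the real rejection reason is visible.
    return f"HTTP {status_code}: non-JSON body: {text[:limit]}"


def parse_auth_token(status_code, content):
    """Return authToken, or raise with the server's reply instead of a KeyError."""
    parsed = _load_json_object(_decode(content))
    if status_code == 200 and parsed and "authToken" in parsed:
        return parsed["authToken"]
    raise BastionResponseError(extract_error_message(status_code, content))


# Constructed sample bodies (not captured from the issue).
SAMPLE_HTML_400 = b"<html><body><h1>Bad Request</h1></body></html>"
SAMPLE_JSON_400 = b'{"message": "constructed error text"}'

if __name__ == "__main__":
    print(extract_error_message(400, SAMPLE_HTML_400))
    print(extract_error_message(400, SAMPLE_JSON_400))
```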

Metadata

Labels

Auto-Assign: Auto assign by bot
Network: az network vnet/lb/nic/dns/etc...
Network - Bastion
Service Attention: This issue is responsible by Azure service team.
act-quality-productivity-squad
bug: This issue requires a change to an existing behavior in the product in order to be resolved.
customer-reported: Issues that are reported by GitHub users external to the Azure organization.
