Describe the bug
The latest Azure CLI version, 2.63, seems to have enabled the WAM broker feature by default on Windows, and it fails the ROPC flow in a private cloud (at least) with an interaction-required error.
Additionally, when the feature is disabled, the user realm lookup code in MSAL.py fails to honor the authority port, and defaults to 443 instead of building the URI correctly and only adjusting path.
msal.authority: Initializing with Entra authority: https://localhost:3001/redacted
...
HTTPSConnectionPool(host='localhost', port=443): Max retries exceeded with url: /common/userrealm/redacted?api-version=1.0
Related command
az login -u '[Redacted]' -p [Redacted] -t [Redacted]
Errors
ERROR: cli.azure.cli.core.azclierror: (pii). Status: Response_Status.Status_InteractionRequired, Error code: 3400073293, Tag: 527291998
Issue script & Debug output
az login -u '[Redacted]' -p [Redacted] -t [Redacted] --debug
2024-08-12 15:27:45.9590 [INFO] CLI debug:
az : DEBUG: cli.knack.cli: Command arguments: ['login', '-u', '[REDACTED]', '-p', '[REDACTED]', '-t', '[REDACTED]', '--debug']
At line:1 char:1
- az login -u '[REDACTED' -p [REDACTED ...
-
+ CategoryInfo : NotSpecified: (DEBUG: cli.knac...3f', '--debug']:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
DEBUG: cli.knack.cli: init debug log:
Cannot enable color.
DEBUG: cli.knack.cli: Event: Cli.PreExecute []
DEBUG: cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at
0x00000184ED9DF7E0>, <function OutputProducer.on_global_arguments at 0x00000184EDB5E020>, <function CLIQuery.on_global_arguments at 0x00000184EDB87BA0>]
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
DEBUG: cli.azure.cli.core: Modules found from index for 'login': ['azure.cli.command_modules.profile']
DEBUG: cli.azure.cli.core: Loading command modules:
DEBUG: cli.azure.cli.core: Name Load Time Groups Commands
DEBUG: cli.azure.cli.core: profile 0.004 2 8
DEBUG: cli.azure.cli.core: Total (1) 0.004 2 8
DEBUG: cli.azure.cli.core: These extensions are not installed and will be skipped: ['azext_ai_examples', 'azext_next']
DEBUG: cli.azure.cli.core: Loading extensions:
DEBUG: cli.azure.cli.core: Name Load Time Groups Commands Directory
DEBUG: cli.azure.cli.core: Total (0) 0.000 0 0
DEBUG: cli.azure.cli.core: Loaded 2 groups, 8 commands.
DEBUG: cli.azure.cli.core: Found a match in the command table.
DEBUG: cli.azure.cli.core: Raw command : login
DEBUG: cli.azure.cli.core: Command table: login
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x00000184EFDBCD60>]
DEBUG: cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to 'C:\azureCli\commands\2024-08-12.15-27-45.login.4628.log'.
INFO: az_command_data_logger: command args: login -u {} -p {} -t {} --debug
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument..add_subscription_parameter at 0x00000184EFDF36A0>]
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument..add_ids_arguments at 0x00000184EFE3D620>, <function register_cache_arguments..add_cache_arguments at 0x00000184EFE3D760>]
DEBUG: cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x00000184EDB5E0C0>, <function CLIQuery.handle_query_parameter at 0x00000184EDB87C40>, <function register_ids_argument..parse_ids_arguments at 0x00000184EFE3D6C0>]
WARNING: cli.azure.cli.command_modules.profile.custom: Authentication with username and password in the command line
is strongly discouraged. Use one of the recommended authentication methods based on your requirements. For more
details, see https://go.microsoft.com/fwlink/?linkid=2276314
DEBUG: cli.azure.cli.core.auth.persistence: build_persistence: location='C:\azureCli\msal_token_cache.bin',
encrypt=True
DEBUG: cli.azure.cli.core.auth.binary_cache: load: C:\azureCli\msal_http_cache.bin
DEBUG: urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None,
status=None)
DEBUG: msal.authority: Initializing with Entra authority:
https://redactedEndpoint/redactedTenantId
DEBUG: msal.authority: openid_config("https://redactedEndpoint/redactedTenantId/v2.0/
.well-known/openid-configuration") = {'authorization_endpoint':
'https://redactedEndpoint/redactedTenantId/oauth2/v2.0/authorize',
'device_authorization_endpoint':
'https://redactedEndpoint/redactedTenantId/oauth2/v2.0/devicecode',
'token_endpoint': 'https://redactedEndpoint/redactedTenantId/oauth2/v2.0/token',
'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri':
'https://redactedEndpoint/redactedTenantId/discovery/v2.0/keys',
'response_modes_supported': ['query', 'fragment', 'form_post'], 'response_types_supported': ['code', 'id_token',
'token'], 'scopes_supported': ['openid', 'profile', 'email'], 'issuer':
'https://redactedEndpoint/redactedTenantId/v2.0'}
DEBUG: msal.application: Broker enabled? True
DEBUG: msal.broker: [MSAL:0001] WARNING SetAuthorityUri:78 Initializing authority from URI
'https://redactedEndpoint/redactedTenantId' without authority type, defaulting to MsSts
DEBUG: msal.broker: [MSAL:0001] INFO SetCorrelationId:258 Set correlation ID: 0d2585a7-9c69-4e51-bdb5-500f40ef73d6
DEBUG: msal.broker: [MSAL:0001] INFO EnqueueBackgroundRequest:1000 The original authority is
'https://redactedEndpoint/redactedTenantId'
DEBUG: msal.broker: [MSAL:0001] INFO ModifyAndValidateAuthParameters:219 Additional query parameter added successfully. Key: '(pii)' Value: '(pii)'
DEBUG: msal.broker: [MSAL:0001] INFO ModifyAndValidateAuthParameters:243 Authority Realm: [redactedTenantId]
DEBUG: msal.broker: [MSAL:0001] WARNING TryEnqueueMsaDeviceCredentialAcquisitionAndContinue:1052
MsaDeviceOperationProvider is not available. Not attempting to register the device.
DEBUG: msal.broker: [MSAL:0002] ERROR ErrorInternalImpl:134 Created an error: 513z4,
StatusInternal::InteractionRequired, InternalEvent::None, Error Code 3400073293, Context '(pii)'
DEBUG: msal.broker: [MSAL:0002] INFO LogTelemetryData:422 Printing Telemetry for Correlation ID:
0d2585a7-9c69-4e51-bdb5-500f40ef73d6
DEBUG: msal.broker: [MSAL:0002] INFO LogTelemetryData:430 Key: start_time, Value: 2024-08-12T15:27:45.000Z
DEBUG: msal.broker: [MSAL:0002] INFO LogTelemetryData:430 Key: api_name, Value: AcquireTokenUsernamePassword
DEBUG: msal.broker: [MSAL:0002] INFO LogTelemetryData:430 Key: was_request_throttled, Value: false
DEBUG: msal.broker: [MSAL:0002] INFO LogTelemetryData:430 Key: authority_type, Value: Unknown
DEBUG: msal.broker: [MSAL:0002] INFO LogTelemetryData:430 Key: msal_version, Value: 1.1.0+local
DEBUG: msal.broker: [MSAL:0002] INFO LogTelemetryData:430 Key: api_status_code, Value:
StatusInternal::InteractionRequired
DEBUG: msal.broker: [MSAL:0002] INFO LogTelemetryData:430 Key: client_id, Value:
04b07795-8ddb-461a-bbee-02f9e1bf7b46
DEBUG: msal.broker: [MSAL:0002] INFO LogTelemetryData:430 Key: correlation_id, Value:
0d2585a7-9c69-4e51-bdb5-500f40ef73d6
DEBUG: msal.broker: [MSAL:0002] INFO LogTelemetryData:430 Key: broker_app_used, Value: true
DEBUG: msal.broker: [MSAL:0002] INFO LogTelemetryData:430 Key: stop_time, Value: 2024-08-12T15:27:45.000Z
DEBUG: msal.broker: [MSAL:0002] INFO LogTelemetryData:430 Key: all_error_tags, Value: 513z4|513z4
DEBUG: msal.broker: [MSAL:0002] INFO LogTelemetryData:430 Key: msalruntime_version, Value: 0.16.2
DEBUG: msal.broker: [MSAL:0002] INFO LogTelemetryData:430 Key: original_authority, Value:
https://redactedEndpoint/redactedTenantId
DEBUG: msal.broker: [MSAL:0002] INFO LogTelemetryData:430 Key: request_eligible_for_broker, Value: true
DEBUG: msal.broker: [MSAL:0002] INFO LogTelemetryData:430 Key: additional_query_parameters_count, Value: 1
DEBUG: msal.broker: [MSAL:0002] INFO LogTelemetryData:430 Key: is_successful, Value: false
DEBUG: msal.broker: [MSAL:0002] INFO LogTelemetryData:430 Key: wam_telemetry, Value:
{"ui_visible":false,"scope":"https://redactedEndpoint/.default offline_access openid profile","redirect_uri":"ms-appx-web://Microsoft.AAD.BrokerPlugin/04b07795-8ddb-461a-bbee-02f9e1bf7b46","provider_id":"https://login.windows.net","oauth_error_code":"authentication_failed","http_status":404,"http_event_count":1,"device_join":"not_joined","correlation_id":"{28d28220-b29d-4b14-b5ae-01f1893cf46f}","client_id":"04b07795-8ddb-461a-bbee-02f9e1bf7b46","cache_event_count":0,"broker_version":"10.0.20348.2520","authority":"https://redactedEndpoint/redactedTenantId","api_error_code":-894894003,"account_join_on_start":"not_joined","account_join_on_end":"not_joined","silent_code":0,"silent_bi_sub_code":0,"silent_message":"","silent_status":0,"is_cached":1}
DEBUG: msal.broker: [MSAL:0002] INFO LogTelemetryData:430 Key: auth_flow, Value: Broker
DEBUG: msal.broker: [MSAL:0002] INFO LogTelemetryData:430 Key: broker_error_location, Value: 513z4
DEBUG: msal.broker: [MSAL:0002] INFO LogTelemetryData:430 Key: api_error_code, Value: 3400073293
DEBUG: msal.broker: [MSAL:0002] INFO LogTelemetryData:430 Key: api_error_tag, Value: 513z4
DEBUG: msal.broker: [MSAL:0002] INFO LogTelemetryData:430 Key: api_error_context, Value: (pii)
DEBUG: msal.broker: [MSAL:0002] INFO LogTelemetryData:430 Key: authorization_type, Value: UsernamePassword
DEBUG: msal.broker: [MSAL:0002] INFO LogTelemetryData:430 Key: request_duration, Value: 43
DEBUG: msal.broker: [MSAL:0002] INFO LogTelemetryData:435 Printing Execution Flow:
DEBUG: cli.azure.cli.core.azclierror: Traceback (most recent call last):
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 233, in invoke
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py",
line 664, in execute
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py",
line 731, in _run_jobs_serially
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py",
line 701, in _run_job
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py",
line 334, in __call__
File
"D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/command_operation.py",
line 121, in handler
File
"D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/profile/custom.py",
line 165, in login
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/_profile.py", line 175, in
login
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/auth/identity.py", line
183, in login_with_username_password
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/auth/util.py", line 139,
in check_result
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/auth/util.py", line 43, in
aad_error_handler
azure.cli.core.azclierror.AuthenticationError: (pii). Status: Response_Status.Status_InteractionRequired, Error code:
3400073293, Tag: 527291998
ERROR: cli.azure.cli.core.azclierror: (pii). Status: Response_Status.Status_InteractionRequired, Error code:
3400073293, Tag: 527291998
ERROR: az_command_data_logger: (pii). Status: Response_Status.Status_InteractionRequired, Error code: 3400073293, Tag:
527291998
Please explicitly log in with:
az login
DEBUG: cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at
0x00000184EFDBCFE0>]
INFO: az_command_data_logger: exit code: 1
INFO: cli.main: Command ran in 1.029 seconds (init: 0.324, invoke: 0.705)
INFO: telemetry.main: Begin splitting cli events and extra events, total events: 1
INFO: telemetry.client: Accumulated 0 events. Flush the clients.
INFO: telemetry.main: Finish splitting cli events and extra events, cli events: 1
INFO: telemetry.save: Save telemetry record of length 4173 in cache
INFO: telemetry.main: Begin creating telemetry upload process.
INFO: telemetry.process: Creating upload process: "C:\Program Files\Microsoft SDKs\Azure\CLI2\python.exe C:\Program
Files\Microsoft SDKs\Azure\CLI2\Lib\site-packages\azure\cli\telemetry\__init__.pyc C:\azureCli"
INFO: telemetry.process: Return from creating process
INFO: telemetry.main: Finish creating telemetry upload process.
Expected behavior
WAM should probably not be enabled by default, and perhaps there should be some fallback to the regular ROPC flow? If someone is using ROPC, maybe just let the naive REST call go through to the STS. Why is WAM even being used here?
Environment Summary
C:> az --version
azure-cli 2.63.0
core 2.63.0
telemetry 1.1.0
Extensions:
azure-devops 1.0.1
Dependencies:
msal 1.30.0
azure-mgmt-resource 23.1.1
Additional context
Temporary workaround (except for the port issue) using this:
az config set core.enable_broker_on_windows=false
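The port symptom in the report (authority `https://localhost:3001/...`, user realm lookup sent to port 443), shown as an added example that is not MSAL's or Azure CLI's code: rebuilding the lookup URL from the hostname alone loses the port, while carrying the parsed port over keeps it. The function names and the sample username are assumptions made for illustration.

```python
from urllib.parse import quote, urlsplit

# Path taken from the failing request in the report's log.
USERREALM_PATH = "/common/userrealm/{username}?api-version=1.0"
DEFAULT_PORTS = {"https": 443, "http": 80}


def _host_and_port(authority):
    """Parse an https authority URL into (host, explicit_port_or_None).

    urlsplit() strips any userinfo and the IPv6 brackets from .hostname,
    so the brackets are restored here and credentials are never copied.
    """
    parts = urlsplit(authority)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("authority must be an absolute https URL")
    host = parts.hostname
    if ":" in host:  # IPv6 literal
        host = "[" + host + "]"
    return host, parts.port  # .port raises ValueError if it is not numeric


def _path(username):
    # Percent-encode the username so it cannot add path segments or a query.
    return USERREALM_PATH.format(username=quote(username, safe="@"))


def userrealm_url_hostname_only(authority, username):
    """Reproduces the reported symptom: the authority's port is discarded."""
    host, _port = _host_and_port(authority)
    return "https://" + host + _path(username)


def userrealm_url_keep_port(authority, username):
    """Keeps scheme, host and port of the authority; only the path changes."""
    host, port = _host_and_port(authority)
    netloc = host if port is None else "%s:%d" % (host, port)
    return "https://" + netloc + _path(username)


def effective_port(url):
    """Port an HTTP client would connect to for this URL."""
    parts = urlsplit(url)
    return parts.port or DEFAULT_PORTS[parts.scheme]


if __name__ == "__main__":
    authority = "https://localhost:3001/redacted"  # value from the report
    user = "user@example.com"                      # constructed sample
    for build in (userrealm_url_hostname_only, userrealm_url_keep_port):
        url = build(authority, user)
        print("%-28s %s -> port %d" % (build.__name__, url, effective_port(url)))
```
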