Darrin Maidlow(1) on Tue, 20 Mar 2018 19:36:59


I've got an application that we use to encrypt files leveraging Azure Key Vault which is suddenly failing. There has not been a change to the code or the key vault since June of 2016. Now when attempting to use the Microsoft.Azure.KeyVault.KeyVaultClient.UnwrapKeyAsync call I get the following error:

An exception of type 'Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException' occurred

AADSTS70002: Error validating credentials. AADSTS50012: Invalid client secret is provided.
Trace ID: <guid>
Correlation ID: <guid>
Timestamp: 2018-03-20 19:29:44Z

The inner exception is:

The remote server returned an error: (401) Unauthorized.

I cannot find any relevant information to help me troubleshoot this. I've confirmed that the enterprise application registration is defined in my Azure AD, and that the GUID defined there is being used in my application. The key I expect this to use is also the only key defined in the vault and, as I've mentioned, has not been modified since 2016.

Any assistance would be greatly appreciated.



SeanBa - MSFT on Tue, 20 Mar 2018 20:13:31

AAD application secrets have an expiration date, typically one or two years after the secret was created. The owner of the application can add a new client secret or public key. The owner is the person who created the application (or others if they added additional owners). In the Azure Portal, go to Azure Active Directory and click on the "App registrations" link. Find your application and click on "Keys" to manage the client secrets and public keys for the application. You can set the secret to expire in one year, two years, or never (for security, you should rotate your keys periodically, even if they don't expire). The lifetime of a public key credential will match the certificate lifetime.

Application Keys
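One way to turn the answer above into a check, as an added Python example that is not part of this thread: it pulls the AADSTS codes out of the error text quoted in the question and flags app registration credentials that are expired or about to expire. The credential records, key ids and the 30-day warning window are constructed assumptions; real values would come from the application's "Keys" page.

```python
import re
from datetime import datetime, timedelta, timezone

# The error text from the question (used here as sample input).
SAMPLE_ERROR = ("AADSTS70002: Error validating credentials. "
                "AADSTS50012: Invalid client secret is provided.")

# Timestamp from the question, used as "now" for the expiry check.
QUESTION_TIME = datetime(2018, 3, 20, 19, 29, 44, tzinfo=timezone.utc)

# Meaning of the two codes that appear in the question, per the answer above.
KNOWN_CODES = {
    "AADSTS70002": "credential validation failed",
    "AADSTS50012": "client secret rejected (wrong value or expired secret)",
}

# Constructed records shaped like the Keys blade: key id and UTC end date.
# None stands for a secret set to "never" expire.
SAMPLE_CREDENTIALS = [
    {"keyId": "constructed-key-1", "endDate": datetime(2018, 3, 1, tzinfo=timezone.utc)},
    {"keyId": "constructed-key-2", "endDate": datetime(2018, 4, 5, tzinfo=timezone.utc)},
    {"keyId": "constructed-key-3", "endDate": None},
]


def aadsts_codes(message):
    """Return the AADSTS codes found in an AAD/ADAL error message, in order."""
    return re.findall(r"AADSTS\d+", message)


def explain_error(message):
    """Pair each AADSTS code in the message with its known meaning."""
    return [(code, KNOWN_CODES.get(code, "unrecognised code"))
            for code in aadsts_codes(message)]


def credential_status(creds, now, warn_days=30):
    """Classify each credential as 'expired', 'expiring' or 'ok' relative to now."""
    status = {}
    for cred in creds:
        end = cred["endDate"]
        if end is None:
            status[cred["keyId"]] = "ok"            # no expiry set
        elif end <= now:
            status[cred["keyId"]] = "expired"       # secret no longer accepted
        elif end - now <= timedelta(days=warn_days):
            status[cred["keyId"]] = "expiring"      # rotate before it lapses
        else:
            status[cred["keyId"]] = "ok"
    return status
```

Running `credential_status` on a schedule against the real credential list gives advance warning instead of a surprise 401 like the one in the question.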

Darrin Maidlow(1) on Tue, 20 Mar 2018 20:37:15

Thank you!  That is a well nested setting ;)