when attempting to connect to Azure Cache for Redis using Managed Identity (MSI) the connection fails with the error : System.Exception: Error: NOAUTH Authentication required. Verify if the Redis password provided is correct. Attempted command: ECHO.

Question

I am encountering a specific issue when attempting to connect to Azure Cache for Redis using Managed Identity (MSI).

If the Azure Cache for Redis instance is placed outside the Virtual Network (VNet), the connection works perfectly fine with MSI authentication. However, when I configure the Redis Cache inside the VNet, the connection fails with the following error:

System.Exception: Error: NOAUTH Authentication required. Verify if the Redis password provided is correct. Attempted command: ECHO.

• The Redis Cache and the Azure App Service are both configured to be part of the same VNet.
• Subnet delegations and access rules have been properly configured to allow communication between the App Service and the Redis Cache.
• Previously, when using the Access Key for Redis authentication, the connection worked flawlessly in all scenarios, whether the Redis Cache was inside or outside the VNet.
• After transitioning to Managed Identity (MSI) for authentication, the connection works only when the Redis Cache is outside the VNet. When the Redis Cache is within the VNet, the connection fails with the NOAUTH Authentication required error.

Could you provide guidance on what additional configurations or steps might be required to ensure MSI authentication works?

Answer 1

Based on the information provided, it seems that the issue arises when attempting to connect to Azure Cache for Redis using Managed Identity (MSI) within a Virtual Network (VNet). Here are some additional configurations and steps that might help resolve the issue:

Steps to Resolve the Issue

Verify Managed Identity Configuration: Ensure that the Managed Identity has the necessary permissions to access the Azure Cache for Redis instance. You can verify this in the Azure portal under the Managed Identity settings for your resources.

Use Azure Private Link: Consider using Azure Private Link to provide private connectivity from your VNet to the Azure Cache for Redis instance. Private Link simplifies the network architecture and secures the connection between endpoints in Azure.

Check Network Security Group (NSG) Rules: Ensure that the NSG rules for your VNet and subnets allow traffic between the Azure App Service and the Redis Cache. You may need to add specific rules to allow traffic on the Redis port (default is 6379).

Ensure Proper Subnet Delegation: Verify that the subnet delegation and access rules are correctly configured to allow communication between the Azure App Service and the Redis Cache.

Refresh Azure AD Token: Ensure that your application is correctly configured to refresh the Azure AD token before it expires. This is crucial for maintaining the connection.

Review Redis Configuration: Double-check the Redis configuration to ensure that it is set up to accept connections from within the VNet. Some settings might need to be adjusted when moving from public access to VNet access.

Use Azure AD Token for Authentication: When using Managed Identity, authenticate using an Azure AD token instead of a password. Ensure your client application is correctly configured to use the Azure AD token for authentication.

Additional Resources

Refer to the official documentation on using Managed Identity with Azure Cache for Redis for detailed instructions and troubleshooting steps.

By following these steps, you should be able to resolve the authentication issue and ensure that MSI authentication works seamlessly for your Azure Cache for Redis instance inside the VNet.