Activating Custom JWT authentication causes Internal Server Error

Question

Activating Custom JWT authentication causes Internal Server Error

Lichtblau, Martin 0

Activating Custom JWT Authentication results in the following error:
"Update of your namespace failed with the following error: "The operation failed due to an internal server error. The initial state of the impacted resources (if any) are restored. Please try again in few minutes. If error still persists, report c230d3a4-27fe-4160-9bae-fe57654874c4:3/25/2025 7:13:12 AM (UTC) to our forums for assistance or raise a support ticket ."

The first time it worked. After that never again. Tried multiple times in a row.
I don't know if it's a problem with the managed idenity or the certificate stored in the KeyVault.

Lichtblau, Martin 0 Reputation points

2025-03-26T13:57:14.1666667+00:00

Same internal server error happens when executing the command in Azure CLI (Cloud Shell).
Looking into the API changelog I get the impressions that this functionality was just recently updated and something got messed up (see Changelog 2025-02-15).
Support looks bad too: "For technical support, upgrade to a paid support plan or explore our free resources".
Seth Shanmugam 0 Reputation points Microsoft Employee

2025-03-26T22:53:23.18+00:00

Hello @Lichtblau, Martin , we have introduced a new settings "EncodedIssuerCertificateInfo" in CustomJwtAuthenticationSettings, which allows you to upload Certificate in pem format to the Namespace without going through the AKV path.

Can you please retry again. Feel free to file Azure support ticket for further help.
Lichtblau, Martin 0 Reputation points

2025-03-27T07:12:38.8566667+00:00

@Seth Shanmugam Thx. Will try.
But I find it suspicious that the changelog says that all JwtCustomAuthentication functionality was removed.
Seth Shanmugam 0 Reputation points Microsoft Employee

2025-03-28T21:22:13.1766667+00:00

The 2024-12-15 Preview API version will these changes since this feature is still in Private Preview; the GA API version will not have this.
Khadeer Ali 4,960 Reputation points Microsoft External Staff

2025-04-01T12:25:04.0933333+00:00

@Lichtblau, Martin ,

Just checking in to see if the answer provided by Seth Shanmugam helped resolve your query.
Lichtblau, Martin 0 Reputation points

2025-04-01T13:45:58.8066667+00:00

Updating the resource property topicSpacesConfiguration with an encodedCertificate as customJwtAuthentication succeeded. But it seems that the server accepts any value for the fields encodedCertificate and kid. The EventGrid Configuration page shows the issuer, but seemingly doesn't get it that I use an encodedCertificate, since it shows an error that I haven't selected an issuer certificate.

Sadly, Custom-JWT client authentification doesn't work with an encodedCertifcate, responding Connecting with MQTT server failed (NotAuthorized).

FYI.: A user on github also received the internal server when re-enabling custom JWT authentication using an Azure KeyVault (see https://github.com/Azure/terraform-provider-azapi/issues/790).

Please fix the error so that it's possible to select a certifcate KeyVault just like mentioned in the documentation.
Khadeer Ali 4,960 Reputation points Microsoft External Staff

2025-04-07T12:03:50.4766667+00:00

@Lichtblau, Martin
Just checking if you were able to resolve the issue.
Lichtblau, Martin 0 Reputation points

2025-04-08T07:00:30.5433333+00:00

I found an unsatisfying workaround using EncodedIssuerCertificateInfo. Using issuerCertificates stored in KeyVault produces an error, caused by a bug in Azure: since you cannot define a topicSpaceConfiguration twice. Once you have set customJwtAuthentication using issuerCertificates you cannot change it (see report on github).

2 answers

Your answer

Lichtblau, Martin 0 Reputation points

2025-03-26T13:57:14.1666667+00:00

Same internal server error happens when executing the command in Azure CLI (Cloud Shell).
Looking into the API changelog I get the impressions that this functionality was just recently updated and something got messed up (see Changelog 2025-02-15).
Support looks bad too: "For technical support, upgrade to a paid support plan or explore our free resources".
Seth Shanmugam 0 Reputation points Microsoft Employee

2025-03-26T22:53:23.18+00:00

Hello @Lichtblau, Martin , we have introduced a new settings "EncodedIssuerCertificateInfo" in CustomJwtAuthenticationSettings, which allows you to upload Certificate in pem format to the Namespace without going through the AKV path.

Can you please retry again. Feel free to file Azure support ticket for further help.
Lichtblau, Martin 0 Reputation points

2025-03-27T07:12:38.8566667+00:00

@Seth Shanmugam Thx. Will try.
But I find it suspicious that the changelog says that all JwtCustomAuthentication functionality was removed.
Seth Shanmugam 0 Reputation points Microsoft Employee

2025-03-28T21:22:13.1766667+00:00

The 2024-12-15 Preview API version will these changes since this feature is still in Private Preview; the GA API version will not have this.
Khadeer Ali 4,960 Reputation points Microsoft External Staff

2025-04-01T12:25:04.0933333+00:00

@Lichtblau, Martin ,

Just checking in to see if the answer provided by Seth Shanmugam helped resolve your query.
Lichtblau, Martin 0 Reputation points

2025-04-01T13:45:58.8066667+00:00

Updating the resource property topicSpacesConfiguration with an encodedCertificate as customJwtAuthentication succeeded. But it seems that the server accepts any value for the fields encodedCertificate and kid. The EventGrid Configuration page shows the issuer, but seemingly doesn't get it that I use an encodedCertificate, since it shows an error that I haven't selected an issuer certificate.

Sadly, Custom-JWT client authentification doesn't work with an encodedCertifcate, responding Connecting with MQTT server failed (NotAuthorized).

FYI.: A user on github also received the internal server when re-enabling custom JWT authentication using an Azure KeyVault (see https://github.com/Azure/terraform-provider-azapi/issues/790).

Please fix the error so that it's possible to select a certifcate KeyVault just like mentioned in the documentation.
Khadeer Ali 4,960 Reputation points Microsoft External Staff

2025-04-07T12:03:50.4766667+00:00

@Lichtblau, Martin
Just checking if you were able to resolve the issue.
Lichtblau, Martin 0 Reputation points

2025-04-08T07:00:30.5433333+00:00

I found an unsatisfying workaround using EncodedIssuerCertificateInfo. Using issuerCertificates stored in KeyVault produces an error, caused by a bug in Azure: since you cannot define a topicSpaceConfiguration twice. Once you have set customJwtAuthentication using issuerCertificates you cannot change it (see report on github).

Answer 1

Sander van de Velde | MVP 36,146 MVP

Hello @Lichtblau, Martin ,

welcome to this moderated Azure community forum.

It seems there is something going wrong inside the Eventgrid itself although it could be a UI Portal glitch.

Please try it another time or use the Azure CLI or PowerBI to make the changes.

If this does not work, create an Azure support ticket.

Please share the region and the actions you perform or the manual you follow.

If the response helped, do "Accept Answer". If it doesn't work, please let us know the progress. All community members with similar issues will benefit by doing so. Your contribution is highly appreciated.

Sander van de Velde | MVP 36,146 Reputation points MVP

2025-03-26T21:58:23.1733333+00:00

Update: I sent a message about this situation to some MSFT people involved.
Lichtblau, Martin 0 Reputation points

2025-04-29T09:11:36.7733333+00:00
Any updates? @Sander van de Velde | MVP
I am still getting the internal server error when adding Custom JWT authentication using a KeyVault certificate.

If error still persists, report 0ebced7e-803e-424b-8e20-05af3b7184e2:4/29/2025 9:15:53 AM (UTC) to our forums for assistance or raise a support ticket ."
Sander van de Velde | MVP 36,146 Reputation points MVP

2025-04-29T09:42:00.89+00:00

Hello @Lichtblau, Martin ,

I sent another message to the team.

If you cannot wait, submitting a support ticket is the best way to resolve this.

Answer 2

Updating the resource property topicSpacesConfiguration with an encodedCertificate as customJwtAuthentication succeeded. But it seems that the server accepts any value for the fields encodedCertificate and kid. The EventGrid Configuration page shows the issuer, but seemingly doesn't get it that I use an encodedCertificate, since it shows an error that I haven't selected an issuer certificate.
User's image

Sadly, Custom-JWT client authentification doesn't work with an encodedCertifcate, responding Connecting with MQTT server failed (NotAuthorized).

FYI.: A user on github also received the internal server when re-enabling custom JWT authentication using an Azure KeyVault (see https://github.com/Azure/terraform-provider-azapi/issues/790).

**Please fix the error so that it's possible to select a certifcate KeyVault just like mentioned in the documentation.

UPDATE:** MQTT client authentication works now! Had to adapt the encoding and formatting of the encodedCertificate and private key used for signing the client JWT. But still ...

Share via

Activating Custom JWT authentication causes Internal Server Error

2 answers

Your answer