Connect-AzureRmAccount : accessing_ws_metadata_exchange_failed

Question

I get the following error when attempting to connect to Azure using PowerShell. This account previously worked, but not sure what changed. Multi-factor authentication was enabled for organization, but this account should be excluded. This is an organizational account; not a Microsoft account. I have found similar errors online, but not this particular issue...

Connect-AzureRmAccount –Credential $Credential -Verbose
VERBOSE: Performing the operation "log in" on target "User account in environment 'AzureCloud'".
Connect-AzureRmAccount : accessing_ws_metadata_exchange_failed: Accessing WS metadata exchange failed: The underlying connection was closed: An unexpected error 
occurred on a send.
At line:1 char:1
+ Connect-AzureRmAccount –Credential $Credential -Verbose
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [Connect-AzureRmAccount], AadAuthenticationFailedException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand

I enabled Debug output for more information...

DEBUG: AzureQoSEvent: CommandName - Connect-AzureRmAccount; IsSuccess - False; Duration - 00:00:19.9521148; Exception - Microsoft.Azure.Commands.Common.Authentica
tion.AadAuthenticationFailedException: accessing_ws_metadata_exchange_failed: Accessing WS metadata exchange failed: The underlying connection was closed: An unex
pected error occurred on a send. ---> Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: accessing_ws_metadata_exchange_failed: Accessing WS me
tadata exchange failed ---> System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send. ---> System.IO.IOException: Una
ble to read data from the transport connection: An existing connection was forcibly closed by the remote host. ---> System.Net.Sockets.SocketException: An existin
g connection was forcibly closed by the remote host
   at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
   --- End of inner exception stack trace ---
   at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
   at System.Net.FixedSizeReader.ReadPacket(Byte[] buffer, Int32 offset, Int32 count)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
   at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
   at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
   at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
   at System.Net.ConnectStream.WriteHeaders(Boolean async)
   --- End of inner exception stack trace ---
   at System.Net.HttpWebRequest.GetResponse()
   at Microsoft.IdentityModel.Clients.ActiveDirectory.HttpWebRequestWrapper.<GetResponseSyncOrAsync>d__2.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.IdentityModel.Clients.ActiveDirectory.MexParser.<FetchMexAsync>d__4.MoveNext()
   --- End of inner exception stack trace ---
   at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.RunAsyncTask[T](Task`1 task)
   at Microsoft.Azure.Commands.Common.Authentication.UserTokenProvider.DoAcquireToken(AdalConfiguration config, PromptBehavior promptBehavior, Action`1 promptActi
on, String userId, SecureString password)
   at Microsoft.Azure.Commands.Common.Authentication.UserTokenProvider.SafeAquireToken(AdalConfiguration config, String showDialog, Action`1 promptAction, String 
userId, SecureString password, Exception& ex)
   --- End of inner exception stack trace ---
   at Microsoft.Azure.Commands.Common.Authentication.UserTokenProvider.AcquireToken(AdalConfiguration config, String promptBehavior, Action`1 promptAction, String
 userId, SecureString password)
   at Microsoft.Azure.Commands.Common.Authentication.UserTokenProvider.GetAccessToken(AdalConfiguration config, String promptBehavior, Action`1 promptAction, Stri
ng userId, SecureString password, String credentialType)
   at Microsoft.Azure.Commands.Common.Authentication.Factories.AuthenticationFactory.Authenticate(IAzureAccount account, IAzureEnvironment environment, String ten
ant, SecureString password, String promptBehavior, Action`1 promptAction, IAzureTokenCache tokenCache, String resourceId)
   at Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient.AcquireAccessToken(IAzureAccount account, IAzureEnvironment environment, String tenantId, Se
cureString password, String promptBehavior, Action`1 promptAction)
   at Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient.ListAccountTenants(IAzureAccount account, IAzureEnvironment environment, SecureString passwo
rd, String promptBehavior, Action`1 promptAction)
   at Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient.Login(IAzureAccount account, IAzureEnvironment environment, String tenantId, String subscrip
tionId, String subscriptionName, SecureString password, Boolean skipValidation, Action`1 promptAction, String name)
   at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand.<>c__DisplayClass83_0.<ExecuteCmdlet>b__0(AzureRmProfile localProfile, RMProfileClient profile
Client, String name)
   at Microsoft.Azure.Commands.Profile.Common.AzureContextModificationCmdlet.ModifyContext(Action`2 contextAction)
   at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand.SetContextWithOverwritePrompt(Action`3 setContextAction)
   at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand.ExecuteCmdlet()
   at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord();
DEBUG: Finish sending metric.
DEBUG: 11:22:02 AM - ConnectAzureRmAccountCommand end processing.
DEBUG: 11:22:02 AM - ConnectAzureRmAccountCommand end processing.

Answer 1

The issue was that the Connect-AzureRMAccount cmdlet used TLS 1.0 by default. Centrify disabled TLS 1.0 support which caused the authentication attempts to close connection. The issue was resolved by adding the following to the PowerShell scripts to force TLS 1.2 security protocol:

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12