MQTT client 'RefusedNotAuthorized' when connecting to edge translation gateway.

Garethvdl 0 Reputation points
2024-10-14T13:48:03.76+00:00

Hi

I am trying to connect a downstream MQTT device to a translation edge gateway. I understand from https://zcusa.951200.xyz/en-us/azure/iot-central/core/how-to-connect-iot-edge-transparent-gateway#provision-a-downstream-device that "IoT Central relies on the Device Provisioning Service (DPS) to provision devices in IoT Central. Currently, IoT Edge can't use DPS provision a downstream device to your IoT Central application." It then goes on to provision the thermostat device manually using ProvisioningDeviceClient anyway.

  1. How is this implementation differ from an enrolment group?
  2. How do I achieve this using x.509 certificates.

With all the provisioning samples I have used when I try run mosquitto for instance I get 'RefusedNotAuthorized' and a edgeHub error of

'DEVICEID authentication failure

<3> 2024-10-14 13:42:05.261 +00:00 [ERR] [Microsoft.Azure.Devices.Edge.Hub.Mqtt.DeviceIdentityProvider] - Unable to generate identity for clientId DEVICEID and username GATEWAYHOSTNAME/DEVICEID/?api-version=2020-09-30

<6> 2024-10-14 13:42:05.261 +00:00 [INF] [EdgeHub] - "ClientNotAuthenticated, Client ID: DEVICEID; Username: GATEWAYHOSTNAME/DEVICEID/?api-version=2020-09-30'

Regards,

Gareth

Azure IoT Central
Azure IoT Central
An Azure hosted internet of things (IoT) application platform.
364 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Sander van de Velde | MVP 33,146 Reputation points MVP
    2024-10-14T19:37:01.7733333+00:00

    Hello @Garethvdl,

    welcome to this moderated Azure community forum.

    You mention you want to use Azure IoT Edge solution as an translation gateway.

    As seen here, there are several kinds of gateways, protocol translation, identity translation and also the transparent gateway.

    Only the transparent gateway works out of the box as seen in this example.

    The other two types of gateways need extra coding from your side (to run device clients locally as proxy for local devices or to support other protocols).

    These types of gateways have no direct relationship with the Device Provisioning Service (enrolment groups). You need to distribute credentials yourself.


    If the response helped, do "Accept Answer". If it doesn't work, please let us know the progress. All community members with similar issues will benefit by doing so. Your contribution is highly appreciated.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.