
Connect-AzAccount: ClientCertificateCredential authentication failed #22480

Closed
runemy opened this issue Aug 3, 2023 · 20 comments
Labels: Authentication, Azure PS Team, bug, customer-reported, Investigate 🔍, needs-author-feedback

Comments

runemy commented Aug 3, 2023

Description

Hi,

With reference to #20728, which was closed 3 weeks ago?
It looks like my case has similarities with that issue.

I need to do a Connect-AzAccount with a ServicePrincipal, using a CertificateThumbprint, against a specific tenant (I have many tenants).

I have tried using both "-Tenant" and "-TenantId". I get the same error with both.

PS C:\Users\T1-runemy\ps> Connect-AzAccount -CertificateThumbprint $Thumbprint -ApplicationId $ApplicationId -TenantId $TenantId -ServicePrincipal
Connect-AzAccount: ClientCertificateCredential authentication failed: Keyset does not exist
Could not find tenant id for provided tenant domain ''. Please ensure that the provided service principal '' is found in the provided tenant domain.

I have verified that the provided SPN ApplicationId (ClientId) is in my tenant and that this SPN does have a valid CertificateThumbprint.

Issue script & Debug output

PS C:\Users\T1-runemy\ps> Connect-AzAccount -CertificateThumbprint $Thumbprint -ApplicationId $ApplicationId -Tenant $TenantId -ServicePrincipal
DEBUG: 8:52:28 AM - ConnectAzureRmAccountCommand begin processing with ParameterSet 'ServicePrincipalCertificateWithSubscriptionId'.
DEBUG: 8:52:28 AM - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 8:52:28 AM - [ConfigManager] Got nothing from [DefaultSubscriptionForLogin], Module = [], Cmdlet = []. Returning default value [].
DEBUG: 8:52:28 AM - Autosave setting from startup session: 'CurrentUser'
DEBUG: 8:52:28 AM - No autosave setting detected in environment variable 'AzContextAutoSave'.
DEBUG: 8:52:28 AM - Using Autosave scope 'CurrentUser'
DEBUG: 8:52:28 AM - [ServicePrincipalAuthenticator] Calling ClientCertificateCredential.GetTokenAsync - Thumbprint:'XXXXXXXXXXXXXX', ApplicationId:'YYYYYYY', TenantId:'ZZZZZZZZZ', Scopes:'https://management.core.windows.net//.default', AuthorityHost:'https://login.microsoftonline.com/'
DEBUG: ClientCertificateCredential.GetToken invoked. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.11 Microsoft Windows 10.0.17763 [2023-08-03 06:52:28Z - 6f17dd07-bc1d-46ee-bc0a-e8116d7ff910] MSAL MSAL.NetCore with assembly version '4.49.1.0'. CorrelationId(6f17dd07-bc1d-46ee-bc0a-e8116d7ff910)
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.11 Microsoft Windows 10.0.17763 [2023-08-03 06:52:28Z - 6f17dd07-bc1d-46ee-bc0a-e8116d7ff910] === AcquireTokenForClientParameters ===
SendX5C: False
ForceRefresh: False

DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.11 Microsoft Windows 10.0.17763 [2023-08-03 06:52:28Z - 6f17dd07-bc1d-46ee-bc0a-e8116d7ff910]
=== Request Data ===
Authority Provided? - True
Scopes - https://management.core.windows.net//.default
Extra Query Params Keys (space separated) -
ApiId - AcquireTokenForClient
IsConfidentialClient - True
SendX5C - False
LoginHint ? False
IsBrokerConfigured - False
HomeAccountId - False
CorrelationId - 6f17dd07-bc1d-46ee-bc0a-e8116d7ff910
UserAssertion set: False
LongRunningOboCacheKey set: False
Region configured:

DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.11 Microsoft Windows 10.0.17763 [2023-08-03 06:52:28Z - 6f17dd07-bc1d-46ee-bc0a-e8116d7ff910] === Token Acquisition (ClientCredentialRequest) started:
         Scopes: https://management.core.windows.net//.default
        Authority Host: login.microsoftonline.com
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.11 Microsoft Windows 10.0.17763 [2023-08-03 06:52:28Z - 6f17dd07-bc1d-46ee-bc0a-e8116d7ff910] [Instance Discovery] Instance discovery is enabled and will be performed
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.11 Microsoft Windows 10.0.17763 [2023-08-03 06:52:28Z - 6f17dd07-bc1d-46ee-bc0a-e8116d7ff910] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.11 Microsoft Windows 10.0.17763 [2023-08-03 06:52:28Z - 6f17dd07-bc1d-46ee-bc0a-e8116d7ff910] Exception type: Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException

   at Internal.NativeCrypto.CapiHelper.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
   at System.Security.Cryptography.RSACryptoServiceProvider.get_SafeProvHandle()
   at System.Security.Cryptography.RSACryptoServiceProvider.get_SafeKeyHandle()
   at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 keySize, CspParameters parameters, Boolean useDefaultKeySize)
   at System.Security.Cryptography.RSACryptoServiceProvider..ctor(CspParameters parameters)
   at Internal.Cryptography.Pal.CertificatePal.<>c.<GetRSAPrivateKey>b__67_0(CspParameters csp)
   at Internal.Cryptography.Pal.CertificatePal.GetPrivateKey[T](Func`2 createCsp, Func`2 createCng)
   at Internal.Cryptography.Pal.CertificatePal.GetRSAPrivateKey()
   at Internal.Cryptography.Pal.CertificateExtensionsCommon.GetPrivateKey[T](X509Certificate2 certificate, Predicate`1 matchesConstraints)
   at System.Security.Cryptography.X509Certificates.RSACertificateExtensions.GetRSAPrivateKey(X509Certificate2 certificate)
   at Microsoft.Identity.Client.PlatformsCommon.Shared.CommonCryptographyManager.SignWithCertificate(String message, X509Certificate2 certificate)
   at Microsoft.Identity.Client.Internal.JsonWebToken.Sign(X509Certificate2 certificate, String base64EncodedThumbprint, Boolean sendX5C)
   at Microsoft.Identity.Client.Internal.ClientCredential.CertificateAndClaimsClientCredential.AddConfidentialClientParametersAsync(OAuth2Client oAuth2Client, ILoggerAdapter logger, ICryptographyManager cryptographyManager, String clientId, String tokenEndpoint, Boolean sendX5C, CancellationToken cancellationToken)
   at Microsoft.Identity.Client.OAuth2.TokenClient.AddBodyParamsAndHeadersAsync(IDictionary`2 additionalBodyParameters, String scopes, CancellationToken cancellationToken)
   at Microsoft.Identity.Client.OAuth2.TokenClient.SendTokenRequestAsync(IDictionary`2 additionalBodyParameters, String scopeOverride, String tokenEndpointOverride, CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.ClientCredentialRequest.FetchNewAccessTokenAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.ClientCredentialRequest.ExecuteAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)
DEBUG: ClientCertificateCredential.GetToken was unable to retrieve an access token. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:  Exception: Azure.Identity.AuthenticationFailedException (0x80131500): ClientCertificateCredential authentication failed: Keyset does not exist
 ---> Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException (0x80090016): Keyset does not exist
DEBUG: 8:52:28 AM - [ConfigManager] Got [True] from [EnableDataCollection], Module = [], Cmdlet = [].
Connect-AzAccount: ClientCertificateCredential authentication failed: Keyset does not exist
Could not find tenant id for provided tenant domain 'ZZZZZZZZZ'. Please ensure that the provided service principal 'YYYYYYY' is found in the provided tenant domain.
DEBUG: 8:52:28 AM - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 8:52:28 AM - [ConfigManager] Got nothing from [DisplayRegionIdentified], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: AzureQoSEvent:  Module: Az.Accounts:2.12.5; CommandName: Connect-AzAccount; PSVersion: 7.2.8; IsSuccess: False; Duration: 00:00:00.0649455; Exception: ClientCertificateCredential authentication failed: Keyset does not exist
Could not find tenant id for provided tenant domain 'ZZZZZZZZZ'. Please ensure that the provided service principal 'YYYYYYY' is found in the provided tenant domain.;
DEBUG: 8:52:28 AM - ConnectAzureRmAccountCommand end processing.
PS C:\Users\T1-runemy\ps>

Environment data

PS C:\Users\T1-runemy\ps> $PsVersionTable

Name                           Value
----                           -----
PSVersion                      7.2.8
PSEdition                      Core
GitCommitId                    7.2.8
OS                             Microsoft Windows 10.0.17763
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

PS C:\Users\T1-runemy\ps>

Module versions

PS C:\Users\T1-runemy\ps> Get-Module Az*

ModuleType Version    PreRelease Name                                ExportedCommands
---------- -------    ---------- ----                                ----------------
Script     2.12.5                Az.Accounts                         {Add-AzEnvironment, Clear-AzConfig, Clear-AzContext, Clear-AzDefault…}

PS C:\Users\T1-runemy\ps>

Error output

PS C:\Users\T1-runemy\ps> Resolve-AzError
DEBUG: 8:56:23 AM - ResolveError begin processing with ParameterSet 'AnyErrorParameterSet'.
DEBUG: 8:56:23 AM - using account id 'YYYYYYY'...
DEBUG: 8:56:23 AM - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].

  
   HistoryId: 2

Message        : ClientCertificateCredential authentication failed: Keyset does not exist
                 Could not find tenant id for provided tenant domain 'ZZZZZZZZZ'. Please ensure that the provided service principal
                 'YYYYYYY' is found in the provided tenant domain.
StackTrace     :    at Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient.Login(IAzureAccount account, IAzureEnvironment environment, String tenantIdOrName,
                 String subscriptionId, String subscriptionName, SecureString password, Boolean skipValidation, IOpenIDConfiguration openIDConfigDoc, Action`1
                 promptAction, String name, Boolean shouldPopulateContextList, Int32 maxContextPopulation, String authScope)
                    at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand.<>c__DisplayClass127_2.<ExecuteCmdlet>b__5()
                    at System.Threading.Tasks.Task`1.InnerInvoke()
                    at System.Threading.Tasks.Task.<>c.<.cctor>b__272_0(Object obj)
                    at System.Threading.ExecutionContext.RunFromThreadPoolDispatchLoop(Thread threadPoolThread, ExecutionContext executionContext, ContextCallback
                 callback, Object state)
                 --- End of stack trace from previous location ---
                    at System.Threading.ExecutionContext.RunFromThreadPoolDispatchLoop(Thread threadPoolThread, ExecutionContext executionContext, ContextCallback
                 callback, Object state)
                    at System.Threading.Tasks.Task.ExecuteWithThreadLocal(Task& currentTaskSlot, Thread threadPoolThread)
                 --- End of stack trace from previous location ---
                    at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand.<>c__DisplayClass127_1.<ExecuteCmdlet>b__1(AzureRmProfile localProfile,
                 RMProfileClient profileClient, String name)
                    at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand.<>c__DisplayClass136_0.<SetContextWithOverwritePrompt>b__0(AzureRmProfile prof,
                 RMProfileClient client)
                    at Microsoft.Azure.Commands.Profile.Common.AzureContextModificationCmdlet.ModifyContext(Action`2 contextAction)
                    at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand.SetContextWithOverwritePrompt(Action`3 setContextAction)
                    at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand.ExecuteCmdlet()
                    at Microsoft.WindowsAzure.Commands.Utilities.Common.CmdletExtensions.<>c__3`1.<ExecuteSynchronouslyOrAsJob>b__3_0(T c)
                    at Microsoft.WindowsAzure.Commands.Utilities.Common.CmdletExtensions.ExecuteSynchronouslyOrAsJob[T](T cmdlet, Action`1 executor)
                    at Microsoft.WindowsAzure.Commands.Utilities.Common.CmdletExtensions.ExecuteSynchronouslyOrAsJob[T](T cmdlet)
                    at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord()
Exception      : System.ArgumentNullException
InvocationInfo : {Connect-AzAccount}
Line           : Connect-AzAccount -CertificateThumbprint $Thumbprint -ApplicationId $ApplicationId -TenantId $TenantId -ServicePrincipal
Position       : At C:\Users\T1-runemy\ps\test.ps1:15 char:1
                 + Connect-AzAccount -CertificateThumbprint $Thumbprint -ApplicationId $ …
                 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
HistoryId      : 2

Message        : ClientCertificateCredential authentication failed: Keyset does not exist
StackTrace     :    at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage)
                    at Azure.Identity.ClientCertificateCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
                    at Microsoft.Azure.PowerShell.Authenticators.MsalAccessToken.GetAccessTokenAsync(String callerClassName, String parametersLog, TokenCredential
                 tokenCredential, TokenRequestContext requestContext, CancellationToken cancellationToken, String tenantId, String userId, String homeAccountId)
                    at Microsoft.Azure.Commands.Common.Authentication.Factories.AuthenticationFactory.Authenticate(IAzureAccount account, IAzureEnvironment environment,
                 String tenant, SecureString password, String promptBehavior, Action`1 promptAction, IAzureTokenCache tokenCache, String resourceId)
                    at Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient.AcquireAccessToken(IAzureAccount account, IAzureEnvironment environment, String
                 tenantId, SecureString password, String promptBehavior, Action`1 promptAction, String resourceId)
                    at Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient.Login(IAzureAccount account, IAzureEnvironment environment, String tenantIdOrName,
                 String subscriptionId, String subscriptionName, SecureString password, Boolean skipValidation, IOpenIDConfiguration openIDConfigDoc, Action`1
                 promptAction, String name, Boolean shouldPopulateContextList, Int32 maxContextPopulation, String authScope)
Exception      : Azure.Identity.AuthenticationFailedException
InvocationInfo : {Connect-AzAccount}
Line           : Connect-AzAccount -CertificateThumbprint $Thumbprint -ApplicationId $ApplicationId -TenantId $TenantId -ServicePrincipal
Position       : At C:\Users\T1-runemy\ps\test.ps1:15 char:1
                 + Connect-AzAccount -CertificateThumbprint $Thumbprint -ApplicationId $ …
                 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
HistoryId      : 2

Message        : Keyset does not exist
StackTrace     :    at Internal.NativeCrypto.CapiHelper.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
                    at System.Security.Cryptography.RSACryptoServiceProvider.get_SafeProvHandle()
                    at System.Security.Cryptography.RSACryptoServiceProvider.get_SafeKeyHandle()
                    at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 keySize, CspParameters parameters, Boolean useDefaultKeySize)
                    at System.Security.Cryptography.RSACryptoServiceProvider..ctor(CspParameters parameters)
                    at Internal.Cryptography.Pal.CertificatePal.<>c.<GetRSAPrivateKey>b__67_0(CspParameters csp)
                    at Internal.Cryptography.Pal.CertificatePal.GetPrivateKey[T](Func`2 createCsp, Func`2 createCng)
                    at Internal.Cryptography.Pal.CertificatePal.GetRSAPrivateKey()
                    at Internal.Cryptography.Pal.CertificateExtensionsCommon.GetPrivateKey[T](X509Certificate2 certificate, Predicate`1 matchesConstraints)
                    at System.Security.Cryptography.X509Certificates.RSACertificateExtensions.GetRSAPrivateKey(X509Certificate2 certificate)
                    at Microsoft.Identity.Client.PlatformsCommon.Shared.CommonCryptographyManager.SignWithCertificate(String message, X509Certificate2 certificate)
                    at Microsoft.Identity.Client.Internal.JsonWebToken.Sign(X509Certificate2 certificate, String base64EncodedThumbprint, Boolean sendX5C)
                    at Microsoft.Identity.Client.Internal.ClientCredential.CertificateAndClaimsClientCredential.AddConfidentialClientParametersAsync(OAuth2Client
                 oAuth2Client, ILoggerAdapter logger, ICryptographyManager cryptographyManager, String clientId, String tokenEndpoint, Boolean sendX5C, CancellationToken
                 cancellationToken)
                    at Microsoft.Identity.Client.OAuth2.TokenClient.AddBodyParamsAndHeadersAsync(IDictionary`2 additionalBodyParameters, String scopes, CancellationToken
                 cancellationToken)
                    at Microsoft.Identity.Client.OAuth2.TokenClient.SendTokenRequestAsync(IDictionary`2 additionalBodyParameters, String scopeOverride, String
                 tokenEndpointOverride, CancellationToken cancellationToken)
                    at Microsoft.Identity.Client.Internal.Requests.ClientCredentialRequest.FetchNewAccessTokenAsync(CancellationToken cancellationToken)
                    at Microsoft.Identity.Client.Internal.Requests.ClientCredentialRequest.ExecuteAsync(CancellationToken cancellationToken)
                    at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)
                    at Microsoft.Identity.Client.ApiConfig.Executors.ConfidentialClientExecutor.ExecuteAsync(AcquireTokenCommonParameters commonParameters,
                 AcquireTokenForClientParameters clientParameters, CancellationToken cancellationToken)
                    at Azure.Identity.AbstractAcquireTokenParameterBuilderExtensions.ExecuteAsync[T](AbstractAcquireTokenParameterBuilder`1 builder, Boolean async,
                 CancellationToken cancellationToken)
                    at Azure.Identity.MsalConfidentialClient.AcquireTokenForClientCoreAsync(String[] scopes, String tenantId, Boolean async, CancellationToken
                 cancellationToken)
                    at Azure.Identity.MsalConfidentialClient.AcquireTokenForClientAsync(String[] scopes, String tenantId, Boolean async, CancellationToken
                 cancellationToken)
                    at Azure.Identity.ClientCertificateCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
Exception      : Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException
InvocationInfo : {Connect-AzAccount}
Line           : Connect-AzAccount -CertificateThumbprint $Thumbprint -ApplicationId $ApplicationId -TenantId $TenantId -ServicePrincipal
Position       : At C:\Users\T1-runemy\ps\test.ps1:15 char:1
                 + Connect-AzAccount -CertificateThumbprint $Thumbprint -ApplicationId $ …
                 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
HistoryId      : 2



DEBUG: 8:56:24 AM - [ConfigManager] Got nothing from [DisplayRegionIdentified], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: AzureQoSEvent:  Module: Az.Accounts:2.12.5; CommandName: Resolve-AzError; PSVersion: 7.2.8; IsSuccess: True; Duration: 00:00:01.0279617
DEBUG: 8:56:24 AM - [ConfigManager] Got [True] from [EnableDataCollection], Module = [], Cmdlet = [].
DEBUG: 8:56:24 AM - ResolveError end processing.

PS C:\Users\T1-runemy\ps>
@runemy runemy added bug This issue requires a change to an existing behavior in the product in order to be resolved. needs-triage This is a new issue that needs to be triaged to the appropriate team. labels Aug 3, 2023
@ghost ghost added customer-reported and removed needs-triage This is a new issue that needs to be triaged to the appropriate team. labels Aug 3, 2023
runemy (Author) commented Aug 3, 2023

I use tenant-id to connect, not tenant-name

isra-fel (Member) commented Aug 5, 2023

@msJinLei please take a look. Thanks.
It was a WindowsCryptographicException and the message was "Keyset does not exist".

isra-fel (Member) commented Sep 6, 2023

@msJinLei did you get any chance to look into this?

@msJinLei msJinLei self-assigned this Oct 9, 2023
msJinLei (Contributor) commented Oct 9, 2023

@runemy To log in with a thumbprint, you should first ensure the certificate is installed on your local machine.

Try the following to see whether the certificate is installed:

Get-ChildItem -Path 'cert:\LocalMachine\My' | Where-Object { $_.Thumbprint -eq '984E459FF99D87FD97AFC46DCDCBCB90E0B7FCD5' } | Select Thumbprint,Subject,NotAfter,FriendlyName 

@msJinLei msJinLei added the needs-author-feedback More information is needed from author to address the issue. label Oct 9, 2023
@microsoft-github-policy-service microsoft-github-policy-service bot added the no-recent-activity There has been no recent activity on this issue. label Oct 16, 2023
lesca commented Oct 28, 2023

@runemy To log in with a thumbprint, you should first ensure the certificate is installed on your local machine.

Try the following to see whether the certificate is installed:

Get-ChildItem -Path 'cert:\LocalMachine\My' | Where-Object { $_.Thumbprint -eq '984E459FF99D87FD97AFC46DCDCBCB90E0B7FCD5' } | Select Thumbprint,Subject,NotAfter,FriendlyName 

The certificate must be located in "LocalMachine" and be removed from "CurrentUser" for this to work.
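As an added diagnostic for the checks in msJinLei's and lesca's comments above (my script, not from the issue or from Az.Accounts): it looks the thumbprint up in both personal stores, then opens and uses the private key the way the stack trace in the issue shows MSAL doing, so a missing or unreadable key container, which is what "Keyset does not exist" (NTE_BAD_KEYSET) reports, is surfaced directly instead of behind Connect-AzAccount's wrapped error. It assumes a Windows host and takes the same thumbprint you pass to -CertificateThumbprint.

```powershell
function Test-SpnCertificate {
    [CmdletBinding()]
    param(
        # Assumption: the same value you pass to Connect-AzAccount -CertificateThumbprint.
        [Parameter(Mandatory)]
        [string]$Thumbprint
    )

    # Normalise: drop spaces/colons that often come along when copying from the portal.
    $Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    foreach ($store in 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My') {
        $cert = Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Thumbprint -eq $Thumbprint } |
            Select-Object -First 1

        $result = [ordered]@{
            Store         = $store
            Found         = [bool]$cert
            Subject       = $null
            NotAfter      = $null
            Expired       = $null
            HasPrivateKey = $null
            KeyState      = 'certificate not present in this store'
        }

        if ($cert) {
            $result.Subject       = $cert.Subject
            $result.NotAfter      = $cert.NotAfter
            $result.Expired       = ($cert.NotAfter -lt (Get-Date))
            $result.HasPrivateKey = $cert.HasPrivateKey
            $result.KeyState      = 'no private key attached to this certificate'

            if ($cert.HasPrivateKey) {
                try {
                    # The call at the top of the "Keyset does not exist" stack trace.
                    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)

                    # Use the key the way MSAL does (it signs the client-assertion JWT),
                    # so permission problems that only show up on use are caught as well.
                    $probe = [System.Text.Encoding]::UTF8.GetBytes('spn-key-probe')
                    [void]$rsa.SignData($probe,
                        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
                        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)

                    $result.KeyState = "private key usable ($($rsa.GetType().Name), $($rsa.KeySize)-bit)"
                }
                catch {
                    # "Keyset does not exist" means the key container behind this
                    # certificate is missing or not readable by the current account;
                    # "Access is denied" points at the private key file's ACL.
                    $result.KeyState = "private key NOT usable: $($_.Exception.GetBaseException().Message)"
                }
            }
        }

        [pscustomobject]$result
    }
}

# Usage, with the thumbprint from the comment above:
Test-SpnCertificate -Thumbprint '984E459FF99D87FD97AFC46DCDCBCB90E0B7FCD5' | Format-List
```

Run it in the same PowerShell edition and under the same account that runs Connect-AzAccount, since the LocalMachine key ACL and the CurrentUser store both depend on who is asking.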

@microsoft-github-policy-service microsoft-github-policy-service bot removed the no-recent-activity There has been no recent activity on this issue. label Oct 28, 2023
@microsoft-github-policy-service microsoft-github-policy-service bot added the no-recent-activity There has been no recent activity on this issue. label Nov 5, 2023
robinmalik (Contributor) commented Nov 6, 2023

Hi, I'm hitting what I think is a similar issue. I have a wrapper/proxy/helper function that attempts to connect to the Graph API (via Connect-MgGraph) and ARM (via Connect-AzAccount). This function works fine from the command line when executing as myself, using a certificate in the Local Computer > Personal certificate store, using PowerShell without elevation (though my user account is a local administrator), and with elevation.

Edit: Removed text, as I think I've narrowed this down to PowerShell 5.1. When running under PowerShell 7.3.9 it works, but 5.1 errors with:

Connect-AzAccount : Entry point was not found.
Could not find tenant id for provided tenant domain 'REMOVED'. Please ensure that the provided service principal 'REMOVED' is found in the provided tenant domain.

PSVersionTable:

Name                           Value
----                           -----
PSVersion                      5.1.22621.2552
PSEdition                      Desktop
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       
BuildVersion                   10.0.22621.2552                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       
CLRVersion                     4.0.30319.42000                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       
WSManStackVersion              3.0                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       
PSRemotingProtocolVersion      2.3                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       
SerializationVersion           1.1.0.1    
  • Az.Accounts 2.13.1

Any ideas? Thank you.

@microsoft-github-policy-service microsoft-github-policy-service bot removed the no-recent-activity There has been no recent activity on this issue. label Nov 6, 2023
@microsoft-github-policy-service microsoft-github-policy-service bot added the no-recent-activity There has been no recent activity on this issue. label Nov 13, 2023
@robinmalik (Contributor)

This impacts multiple users across Windows 10, Windows 11 and Windows Server 2022. PowerShell 5.1 will not connect, but PowerShell 7+ works.

@microsoft-github-policy-service microsoft-github-policy-service bot removed the no-recent-activity There has been no recent activity on this issue. label Nov 14, 2023
@isra-fel (Member)

Could not find tenant id for provided tenant domain 'REMOVED'. Please ensure that the provided service principal 'REMOVED' is found in the provided tenant domain.

I think this error message was from the query-tenant-id-by-domain-name feature. @msJinLei please take a look.

Also @robinmalik if you know the ID of the tenant (directory) we'd suggest connecting with -TenantId instead of -Domain.

@robinmalik (Contributor)

@isra-fel Thanks for the reply. Just to confirm that we're only using the tenant id, and not the domain name.

@microsoft-github-policy-service microsoft-github-policy-service bot added the no-recent-activity There has been no recent activity on this issue. label Nov 22, 2023
@robinmalik (Contributor)

This bot needs looking at. It's commenting this across a range of issues when the onus isn't on the people with the issue to reply (again).

@robinmalik (Contributor)

Related: #21952 and #21398

@ay-azara commented Dec 1, 2023

Getting the same error as Robin on PSv5. Certificate is installed systemwide, TenantId being passed, with a service principal that is already used elsewhere. As far as I can tell the only difference between working and non-working code is that I'm on Az.Accounts v2.13.2.

As an aside, the error message doesn't make sense if you're using a GUID to connect.

Could not find tenant id for provided tenant domain '<guid redacted>'. Please ensure that the provided service principal 
'<thumbprint redacted>' is found in the provided tenant domain.

@ay-azara commented Dec 7, 2023

Confirmed that the "Entrypoint not found" error goes away by downgrading Az.Accounts to version 2.10.2 which narrows down the culprit release to one of the 13 released between 2.10.2 and 2.13.2.

@microsoft-github-policy-service microsoft-github-policy-service bot added the no-recent-activity There has been no recent activity on this issue. label Dec 14, 2023
@robinmalik (Contributor)

Comment because of bot.

@microsoft-github-policy-service microsoft-github-policy-service bot removed the no-recent-activity There has been no recent activity on this issue. label Dec 15, 2023
@microsoft-github-policy-service microsoft-github-policy-service bot added the no-recent-activity There has been no recent activity on this issue. label Dec 22, 2023
@ay-azara commented Jan 8, 2024

What needs done to fix this? Do I need to identify the exact release the issue occurred? It's fine if you need more information to help but radio silence and having the bot close this is not helpful.

@microsoft-github-policy-service microsoft-github-policy-service bot removed the no-recent-activity There has been no recent activity on this issue. label Jan 8, 2024
@Jeff-Jerousek

Why does this keep getting closed when there is no resolution?

@Makzemann

Issue persists

@Jeff-Jerousek

@Makzemann Agreed, I've had to downgrade several modules to maintain functionality. It seems the bug was introduced around October 2022, so everything released before then continues to work.

@ay-azara commented Jun 13, 2024

Ran into this error again on Az.Accounts v2.17.0 and gained some new insights.

NOTE: I'm describing an instance of the 'Keyset' error, not the 'Entrypoint' error which may or may not be fixed.

The Error

ClientCertificateCredential authentication failed: Keyset does not exist.
Could not find tenant id for provided tenant domain 'redacted'.
Please ensure 'redacted' is found in the provided tenant domain.

Insights:

  • Only the SYSTEM account and Administrators group have permissions on LocalMachine certificates with private keys.
  • The ability to find the certificate using the Powershell cert:/ provider does not mean the user has access to the private key of the certificate.

Based on that, you can try one of the following to fix the issue:

  • Install the certificate to the Personal Store of the user
  • Make the user an admin
  • Assign the user permissions to the certificate by opening MMC, adding the Certificates snap-in, right clicking on the certificate, selecting -> All Tasks -> Manage Private Keys, and assigning the user. Then restart the service the user is running or log out and back in with it. Hopefully you'll be able to see it.
    • Haven't had time to test extensively but including it in case it helps someone else

This script tries to determine your access level to the certificate by checking if the private key exists and whether the private key property returns an object or null back.

$Thumbprint = 'thumbprint_here'

# Search every store of the current user and the machine. A hit here only
# proves the certificate is visible, not that its private key can be opened.
$Certificate = Get-ChildItem 'cert:\' -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.Thumbprint -eq $Thumbprint } |
    Select-Object -First 1

# Test programmatic access to the private key. On Windows PowerShell 5.1 the
# legacy PrivateKey property is null for CNG-stored keys even when access is
# fine, so the key is opened through GetRSAPrivateKey (handles CSP and CNG);
# a key the caller cannot open throws a CryptographicException such as
# "Keyset does not exist".
if ($Certificate) {
    if (-not $Certificate.HasPrivateKey) {
        Write-Host "Certificate found, but it carries no private key."
    } else {
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
            if ($null -eq $rsa) {
                Write-Host "This user does not have permissions to the private key (or it is not an RSA key)."
            } else {
                Write-Host "This user has permissions to the private key ($($rsa.GetType().Name), $($rsa.KeySize)-bit)."
                $rsa.Dispose()
            }
        } catch {
            Write-Host "This user does not have permissions to the private key: $($_.Exception.GetBaseException().Message)"
        }
    }
} else {
    Write-Host "Could not find cert with thumbprint '$Thumbprint'"
}
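
The "Manage Private Keys" step from the comment above, scripted. This is an added example, not code from the issue thread or from the Az modules. It assumes the certificate sits in Cert:\LocalMachine\My with an RSA private key, that it runs from an elevated prompt (only SYSTEM and Administrators can open machine keys by default), and that $Thumbprint and $Account are placeholders for your own values:

```powershell
# Scripted equivalent of MMC -> Certificates -> All Tasks -> Manage Private Keys.
# Locates the on-disk key file behind a LocalMachine certificate and grants one
# account Read on it (sufficient to sign) instead of adding that account to
# Administrators. Run elevated. Placeholder values below are hypothetical.
$Thumbprint = 'thumbprint_here'
$Account    = 'NT SERVICE\MyScheduledTask'   # or a domain service account such as 'CONTOSO\svc-azure'

$cert = Get-ChildItem 'Cert:\LocalMachine\My' |
    Where-Object { $_.Thumbprint -eq $Thumbprint } |
    Select-Object -First 1
if (-not $cert) { throw "Certificate '$Thumbprint' not found in Cert:\LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate '$Thumbprint' has no private key" }

# Open the key as the elevated caller. Works for CSP and CNG keys; RSA only.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($null -eq $rsa) { throw "Private key is not RSA or could not be opened" }

# Machine keys are files named after the key's unique name; CSP and CNG keys
# live in different directories under %ProgramData%.
if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $uniqueName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    $keyRoot    = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
} elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
    $uniqueName = $rsa.Key.UniqueName
    $keyRoot    = Join-Path $env:ProgramData 'Microsoft\Crypto\Keys'
} else {
    throw "Unsupported key implementation: $($rsa.GetType().FullName)"
}
$rsa.Dispose()

$keyFile = Join-Path $keyRoot $uniqueName
if (-not (Test-Path -LiteralPath $keyFile)) {
    throw "Key file '$keyFile' not found; the key may live in a TPM/smart card rather than a file"
}

# Show the existing ACL so the change is reviewable, then add a Read ACE.
# Read is all a signing client needs; do not grant FullControl here.
$acl = Get-Acl -LiteralPath $keyFile
$acl.Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize

$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Account,
    [System.Security.AccessControl.FileSystemRights]::Read,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $keyFile -AclObject $acl
Write-Host "Granted Read on '$keyFile' to '$Account'."
```

After the grant, restart the service or scheduled task (or sign the account out and back in) so it picks up the new access token before retrying Connect-AzAccount. Granting Read on the key file rather than adding the account to Administrators keeps the blast radius of that service account to the one key it actually needs.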

@Titus1024

[quotes ay-azara's comment of Jun 13, 2024 in full]

This fixed the issue for me. I had to update the private key permissions.

9 participants