Azure ClientCertificateCredential - Using SNI

AhmadMasalha
October 8, 2023
288 views
0 votes
2 Answers

I’m trying to authenticate to an Azure AD Application using ClientCertificateCredential (in C#):

using Azure.Identity;
var credential = new ClientCertificateCredential("TenantId", "AppId", @"pathtocert.pfx");

on the application, I had configured the certificate’s SNI as a trusted certificated:

"trustedCertificateSubjects": [
    {
        "authorityId": "auth id ...",
        "subjectName": "cert subject name",
        "revokedCertificateIdentifiers": []
    }
]

I had validated that all the values and configurations. Yet, I keep encountering the following error:

Azure.Identity.AuthenticationFailedException
HResult=0x80131500
Message=ClientCertificateCredential authentication failed: A configuration issue is preventing authentication – check the error message from the server for details. You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details. Original exception: AADSTS700027: The certificate with identifier used to sign the client assertion is not registered on application. [Reason – The key was not found., Thumbprint of key used by client: ‘<the correct current thumbprint>’, Please visit the Azure Portal, Graph Explorer or directly use MS Graph to see configured keys for app Id ‘<app Id>’. Review the documentation at https://docs.microsoft.com/en-us/graph/deployments to determine the corresponding service endpoint and https://docs.microsoft.com/en-us/graph/api/application-get?view=graph-rest-1.0&tabs=http to build a query request URL, such as ‘https://graph.microsoft.com/beta/applications/<App Id>’]. Alternatively, SNI may be configured on the app. Please ensure that client assertion is being sent with the x5c claim in the JWT header using MSAL’s WithSendX5C() method so that Azure Active Directory can validate the certificate being used.

I have checked all the provided links as well as other documents, none were helpful in resolving this issue. Any insights or direction to resolve this issue?

Tags: azure azure-active-directory c#certificate

Answers

Chosen as BEST ANSWER
- AhmadMasalha
- October 8, 2023 at 1:41 pm
- 0 votes
0
Found the solution: [FEATURE REQ] DefaultAzureCredential should send x5c claim for app authentication

Code Example (which worked successfully for me):
```
var options = new ClientCertificateCredentialOptions()
{
    SendCertificateChain = true,
};
var creds = new ClientCertificateCredential(tenantId, clientId, certPath, options);
```

(Edit)

- Rukmini
- October 5, 2023 at 11:24 am
- 0 votes
0
The error usually occurs, if the .cer certificate is not uploaded in the Azure AD Application Certificates and Secrets blade or if the .pfx cert is not present in the machine where the code is running.

I got the same error, when I dint upload any certificate in the Azure AD Application Certificates and Secrets blade:

Hence to resolve the error, upload the .cer certificate in the Certificates and Secrets blade:

Manifest looks like below:

Make sure that the .pfx certificate exists in the machine where the code is running:

Now for sample, I used the below code to generate the access token to authenticate the application:
```
using Azure.Core;
using Azure.Identity;
using System;
using System.Security.Cryptography.X509Certificates;

class Program
{
    static void Main(string[] args)
    {
        // Define the parameters for the ClientCertificateCredential
        string tenantId = "TenantID";
        string clientId = "ClientID";
        string certificatePath = @"C:UsersrukminiDownloadsAzureADCert.pfx";
        string certificatePassword = "****";

        // Load the certificate from the specified path and password
        X509Certificate2 certificate = new X509Certificate2(certificatePath, certificatePassword);

        // Create the ClientCertificateCredential
        ClientCertificateCredential credential = new ClientCertificateCredential(tenantId, clientId, certificate);

        //Obtain an access token to authenticate to the Azure AD application
        AccessToken token = credential.GetTokenAsync(new Azure.Core.TokenRequestContext(new[] { "https://graph.microsoft.com/.default" })).Result;

        // Print the access token
        Console.WriteLine(token.Token);
    }
}
```
Access token generated successfully:
Login or Signup to reply.

Please signup or login to give your own answer.

Click here to cancel reply.

Azure ClientCertificateCredential – Using SNI

Answers