AzureAD / MSAL.PS

MIT License

Get-MsalToken with Client Certificate fails on Windows PowerShell 5.1 #15

Closed darrenjrobinson closed 3 years ago

darrenjrobinson commented 4 years ago

The following syntax for Get-MSALToken on PowerShell 7.0.3 successfully returns an Access Token.

Get-MsalToken -ClientId $clientID -TenantId $tenantID -ClientCertificate $ClientCertificate

However, it fails on Windows PowerShell 5.1 (using MSAL.PS v4.16.0.2). I've also tested previous versions of the MSAL.PS module (4.9.0.1, 4.10.0.2 and 4.14.0.1) and the same error is returned. The error returned is:

Invalid provider type specified.

At line:6 char:18
+ ... cessToken = Get-MsalToken -ClientId $clientID -TenantId $tenantID -Cl ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : AuthenticationError: (Microsoft.Ident...arameterBuilder:AcquireTokenForClientParameterBuilder) [Write-Error], CryptographicException
    + FullyQualifiedErrorId : GetMsalTokenFailureAuthenticationError,Get-MsalToken

Platform info

PS C:\Users\darrenjrobinson> $psversiontable

Name                           Value
----                           -----
PSVersion                      5.1.19041.1
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.19041.1
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

jazuntee commented 4 years ago

@darrenjrobinson That command works for me. What is the object type of the certificate variable you are providing?

PS C:\Users\jason> $ClientCertificate = (Get-ChildItem 'Cert:\CurrentUser\My\38E962BBCA768BA52EE9A997A1FEA32A811BD911') 
PS C:\Users\jason> $ClientCertificate.GetType()

IsPublic IsSerial Name                                     BaseType
-------- -------- ----                                     --------
True     True     X509Certificate2                         System.Security.Cryptography.X509Certificates.X509Certifi...

darrenjrobinson commented 4 years ago

It works for me in PowerShell 7.x but fails on Windows PowerShell 5.1 @jasoth. The object type of the cert is the same as yours.

[screenshot]

jazuntee commented 4 years ago

The exception is occurring in the MSAL.NET library so the module is returning the inner exception as the error. Could it be a permission issue to the private key? https://stackoverflow.com/questions/22581811/invalid-provider-type-specified-cryptographicexception-when-trying-to-load-pri

darrenjrobinson commented 4 years ago

Interesting. If it was a permissions issue though, I'd expect it to fail regardless of PS version, as it is being used under the context of the same user in both v5.1 and v7. The same error is thrown under administrative and user contexts (but only in PS v5.1). Here it is working in PS7 (administrative context).

[screenshot]

jazuntee commented 3 years ago

@darrenjrobinson are you still having an issue with this? It appears to be some difference between how the certificate providers work on each platform, so there probably isn't much I can do to help. I have not been able to reproduce the issue myself either. Let me know if you can help me repro. Otherwise, I will close this out.

darrenjrobinson commented 3 years ago

@jasoth yes still having the issue. Have just updated to the latest MSAL.PS (4.21.0.1) module in WinPS5.1x and am getting the same error.

jazuntee commented 3 years ago

@darrenjrobinson Are you able to reproduce this with another certificate? Could you provide the steps used to get the certificate so I can attempt to repro as well?

darrenjrobinson commented 3 years ago

Hey @jasoth,

I've gone through it to reproduce it again, following the same process I detailed in the MSAL.PS with Certificates blog post from a few months back here.

Generate Certificate

[screenshot]

Export the Certificate

[screenshot]

Convert the Certificate for upload to AAD

[screenshot]

Upload to AAD App

[screenshots]

Using the Cert for AuthN to the AAD App with PowerShell 7.0.3

[screenshot]

Using the Cert for AuthN to the AAD App with Windows PowerShell 5.1

Interestingly, I hadn't seen this particular expanded error message previously.

[screenshot]

Here is the PSVersionTable from the error session above:

[screenshot]

And the module version:

[screenshot]

SLeuthold commented 3 years ago

Following this thread! I'm getting the same issue.

giani09 commented 3 years ago

same here :(

YuriySamorodov commented 3 years ago

Same =(

tehKNi commented 3 years ago

Yeh, same. Following :-)

jazuntee commented 3 years ago

Thank you @darrenjrobinson for the step by step. Sorry for the delay. I was able to reproduce when I created the certificate using the command in your screenshot.

Based on the error message, I added -KeySpec Signature to the New-SelfSignedCertificate command when generating the certificate. That fixed the issue for me. That should technically be included on the cert anyway so it can be used to sign the JWT.
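As an added example (not code from the MSAL.PS project or from anyone in this thread), the following Windows PowerShell 5.1 snippet creates a certificate with -KeySpec Signature as described in the comment above and, before calling Get-MsalToken, checks that the private key is reachable through the legacy CryptoAPI path that .NET Framework's X509Certificate2.PrivateKey property uses, which is where the "Invalid provider type specified" CryptographicException is raised. The subject name, client ID and tenant ID are placeholders; the MSAL.PS module is assumed to be installed.

```powershell
# Added example, not part of the MSAL.PS project.
# Assumes Windows PowerShell 5.1 (.NET Framework) and the MSAL.PS module.
$subject  = 'CN=MsalPsDemo'               # placeholder subject name
$clientId = '<application-client-id>'     # placeholder
$tenantId = '<tenant-id>'                 # placeholder

# -KeySpec Signature (the fix from this thread) marks the key as an AT_SIGNATURE key,
# which keeps it reachable through the legacy CryptoAPI path used by .NET Framework.
$cert = New-SelfSignedCertificate -Subject $subject `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeySpec Signature -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(1)

function Test-MsalClientCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    if (-not $Certificate.HasPrivateKey) {
        return [pscustomobject]@{ Thumbprint = $Certificate.Thumbprint; Usable = $false; Reason = 'no private key' }
    }
    try {
        # On .NET Framework this property goes through CryptoAPI and throws
        # 'Invalid provider type specified' for keys that are CNG-only.
        $legacyKey = $Certificate.PrivateKey
        [pscustomobject]@{
            Thumbprint = $Certificate.Thumbprint
            Usable     = $true
            Reason     = "CryptoAPI-compatible key, KeyNumber=$($legacyKey.CspKeyContainerInfo.KeyNumber)"
        }
    } catch {
        [pscustomobject]@{
            Thumbprint = $Certificate.Thumbprint
            Usable     = $false
            Reason     = $_.Exception.GetBaseException().Message
        }
    }
}

$check = Test-MsalClientCertificate -Certificate $cert
$check | Format-List

if ($check.Usable) {
    $token = Get-MsalToken -ClientId $clientId -TenantId $tenantId -ClientCertificate $cert
    $token | Select-Object TokenType, ExpiresOn
} else {
    Write-Warning "Certificate $($cert.Thumbprint) cannot be used from Windows PowerShell 5.1: $($check.Reason)"
}
```

Running Test-MsalClientCertificate against an existing certificate is a quick way to tell whether it was created without a KeySpec: a "Usable = False" result with the "Invalid provider type specified" reason means the certificate has to be regenerated with -KeySpec Signature before it will work from Windows PowerShell 5.1, while PowerShell 7 on .NET Core is unaffected because it does not use the legacy property.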

DennisBergemann commented 2 years ago

I am late to the party, but as a special mention for followers or people that come into the same issue as yours.

The certificate above is located under LocalMachine, so make sure you start your script/app with rights to access the local machine store; otherwise use it in the user store.

krzydoug commented 2 years ago

> Based on the error message, I added -KeySpec Signature to the New-SelfSignedCertificate command when generating the certificate. That fixed the issue for me. That should technically be included on the cert anyway so it can be used to sign the JWT.

So our existing cert just won't work in 5.1?

JManDoo commented 2 years ago

> I am late to the party, but as a special mention for followers or people that come into the same issue as yours.
>
> The certificate above is located under LocalMachine, so make sure you start your script/app with rights to access the local machine store; otherwise use it in the user store.

[screenshot]

@krzydoug Here is what solved it for me, thanks @DennisBergemann: adding the user/service account to access the private key of the certificate.
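For the LocalMachine case raised in the two comments above, here is an added diagnostic (not code from the MSAL.PS project or from anyone in this thread) that looks up the certificate by thumbprint, attempts a test signature with its private key (the same access MSAL needs to sign the client-assertion JWT) and, when the key can be opened, lists the ACL on the key file so you can see which account is missing. The thumbprint is a placeholder; the key is assumed to live in one of the Microsoft software providers, whose key files sit under the two standard directories below %ProgramData%\Microsoft\Crypto.

```powershell
# Added example, not part of the MSAL.PS project.
# Assumes Windows PowerShell 5.1 on .NET Framework 4.6 or later.
$thumbprint = '<thumbprint-of-client-certificate>'   # placeholder

function Test-PrivateKeyAccess {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [string]$StoreLocation = 'LocalMachine'        # the store used in this thread
    )
    $cert = Get-ChildItem "Cert:\$StoreLocation\My\$Thumbprint" -ErrorAction Stop
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal $identity
    $elevated = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

    $result = [ordered]@{
        RunningAs  = $identity.Name
        Elevated   = $elevated
        CanSign    = $false
        KeyFile    = $null
        KeyFileAcl = $null
        Error      = $null
    }
    try {
        # GetRSAPrivateKey works for both CryptoAPI and CNG keys. Opening the key is where
        # an account without permission on the machine key fails.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)

        # The key file name depends on the provider type; both live under %ProgramData%\Microsoft\Crypto.
        $uniqueName = if ($rsa -is [System.Security.Cryptography.RSACng]) { $rsa.Key.UniqueName } else { $rsa.CspKeyContainerInfo.UniqueKeyContainerName }
        $candidates = @(
            "$env:ProgramData\Microsoft\Crypto\Keys\$uniqueName",
            "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys\$uniqueName"
        )
        $result.KeyFile = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
        if ($result.KeyFile) {
            $result.KeyFileAcl = (Get-Acl $result.KeyFile).Access |
                Select-Object IdentityReference, FileSystemRights, AccessControlType
        }

        # A signing attempt exercises the same access MSAL needs for the client assertion.
        $data = [System.Text.Encoding]::UTF8.GetBytes('probe')   # constructed test input
        $sig  = $rsa.SignData($data,
                    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
                    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
        $result.CanSign = ($sig.Length -gt 0)
    } catch {
        $result.Error = $_.Exception.GetBaseException().Message
    }
    [pscustomobject]$result
}

$report = Test-PrivateKeyAccess -Thumbprint $thumbprint
$report | Format-List
$report.KeyFileAcl | Format-Table -AutoSize
```

If the report shows Elevated = False together with an access error, rerun it from an elevated prompt: the ACL will then be visible, and the account that will actually run the script (a service account, a scheduled task identity, or the unelevated user) should be granted read access to the private key rather than running everything as an administrator.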

iamkl00t commented 1 year ago

> I am late to the party, but as a special mention for followers or people that come into the same issue as yours.
>
> The certificate above is located under LocalMachine, so make sure you start your script/app with rights to access the local machine store; otherwise use it in the user store.

Thank you - this was exactly my problem - just needed to run powershell as admin 🤦🏻‍♂️