Closed darrenjrobinson closed 3 years ago
@darrenjrobinson That command works for me. What is the object type of the certificate variable you are providing?
PS C:\Users\jason> $ClientCertificate = (Get-ChildItem 'Cert:\CurrentUser\My\38E962BBCA768BA52EE9A997A1FEA32A811BD911')
PS C:\Users\jason> $ClientCertificate.GetType()
IsPublic IsSerial Name BaseType
-------- -------- ---- --------
True True X509Certificate2 System.Security.Cryptography.X509Certificates.X509Certifi...
It works for me in PowerShell 7.x but fails on Windows PowerShell 5.1. @jasoth The ObjectType of the cert is the same as yours.
The exception is occurring in the MSAL.NET library so the module is returning the inner exception as the error. Could it be a permission issue to the private key? https://stackoverflow.com/questions/22581811/invalid-provider-type-specified-cryptographicexception-when-trying-to-load-pri
Interesting. If it was a permissions issue though, I'd expect it to fail regardless of PS version, as it is being used under the context of the same user in both v5.1 and v7. The same error is thrown under Administrative and User contexts (but only in PS v5.1). Here it is working in PS7 (Administrative context).
@darrenjrobinson Are you still having an issue with this? It appears to be some difference between how the certificate providers work on each platform, so there probably isn't much I can do to help. I have not been able to reproduce the issue myself either. Let me know if you can help me repro. Otherwise, I will close this out.
@jasoth yes still having the issue. Have just updated to the latest MSAL.PS (4.21.0.1) module in WinPS5.1x and am getting the same error.
@darrenjrobinson Are you able to reproduce this with another certificate? Could you provide the steps used to get the certificate so I can attempt to repro as well?
Hey @jasoth ,
I've gone through to reproduce it again. Following the same process I detailed in the MSAL.PS with Certificates blogpost from a few months back here
Interestingly I hadn't seen this particular expanded error message previously.
Here is the PSVersionTable from the error session above
And Module Version
Following this thread! I'm getting the same issue.
same here :(
Same =(
Yeh, same. Following :-)
Thank you @darrenjrobinson for the step by step. Sorry for the delay. I was able to reproduce when I created the certificate using the command in your screenshot.
Based on the error message, I added -KeySpec Signature to the New-SelfSignedCertificate command when generating the certificate. That fixed the issue for me. That should technically be included on the cert anyway so it can be used to sign the JWT.
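Putting the fixes from this thread together, as an added example (not code from the MSAL.PS project or from any commenter here): generate the certificate with -KeySpec Signature in the CurrentUser store, confirm the private key is actually usable by the current account, and only then call Get-MsalToken. $tenantId and $clientId are placeholders, and the comment about the legacy PrivateKey property and CAPI providers is an assumption about why -KeySpec helps, not something the thread states.

```powershell
# Added example, not code from MSAL.PS or from anyone in this thread.
# $tenantId / $clientId are placeholders for your own app registration values.
$tenantId = '00000000-0000-0000-0000-000000000000'   # placeholder
$clientId = '00000000-0000-0000-0000-000000000000'   # placeholder

# -KeySpec Signature is the fix from the thread. CurrentUser\My avoids the
# LocalMachine store, which needs elevated rights to read the private key.
$cert = New-SelfSignedCertificate -Subject 'CN=MSAL.PS client (example)' `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeySpec Signature `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(1)

function Test-ClientCertificateUsable {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    if (-not $Certificate.HasPrivateKey) {
        Write-Warning "$($Certificate.Thumbprint): no private key in this store."
        return $false
    }
    try {
        if ($PSVersionTable.PSVersion.Major -le 5) {
            # Windows PowerShell runs on .NET Framework, where the legacy PrivateKey
            # property throws 'Invalid provider type specified' when the key was not
            # created for a CAPI provider (assumption: this is why -KeySpec helps).
            $null = $Certificate.PrivateKey
        }
        # Get-MsalToken signs a JWT client assertion with this key; signing here
        # surfaces a missing private-key ACL for the current account early.
        $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
        $data = [System.Text.Encoding]::UTF8.GetBytes('msal.ps key check')
        $sig  = $rsa.SignData($data,
            [System.Security.Cryptography.HashAlgorithmName]::SHA256,
            [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
        return ($sig.Length -gt 0)
    } catch {
        Write-Warning "Private key not usable by $($env:USERNAME): $($_.Exception.Message)"
        return $false
    }
}

if (Test-ClientCertificateUsable -Certificate $cert) {
    # Upload the public certificate (Export-Certificate) to the app registration first.
    $token = Get-MsalToken -ClientId $clientId -TenantId $tenantId -ClientCertificate $cert
    $token.AccessToken.Length   # a non-zero length confirms a token came back
}
```

If the check warns about the private key under a service account, grant that account read access to the key (the fix described further down in this thread) rather than running everything elevated.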
I am late to the party, but as a special mention for followers or people who come into the same issue as yours:
The certificate above is located under LocalMachine, so make sure you start your script/app with rights to access the local machine store; otherwise, use it in the user store.
So our existing cert just won't work in 5.1?
@krzydoug Here is what solved it for me, thanks @DennisBergemann: adding the user/service account to access the private key of the certificate.
Thank you - this was exactly my problem - just needed to run PowerShell as admin 🤦🏻♂️
The following syntax for Get-MSALToken on PowerShell 7.0.3 successfully returns an Access Token.
Get-MsalToken -ClientId $clientID -TenantId $tenantID -ClientCertificate $ClientCertificate
However, it fails on Windows PowerShell 5.1 (using MSAL.PS v4.16.0.2). I've also tested previous versions of the MSAL.PS module (4.9.0.1, 4.10.0.2 and 4.14.0.1) and the same error is returned. The error returned is:
Platform info