microsoft / MSCloudLoginAssistant

PowerShell Module Handling Authentication to Cloud Services
https://www.powershellgallery.com/packages/MSCloudLoginAssistant/
MIT License

[Workload Tasks] Certificates are only checked in CurrentUser store #161

Closed remyloy closed 1 year ago

remyloy commented 1 year ago

The function Connect-MSCloudLoginTasksWithCertificateThumbprint only checks the CurrentUser store for the certificate with the given thumbprint, but does not check the store of the local machine.

This is problematic for us, or makes things more complicated, when used with Microsoft365DSC and the O365OrganizationSettings resource as this requires the certificate to be installed in the certificate store of the LCM user / LocalSystem user.

It would simplify things for us if this function would use the local machine store, like the Microsoft Graph workload does, or if it would at least try both stores, if CurrentUser needs to be kept around for backwards compatibility.

andikrueger commented 1 year ago

In which scenario are you calling into Connect-MSCloudLoginTasksWithCertificateThumbprint while using Microsoft 365 DSC? Within M365DSC we use Connect-M365Tenant....

remyloy commented 1 year ago

My minimal repro is:

using module 'c:\microsoft365dsc\Modules\Microsoft365DSC\DSCResources\MSFT_O365OrgSettings\MSFT_O365OrgSettings.psm1'

# $AppId, $TenantName and $CertThumbprint are set beforehand (values omitted here)
$Params = @{
    IsSingleInstance      = 'Yes'
    ApplicationId         = $AppId
    TenantId              = $TenantName
    CertificateThumbprint = $CertThumbprint
}
MSFT_O365OrgSettings\Test-TargetResource @Params

And that snippet fails with

Get-Item : Cannot find path 'Cert:\CurrentUser\My\[...]' because it does not exist.
At C:\Program Files\WindowsPowerShell\Modules\MSCloudLoginAssistant\1.0.114\Workloads\Tasks.psm1:83 char:24
+ ... rtificate = Get-Item "Cert:\CurrentUser\My\$($Global:MSCloudLoginConn ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Cert:\CurrentUs[...]:String) [Get-Item], ItemNotFoundException
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemCommand

You cannot call a method on a null-valued expression.
At C:\Program Files\WindowsPowerShell\Modules\MSCloudLoginAssistant\1.0.114\Workloads\Tasks.psm1:86 char:9
+         $CertificateBase64Hash = [System.Convert]::ToBase64String($Ce ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

I changed the line locally in Tasks.psm1 from CurrentUser to LocalMachine and that worked, i.e. it picked up the certificate that was already installed there for the Microsoft Graph related stuff.

andikrueger commented 1 year ago

This looks like an issue specific to the Tasks Workload, which was recently introduced by: https://github.com/microsoft/MSCloudLoginAssistant/commit/0c030dfe0ef8ac99c471c642e31c9d926e813197

Within Microsoft Graph, there is a better implementation available:

https://github.com/microsoft/MSCloudLoginAssistant/blob/7c806ca06ebe1d0f855fefed6aa89a56be976388/Modules/MSCloudLoginAssistant/Workloads/MicrosoftGraph.psm1#L97-L115
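The lookup both comments above ask for, searching the CurrentUser store first and falling back to LocalMachine, as an added example. This is not MSCloudLoginAssistant's own code and not a copy of the linked MicrosoftGraph.psm1 implementation; the function name, parameter names and search order are assumptions. It assumes Windows PowerShell or PowerShell 7 on Windows, where the Cert: drive exists, and it fixes the two failure modes visible in the trace: a miss in one store no longer surfaces as an ItemNotFoundException, and a missing certificate produces one clear error instead of a null-method call on the next line.

```powershell
# Added example, not MSCloudLoginAssistant's own code. Function name,
# parameter names and the store search order are assumptions.
function Get-CertificateByThumbprint {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string] $Thumbprint,

        # Stores to search, in order. CurrentUser first keeps the existing
        # behaviour for interactive callers; LocalMachine covers the DSC LCM
        # running as LocalSystem.
        [ValidateSet('CurrentUser', 'LocalMachine')]
        [string[]] $StoreLocation = @('CurrentUser', 'LocalMachine')
    )

    # Normalise the thumbprint: drop spaces, colons and the invisible
    # characters that get pasted from certificate dialogs, then upper-case.
    $Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($Thumbprint.Length -ne 40) {
        throw "Thumbprint '$Thumbprint' is not a 40-character SHA-1 hex string."
    }

    foreach ($location in $StoreLocation) {
        $path = "Cert:\$location\My\$Thumbprint"
        # A miss in one store is expected, so it must not be an error;
        # this is what turns the original ItemNotFoundException into a fallback.
        $cert = Get-Item -Path $path -ErrorAction SilentlyContinue
        if ($null -eq $cert) {
            Write-Verbose "No certificate $Thumbprint in $location\My"
            continue
        }
        # A public-only certificate cannot sign the client assertion, so keep
        # looking rather than returning it.
        if (-not $cert.HasPrivateKey) {
            Write-Warning "Certificate $Thumbprint found in $location\My but has no private key; skipping."
            continue
        }
        if ($cert.NotAfter -lt (Get-Date)) {
            Write-Warning "Certificate $Thumbprint in $location\My expired on $($cert.NotAfter); skipping."
            continue
        }
        Write-Verbose "Using certificate $Thumbprint from $location\My"
        return $cert
    }

    # Fail once, naming every store searched, instead of letting the caller
    # hit a null-method error on the next line.
    throw "Certificate $Thumbprint with a private key was not found in the 'My' store of: $($StoreLocation -join ', ')."
}

# Usage (assumes $CertThumbprint is already set, as in the repro above):
# $cert = Get-CertificateByThumbprint -Thumbprint $CertThumbprint -Verbose
# $CertificateBase64Hash = [System.Convert]::ToBase64String($cert.GetCertHash())
```

One caveat for the LCM scenario: placing the certificate in Cert:\LocalMachine\My makes it visible to LocalSystem, but the private key has its own ACL. If the key was imported by an administrator without granting the service account read access, `HasPrivateKey` is still true and the lookup succeeds, yet signing fails later with an access-denied error; check the key permissions (for example via the certificate's "Manage Private Keys" dialog) when the store lookup passes but the connection does not.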