Closed yumoraby closed 5 years ago
Thank you for reporting this issue. We will be triaging your incoming issue as soon as possible.
The new AADL Auth setting added on May 14/15th 2019, when running the command on my machines, for some reason deletes the cert private key. The first run of the commandlet will connect to the Office 365 Tenant.
However, it will also remove the cert private key. Not sure why this is happening; I had this with my colleague and he was getting the same error when connecting to the North America data centre. However, when connecting to the Canada data centre the private key is not removed, and we can continue to connect without any issue.
Connecting with Connect-AzureAD and the same setup for Thumbprints do not delete the cert key.
Looked at the source code and I think in the InitiateAzureAdAppOnlyConnectionWithCert() there is a call to a function CleanupCryptoMachineKey() that cleans up the private key, this would need an update. Is this call mandatory?
Following up if there's any ETA on the fix? Thanks in advance.
@alzia this code was added as each connect would generate a new private key file, thus filling up space - which was reported as an issue. Cleanup happens after the token has been retrieved, so not sure what issue this causes.
Can you explain a bit more how to repro?
@wobba - thanks for your response. Running the Connect-PnP command with AADL settings removes the private key of the certificate. The first time we run the command, the connection is established smoothly without any issues; however, the second time we run the same command that connected previously with no issues, it throws an exception that a KeySet doesn't exist.
Please see the screen grabs below:
We are updating our modules so it can support MFA and require the AADL setting, previously running Connect-PnP with credentials multiple times in a session did not throw the KeySet exception.
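Added example (not from the PnP PowerShell project or any participant in this thread): a PowerShell probe that exercises the certificate's private key before and after Connect-PnPOnline, so the "Keyset does not exist" condition described above is detected immediately rather than on the next connect. The thumbprint, tenant, client id and URL are placeholders, and the Connect-PnPOnline parameter set is assumed from the thumbprint-based connection discussed in this thread.

```powershell
# Added example: verify the cert private key is still usable around a connect.
# Placeholder values; replace with your own tenant details.
param(
    [string]$Thumbprint = '<thumbprint>',
    [string]$ClientId   = '<app-id>',
    [string]$Tenant     = '<tenant>.onmicrosoft.com',
    [string]$Url        = 'https://<tenant>.sharepoint.com'
)

function Test-PrivateKeyUsable {
    param([string]$Thumbprint)
    # Look in both user and machine personal stores.
    $cert = Get-ChildItem -Path Cert:\CurrentUser\My, Cert:\LocalMachine\My |
        Where-Object Thumbprint -eq $Thumbprint | Select-Object -First 1
    if (-not $cert) { return 'certificate not found' }
    if (-not $cert.HasPrivateKey) { return 'no private key associated' }
    try {
        # HasPrivateKey only says a key is linked; actually sign something so a
        # deleted key container surfaces as a CryptographicException.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        $data = [System.Text.Encoding]::UTF8.GetBytes('keyset probe')
        $null = $rsa.SignData($data,
            [System.Security.Cryptography.HashAlgorithmName]::SHA256,
            [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
        return 'usable'
    } catch [System.Security.Cryptography.CryptographicException] {
        return "unusable: $($_.Exception.Message)"
    }
}

"Before connect:   $(Test-PrivateKeyUsable $Thumbprint)"
Connect-PnPOnline -Url $Url -ClientId $ClientId -Tenant $Tenant -Thumbprint $Thumbprint
"After connect:    $(Test-PrivateKeyUsable $Thumbprint)"
Disconnect-PnPOnline
"After disconnect: $(Test-PrivateKeyUsable $Thumbprint)"
```

A result that flips from "usable" to "unusable: Keyset does not exist" after the connect line reproduces the behaviour reported here; with the fixed module every line should stay "usable".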
One solution could be to remove the file on Disconnect, and for those having issues, they would need to call that to properly clean up. What do you think @erwinvanhunen?
@alzia If you run disconnect between your commands, does that work?
Seems to me there is some caching in the adal lib which needs the cert perhaps, and I will see what the best option would be for cleanup.
@wobba The private key is already deleted before we can disconnect. The deletion seems to happen when we run Connect-PnPOnline. The strange behaviour however is that when @alzia runs this for a tenant in Canada the key is not deleted, but for tenants in North America the key is deleted.
@alzia is this still the case?
I know it's deleted on connect, but please try a disconnect before your second connect to verify behavior. I will look at this a bit later.
Seems the issue with new private key files is when loading from a pfx file. I'll work on a proper fix for this.
cc @erwinvanhunen
Pushed a fix for this where we now cleanup only for file based certificates, not when loaded via thumbprint.
Thank you
@yumoraby would you be able to build the dev branch and verify if this fix works for you? You might have to reinstall the certificate.
@wobba - I will check and get back to you on this. Thanks.
@wobba I have built the Dev Branch. There were some errors in the Get-Provisioning Templates; however, as we were not working on this module, @alzia and I commented out the errors. We were then able to test and connect with PnP Online without the private key being deleted. This fix has been confirmed to work. Thank you!
@wobba @alzia
Gentlemen, we are having this exact issue with the private key being removed after a successful connect. I am getting this with the Connect-PnPOnline cmdlet (with the Thumbprint parameter) even when I call Disconnect-PnPOnline between attempts. I have not experienced this with the Connect-AzureAD cmdlet.
Is the fix going to take some time to reach all tenants?
Have you downloaded the latest package 3.10.1906.0 as this has fixed the issue for me, no deletion of Private Key. Make sure you do a clean upgrade, remove the old version and install the latest.
Will give it a go now. Thanks for the prompt reply.
I was successful after upgrading the module, thanks!
What is weird is that I didn't experience the same on a Windows 10 machine with 3.9.XXX (did on a 2012r2 box).
Happy the fix solved the issue and sorry for causing it in the first place :)