Closed write2tsm closed 11 months ago
That permission is all that is required. I cannot say that I've ever seen this - looks like something with the self-signed certificate created to service authentication or potentially something odd with .NET versions on the machine.
I'd have to open a case with the exchange online peeps. You might also want to look at the Tony Redmond guidance I published on setting up the graph application. You can add the exchange rights to that if that certificate and application are working.
============================== Timothy J. McMichael Senior Support Escalation Engineer @.**@.> (980)-776-7465
Hours: Sunday - Wednesday 08:00 - 16:00 eastern time zone.
Manager: Tom Roughley @.**@.>)
Premier Support - (800)-936-3100 Broad Commercial Support - (800)-936-4900
==============================
From: write2tsm @.> Sent: Tuesday, July 18, 2023 1:41 AM To: timmcmic/DLConversionV2 @.> Cc: Subscribed @.***> Subject: [timmcmic/DLConversionV2] Error Connecting to Exchange Online Using Certificate Based Auth (Issue #141)
Hey Tim
Followed the guidance in this article--> https://learn.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps
However, just want to confirm that the "Exchange.ManageAsApp" permission is all we need - is that the equivalent of Exchange Online Organization and Recipient Management?
Also, after running the command:
Connect-ExchangeOnline -Certificate <%X509Certificate2 Object%> -AppID "23344395u3w45" -Organization "contosoelectronics.onmicrosoft.com"
I'm seeing this error:
Error Acquiring Token: Could not use the certificate for signing. See inner exception for details. Possible cause: this may be a known issue with apps build against .NET Desktop 4.6 or lower. Either target a higher version of .NET desktop - 4.6.1 and above, or use a different certificate type (non-CNG) or sign your own assertion as described at https://aka.ms/msal-net-signed-assertion. At C:\Program Files\WindowsPowerShell\Modules\ExchangeOnlineManagement\3.1.0\netFramework\ExchangeOnlineManagement.psm1:729 char:21
throw $_.Exception.InnerException;
*
Are you able to suggest on this please?
Thanks
Hi Tim
Just some more context. I'm using an Azure AD App Registration for both MS Graph and Exchange Online authentication using the self-signed certificate.
Found this post that describes the error and solution to fix it--> https://pscustomobject.github.io/powershell/exchange/office%20365/Could-not-use-the-certificate-for-signing/
I'll try this while you get any response from the Exchange Online team.
Thanks
Interesting - if this works for you then I'll gather some info and write up a blog on it. Might be something new in the make cert functions.
Tim
Hey Tim
Update on the issue....I was able to follow the guidance here to fix that issue. https://pscustomobject.github.io/powershell/exchange/office%20365/Could-not-use-the-certificate-for-signing/
Moved on and have successfully connected to both MS Graph and Exchange Online using the certificate auth. However, bumped into another one that I reported in a separate issue.
Thanks
Hey Tim, I ran into this issue as well and I ended up having to add `-KeySpec KeyExchange` to the cmd for creating the new certificate.
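The certificate fix reported in the comment above, as an added example that is not part of the original thread or the DLConversionV2 project: it creates the self-signed certificate with `-KeySpec KeyExchange`, exports only the public part for upload to the app registration, and runs the same thumbprint-based connection test used in this issue. The subject name, file path, `<App_id>` and organization are placeholders, and the non-exportable key policy and one-year lifetime are choices made for this example.

```powershell
# Added example. All names below are placeholders, not values from the thread.
$subject = 'CN=DLConversion-AppOnly-Example'          # hypothetical subject
$cerPath = Join-Path $env:TEMP 'DLConversion-AppOnly-Example.cer'
$appId   = '<App_id>'                                 # application (client) ID placeholder
$org     = 'contoso.onmicrosoft.com'                  # tenant placeholder

# -KeySpec KeyExchange is the parameter reported in this thread as resolving
# "Could not use the certificate for signing".
$cert = New-SelfSignedCertificate -Subject $subject `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeySpec KeyExchange `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyExportPolicy NonExportable `
    -NotAfter (Get-Date).AddYears(1)

# Export the public certificate only; the private key stays in the user's store.
# This .cer file is what gets uploaded to the Azure AD app registration.
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null

# Sanity checks before the thumbprint is handed to any other cmdlet.
$stored = Get-Item -Path ("Cert:\CurrentUser\My\{0}" -f $cert.Thumbprint)
if (-not $stored.HasPrivateKey) {
    throw "Certificate $($stored.Thumbprint) has no private key in this store."
}
if ($stored.NotAfter -lt (Get-Date)) {
    throw "Certificate $($stored.Thumbprint) has expired."
}
Write-Host "Upload $cerPath to the app registration, then press Enter."
[void](Read-Host)

# Same connection test as in the thread, using the new thumbprint.
try {
    Connect-ExchangeOnline -AppId $appId -CertificateThumbprint $stored.Thumbprint `
        -Organization $org -ShowBanner:$false
    Get-ConnectionInformation |
        Select-Object State, TokenStatus, CertificateAuthentication, Organization
}
finally {
    # Close the session so the test leaves nothing connected.
    Disconnect-ExchangeOnline -Confirm:$false
}
```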
@JFraser83 thanks that's great!
@write2tsm sorry that I missed your reply!
I am facing the same issue as noted above though, even with that keyspec set. I can connect-exchangeonline with app based auth just fine; however, when I try and run a start-multipledistributionlist cmdlet it fails.
@JFraser83 confused - so your previous comment about adding keyspec did not fix the issue? Do you have the ability to try the suggestion in the previous comments?
Initially I created a certificate without using that -keyspec parameter and I was getting this error as well "Could not use the certificate for signing. See inner exception for details. Possible cause: this may be a known issue with apps build against .NET Desktop 4.6 or lower. Either target a higher version of .NET desktop - 4.6.1 and above, or use a different certificate" Even using a simple Connect-ExchangeOnline -AppId <%App_id%> -CertificateThumbprint <%Thumbprint string of certificate%> -Organization "contoso.onmicrosoft.com" would fail.
I created a new certificate with the parameter, I was then able to run a Connect-ExchangeOnline -AppId <%App_id%> -CertificateThumbprint <%Thumbprint string of certificate%> -Organization "contoso.onmicrosoft.com" with the new certificate thumbprint and it connected just fine; however, trying to run the following
Start-MultipleDistributionListMigration -groupSMTPAddresses $groups -globalCatalogServer labdc2016.corp.contoso.ca -activeDirectoryCredential $cred -logFolderPath c:\temp\NestedTest -aadConnectServer labdc2016.corp.contoso.ca -aadConnectCredential $cred -exchangeServer labex2019 -exchangeCredential $cred -useCollectedFullMailboxAccessOnPrem:$TRUE -msGraphTenantID $msGraphTenantID -msGraphApplicationId $msGraphApplicationId -msGraphCertificateThumbprint $msGraphCertificateThumbprint -exchangeOnlineOrganizationName "tenant.onmicrosoft.com" -exchangeOnlineAppId $msGraphApplicationId -exchangeOnlineCertificateThumbprint $msGraphCertificateThumbprint -useCollectedFullMailboxAccessOffice365:$TRUE -useCollectedSendAsOnPrem:$TRUE -useCollectedFolderPermissionsOnPrem:$TRUE -useCollectedFolderPermissionsOffice365:$TRUE -enableHybridMailflow:$TRUE -dnNoSyncOU "OU=DoNotSync,DC=corp,DC=contoso,DC=ca"
Fails and in the log I see the following output: note I edited out the secrets but they are in the log.
```
[11/8/2023 4:47:52 PM] - ****
[11/8/2023 4:47:52 PM] - ****
[11/8/2023 4:47:52 PM] - BEGIN NEW-EXCHANGEONLINEPOWERSHELLSESSION
[11/8/2023 4:47:52 PM] - ****
[11/8/2023 4:47:52 PM] - ExchangeOnlineCertificate = E
[11/8/2023 4:47:52 PM] - ExchangeAppID = b52
[11/8/2023 4:47:52 PM] - ExchangeOrgName = M365*****onmicrosoft.com
[11/8/2023 4:47:52 PM] - Is certificate auth = True
[11/8/2023 4:47:52 PM] - ExchangeOnlineCommandPrefix = O365
[11/8/2023 4:47:52 PM] - Creating the connection to exchange online powershell using certificate authentication.
An error occurred while sending the request.
At C:\Program Files\WindowsPowerShell\Modules\ExchangeOnlineManagement\3.4.0\netFramework\ExchangeOnlineManagement.psm1:762 char:21
    + CategoryInfo : OperationStopped: (:) [], HttpRequestException
    + FullyQualifiedErrorId : An error occurred while sending the request.
```