timmcmic / DLConversionV2

MIT License

Error Connecting to Exchange Online Using Certificate Based Auth #141

Closed write2tsm closed 11 months ago

write2tsm commented 11 months ago

Hey Tim

Followed the guidance in this article--> https://learn.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps

However, just want to confirm that the "Exchange.ManageAsApp" permission is all we need - is that the equivalent of Exchange Online Organization and Recipient Management?

Also, after running the command:

Connect-ExchangeOnline -Certificate <%X509Certificate2 Object%> -AppID "23344395u3w45" -Organization "contosoelectronics.onmicrosoft.com"

I'm seeing this error:

Error Acquiring Token: Could not use the certificate for signing. See inner exception for details. Possible cause: this may be a known issue with apps build against .NET Desktop 4.6 or lower. Either target a higher version of .NET desktop - 4.6.1 and above, or use a different certificate type (non-CNG) or sign your own assertion as described at https://aka.ms/msal-net-signed-assertion. At C:\Program Files\WindowsPowerShell\Modules\ExchangeOnlineManagement\3.1.0\netFramework\ExchangeOnlineManagement.psm1:729 char:21

Are you able to suggest on this please?

Thanks

timmcmic commented 11 months ago

That permission is all that is required. I cannot say that I've ever seen this - looks like something with the self-signed certificate created to service authentication or potentially something odd with .NET versions on the machine.

I'd have to open a case with the exchange online peeps. You might also want to look at the Tony Redmond guidance I published on setting up the graph application. You can add the exchange rights to that if that certificate and application are working.

==============================
Timothy J. McMichael
Senior Support Escalation Engineer
(980)-776-7465

Hours: Sunday - Wednesday 08:00 - 16:00 eastern time zone.

Manager: Tom Roughley

Premier Support - (800)-936-3100 Broad Commercial Support - (800)-936-4900
==============================


write2tsm commented 11 months ago

Hi Tim

Just some more context. I'm using an Azure AD App Registration for both MS Graph and Exchange Online authentication using the self-signed certificate.

  1. First, used the guidance by Tony Redmond (https://practical365.com/use-certificate-authentication-microsoft-graph-sdk/) to create the self-signed certificate, assign MS Graph API permissions to it, upload the certificate to the App Registration object and was able to successfully connect to MS Graph.
  2. Used the guidance here (https://learn.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps#step-1-register-the-application-in-azure-ad) for configuring the Exchange Online specific permissions, but this failed with the error I reported initially in the issue.

Found this post that describes the error and solution to fix it--> https://pscustomobject.github.io/powershell/exchange/office%20365/Could-not-use-the-certificate-for-signing/

I'll try this while you get any response from the Exchange Online team.

Thanks

timmcmic commented 11 months ago

Interesting - if this works for you then I'll gather some info and write up a blog on it. Might be something new in the make cert functions.

Tim


write2tsm commented 11 months ago

Hey Tim

Update on the issue... I was able to follow the guidance here to fix that issue: https://pscustomobject.github.io/powershell/exchange/office%20365/Could-not-use-the-certificate-for-signing/

I moved on and have successfully connected to both MS Graph and Exchange Online using the certificate auth. However, I bumped into another one that I reported in a separate issue.

Thanks

JFraser83 commented 8 months ago

Hey Tim, I ran into this issue as well and I ended up having to add -KeySpec KeyExchange to the cmd for creating the new certificate.
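As an added example (not code from this thread or from the DLConversionV2 project), this is how the -KeySpec KeyExchange fix JFraser83 mentions can be applied when creating the certificate, together with a check that tells a CNG-backed private key apart from a CAPI-backed one before Connect-ExchangeOnline is attempted. It assumes Windows PowerShell 5.1 (the netFramework module path in the error), and the subject name and validity period are placeholders.

```powershell
# Added example, not code from the issue thread or the DLConversionV2 project.
# Assumes Windows PowerShell 5.1; subject name and validity are placeholders.

# Create the app-auth certificate with a CAPI (non-CNG) key. -KeySpec KeyExchange
# plus a legacy CSP provider name yields an RSACryptoServiceProvider key instead of
# a CNG key, which is the "different certificate type (non-CNG)" the MSAL error asks for.
$cert = New-SelfSignedCertificate `
    -Subject 'CN=DLConversion-AppAuth' `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeySpec KeyExchange `
    -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider' `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(1)

# Report whether a certificate's private key is CNG- or CAPI-backed, so the
# "Could not use the certificate for signing" failure can be predicted up front.
function Test-CapiPrivateKey {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    if (-not $Certificate.HasPrivateKey) {
        return [pscustomobject]@{ Thumbprint = $Certificate.Thumbprint; KeyType = 'NoPrivateKey'; IsCapiKey = $false }
    }
    # On .NET Framework, GetRSAPrivateKey returns RSACryptoServiceProvider for CAPI keys
    # and RSACng for keys held by a CNG key storage provider.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
    $isCapi = $rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]
    [pscustomobject]@{
        Thumbprint = $Certificate.Thumbprint
        KeyType    = if ($isCapi) { 'CAPI' } else { $rsa.GetType().Name }
        IsCapiKey  = $isCapi
    }
}

Test-CapiPrivateKey -Certificate $cert

# Export only the public certificate for upload to the app registration;
# the private key stays in the user's certificate store.
Export-Certificate -Cert $cert -FilePath "$env:TEMP\DLConversion-AppAuth.cer" | Out-Null
```

Running Test-CapiPrivateKey against an existing certificate (for example `Get-Item Cert:\CurrentUser\My\<thumbprint>`) shows whether the key type, rather than the app permissions, is the cause of the signing error.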

timmcmic commented 8 months ago

@JFraser83 thanks that's great!

@write2tsm sorry that I missed your reply!

JFraser83 commented 8 months ago

I am facing the same issue as noted above though, even with that keyspec set. I can connect-exchangeonline with app-based auth just fine; however, when I try and run a start-multipledistributionlist cmdlet it fails.

timmcmic commented 8 months ago

@JFraser83 confused - so your previous comment about adding keyspec did not fix the issue? Do you have the ability to try the suggestion in the previous comments?

JFraser83 commented 8 months ago

Initially I created a certificate without using that -keyspec parameter and I was getting this error as well: "Could not use the certificate for signing. See inner exception for details. Possible cause: this may be a known issue with apps build against .NET Desktop 4.6 or lower. Either target a higher version of .NET desktop - 4.6.1 and above, or use a different certificate". Even using a simple Connect-ExchangeOnline -AppId <%App_id%> -CertificateThumbprint <%Thumbprint string of certificate%> -Organization "contoso.onmicrosoft.com" would fail.

I created a new certificate with the parameter, I was then able to run a Connect-ExchangeOnline -AppId <%App_id%> -CertificateThumbprint <%Thumbprint string of certificate%> -Organization "contoso.onmicrosoft.com" with the new certificate thumbprint and it connected just fine; however, trying to run the following

Start-MultipleDistributionListMigration -groupSMTPAddresses $groups -globalCatalogServer labdc2016.corp.contoso.ca -activeDirectoryCredential $cred -logFolderPath c:\temp\NestedTest -aadConnectServer labdc2016.corp.contoso.ca -aadConnectCredential $cred -exchangeServer labex2019 -exchangeCredential $cred -useCollectedFullMailboxAccessOnPrem:$TRUE -msGraphTenantID $msGraphTenantID -msGraphApplicationId $msGraphApplicationId -msGraphCertificateThumbprint $msGraphCertificateThumbprint -exchangeOnlineOrganizationName "tenant.onmicrosoft.com" -exchangeOnlineAppId $msGraphApplicationId -exchangeOnlineCertificateThumbprint $msGraphCertificateThumbprint -useCollectedFullMailboxAccessOffice365:$TRUE -useCollectedSendAsOnPrem:$TRUE -useCollectedFolderPermissionsOnPrem:$TRUE -useCollectedFolderPermissionsOffice365:$TRUE -enableHybridMailflow:$TRUE -dnNoSyncOU "OU=DoNotSync,DC=corp,DC=contoso,DC=ca"

It fails, and in the log I see the following output (note I edited out the secrets, but they are in the log):

```
[11/8/2023 4:47:52 PM] - ****
[11/8/2023 4:47:52 PM] - ****
[11/8/2023 4:47:52 PM] - BEGIN NEW-EXCHANGEONLINEPOWERSHELLSESSION
[11/8/2023 4:47:52 PM] - ****
[11/8/2023 4:47:52 PM] - ExchangeOnlineCertificate = E
[11/8/2023 4:47:52 PM] - ExchangeAppID = b52
[11/8/2023 4:47:52 PM] - ExchangeOrgName = M365*****onmicrosoft.com
[11/8/2023 4:47:52 PM] - Is certificate auth = True
[11/8/2023 4:47:52 PM] - ExchangeOnlineCommandPrefix = O365
[11/8/2023 4:47:52 PM] - Creating the connection to exchange online powershell using certificate authentication.
An error occurred while sending the request. At C:\Program Files\WindowsPowerShell\Modules\ExchangeOnlineManagement\3.4.0\netFramework\ExchangeOnlineManagement.psm1:762 char:21
```