Tags: c#, azure, azure-active-directory, certificate

Azure ClientCertificateCredential - Using SNI


I'm trying to authenticate to an Azure AD Application using ClientCertificateCredential (in C#):

using Azure.Identity;
var credential = new ClientCertificateCredential("TenantId", "AppId", @"path\to\cert.pfx");

on the application, I had configured the certificate's SNI as a trusted certificate:

"trustedCertificateSubjects": [
    {
        "authorityId": "auth id ...",
        "subjectName": "cert subject name",
        "revokedCertificateIdentifiers": []
    }
]

I had validated all the values and configurations. Yet, I keep encountering the following error:

Azure.Identity.AuthenticationFailedException HResult=0x80131500 Message=ClientCertificateCredential authentication failed: A configuration issue is preventing authentication - check the error message from the server for details. You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details. Original exception: AADSTS700027: The certificate with identifier used to sign the client assertion is not registered on application. [Reason - The key was not found., Thumbprint of key used by client: '<the correct current thumbprint>', Please visit the Azure Portal, Graph Explorer or directly use MS Graph to see configured keys for app Id '<app Id>'. Review the documentation at https://docs.microsoft.com/en-us/graph/deployments to determine the corresponding service endpoint and https://docs.microsoft.com/en-us/graph/api/application-get?view=graph-rest-1.0&tabs=http to build a query request URL, such as 'https://graph.microsoft.com/beta/applications/<App Id>']. Alternatively, SNI may be configured on the app. Please ensure that client assertion is being sent with the x5c claim in the JWT header using MSAL's WithSendX5C() method so that Azure Active Directory can validate the certificate being used.

I have checked all the provided links as well as other documents; none were helpful in resolving this issue. Any insights or direction to resolve this issue?


Solution

  • Found the solution: [FEATURE REQ] DefaultAzureCredential should send x5c claim for app authentication

    Code Example (which worked successfully for me):
    C#:

    using Azure.Identity;

    // SendCertificateChain = true puts the x5c claim (the certificate chain) in the
    // client assertion's JWT header, which Azure AD needs to validate an SNI
    // (trustedCertificateSubjects) registration instead of a registered thumbprint.
    var options = new ClientCertificateCredentialOptions()
    {
        SendCertificateChain = true,
    };
    var creds = new ClientCertificateCredential(tenantId, clientId, certPath, options);
    

    Python:

    import base64
    
    from azure.identity import CertificateCredential, ManagedIdentityCredential
    from azure.keyvault.secrets import SecretClient
    
    def get_cert(keyvault_url, cert_name):
        # Key Vault exposes the certificate's private key as a secret whose value is
        # the base64-encoded PFX (PKCS#12) blob; decode it into the raw bytes.
        credential = ManagedIdentityCredential()
        secret_client = SecretClient(vault_url=keyvault_url, credential=credential)
        cert_secret = secret_client.get_secret(cert_name).value
        return base64.b64decode(cert_secret)
    
    # send_certificate_chain=True adds the x5c claim to the client assertion header,
    # which is what Azure AD needs to validate a subject-name/issuer (SNI) registration.
    creds = CertificateCredential(_tenantId, _clientId, certificate_data=get_cert(keyvault_url, cert_name), send_certificate_chain=True)
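To see what the fix changes on the wire, here is an added Python example (not code from the answer above, the Azure SDK, or MSAL) that builds a client assertion shaped like the one the credential sends and decodes its JWT header to check for the x5c claim. Per Microsoft's client-assertion documentation, x5t is the base64url-encoded SHA-1 thumbprint of the certificate's DER encoding and x5c carries the base64 DER chain; the DER bytes, tenant and client IDs, jti and signature below are all constructed placeholders so that the block runs offline.

```python
import base64
import hashlib
import json
import time


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as used for JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed placeholder: NOT a real certificate, just bytes standing in for the
# leaf certificate's DER encoding so the thumbprint arithmetic can be shown offline.
FAKE_LEAF_DER = b"\x30\x82\x01\x00" + b"constructed-placeholder-certificate-bytes"
FAKE_TENANT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder
FAKE_CLIENT_ID = "11111111-1111-1111-1111-111111111111"  # placeholder


def build_assertion(send_x5c: bool) -> str:
    """Build a client assertion shaped like MSAL's, with a dummy signature.

    x5t is always present (base64url SHA-1 of the DER cert); x5c, the base64 DER
    chain, is only added when the chain is sent (SendCertificateChain=true).
    """
    header = {
        "alg": "RS256",
        "typ": "JWT",
        "x5t": b64url_encode(hashlib.sha1(FAKE_LEAF_DER).digest()),
    }
    if send_x5c:
        header["x5c"] = [base64.b64encode(FAKE_LEAF_DER).decode("ascii")]
    now = int(time.time())
    payload = {
        "aud": f"https://login.microsoftonline.com/{FAKE_TENANT_ID}/oauth2/v2.0/token",
        "iss": FAKE_CLIENT_ID,
        "sub": FAKE_CLIENT_ID,
        "jti": "constructed-jti",
        "nbf": now,
        "exp": now + 600,
    }
    segments = [
        json.dumps(header, separators=(",", ":")).encode(),
        json.dumps(payload, separators=(",", ":")).encode(),
        b"dummy-signature-not-verified-here",  # placeholder, no real RS256 signing
    ]
    return ".".join(b64url_encode(s) for s in segments)


def inspect_client_assertion(assertion: str) -> dict:
    """Report how the assertion identifies its certificate.

    With a registered key credential Azure AD matches x5t against the stored
    thumbprint. A trustedCertificateSubjects (SNI) entry has no thumbprint to
    match, so without x5c the token endpoint can only answer AADSTS700027.
    """
    header = json.loads(b64url_decode(assertion.split(".")[0]))
    report = {
        "alg": header.get("alg"),
        "has_x5t": "x5t" in header,
        "has_x5c": "x5c" in header,
        "x5t_matches_leaf": None,
    }
    if report["has_x5c"]:
        leaf_der = base64.b64decode(header["x5c"][0])
        expected = b64url_encode(hashlib.sha1(leaf_der).digest())
        report["x5t_matches_leaf"] = header.get("x5t") == expected
    report["sni_ready"] = report["has_x5c"] and report["x5t_matches_leaf"] is True
    return report


if __name__ == "__main__":
    # Thumbprint-only assertion: what the original code in the question sends.
    print(inspect_client_assertion(build_assertion(send_x5c=False)))
    # With the chain sent, as the SendCertificateChain / send_certificate_chain fix does.
    print(inspect_client_assertion(build_assertion(send_x5c=True)))
```

A practical use of `inspect_client_assertion` is to point it at a real assertion captured with a debugging proxy or MSAL logging before blaming the app registration: if `has_x5c` is False, no amount of editing `trustedCertificateSubjects` will help.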