
Cert not found for Connect-MgGraph via Runbook Hybrid Worker


I use a certificate to connect to Microsoft Graph, and it works fine when the runbook runs in Azure. However, when I perform
Connect-MgGraph -CertificateThumbprint <certThumbprint> -ClientID "<clientID>" -TenantID "<tenantID>"
in a runbook on a Hybrid Worker machine, I get the following error:

Connect-MgGraph : Certificate with subject name '[Subject] CN=CertName [Issuer] CN=CertName [Serial Number] CertSN [Not Before] 1/21/2023 1:33:10 PM [Not After] 1/21/2024 1:53:13 PM [Thumbprint] CertificateThumbPrint ' was not found in certificate store or has expired.
At line:14 char:1
+ Connect-MgGraph -CertificateName $cert -ClientID "<ClientID>- ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Connect-MgGraph], ArgumentException
    + FullyQualifiedErrorId : Microsoft.Graph.PowerShell.Authentication.Cmdlets.ConnectMgGraph

The certificate is present and its data is valid, but the error says "not found" anyway. I tried specifying the exact path to the certificate and using the store, and I also switched between different Graph module versions; none of that helped.


@Alex_Rechs 


Hi, Alex.


Have a read of the following and note the difference in accessing the certificate between the current user store versus the machine store:

As the article notes, you can't use a file location for the -CertificateName or -CertificateThumbprint options, only the crypto stores.


Additionally, if the running process is actually a service, make sure you:


  1. Load up a blank MMC;
  2. Add the Certificates snap-in;
  3. When adding it, choose the "Service account" option;
  4. Select the appropriate service;
  5. Add the certificate (.pfx, not .cer) to the Personal store.

That will allow the service to locate the certificate within its "currentuser" store. (Note: PowerShell can't access service crypto stores via the Cert:\ drive making the MMC your only option.)


It's actually less fiddly just to use the machine store and add the separate command for fetching the certificate first (in my opinion) for this service example, but this at least covers your options.


I suppose the other obvious point is to ensure that it is indeed the same certificate (i.e. the correct thumbprint), but I'm sure you've tripled-checked that already.


Cheers,

Lain

Hi Lain,
Thanks for the suggestions.
The article you are referring to says:
> To use a certificate stored in your machine's certificate store or another location when connecting to Microsoft Graph, specify the certificate's location.
I guess it's talking about "Service account" nevertheless?
Also, when selecting "Service account", a list of services is presented from which you have to select the one needed. However, no service with the *powershell* keyword is available. Microsoft documentation just says: "Hybrid Runbook Worker jobs run under the local System account", but which service account exactly is used is unknown.
best response confirmed by Alex_Rechs (Brass Contributor)
Solution

@Alex_Rechs 


I know nothing about the Azure Hybrid Runbook Worker.


I've just had a quick read of the following article just to get an overview of it - which hardly makes me knowledgeable on the topic, but it does provide some useful information to even someone in my position. Notably that:


  • If you're using the "User run as credentials" option, then your certificate will need to live either within the crypto store of that user's profile on the server running the runbook agent (if you wish to use the -CertificateThumbprint or -CertificateName parameters) or within the LocalMachine crypto store (if you use the -Certificate parameter) on that same server;
  • The Windows Service name appears to be "Azure Hybrid Instance Metadata Service".

Reference article:

This topic isn't really about PowerShell but rather the hybrid runbook worker's configuration. You might want to ask about it in one of the Azure-centric forums as well.

Once the correct certificate is positioned in the correct store, or you switch to using the third example in the article linked earlier, where you load the certificate separately before using it in the Connect-MgGraph call (using the -Certificate parameter, not -CertificateThumbprint or -CertificateName), the error should be resolved.

Cheers,

Lain
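Pulling both of Lain's replies together (the machine-store route with a separate fetch, and the per-service Personal store that the MMC writes when "Service account" is chosen), here is an added PowerShell example; it is not code from this thread, from Microsoft, or from the Graph SDK. The thumbprint, client ID and tenant ID are placeholders; the registry location used to detect per-service stores and the RSA-only private-key check are assumptions stated in the comments; and the job is assumed to run as LocalSystem or a run-as user that can read LocalMachine\My. It passes the certificate object with -Certificate, which is what sidesteps the CurrentUser\My lookup that -CertificateThumbprint and -CertificateName perform in the calling identity's own profile, and it fails early with a message naming the identity the job runs as and the stores where the thumbprint actually lives.

```powershell
# Added example for this thread; not code from the original posts, Microsoft, or the Graph SDK.
# The three values below are placeholders (assumptions): substitute your own.
$GraphCertThumbprint = '<certThumbprint>'
$GraphClientId       = '<clientID>'
$GraphTenantId       = '<tenantID>'

function Get-NormalizedThumbprint {
    param([Parameter(Mandatory)][string]$Thumbprint)
    # Strip spaces, colons and the invisible U+200E left-to-right mark that the
    # certificate MMC often inserts when a thumbprint is copied from its Details tab.
    ($Thumbprint -replace '[\s:\u200E]', '').ToUpperInvariant()
}

function Find-CertificateByThumbprint {
    # Reports every store, visible to this identity, that holds the thumbprint.
    param([Parameter(Mandatory)][string]$Thumbprint)
    $tp   = Get-NormalizedThumbprint $Thumbprint
    $hits = New-Object System.Collections.Generic.List[object]

    # Stores reachable through the Cert: drive for the identity running this script.
    foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
        $cert = Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
                Where-Object { $_.Thumbprint -eq $tp }
        if ($cert) {
            $hits.Add([pscustomobject]@{
                Store         = $store
                HasPrivateKey = $cert.HasPrivateKey
                NotAfter      = $cert.NotAfter
            })
        }
    }

    # Per-service stores (what the MMC "Service account" snap-in edits). The Cert: drive
    # cannot see them; Windows keeps them in the registry under (assumed layout)
    # HKLM\SOFTWARE\Microsoft\Cryptography\Services\<ServiceName>\SystemCertificates\My\Certificates\<Thumbprint>
    $serviceRoot = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Services'
    if (Test-Path $serviceRoot) {
        foreach ($svc in Get-ChildItem -Path $serviceRoot) {
            $name = $svc.PSChildName
            if (Test-Path "$serviceRoot\$name\SystemCertificates\My\Certificates\$tp") {
                $display = (Get-Service -Name $name -ErrorAction SilentlyContinue).DisplayName
                $hits.Add([pscustomobject]@{
                    Store         = "Service '$name' ($display) Personal store"
                    HasPrivateKey = $null   # key readability for a service store is not checked here
                    NotAfter      = $null
                })
            }
        }
    }
    return $hits
}

function Connect-GraphWithMachineCertificate {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$ClientId,
        [Parameter(Mandatory)][string]$TenantId
    )
    $tp       = Get-NormalizedThumbprint $Thumbprint
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $cert     = Get-Item -Path "Cert:\LocalMachine\My\$tp" -ErrorAction SilentlyContinue

    if (-not $cert) {
        $elsewhere = (Find-CertificateByThumbprint $tp | ForEach-Object Store) -join '; '
        if (-not $elsewhere) { $elsewhere = 'no store visible to this identity' }
        throw "Thumbprint $tp is not in LocalMachine\My while running as '$identity'. Located in: $elsewhere"
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        throw "Certificate $tp expired on $($cert.NotAfter)"
    }
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $tp has no private key: a .cer was imported where the .pfx was needed"
    }
    # HasPrivateKey only says a key is associated; confirm this identity can actually open it.
    # RSA is assumed here; for an EC key use ECDsaCertificateExtensions::GetECDsaPrivateKey instead.
    try {
        $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if (-not $key) { throw 'no RSA private key handle returned' }
    } catch {
        throw "Private key of $tp exists but is not readable by '$identity' (fix the key ACL): $($_.Exception.Message)"
    }

    # Passing the object avoids the per-user store lookup that -CertificateThumbprint and
    # -CertificateName perform in the calling identity's own CurrentUser\My store.
    Connect-MgGraph -Certificate $cert -ClientId $ClientId -TenantId $TenantId -ErrorAction Stop
}

Connect-GraphWithMachineCertificate -Thumbprint $GraphCertThumbprint -ClientId $GraphClientId -TenantId $GraphTenantId
```

Import the .pfx into LocalMachine\My with Import-PfxCertificate and without -Exportable, so the key stays non-exportable, and treat that private key as the app credential it is: anything running as SYSTEM on the hybrid worker can now sign in as that app registration, so keep the registration's Graph permissions to the minimum the runbook needs and run the Find-CertificateByThumbprint check under the job's own identity, since a store that is visible from an interactive session is not necessarily visible to the job.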

It worked once I installed the certificate under "Azure Hybrid Instance Metadata Service" (Personal store). Now I'm getting another error, which I'm going to open another topic about.
