certificate
29 Topics

Unable to authenticate with MSAL using a certificate
Hi guys, I'm using certificate authentication for my WinForms app to connect to SharePoint and the Graph API. I followed this article to create the certificate: https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-self-signed-certificate. I uploaded the certificate to the App Registration and gave all appropriate permissions. However, when I tried to connect to SharePoint or the Graph API, I got this error:

A configuration issue is preventing authentication - check the error message from the server for details. You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details. Original exception: AADSTS700021: Client assertion application identifier doesn't match 'client_id' parameter. Review the documentation at https://learn.microsoft.com/entra/identity-platform/certificate-credentials . Microsoft.Graph.ServiceException: Code: generalException Message: An error occurred sending the request.

BUT, this only happened on 1 specific machine running Windows 11 Pro. I tested on 4-5 different machines (both W10 and W11), and they didn't get this error. I tried verifying the cert thumbprint, which matched the one uploaded on the App Registrations. The certificate is not stored in the machine cert store; I use X509KeyStorageFlags.EphemeralKeySet when calling it. Not sure what else to check.

Differences with X509Certificate2 between PowerShell and PWSH Core (Windows)
Hi all, I wrote some code that loads a certificate from a .crt file, and it works so far. But with PWSH (7.5.1) some properties (like DnsNameList) are empty. With Windows PowerShell the properties are filled. This is true even when using the static LoadCertificateFromFile class under PWSH. (Otherwise I load the certificate with [X509Certificate2]::new( thebytes ).) The validity of the certificate makes no difference so far. It would be nice if anyone has a suggestion how I can work around that issue. Thanks in advance and best regards!

PKIVIEW download error
We are deploying a 2-tier PKI with an offline Root CA and an Enterprise SubCA. After deploying the Root CA with the CRL and AIA pointing to a web server, http://crl.company.com, we copied the Root CA's certificate and CRL there. From the subordinate CA server we're able to open the publishing web site and load the CRL and CRT via web browser. However, when using PKIVIEW to check the setup we saw a "Download error" for both the Root and Subordinate CA. Is there anyone that can help on this? Thanks

DAG Exchange 2016 -> 2019 Migration, Certificate Question
Hello folks! I have a question regarding a migration from an existing Exchange 2016 2-node DAG to an Exchange 2019 2-node DAG (OS Server 2022) and the certificate for Exchange services (MAPI, ECP, OAB, EWS and so on). The existing Exchange 2016 servers both use the same RSA 2048-bit certificate. I'm considering whether to issue an ECDSA P-384 certificate for the new Exchange 2019 servers. This certificate would also serve as the basis for the later upgrade to Exchange SE. Could the different certificates cause problems during the migration?

Intune Certificate Connector and OID 1.3.6.1.4.1.311.25.2
Hi, Way back in May, when update KB5014754 broke cert auth for so many orgs, it was identified that whilst RPC auto-enrolled certificates will get the new required OID, the Intune Certificate Connector can't do the same. As the timeline on the KB (https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16) states that enforcement will happen from updates released on February 14th 2023, is there any indication that a fix will be deployed for the Intune Certificate Connector ahead of that time? We have many customers using Intune-enrolled certificates to authenticate for AOVPN, WiFi and more, which will stop working once this change is enforced. February doesn't seem like a long time away when a solution likely means needing to get the connectors updated and other possible changes.

Intune PKCS Certificate does not get installed on Client
Hi, I am testing the deployment of a user certificate via a Device Configuration Policy (Windows 10 - PKCS certificate). Now, the certificate is requested, and in the logs of the CA I see that the PKCS request was successful. I can also see the requested certificate for the user on the Configuration Profile under "Certificates." Soon, I realize that the report shows an error without an error code, and the certificate is not installed. After waiting for a couple of hours, I notice that Intune reports success, and the certificate is installed. It seems that Intune retrieves the certificate very quickly, within a couple of minutes, but then cannot install it on the client immediately. Instead, it attempts installation again after a couple of hours, where it succeeds. The client remains connected to the network throughout. Is this normal behavior, or am I missing something?

External email not received with NDR '550 5.4.317 Message expired, cannot connect to remote server(CertificateExpired)'
Hi all, we are getting some problem from one of the external domains not getting through. There is an NDR to the sender: '550 5.4.317 Message expired, cannot connect to remote server(CertificateExpired)'. I also ran some tests using checktls, and it also reports:

[001.696] Connection converted to SSL
SSLVersion in use: TLSv1_3
Cipher in use: TLS_AES_256_GCM_SHA384
Perfect Forward Secrecy: yes
Session Algorithm in use: Curve P-256 DHE(256 bits)
Certificate #1 of 3 (sent by MX): EXPIRED
Cert VALIDATION ERROR(S): certificate has expired
So email is encrypted but the recipient domain is not verified
ssl : scheme=smtp cert=94220930177 : identity=mail.domain.com cn=*.domain.com alt=2 *.domain2 domain.com
Cert Hostname VERIFIED (mail.domain.com = *.domain.com | DNS:*.domain.com | DNS:domain.com)
cert not revoked by OCSP
Data: Version: 3 (0x2)
Serial Number: 0e:cd:b7:0b:82:c2:46:0b::5c:0b:b4:29:5f:e2
Validity: Not Before: Oct 26 00:00:00 2021 GMT
Not After: Nov 26 23:59:59 2022 GMT

I have checked all Exchange servers and the mail security gateway; all are using the new SSL certificate. Can anyone shed some light on this matter? Thank you all

User Certificate Template by Group Policy
I'm looking for a way to specify a certificate template to be autoenrolled for a set of users. What we did so far is:
- defined a new user-specific template.
- defined the template security for the specific AD group the users belong to with Read, Enroll, Autoenroll.
- defined a GPO to enable autoenrollment for the specific group.
However the autoenroll, at login, does not work, and a pop-up notification appears saying that the user has to complete the enrollment. If the enrollment is done manually it works: the template is shown and works fine.

A fatal error occurred when attempting to access the SSL server credential private key: 0x8009030d
First published on MSDN on Apr 28, 2017. Recently, I assisted a Premier customer who installed a new certificate on Windows Server 2008 R2 but was unable to bind the certificate to the website hosted on IIS.