Yanlin Peng

Reputation: 51

Got error "Service principal was not found" when trying to add a certificate to an Azure app

I am following the example on https://azure.microsoft.com/en-us/documentation/samples/active-directory-dotnet-daemon-certificate-credential/ to authenticate a daemon app with certificate to a service app using Azure AD. I have done the following:

When I try to add the certificate to the daemon application in PowerShell, I got an error.

The PowerShell command that I used: New-MsolServicePrincipalCredential -AppPrincipalId "e5dedde0-2221-4ce4-a74d-af4e96705c01" -Type asymmetric -Value $credValue -StartDate $cer.GetEffectiveDateString() -EndDate $cer.GetExpirationDateString() -Usage verify

The error is: New-MsolServicePrincipalCredential : Service principal was not found.

"Get-MsolServicePrincipal -SearchString TodoListDaemonWithCert" returned a bunch of applications, but mine is not included.

I doubt that Azure might search my org's AD instead of the AD that I created. But I have no idea how to debug the issue.

Upvotes: 3

Views: 8600

Answers (1)

Yanlin Peng

Reputation: 51

Problem solved.

Here is why it happened: I logged into Azure using my org's credential, then created a testing Active Directory, and created the Todo List Daemon application in my testing Active Directory. When I signed into Azure in PowerShell, I used my org's credential. It seems Azure PowerShell will look for the application principal in my org's AD only, not in my testing AD. There might be a way to switch AD, but I do not know it yet.

Here is how I solved the problem:

  • Went to https://manage.windowsazure.com and tried to sign in using a user in my testing AD.
  • Azure prompted that the user was not associated with any subscription. Followed the "Sign up" link to sign up for a free trial subscription.
  • Waited a couple of minutes for the tenant to be provisioned.
  • In PowerShell, signed into Azure using the user in my testing Azure AD, and ran the PowerShell again. Now it succeeded.

Here are the PowerShell cmdlets that I ran:

# Sign in with a user of the tenant that holds the application
Connect-MsolService
# Load the public certificate (.cer, no private key) and base64-encode its DER bytes
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate
$cer.Import("D:\Fast1\dev\TodoListDaemonWithCert.cer")
$binCert = $cer.GetRawCertData()
$credValue = [System.Convert]::ToBase64String($binCert)
# Register the certificate as an asymmetric, verify-only credential on the service principal
New-MsolServicePrincipalCredential -AppPrincipalId "e5dedde0-2221-4ce4-a74d-af4e96705c01" -Type asymmetric -Value $credValue -StartDate $cer.GetEffectiveDateString() -EndDate $cer.GetExpirationDateString() -Usage verify

Upvotes: 2
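The same procedure as an added example (not from the original post or the Microsoft sample), with the checks that would have surfaced the tenant mismatch before the error: it shows which tenant the session is bound to, confirms the service principal exists there, and reads the credentials back after adding one. The app id and certificate path are placeholders.

```powershell
# Added example: register a certificate credential on an Azure AD application's
# service principal with the MSOnline module, verifying the tenant first.
$appId    = "00000000-0000-0000-0000-000000000000"   # placeholder AppPrincipalId
$certPath = "C:\path\to\TodoListDaemonWithCert.cer"   # placeholder; public cert only

Connect-MsolService   # sign in with an account that belongs to the target tenant

# 1. Show which tenant this session is bound to. The "Service principal was not
#    found" error in the question was a tenant mismatch: the session was in the
#    org tenant while the application lived in the test tenant.
$tenant = Get-MsolCompanyInformation
Write-Host "Signed in to tenant: $($tenant.DisplayName)"

# 2. Confirm the service principal exists in this tenant before touching it.
$sp = Get-MsolServicePrincipal -AppPrincipalId $appId -ErrorAction SilentlyContinue
if (-not $sp) {
    throw "No service principal with AppPrincipalId $appId in tenant '$($tenant.DisplayName)'. Sign in with a user of the tenant that owns the application."
}
Write-Host "Found service principal: $($sp.DisplayName)"

# 3. Load the public certificate and base64-encode its DER bytes.
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cer.Import($certPath)
$credValue = [System.Convert]::ToBase64String($cer.GetRawCertData())

# 4. Register it as an asymmetric, verify-only credential whose lifetime is
#    bounded by the certificate's own validity period.
New-MsolServicePrincipalCredential -AppPrincipalId $appId -Type asymmetric -Value $credValue `
    -StartDate $cer.NotBefore -EndDate $cer.NotAfter -Usage verify

# 5. Read the credentials back and confirm the new one is present. Listing them
#    also surfaces stale or unexpected keys on the principal that should be reviewed.
$creds = Get-MsolServicePrincipalCredential -AppPrincipalId $appId -ReturnKeyValues $true
$added = $creds | Where-Object { $_.Type -eq "Asymmetric" -and $_.Value -eq $credValue }
if (-not $added) { throw "Credential was not added to $appId." }
Write-Host "Credential registered (thumbprint $($cer.Thumbprint)); $($creds.Count) credential(s) now on the service principal."
```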
