LostException

Reputation: 77

Microsoft Graph - WithCertificate - fails with "The provided certificate has a key that is not accessable."

With a Windows desktop app, I am trying to access Exchange calendar resources using ConfidentialClientApplicationBuilder with the WithCertificate option. When we call AcquireTokenForClient, we get a Microsoft.Identity.Client.MsalException "The provided certificate has a key that is not accessable."

When we use WithClientSecret option it works fine.

On the client side, the certificate is obtained from one of our DLLs that is code signed with our code signing certificate. On the Azure side, our code signing cert (PFX) is converted to CER (using Windows Credential Manager import/export) and then uploaded to our app registration on the "Certificates and Secrets" page. When I debug, the certificate thumbprint extracted from the DLL matches the thumbprint of the cert loaded into Azure.

Here is the code:

    using System;
    using System.Security.Cryptography.X509Certificates;
    using Microsoft.Identity.Client;

    var assemblyPath = @"C:\Programs\MyProgramLibrary.dll";

    // Reads the signer certificate out of the DLL's Authenticode signature.
    var cert = X509Certificate.CreateFromSignedFile(assemblyPath);
    var cert2 = new X509Certificate2(cert);

    _Application = ConfidentialClientApplicationBuilder.Create(QuicklaunchAzureAppRegistration.ClientId())
                                 .WithCertificate(cert2)
                                 .WithAuthority(new Uri(string.Format(msalAuthFormat, TenantId)))
                                 .Build();

    // Throws MsalException: "The provided certificate has a key that is not accessable."
    result = await _Application.AcquireTokenForClient(_Scopes).ExecuteAsync();

Is it complaining about the certificate on the client side or the server side or both? What key is it looking for? Can a code signing certificate be used?

Upvotes: 1

Views: 2040

Answers (1)

alphaz18

Reputation: 2766

From what you're saying, it sounds like the client side. It sounds like the client side needs access to the private key, which it doesn't seem to be able to access. And yes, a code signing certificate, I believe, must be used. Here's an example of it working with a self-signed cert: https://github.com/Azure-Samples/active-directory-dotnetcore-daemon-v2/tree/master/2-Call-OwnApi#optional-create-a-self-signed-certificate

Upvotes: 1
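The answer above points at the private key. As an added illustration (not code from the question or the answer, and not from the linked Azure sample), the program below first shows what `X509Certificate.CreateFromSignedFile` actually returns, then loads a certificate with its private key from the Windows certificate store and checks `HasPrivateKey` before handing it to `WithCertificate`. An Authenticode signature embeds only the signer's public certificate chain, so a certificate extracted from a signed DLL can never carry a private key; MSAL needs the private key to sign the client assertion it sends to Azure AD. The client id, tenant id, thumbprint and assembly path are placeholders, and the Microsoft.Identity.Client NuGet package is assumed to be referenced.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

class CertificateCredentialDemo
{
    // Placeholder values; substitute your own app registration and certificate.
    const string ClientId = "<app-registration-client-id>";
    const string TenantId = "<tenant-id>";
    const string Thumbprint = "<thumbprint-of-cert-in-CurrentUser-My-store>";
    const string AssemblyPath = @"C:\Programs\MyProgramLibrary.dll";

    // Shows why the question's approach fails: the certificate embedded in an
    // Authenticode signature is the public part only, so HasPrivateKey is false.
    static bool SignerHasPrivateKey(string signedFilePath)
    {
        var signer = new X509Certificate2(X509Certificate.CreateFromSignedFile(signedFilePath));
        Console.WriteLine($"Signer {signer.Thumbprint}: HasPrivateKey = {signer.HasPrivateKey}");
        return signer.HasPrivateKey;
    }

    // Loads a certificate together with its private key from the Windows store.
    // The key must be present in the store and readable by the current process identity.
    static X509Certificate2 LoadCertificateWithPrivateKey(string thumbprint, StoreLocation location)
    {
        using var store = new X509Store(StoreName.My, location);
        store.Open(OpenFlags.ReadOnly);
        var matches = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
        if (matches.Count == 0)
            throw new InvalidOperationException($"No certificate with thumbprint {thumbprint} in {location}\\My.");

        var cert = matches[0];
        // Fail early with a clear message instead of MSAL's "key that is not accessible".
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("Certificate found, but its private key is not accessible to this process.");
        return cert;
    }

    static async Task<AuthenticationResult> AcquireTokenAsync(X509Certificate2 cert)
    {
        var app = ConfidentialClientApplicationBuilder.Create(ClientId)
            .WithCertificate(cert)   // MSAL signs the client assertion with this private key
            .WithAuthority(new Uri($"https://login.microsoftonline.com/{TenantId}"))
            .Build();

        return await app.AcquireTokenForClient(new[] { "https://graph.microsoft.com/.default" })
                        .ExecuteAsync();
    }

    static async Task Main()
    {
        // Expected: prints "HasPrivateKey = False" for any signed file.
        SignerHasPrivateKey(AssemblyPath);

        // Working path: certificate plus private key from the user's store.
        var cert = LoadCertificateWithPrivateKey(Thumbprint, StoreLocation.CurrentUser);
        var result = await AcquireTokenAsync(cert);
        Console.WriteLine($"Token acquired, expires {result.ExpiresOn:u}");
    }
}
```

Two practical notes. First, whichever certificate you choose, the Azure side only ever holds the public part (the CER upload in the question is correct), so the failure is entirely about the client process not having the matching private key. Second, the linked sample uses a self-signed certificate created just for the app registration; a dedicated certificate keeps the code-signing private key out of the desktop app and out of every machine it runs on, which is the least-privilege arrangement a reviewer would expect.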
