
[Question] Azure.Identity support using pfx file #25423

Closed
MarcoEnxuto opened this issue Nov 19, 2021 · 19 comments
Assignees
Labels
Azure.Identity Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization. needs-team-attention This issue needs attention from Azure service team or SDK team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that

Comments

@MarcoEnxuto

MarcoEnxuto commented Nov 19, 2021

Query/Question
Hi,
According to this post, PFX files should be supported. Unfortunately I don't see any support, or at least I can't get it to work.
I did follow the troubleshooting steps but I don't see what I'm doing wrong.
So I posted a question here, since I'm using a local server with IIS and environment variables.
The app throws an exception indicating "Could not load the certificate....".

Either way, the certificate is in a public path and accessible.

AZURE_CLIENT_CERTIFICATE_PATH C:\Users\Public\cert.pfx
AZURE_CLIENT_ID (guid)
AZURE_TENANT_ID (another guid)

Environment:

  • Azure.Identity 1.5.0, Microsoft Identity Client 4.37.0
  • Windows Server 2022 and .NET 5
  • Visual Studio 16.11.7
@ghost ghost added needs-triage This is a new issue that needs to be triaged to the appropriate team. customer-reported Issues that are reported by GitHub users external to the Azure organization. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Nov 19, 2021
@jsquire jsquire added Azure.Identity Client This issue points to a problem in the data-plane of the library. needs-team-attention This issue needs attention from Azure service team or SDK team labels Nov 19, 2021
@ghost ghost removed the needs-triage This is a new issue that needs to be triaged to the appropriate team. label Nov 19, 2021
@jsquire
Member

jsquire commented Nov 19, 2021

Thank you for your feedback. Tagging and routing to the team members best able to assist.

@christothes
Member

Hi @MarcoEnxuto - Does the following work if you try to construct the certificate directly using your file path? If not, what is the error?

new X509Certificate2(clientCertificatePath);

@christothes christothes added the needs-author-feedback More information is needed from author to address the issue. label Nov 19, 2021
@ghost ghost removed the needs-team-attention This issue needs attention from Azure service team or SDK team label Nov 19, 2021
@MarcoEnxuto
Author

MarcoEnxuto commented Nov 19, 2021

Hi @christothes, no. I'm not instantiating that class.
I'm using the following members to initiate the connection to Azure service.

Here's a code snippet...

public void ConfigureServices(IServiceCollection services)
{
    services.AddControllers();
    services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
        .AddMicrosoftIdentityWebApi(Configuration.GetSection("AzureAd"))
        .EnableTokenAcquisitionToCallDownstreamApi()
        .AddMicrosoftGraph(Configuration.GetSection("MicrosoftGraphAPI"))
        .AddInMemoryTokenCaches();
}

As soon as I use the Graph service client, it throws a "Could not load the certificate".
Can you confirm that AZURE_CLIENT_CERTIFICATE_PATH takes a PFX file path? There are some incongruencies on the help pages.

@ghost ghost added needs-team-attention This issue needs attention from Azure service team or SDK team and removed needs-author-feedback More information is needed from author to address the issue. labels Nov 19, 2021
@christothes
Member

Sorry, I know you aren't using that class directly, but it was intended as a test to see if Azure.Identity would be able to use your path since that is essentially what it does. Could you try this to verify that your pfx cert path is valid and that the password is unencrypted?

@christothes christothes added the needs-author-feedback More information is needed from author to address the issue. label Nov 19, 2021
@ghost ghost removed the needs-team-attention This issue needs attention from Azure service team or SDK team label Nov 19, 2021
@MarcoEnxuto
Author

MarcoEnxuto commented Nov 19, 2021

Yes. I updated the question on Q&A, saying that I checked that using the Import-PfxCertificate cmdlet in PowerShell. But I'll try it here in C#. Good point.

@ghost ghost added needs-team-attention This issue needs attention from Azure service team or SDK team and removed needs-author-feedback More information is needed from author to address the issue. labels Nov 19, 2021
@MarcoEnxuto
Author

MarcoEnxuto commented Nov 19, 2021

@christothes after careful debugging, that code raises "The system cannot find the file specified".
This is quite odd.
The file is present, as you can see.
[screenshot: certificates]
On the second image, the first line is the code you mentioned, with the path of the file above.
Am I doing anything wrong?
[screenshot: certificatedebug]

@christothes
Member

In the debugger immediate window, are you able to run these statements?

File.Exists(@"C:\Users\Public\cert.pfx")
or
Directory.GetFiles(@"C:\Users\Public");

@christothes christothes added the needs-author-feedback More information is needed from author to address the issue. label Nov 19, 2021
@ghost ghost removed the needs-team-attention This issue needs attention from Azure service team or SDK team label Nov 19, 2021
@MarcoEnxuto
Author

Well, by using your suggestion, it exists...
But the X509Certificate2 class doesn't find the file, or even the env variable...

[screenshot]

@ghost ghost added needs-team-attention This issue needs attention from Azure service team or SDK team and removed needs-author-feedback More information is needed from author to address the issue. labels Nov 19, 2021
@christothes
Member

This is very strange. Can you reproduce with X509Certificate2 directly?

@christothes christothes added the needs-author-feedback More information is needed from author to address the issue. label Nov 19, 2021
@ghost ghost removed the needs-team-attention This issue needs attention from Azure service team or SDK team label Nov 19, 2021
@MarcoEnxuto
Author

MarcoEnxuto commented Nov 19, 2021

You bet it is @christothes.
But to clarify, I'm doing a remote debug from my dev box to the server.
As you requested, I just did that, and it throws as earlier.
[screenshot]

Is it possible this is happening because I have the debugger attached? I don't think so...

@ghost ghost added needs-team-attention This issue needs attention from Azure service team or SDK team and removed needs-author-feedback More information is needed from author to address the issue. labels Nov 19, 2021
@MarcoEnxuto
Author

Hi @christothes, did you reach any conclusion based on my findings? Thanks.

@MarcoEnxuto
Author

Hello,
Any news regarding this @christothes?

@MarcoEnxuto
Author

Hello, Any news regarding this @christothes?

Hi @schaabs, I guess @christothes might be out of office. Can you help me here?
Thanks a lot.

@christothes
Member

Hi @MarcoEnxuto - Because this reproduces directly with X509Certificate2, this doesn't appear to be an issue with the client SDK. Have you seen this?

@christothes christothes added the needs-author-feedback More information is needed from author to address the issue. label Dec 6, 2021
@ghost ghost removed the needs-team-attention This issue needs attention from Azure service team or SDK team label Dec 6, 2021
@MarcoEnxuto
Author

MarcoEnxuto commented Dec 7, 2021

Hi @MarcoEnxuto - Because this reproduces directly with X509Certificate2, this doesn't appear to be an issue with the client SDK. Have you seen this?

Hi @christothes, sorry to bother.
Well, I don't know what to say, but I did read your suggestion carefully. What the link reports is an error when a user tries to instantiate the X509Certificate2 class with a relative path. What I did is the complete opposite: I use an absolute path when invoking the new instance, as you have seen earlier.

I tried another way, by copying the PFX certificate file to the output directory where I deploy my web app, which was the initial intention of the author of that post. In the Immediate window I could successfully execute the code File.Exists (which returned true), but at runtime the code returns the exception "The system cannot find the file specified".

I also changed the AZURE_CLIENT_CERTIFICATE to a relative path, and I got the same outcome.
[screenshot: cert]

Something is not right here, and it is interesting that I am the only one reporting this...

@ghost ghost added needs-team-attention This issue needs attention from Azure service team or SDK team and removed needs-author-feedback More information is needed from author to address the issue. labels Dec 7, 2021
@christothes
Member

I'm running out of ideas on this one. Perhaps you could verify the access control rules defined on the file or the containing directory?

Debug.WriteLine(System.Security.Principal.WindowsIdentity.GetCurrent().Name);
var fileInfo = new FileInfo(@"<path to cert>");
var accessControl = fileInfo.GetAccessControl();
var rules = accessControl.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount));
foreach (FileSystemAccessRule rule in rules)
{
    Debug.WriteLine(rule.IdentityReference.Value);
}

@christothes christothes added the needs-author-feedback More information is needed from author to address the issue. label Dec 7, 2021
@ghost ghost removed the needs-team-attention This issue needs attention from Azure service team or SDK team label Dec 7, 2021
@MarcoEnxuto
Author

Hi again @christothes,
The code snippet printed the below info:

IIS APPPOOL\<websitename>

BUILTIN\IIS_IUSRS
BUILTIN\Administrators
NT AUTHORITY\SYSTEM
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\SERVICE
NT AUTHORITY\BATCH

@ghost ghost added needs-team-attention This issue needs attention from Azure service team or SDK team and removed needs-author-feedback More information is needed from author to address the issue. labels Dec 7, 2021
@christothes
Member

Hi again @christothes, The code snippet printed the below info:

IIS APPPOOL

BUILTIN\IIS_IUSRS BUILTIN\Administrators NT AUTHORITY\SYSTEM NT AUTHORITY\INTERACTIVE NT AUTHORITY\SERVICE NT AUTHORITY\BATCH

Have you confirmed that those permissions allow IIS APPPOOL to access the file?

The only other thought I had is to check if the certificate file is blocked. https://superuser.com/questions/590787/what-does-it-mean-when-a-file-is-blocked-in-windows

@christothes christothes added the needs-author-feedback More information is needed from author to address the issue. label Dec 7, 2021
@ghost ghost removed the needs-team-attention This issue needs attention from Azure service team or SDK team label Dec 7, 2021
@MarcoEnxuto
Author

Hi @christothes, finally I found out what was wrong. And this took a while.
It seems we have to change the following setting on the IIS Application Pool: Load User Profile=true, within the Process Model property group. This link told me the solution. Another life saved.

Instead of using the Web App service on Azure for development purposes, because well... costs... I decided to deploy on prem, using IIS.
So, for those who have the same thinking and want to test the integration before deploying to Azure on Staging/Prod environments, you should consider the following configuration:
First, get a certificate that was already configured in AAD, and place it on the local server.
Second, configure the environment variables as in the image below.
[screenshot]

Third, enable "Load User Profile" in the Application Pool, click OK and recycle it.
Now Azure.Identity loads the certificate properly.

Thank you very much @christothes for your patience on this subject and thanks for your suggestions; they did help in my research.

On a side note: I wish you and your family a Merry Christmas.
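The thread converged on three checks before the root cause was found: is the file visible to the worker process, does its ACL allow the app pool identity to read it, and does the private-key import succeed. As an added example (not code from this issue or from Azure.Identity), the diagnostic below runs all three against AZURE_CLIENT_CERTIFICATE_PATH and separates a genuinely missing file from the "The system cannot find the file specified" CryptographicException that a PFX import raises when the process has no loaded user profile. It assumes Windows and a password-less PFX, as in the thread; pass the password in TryLoad otherwise.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

// Added diagnostic, not part of the issue thread or the Azure SDK. Mirrors what
// EnvironmentCredential does with AZURE_CLIENT_CERTIFICATE_PATH, step by step.
public static class PfxLoadDiagnostics
{
    // Returns true when the default (user key store) import succeeds, i.e. when
    // Azure.Identity's own new X509Certificate2(path) would work for this identity.
    public static bool Run()
    {
        string path = Environment.GetEnvironmentVariable("AZURE_CLIENT_CERTIFICATE_PATH");
        Console.WriteLine($"Process identity : {WindowsIdentity.GetCurrent().Name}");
        Console.WriteLine($"Certificate path : {path ?? "<unset>"}");
        if (path == null || !File.Exists(path))
        {
            Console.WriteLine("Path unset or file not visible to this account.");
            return false;
        }
        // Same ACL listing christothes suggested (Windows-only API).
        foreach (FileSystemAccessRule rule in new FileInfo(path).GetAccessControl()
                     .GetAccessRules(true, true, typeof(NTAccount)))
            Console.WriteLine($"  ACL: {rule.IdentityReference.Value} {rule.AccessControlType} {rule.FileSystemRights}");
        // Default import writes the PFX private key into the *user* key store. A worker
        // process whose profile is not loaded fails here with CryptographicException
        // "The system cannot find the file specified" although File.Exists was true.
        bool userStoreOk = TryLoad(path, X509KeyStorageFlags.DefaultKeySet, "user key store");
        // The machine key store does not depend on a user profile. If only this one works,
        // enable "Load User Profile" on the app pool, or build ClientCertificateCredential
        // yourself from a certificate loaded with these flags.
        TryLoad(path, X509KeyStorageFlags.MachineKeySet, "MachineKeySet");
        return userStoreOk;
    }

    static bool TryLoad(string path, X509KeyStorageFlags flags, string label)
    {
        try
        {
            // Password-less PFX as in the thread; supply the password here otherwise.
            using var cert = new X509Certificate2(path, (string)null, flags);
            Console.WriteLine($"Load via {label}: OK, thumbprint {cert.Thumbprint}, private key {cert.HasPrivateKey}");
            return true;
        }
        catch (CryptographicException ex) { Console.WriteLine($"Load via {label}: FAILED: {ex.Message}"); return false; }
    }
}
```

Run it from inside the IIS worker process (for example from a diagnostic action in the web app), because the result depends on the app pool identity and whether its profile is loaded, not on the developer's interactive session.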

@ghost ghost added needs-team-attention This issue needs attention from Azure service team or SDK team and removed needs-author-feedback More information is needed from author to address the issue. labels Dec 8, 2021
@github-actions github-actions bot locked and limited conversation to collaborators Mar 27, 2023