
Silent Batch Job Certificate Issue #85

Closed
cstaubli opened this issue Sep 2, 2022 · 5 comments

Comments

@cstaubli
Contributor

cstaubli commented Sep 2, 2022

I tried to set up a CI pipeline with silent mode and certificate authentication, but was unable to. With secret authentication everything works as desired. After some debugging I've found the following issue:

The method Microsoft.Identity.Client.ConfidentialClientApplicationBuilder.WithCertificate expects a value of type X509Certificate2 rather than a string as defined in Start-IntuneManagement.ps1 and CloudAPIPowerShellManagement.psm1 (Source). The method in question is located in MSALAuthentication.psm1.

Changing the param type to X509Certificate2 fixed the authentication with certificate for me. I fetch a certificate from the LocalMachine store and pass it to the Certificate parameter, like this:

```powershell
# Open the LocalMachine\My store read-only and pick the certificate by subject
$f = [System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
$null = $store.Open($f)
$cert = $store.Certificates | Where-Object {$_.Subject -eq "..."}

$TenantId = "..."
$AppId = "..."
$SilentBatchFile = "BulkExport.json"

# Pass the X509Certificate2 object (not a string) to -Certificate
.\intunemanagement\Start-IntuneManagement.ps1 -Silent -TenantId $TenantId -AppId $AppId -SilentBatchFile $SilentBatchFile -Certificate $cert

$null = $store.Close()
```

If you prefer, I can submit a PR with these changes.

@Micke-K
Owner

Micke-K commented Sep 2, 2022

Hello Christian,

Great find!

The question is where it is better to convert it to a cert. That should probably happen where it is actually used and not in the start script.

Can you get it to work if you implement it in the function in the MSALAuthentication.psm1 file instead? I'm happy to approve a PR if you get that to work.

Thank you!

Cheers!

@cstaubli
Contributor Author

cstaubli commented Sep 2, 2022

Hi Mikael

Sure, I can change it in MSALAuthentication.psm1 and convert the provided thumbprint to an X509Certificate2. I propose to search the LocalMachine store for a certificate. What do you think?

Cheers
Christian

@Micke-K
Owner

Micke-K commented Sep 2, 2022

We can start there. The next option would be to check the User store if it is not found in the machine store.

Thank you so much!

Cheers!

@cstaubli
Contributor Author

cstaubli commented Sep 2, 2022

I've created a PR which checks both the LocalMachine and CurrentUser stores.
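The lookup the thread converges on (thumbprint in, X509Certificate2 out, LocalMachine\My first, then CurrentUser\My), written out as an added example. This is not the project's code or the merged PR; the function name Get-AuthCertificateByThumbprint is an assumption, and the checks for a private key and expiry are additions that make a misconfigured runner fail with a clear message instead of an opaque MSAL error.

```powershell
# Added example, not code from the IntuneManagement project or its PR.
# Resolves a thumbprint (or passes through an existing X509Certificate2) to the
# type MSAL's ConfidentialClientApplicationBuilder.WithCertificate() expects.
function Get-AuthCertificateByThumbprint {
    [CmdletBinding()]
    param(
        # Either a thumbprint string or an already-loaded X509Certificate2
        [Parameter(Mandatory)]
        [object]$Certificate
    )

    # Callers that already hold a certificate object (as in the original report) pass straight through
    if ($Certificate -is [System.Security.Cryptography.X509Certificates.X509Certificate2]) {
        return $Certificate
    }

    # Thumbprints copied from certmgr or the portal often carry spaces or invisible characters
    $thumbprint = ([string]$Certificate -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($thumbprint.Length -ne 40) {
        throw "Thumbprint '$Certificate' is not a 40-character SHA-1 hex string"
    }

    # Machine store first, then the user store, as agreed in the thread
    foreach ($location in 'LocalMachine', 'CurrentUser') {
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', $location)
        try {
            $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
            # validOnly = $false so an expired cert is still found and reported below, rather than silently skipped
            $found = $store.Certificates.Find(
                [System.Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint,
                $thumbprint,
                $false)
            if ($found.Count -gt 0) {
                $cert = $found[0]
                if (-not $cert.HasPrivateKey) {
                    throw "Certificate $thumbprint in $location\My has no private key; client-credential auth cannot sign with it"
                }
                if ($cert.NotAfter -lt (Get-Date)) {
                    throw "Certificate $thumbprint in $location\My expired on $($cert.NotAfter)"
                }
                Write-Verbose "Using certificate '$($cert.Subject)' from $location\My"
                return $cert
            }
        }
        finally {
            $store.Close()
        }
    }

    throw "No certificate with thumbprint $thumbprint found in LocalMachine\My or CurrentUser\My"
}

# Usage (placeholder values, not from the issue):
# $cert = Get-AuthCertificateByThumbprint -Certificate '<thumbprint>' -Verbose
# $cert.GetType().FullName   # System.Security.Cryptography.X509Certificates.X509Certificate2
```

On a build agent the service account running the job needs read access to the private key of a LocalMachine certificate; if the lookup succeeds but token acquisition still fails, that ACL is the next thing to check.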

@Micke-K
Owner

Micke-K commented Sep 10, 2022

Closing this since the PR is merged.

Cheers!

@Micke-K Micke-K closed this as completed Sep 10, 2022