
No precise instructions regarding signing keys creation and alternatives #5394

Closed
NicklausBrain opened this issue Mar 7, 2018 — with docs.microsoft.com · 4 comments

@NicklausBrain NicklausBrain commented Mar 7, 2018 — with docs.microsoft.com

After assigning a claims mapping policy to your service principal, you will experience the following error during the authentication procedure:
"AADSTS50146: This application is required to be configured with an application-specific signing key. It is either not configured with one, or the key has expired or is not yet valid. Please contact the application's administrator."
There are no valid instructions on how to get past this error.
Actually there are two options available...

The first option is to create such a key using Azure AD Graph API:

1. Create a certificate with the private key in PFX format.
2. Convert the PFX file to a base-64 encoded file:

```powershell
$fileContentBytes = Get-Content "file.pfx" -Encoding Byte
[System.Convert]::ToBase64String($fileContentBytes) | Out-File "pfxbytes.txt"
```

3. Sign in to the Azure AD Graph API using the following link: https://graphexplorer.azurewebsites.net/
4. Execute the following method: PATCH https://graph.windows.net/myorganization/servicePrincipals/<ObjectID_of_the_service_principal_of_your_app>

```json
{
  "keyCredentials": [{
    "startDate": "2018-02-22T01:10:00Z",
    "endDate": "2019-02-22T01:10:00Z",
    "type": "X509CertAndPassword",
    "usage": "Sign",
    "keyId": "100C8EC2-0011-490c-86A2-3BF89A708456",
    "value": "Content of pfxbytes.txt"
  }],
  "passwordCredentials": [{
    "startDate": "2018-02-22T01:10:00Z",
    "endDate": "2019-02-22T01:10:00Z",
    "keyId": "100C8EC2-0011-490c-86A2-3BF89A708456",
    "value": "Password for the PFX file"
  }]
}
```

Note that "startDate" and "endDate" must match the real dates of the certificate. "keyId" must be the same for both "keyCredentials" and "passwordCredentials" (you can use any GUID generator to provide its value).

The second option is to verify your application domain:

1. Add and verify your application domain in the “Custom domain names” blade of Azure AD.
Domain verification means that your domain must be accessible through the Internet and you must publish a special TXT file with the secret key on this domain, so that Azure AD can check that this domain belongs to you.
2. Then you should set the switch "acceptMappedClaims": true in your app registration manifest.
Note that it is also possible to use your application without publishing it to a valid Internet domain.
Azure AD always has a default verified domain that belongs to the directory itself.
Registering this domain in your “hosts” file will allow you to use your intranet app.

See https://social.msdn.microsoft.com/Forums/azure/en-US/2507cb82-97a4-4fad-8266-0fffcdbb0642/azure-ad-applicationspecific-signing-key?forum=WindowsAzureAD
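A worked version of the first option, added here as an example that is not from the issue author or the Azure AD documentation: it builds the PATCH body with the two constraints the post states (one shared keyId, dates equal to the certificate's own validity period) and checks a body for the mistakes that leave AADSTS50146 in place. The PFX bytes, password and service principal object ID are constructed placeholders; the certificate validity dates are passed in explicitly rather than parsed from the PFX.

```python
import base64
import uuid
from datetime import datetime, timezone

# Endpoint from the issue; the object ID is a placeholder you must replace.
GRAPH_PATCH_URL = "https://graph.windows.net/myorganization/servicePrincipals/{object_id}"


def to_graph_date(dt):
    """Format a datetime as the Graph API expects, e.g. 2018-02-22T01:10:00Z."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_signing_key_patch(pfx_bytes, pfx_password, not_before, not_after, key_id=None):
    """Build the PATCH body. not_before/not_after are the certificate's real
    validity dates; the same GUID is written into both credential entries."""
    key_id = key_id or str(uuid.uuid4())
    start, end = to_graph_date(not_before), to_graph_date(not_after)
    return {
        "keyCredentials": [{
            "startDate": start, "endDate": end,
            "type": "X509CertAndPassword", "usage": "Sign",
            "keyId": key_id,
            "value": base64.b64encode(pfx_bytes).decode("ascii"),  # pfxbytes.txt content
        }],
        "passwordCredentials": [{
            "startDate": start, "endDate": end,
            "keyId": key_id, "value": pfx_password,
        }],
    }


def check_signing_key_patch(body):
    """Return the problems found in a body; an empty list means it is consistent."""
    problems = []
    key, pw = body["keyCredentials"][0], body["passwordCredentials"][0]
    if key["keyId"].lower() != pw["keyId"].lower():
        problems.append("keyId differs between keyCredentials and passwordCredentials")
    if key.get("usage") != "Sign" or key.get("type") != "X509CertAndPassword":
        problems.append("keyCredential must have usage 'Sign' and type 'X509CertAndPassword'")
    problems += [f"{n} differs between the two credentials"
                 for n in ("startDate", "endDate") if key[n] != pw[n]]
    try:
        base64.b64decode(key["value"], validate=True)
    except (ValueError, TypeError):
        problems.append("keyCredential value is not valid base64")
    return problems


def demo_body():
    """Constructed sample: fake PFX bytes and the dates/keyId shown in the issue."""
    return build_signing_key_patch(
        b"CONSTRUCTED-PFX-BYTES", "constructed-password",
        datetime(2018, 2, 22, 1, 10, tzinfo=timezone.utc),
        datetime(2019, 2, 22, 1, 10, tzinfo=timezone.utc),
        key_id="100C8EC2-0011-490c-86A2-3BF89A708456")
```

Send the returned dict as the JSON body of the PATCH request from step 4; run the check before sending to catch a mismatched keyId or dates.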

@mike-urnun-msft mike-urnun-msft commented Mar 7, 2018

@NicklausBrain Thank you for your feedback! We will investigate and get back to you with our findings.

@MohitGargMSFT MohitGargMSFT commented Mar 7, 2018

@NicklausBrain Thanks for reporting! I have assigned the issue to the author to investigate and update as appropriate.

@billmath billmath commented Mar 7, 2018

@NicklausBrain Thank you for your feedback. I have created a work item for this and will be incorporating your feedback into the re-design of this page. Currently we are working on replacing this page with a new version, but I do not have an ETA on when it will be ready.

Let me know if there is anything else. Otherwise I will go ahead and close this issue later today. Thanks!

@billmath billmath commented Mar 9, 2018

@MohitGargMSFT #please-close
