This repository has been archived by the owner on Jan 19, 2021. It is now read-only.

Connect PnP Online using AADL Thumbprint deletes Cert Private Key #2101

Closed
yumoraby opened this issue May 24, 2019 · 20 comments
@yumoraby

The new AADL Auth setting added on May 14/15th 2019, when running the command on my machines, for some reason deletes the cert private key. The first run of the cmdlet will connect to the Office 365 Tenant.

However, it will also remove the cert private key. Not sure why this is happening; I had this with my colleague and he was getting the same error when connecting to the North America data centre. However, when connecting to the Canada data centre the private key is not removed, as we can continue to connect without any issue.

@ghost commented May 24, 2019

Thank you for reporting this issue. We will be triaging your incoming issue as soon as possible.

@ghost ghost added the Needs: Triage 🔍 label May 24, 2019
@yumoraby (Author)

> The new AADL Auth setting added on May 14/15th 2019, when running the command on my machines, for some reason deletes the cert private key. The first run of the cmdlet will connect to the Office 365 Tenant.
>
> However, it will also remove the cert private key. Not sure why this is happening; I had this with my colleague and he was getting the same error when connecting to the North America data centre. However, when connecting to the Canada data centre the private key is not removed, as we can continue to connect without any issue.

Connecting with Connect-AzureAD and the same setup for Thumbprints do not delete the cert key.

@yumoraby yumoraby reopened this May 24, 2019
@alzia commented May 24, 2019

Looked at the source code and I think in the InitiateAzureAdAppOnlyConnectionWithCert() there is a call to a function CleanupCryptoMachineKey() that cleans up the private key, this would need an update. Is this call mandatory?

[screenshot not captured]

@alzia commented May 29, 2019

Following up if there's any ETA on the fix? Thanks in advance.

@wobba (Contributor) commented May 31, 2019

@alzia this code was added as each connect would generate a new private key file, thus filling up space - which was reported as an issue. Cleanup happens after the token has been retrieved, so not sure what issue this causes.

Can you explain a bit more how to repro?

@wobba wobba self-assigned this May 31, 2019
@alzia commented Jun 1, 2019

@wobba - thanks for your response. Running the Connect-PnP command with AADL settings removes the private key of the certificate. The first time when we run the command we notice the connection is established smoothly without any issues, however, the second time when we run the same command that connected previously with no issues throws an exception that a KeySet doesn't exist.

Please see the screen grabs below :
[screenshot not captured]

We are updating our modules so it can support MFA and require the AADL setting, previously running Connect-PnP with credentials multiple times in a session did not throw the KeySet exception.
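As an added diagnostic (not code from the PnP PowerShell project), the following PowerShell checks whether the certificate's private key is actually usable before and after Connect-PnPOnline, so the "Keyset does not exist" failure that only shows up on the second connect becomes an explicit warning on the first one. The $Url, $ClientId, $Tenant and $Thumbprint values are placeholders you fill in for your own tenant and app registration.

```powershell
# Added diagnostic, not part of PnP PowerShell. Detects the symptom from this issue:
# the cert is still in the store, but its private key file has been removed, so the
# next use fails with "Keyset does not exist".
function Test-CertPrivateKeyUsable {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [ValidateSet('CurrentUser', 'LocalMachine')][string]$StoreLocation = 'CurrentUser'
    )
    $result = [pscustomobject]@{ Found = $false; HasPrivateKey = $false; KeyUsable = $false; Error = $null }
    $cert = Get-Item -Path "Cert:\$StoreLocation\My\$Thumbprint" -ErrorAction SilentlyContinue
    if (-not $cert) { $result.Error = 'certificate not found in store'; return $result }
    $result.Found = $true
    $result.HasPrivateKey = $cert.HasPrivateKey   # only says a key container is referenced
    try {
        # Actually opening and using the key is what fails once the key file is gone.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($null -eq $rsa) { throw 'no RSA private key associated with certificate' }
        $null = $rsa.SignData([byte[]](0x50, 0x6e, 0x50),
            [System.Security.Cryptography.HashAlgorithmName]::SHA256,
            [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
        $result.KeyUsable = $true
    } catch {
        $result.Error = $_.Exception.Message       # e.g. "Keyset does not exist"
    }
    return $result
}

# Placeholders: fill in for your tenant and app registration.
$Url        = 'https://contoso.sharepoint.com'
$ClientId   = '00000000-0000-0000-0000-000000000000'
$Tenant     = 'contoso.onmicrosoft.com'
$Thumbprint = 'PLACEHOLDER_CERT_THUMBPRINT'

$before = Test-CertPrivateKeyUsable -Thumbprint $Thumbprint
Connect-PnPOnline -Url $Url -ClientId $ClientId -Tenant $Tenant -Thumbprint $Thumbprint
$after = Test-CertPrivateKeyUsable -Thumbprint $Thumbprint

if ($before.KeyUsable -and -not $after.KeyUsable) {
    Write-Warning "Connect-PnPOnline left the private key unusable ($($after.Error)). Upgrade the module; see issue #2101."
} elseif (-not $before.KeyUsable) {
    Write-Warning "Private key already unusable before connecting ($($before.Error)); reinstall the certificate with its private key."
} else {
    Write-Host 'Private key intact after connect.'
}
```

HasPrivateKey alone is not a reliable check here, because the store entry still references the key container after the key file has been deleted; only opening and using the key reveals the problem.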

@wobba (Contributor) commented Jun 1, 2019

One solution could be to remove the file on Disconnect, and for those having issues, they would need to call that to properly clean up. What do you think @erwinvanhunen?

@alzia If you run disconnect between your commands, does that work?

Seems to me there is some caching in the adal lib which needs the cert perhaps, and I will see what the best option would be for cleanup.

@yumoraby (Author) commented Jun 1, 2019

> One solution could be to remove the file on Disconnect, and for those having issues, they would need to call that to properly clean up. What do you think @erwinvanhunen?
>
> @alzia If you run disconnect between your commands, does that work?
>
> Seems to me there is some caching in the adal lib which needs the cert perhaps, and I will see what the best option would be for cleanup.

@wobba The private key is already deleted before we can disconnect. The deletion seems to happen when we run Connect-PnPOnline. The strange behaviour however is that when @alzia runs this for a tenant in Canada the key is not deleted. But for tenants in North America the key is deleted.

@alzia is this still the case?

@wobba (Contributor) commented Jun 2, 2019

I know it's deleted on connect, but please try a disconnect before your second connect to verify behavior. I will look at this a bit later.

@wobba (Contributor) commented Jun 2, 2019

Seems the issue with new private key files is when loading from a pfx file. I'll work on a proper fix for this.

cc @erwinvanhunen

@wobba (Contributor) commented Jun 3, 2019

Pushed a fix for this where we now cleanup only for file based certificates, not when loaded via thumbprint.

@wobba wobba closed this as completed Jun 3, 2019
@yumoraby (Author) commented Jun 3, 2019

> Pushed a fix for this where we now cleanup only for file based certificates, not when loaded via thumbprint.

Thank you

@wobba (Contributor) commented Jun 3, 2019

@yumoraby would you be able to build the dev branch and verify if this fix works for you? You might have to reinstall the certificate.

@alzia commented Jun 3, 2019

@wobba - I will check and get back to you on this.
Thanks.

@yumoraby (Author) commented Jun 5, 2019

@wobba I have built the Dev Branch. There were some errors in the Get-Provisioning Templates; however, as we were not working on this module, @alzia and I commented out the errors. We were then able to test and connect with PnP Online without the private key being deleted. This fix has been confirmed to work. Thank you!

@SB-o-matic

@wobba @alzia

Gentlemen,
I am having this exact issue with the private key being removed after a successful connect. I am getting this with the Connect-PnPOnline cmdlet (with the Thumbprint parameter) even when I call Disconnect-PnPOnline between attempts. I have not experienced this with the Connect-AzureAD cmdlet.

Is the fix going to take some time to reach all tenants?

@yumoraby (Author)

> @wobba @alzia
>
> Gentlemen,
> I am having this exact issue with the private key being removed after a successful connect. I am getting this with the Connect-PnPOnline cmdlet (with the Thumbprint parameter) even when I call Disconnect-PnPOnline between attempts. I have not experienced this with the Connect-AzureAD cmdlet.
>
> Is the fix going to take some time to reach all tenants?

Have you downloaded the latest package 3.10.1906.0? This has fixed the issue for me: no deletion of the private key. Make sure you do a clean upgrade: remove the old version and install the latest.

@SB-o-matic

> @wobba @alzia
> Gentlemen,
> I am having this exact issue with the private key being removed after a successful connect. I am getting this with the Connect-PnPOnline cmdlet (with the Thumbprint parameter) even when I call Disconnect-PnPOnline between attempts. I have not experienced this with the Connect-AzureAD cmdlet.
> Is the fix going to take some time to reach all tenants?
>
> Have you downloaded the latest package 3.10.1906.0? This has fixed the issue for me: no deletion of the private key. Make sure you do a clean upgrade: remove the old version and install the latest.

Will give it a go now. Thanks for the prompt reply.

@SB-o-matic

> @wobba @alzia
> Gentlemen,
> I am having this exact issue with the private key being removed after a successful connect. I am getting this with the Connect-PnPOnline cmdlet (with the Thumbprint parameter) even when I call Disconnect-PnPOnline between attempts. I have not experienced this with the Connect-AzureAD cmdlet.
> Is the fix going to take some time to reach all tenants?
>
> Have you downloaded the latest package 3.10.1906.0? This has fixed the issue for me: no deletion of the private key. Make sure you do a clean upgrade: remove the old version and install the latest.
>
> Will give it a go now. Thanks for the prompt reply.

I was successful after upgrading the module, thanks!

What is weird is that I didn't experience the same on a Windows 10 machine with 3.9.XXX (did on a 2012r2 box).

@wobba (Contributor) commented Jun 11, 2019

Happy the fix solved the issue and sorry for causing it in the first place :)
