[BUG] Unable to authenticate to SharePoint Online with certificate thumbprint in multi tenant setup #275
Comments
@evobis: just to rule out a difference between .NET Framework and .NET Core... what is the PS version you're using? (Version 5 uses .NET Framework, version 7 uses .NET Core.)

@jansenbe thanks for replying :) I was using PowerShell 5.1, but I just installed PowerShell 7 and it works perfectly here as well. The issue only occurs when using PnP.Framework 1.4 in C#.

@evobis: can you do a Fiddler trace while doing the PS login (works) and the .NET call (fails) and share the outcome? If the trace contains confidential content then feel free to send it to bjansen@microsoft.com.

@jansenbe thanks, I've sent you an e-mail with the traces.

@jansenbe did you by any chance find an opportunity to look into the issue, or have a status of the progress? :)
Sorry, did not yet have time...really busy at the moment. Will try to squeeze this in this week though |
No reason to apologize. As I see it you are doing me a favor. |
I did a small bit of further digging; the issue seems to have appeared from 1.2 -> 1.3. I don't have time to really dive into the issue, but I hope this can help you a bit more.

Looking at the 1.2.0 AuthenticationManager calls, 1.3.0 relies on "GetBuilderWithAuthority", which seems to ignore that a tenantId has been set in the AuthenticationManager. A fix would seem to be to wrap the authority call like this:

```csharp
// Use the tenant-specific authority when a tenant was configured,
// otherwise fall back to the multi-tenant "organizations" endpoint.
if (!string.IsNullOrEmpty(tenantId))
{
    builder = builder.WithAuthority(azureADEndPoint, tenantId, true);
}
else
{
    builder = builder.WithAuthority($"{azureADEndPoint}/organizations");
}
```

^ just some quick pseudocode, I hope someone with a greater understanding of this repo can actually verify/implement it.
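As an added illustration of the authority selection discussed in the comment above (example code, not from the PnP.Framework repository or from any commenter): a stand-alone MSAL.NET confidential client that loads the certificate by thumbprint from `CurrentUser\My`, picks the tenant-specific authority whenever a tenant is known, and requests an app-only token for SharePoint Online. `SpoAuthority`, `Resolve`, `LoadCertificate`, `GetSpoTokenAsync` and the `spoHost` parameter are hypothetical names chosen for this example.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Hypothetical helper (not part of PnP.Framework). The point from the thread:
// sending a multi-tenant app's certificate login to "/organizations" lets AAD
// guess the directory, which produces AADSTS700016 when the app is not known
// there. A known tenantId must therefore produce a tenant-specific authority.
public static class SpoAuthority
{
    public static string Resolve(string azureAdEndPoint, string tenantId)
    {
        return string.IsNullOrWhiteSpace(tenantId)
            ? $"{azureAdEndPoint}/organizations"   // fallback, tenant unknown
            : $"{azureAdEndPoint}/{tenantId}";     // GUID or verified domain name
    }

    // Same lookup the thumbprint-based constructors perform: personal store of
    // the current user, matched on thumbprint, expired certs not filtered out.
    public static X509Certificate2 LoadCertificate(string thumbprint)
    {
        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        var matches = store.Certificates.Find(
            X509FindType.FindByThumbprint, thumbprint, validOnly: false);
        if (matches.Count == 0)
            throw new InvalidOperationException(
                $"No certificate with thumbprint {thumbprint} in CurrentUser\\My");
        return matches[0];
    }

    // App-only token for SPO; spoHost is e.g. "contoso.sharepoint.com".
    public static async Task<string> GetSpoTokenAsync(
        string clientId, string tenantId, string thumbprint, string spoHost)
    {
        var authority = Resolve("https://login.microsoftonline.com", tenantId);
        var app = ConfidentialClientApplicationBuilder.Create(clientId)
            .WithCertificate(LoadCertificate(thumbprint))
            .WithAuthority(authority, validateAuthority: true)
            .Build();

        // SharePoint app-only access uses the resource's ".default" scope.
        var result = await app
            .AcquireTokenForClient(new[] { $"https://{spoHost}/.default" })
            .ExecuteAsync();
        return result.AccessToken;
    }
}
```

Calling `Resolve` with an empty tenant reproduces the authority that fails in the thread; passing the tenant id or domain yields the authority the PowerShell `-Tenant` path uses.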
I've got the same error with PnP.Framework 1.5.0 (according to https://www.nuget.org/packages/PnP.Framework, version 1.5.0 was released 2021-06-07 and should include the provided fix?) when I tried to authenticate to SPO with a certificate. Here is the minimal code to reproduce the issue:

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using PnP.Framework;

// PnP.Framework 1.5.0: certificate from the CurrentUser\My store, looked up by thumbprint
using (var authMngr = AuthenticationManager.CreateWithCertificate(AppId, StoreName.My,
    StoreLocation.CurrentUser, AppCertificateThumbprint, AADDomain))
{
    using (var ctx = authMngr.GetContext("https://{mytenant}.sharepoint.com/sites/foo"))
    {
        ctx.Load(ctx.Web);
        ctx.ExecuteQuery();
        Console.WriteLine(ctx.Web.Title);
    }
}
```

It throws an exception. Similar code with SharePointPnPCoreOnline works properly:

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using OfficeDevPnP.Core;

// SharePointPnPCoreOnline: same app id, domain and thumbprint, app-only context
using (var authMngr = new AuthenticationManager())
{
    using (var ctx = authMngr.GetAzureADAppOnlyAuthenticatedContext("https://{mytenant}.sharepoint.com/sites/foo",
        AppId, AADDomain, StoreName.My, StoreLocation.CurrentUser, AppCertificateThumbprint))
    {
        ctx.Load(ctx.Web);
        ctx.ExecuteQuery();
        Console.WriteLine(ctx.Web.Title);
    }
}
```
Description
When trying to authenticate to a SharePoint site with a certificate thumbprint, ClientId (app registration) and TenantId, I am faced with an error. If I authenticate with PnP.PowerShell with the exact same thumbprint and IDs, I am authenticated without issues.
This is a multi-tenant setup with multiple domains associated.
I use the exact same AppId and TenantId in PowerShell and .NET Core C#.

This works:

```powershell
Connect-PnPOnline -Url $siteUrl -ClientId $clientId -Thumbprint $cert.Thumbprint -Tenant $tenantId
Get-PnPWeb
```

This does not work:

```csharp
new PnP.Framework.AuthenticationManager(AuthenticationSettings.ClientId, StoreName.My, StoreLocation.CurrentUser,
    AuthenticationSettings.CertificateThumbprint, AuthenticationSettings.TenantID)
    .GetContext(AuthenticationSettings.SharePointSiteUrl);
```

Note: I tried to do the exact same with "SharePointPnPCoreOnline" in .NET Framework 4.8 C# and it works perfectly. I am authenticated without issues.
Error
AADSTS700016: Application with identifier '................' was not found in the directory 'sharepoint.com'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant. Trace ID: 8f5324b2-96e9-4107-b630-00b078492000 Correlation ID: 004872a6-bda0-4e2f-ae52-e12eb801547b Timestamp: 2021-04-14 06:51:18Z
Framework version
PowerShell PnP.PowerShell: 1.4
.NET Core: 3.1
.NET Core PnP.Framework: 1.4