Debug Certificate Authentication Issues #3490

Closed
meggenberger opened this issue Jul 20, 2023 · 4 comments


meggenberger commented Jul 20, 2023

Description of the issue

I'm using MicrosoftDSC to extract the settings and save them for archival purposes. Now I have to change the authentication to Service Principal with Certificate Thumbprint.

When I run the script locally everything works and I can extract the values from AAD workload. When running it in the pipeline I just get the following:

VERBOSE: No existing connections to Microsoft Graph
Exporting Microsoft 365 configuration for Components: AADConditionalAccessPolicy, AADAuthorizationPolicy, AADGroup, AADAdministrativeUnit, AADEntitlementManagementAccessPackageCatalog, AADEntitlementManagementAccessPackageCatalogResource, AADGroupLifecyclePolicy, AADGroupsNamingPolicy, AADGroupsSettings, AADNamedLocationPolicy, AADRoleDefinition, AADRoleSetting, AADSecurityDefaults, AADTenantDetails, AADTokenLifetimePolicy

Authentication methods specified:

  • Service Principal with Certificate Thumbprint

VERBOSE: Loading module from path 'C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.719.1\DSCResources\MSFT_AADAdministrativeUnit\MSFT_AADAdministrativeUnit.psm1'.
Partial Export file was saved at: C:\Users\VSSADM~1\AppData\Local\Temp\7d88381f-5415-4fc2-a121-29b7fca916a2.partial.ps1

Within the pipeline I download the cert and the private key from an Azure Key Vault and save it into the local cert store of the agent where the job is running. This works and I see the cert is installed and we have the private key:

PSPath : Microsoft.PowerShell.Security\Certificate::CurrentUser\My\F3FB2E541495962FD6070B57811F9B54D8C471B1
PSParentPath : Microsoft.PowerShell.Security\Certificate::CurrentUser\My
PSChildName : F3FB2E541495962FD6070B57811F9B54D8C471B1
PSIsContainer : False
Archived : False
Extensions : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid}
FriendlyName :
IssuerName : System.Security.Cryptography.X509Certificates.X500DistinguishedName
NotAfter : 5/23/2024 1:58:13 PM
NotBefore : 5/23/2023 1:38:13 PM
HasPrivateKey : True
PrivateKey : System.Security.Cryptography.RSACryptoServiceProvider
PublicKey : System.Security.Cryptography.X509Certificates.PublicKey
RawData : {48, 130, 3, 14...}
SerialNumber : 1A32DAC5159BAD814D84D14DABA3685F
SubjectName : System.Security.Cryptography.X509Certificates.X500DistinguishedName
SignatureAlgorithm : System.Security.Cryptography.Oid
Thumbprint : F3FB2E541495962FD6070B57811F9B54D8C471B1
Version : 3
Handle : 2952549909680
Issuer : CN=MicrosoftDSC365
Subject : CN=MicrosoftDSC365
EnhancedKeyUsageList : {Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication (1.3.6.1.5.5.7.3.1)}
DnsNameList : {MicrosoftDSC365}
SendAsTrustedIssuer : False
EnrollmentPolicyEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
EnrollmentServerEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
PolicyId :

How can I get more information where it's actually failing? I added -debug and -verbose to the command but the output above is all I get.

Microsoft 365 DSC Version

1.23.712.1

Workload

Azure Active Directory

The DSC configuration

Export-M365DSCConfiguration -Components @("AADConditionalAccessPolicy", "AADAuthorizationPolicy", "AADGroup", "AADAdministrativeUnit", "AADEntitlementManagementAccessPackageCatalog", "AADEntitlementManagementAccessPackageCatalogResource", "AADGroupLifecyclePolicy", "AADGroupsNamingPolicy", "AADGroupsSettings", "AADNamedLocationPolicy", "AADRoleDefinition", "AADRoleSetting", "AADSecurityDefaults", "AADTenantDetails", "AADTokenLifetimePolicy") -ApplicationId 0477c4d5-1234-48d1-afd9-16a8c30921be -TenantId testli01.onmicrosoft.com -CertificateThumbprint F3FB2E541495962FD6070B57AB1F9B54D8C471B1 -Path D:\a_temp -Filters @{ "AADGroup" = "startsWith(DisplayName,'ABCZ')" } -FileName "AAD_Components"

Verbose logs showing the problem

VERBOSE: No existing connections to Microsoft Graph
Exporting Microsoft 365 configuration for Components: AADConditionalAccessPolicy, AADAuthorizationPolicy, AADGroup, AADAdministrativeUnit, AADEntitlementManagementAccessPackageCatalog, AADEntitlementManagementAccessPackageCatalogResource, AADGroupLifecyclePolicy, AADGroupsNamingPolicy, AADGroupsSettings, AADNamedLocationPolicy, AADRoleDefinition, AADRoleSetting, AADSecurityDefaults, AADTenantDetails, AADTokenLifetimePolicy

Authentication methods specified:

  • Service Principal with Certificate Thumbprint

VERBOSE: Loading module from path 'C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.719.1\DSCResources\MSFT_AADAdministrativeUnit\MSFT_AADAdministrativeUnit.psm1'.
Partial Export file was saved at: C:\Users\VSSADM~1\AppData\Local\Temp\7d88381f-5415-4fc2-a121-29b7fca916a2.partial.ps1
##[error]The running command stopped because the preference variable "ErrorActionPreference" or common parameter is set to Stop: Function Export-TargetResource cannot be created because function capacity 4096 has been exceeded for this scope.
##[error]PowerShell exited with code '1'.
Finishing: Export the current config

Environment Information + PowerShell Version

@{OsName=; OsOperatingSystemSKU=; OsArchitecture=; WindowsVersion=1809; WindowsBuildLabEx=17763.1.amd64fre.rs5_release.180914-1434; OsLanguage=; OsMuiLanguages=}
PSVersion: 5.1.17763.4644
PSEdition: Desktop
Compatible Versions: 1.0 2.0 3.0 4.0 5.0 5.1.17763.4644
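The question in the report is how to find out where certificate authentication is failing when the export itself prints nothing useful. As an added example (not code from Microsoft365DSC and not something posted in this issue), the PowerShell function below runs the checks a pipeline step should do before calling Export-M365DSCConfiguration: it normalises the thumbprint, resolves it in the same store the export searches, confirms the validity window, proves the private key is usable by signing with it, and raises the Windows PowerShell function cap. The function and parameter names are illustrative. The assumption that raising $MaximumFunctionCount is the right knob for the "function capacity 4096 has been exceeded" error is mine; the workaround discussed in #3454 is not quoted on this page.

```powershell
# Added example: pre-flight checks for certificate-based Microsoft365DSC auth on a pipeline agent.
# Not part of Microsoft365DSC. Function name, parameter names and the capacity value are illustrative.
function Test-CertAuthPreflight {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $CertificateThumbprint,
        [string] $StorePath = 'Cert:\CurrentUser\My',   # the store the export runs against (assumed)
        [int]    $FunctionCapacity = 32768              # assumed target; 4096 is the Windows PowerShell default
    )
    $ErrorActionPreference = 'Stop'

    # 1. Normalise the thumbprint. A value pasted from a portal often carries spaces or an invisible
    #    character; comparing the raw string against the store then silently matches nothing.
    $thumb = ($CertificateThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($thumb.Length -ne 40) {
        throw "Thumbprint '$CertificateThumbprint' is $($thumb.Length) hex characters after normalisation, expected 40."
    }

    # 2. Resolve the certificate in the same store the export will search, and list what is there if it is missing.
    $cert = Get-ChildItem -Path $StorePath | Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $cert) {
        $present = (Get-ChildItem -Path $StorePath | ForEach-Object { "$($_.Thumbprint) ($($_.Subject))" }) -join '; '
        throw "No certificate with thumbprint $thumb in $StorePath. Present: $present"
    }
    if ($cert.Count -gt 1) { $cert = $cert[0] }

    # 3. Validity window. An expired certificate still reports HasPrivateKey = True.
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        throw "Certificate $thumb is outside its validity window ($($cert.NotBefore) to $($cert.NotAfter))."
    }

    # 4. HasPrivateKey only says the store holds a key reference. Signing with the key proves the
    #    running account can actually use it (catches keys imported under another profile or with a
    #    missing key container), which is what the client-assertion step of the token request needs.
    if (-not $cert.HasPrivateKey) { throw "Certificate $thumb has no private key in $StorePath." }
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($null -eq $rsa) { throw 'GetRSAPrivateKey returned null' }
        $null = $rsa.SignData([System.Text.Encoding]::UTF8.GetBytes('preflight'),
                              [System.Security.Cryptography.HashAlgorithmName]::SHA256,
                              [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    } catch {
        throw "Private key for $thumb is present but not usable by $($env:USERNAME): $($_.Exception.Message)"
    }

    # 5. Windows PowerShell limits the number of functions per session (default 4096). A large export
    #    defines one Export-TargetResource per resource module and can hit that cap. Raising
    #    $MaximumFunctionCount is assumed here to be the relevant setting; it exists only in Windows PowerShell.
    if ($PSVersionTable.PSEdition -eq 'Desktop' -and $global:MaximumFunctionCount -lt $FunctionCapacity) {
        $global:MaximumFunctionCount = $FunctionCapacity
    }

    Write-Verbose "Preflight OK: $($cert.Subject), thumbprint $thumb, expires $($cert.NotAfter), MaximumFunctionCount=$($global:MaximumFunctionCount)"
    return $thumb   # pass the normalised value to -CertificateThumbprint
}

# Usage in the pipeline step, before the export (CERT_THUMBPRINT is an assumed pipeline variable):
# $thumb = Test-CertAuthPreflight -CertificateThumbprint $env:CERT_THUMBPRINT -Verbose
# Export-M365DSCConfiguration -Components @("AADGroup") -ApplicationId <app-id> -TenantId <tenant> -CertificateThumbprint $thumb -Path D:\a_temp
```

Two things worth noting against the report above. First, the -CertificateThumbprint value in the command (…D6070B57AB1F9B54D8C471B1) and the Thumbprint of the certificate listed from the store (…D6070B57811F9B54D8C471B1) differ in three characters; step 2 reports that mismatch before any Graph call is attempted, instead of the export silently finding no certificate. Second, the last line of the verbose log names a PowerShell scope limit rather than an authentication failure, so the certificate checks alone will not explain the pipeline exit; step 5 is the part that addresses that message.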
ricmestre (Contributor) commented:

@meggenberger I already reported this here #3454, please go through the thread to understand the issue.

Still waiting for @andikrueger for further testing on how to tackle this.

meggenberger (Author) commented:

@ricmestre Thank you very much for the pointer to the existing issue. I'll try some workarounds mentioned there.

andikrueger (Collaborator) commented:

Please let us know what works for you or if you see any other issues. Any feedback / test results are a big help to figure out what to fix.

andikrueger (Collaborator) commented:

Closing due to inactivity.

@andikrueger andikrueger closed this as not planned Won't fix, can't repro, duplicate, stale Dec 6, 2023