This blog post describes my recent experience authenticating an Azure AD service principal with a certificate. The process is well documented and seemed quite straightforward; however, this was not my experience.

The issue

I was able to successfully follow the process to set up the Azure AD service principal until the step where I granted the service principal a role (using PS cmdlets). When I tried to log in as the service principal, I encountered the issue below.

Login-AzureRmAccount -CertificateThumbprint $cert.Thumbprint -ApplicationId $appId -ServicePrincipal -TenantId $subscription.TenantId

Login-AzureRmAccount : Invalid provider type specified.
At line:1 char:1
+ Login-AzureRmAccount -CertificateThumbprint $cert.Thumbprint -Applica ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [Add-AzureRmAccount], CryptographicException
    + FullyQualifiedErrorId : http://Microsoft.Azure.Commands.Profile.AddAzureRMAccountCommand

Referring to the documentation for Add-AzureRMAccount (Login-AzureRMAccount is an alias), the TenantId parameter expected an array of strings, which prompted me to change the command to:

Login-AzureRmAccount -CertificateThumbprint $cert.Thumbprint -ApplicationId $azureAdApplication.IdentifierUris -ServicePrincipal -TenantId [string[]]$subscription.TenantId

This time the error received was:

Login-AzureRmAccount : 'authority' should be in Uri format
Parameter name: authority
At line:1 char:1
+ Login-AzureRmAccount -CertificateThumbprint $cert.Thumbprint -Applica ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [Add-AzureRmAccount], ArgumentException
    + FullyQualifiedErrorId : http://Microsoft.Azure.Commands.Profile.AddAzureRMAccountCommand

Note: I updated the Azure PowerShell module to 1.3.2 (19 April 2016) and still received the ‘authority’ error. The ‘Invalid provider type’ error didn’t appear though; instead it provided a clearer error message: Cannot convert ‘System.Object[]’ to the type ‘System.String’ required by parameter ‘TenantId’

The workaround / fix

As a workaround, I resorted to using the Azure cross-platform CLI (version 0.9.2, as tested), which performs the equivalent of the PowerShell operation. If you don’t mind the CLI, I think this can be considered a fix.

Before running this command you need to convert the PFX file to a PEM file as described here.

azure login --service-principal --tenant "$tenantid" -u "$appid" --certificate-file <path to PEM file>\cert.pem --thumbprint "$cert"

This resulted in the following.

info:    Executing command login
info:    Added subscription <Subscription name>
info:    Setting subscription "<Subscription Name>" as default
info:    login command OK

I have not performed a detailed analysis of why the PS cmdlet produced such errors – there might be information that can be gleaned via Fiddler on what REST API requests were generated (in the meantime I raised this issue with @AzureSupport and an issue on GitHub).

Hope this short post saves you troubleshooting time.


Comments

  1. Hi,

    Did you receive any update from Azure support? I have the same issue 🙁

    Alex

  2. FYI, I had this same issue, followed the linked microsoft documentation from the post, the solution was to make sure to call New-SelfSignedCertificate with -Provider “Microsoft Enhanced RSA and AES Cryptographic Provider”
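The PowerShell sequence below is an added example, not code from the original post or its comments. It ties together the post's login command and the provider fix from the comment above: a check that reports whether a certificate's private key is held by a legacy CSP provider (the "Invalid provider type specified" CryptographicException is what the cmdlet surfaces when it is not), creation of a certificate with the named CSP provider, and the login call. It assumes Windows PowerShell 5.x with the PKI and AzureRM modules installed, and that $appId and $tenantId already hold the application ID and tenant ID of an existing service principal (both are assumptions, not values from the post).

```powershell
# Added example (not from the original post). Assumes Windows PowerShell 5.x with the PKI
# module (New-SelfSignedCertificate) and the AzureRM module, and that $appId and $tenantId
# already hold an existing service principal's application ID and tenant ID.

# Diagnose the "Invalid provider type specified" case before attempting to log in.
# Legacy code reads X509Certificate2.PrivateKey, which only works for keys held by a
# CryptoAPI (CSP) provider; keys held by a CNG key storage provider throw that exception.
function Test-CspPrivateKey {
    param([Parameter(Mandatory)][string]$Thumbprint)
    $cert = Get-Item -Path "Cert:\CurrentUser\My\$Thumbprint"
    if (-not $cert.HasPrivateKey) {
        Write-Warning "Certificate $Thumbprint has no private key in this store."
        return $false
    }
    try {
        # The getter throws a CryptographicException for CNG-backed keys; PowerShell
        # wraps it, so a generic catch is used and the inner message is reported.
        $null = $cert.PrivateKey
        return $true
    } catch {
        Write-Warning "Private key for $Thumbprint is not CSP-backed: $($_.Exception.Message)"
        return $false
    }
}

# Create the certificate with the CSP provider named in the comments so the private key
# is usable by the cmdlet. -KeySpec Signature limits the key to signing operations.
$cert = New-SelfSignedCertificate -Subject "CN=azure-sp-demo" `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" `
    -KeySpec Signature -KeyLength 2048 -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(1)

if (-not (Test-CspPrivateKey -Thumbprint $cert.Thumbprint)) {
    throw "Certificate $($cert.Thumbprint) would fail the Login-AzureRmAccount certificate path."
}

# Per the 1.3.2 error quoted in the post, TenantId is a single string: do not cast to string[].
Login-AzureRmAccount -ServicePrincipal -CertificateThumbprint $cert.Thumbprint `
    -ApplicationId $appId -TenantId $tenantId
```

Running Test-CspPrivateKey against an existing thumbprint is a quick way to tell, before the login call, whether an already-issued certificate was generated with a CNG provider.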
