Problem:Office 365 - AADSTS700027: The certificate with identifier used to sign the client assertion is not registered on application

Problem

After you renew the root CA (ucsCA) of the system, you receive the following error message when setting up Office 365 with a new Azure connection.


You will find the complete error message in the following log files:
/var/log/univention/management-console-module-office365.log
/var/log/univention/listener.log

> request body: client_id=67c9c997-3893-4e8a-a724-ee0e85526e9b&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion=eyJhbGciOiAiUlMyNTYiLCAieDV0IjogIlpPQmtTdTVsTk9acktodnlBeElTK29KcW9FQT1cbiJ9.eyJzdWIiOiAiNjdjOWM5OTctMzg5My00ZThhLWE3MjQtZWUwZTg1NTI2ZTliIiwgImlzcyI6ICI2N2M5Yzk5Ny0zODkzLTRlOGEtYTcyNC1lZTBlODU1MjZlOWIiLCAianRpIjogImI0Yjg2ZTliLWY4ZmMtNGFiYi05YmJlLTg2NDljNmM0NDkxZSIsICJleHAiOiAxNzIwMTcyMDUyLCAibmJmIjogMTcyMDE3MTE1MiwgImF1ZCI6ICJodHRwczovL2xvZ2luLm1pY3Jvc29mdG9ubGluZS5jb20vZjhmN2NkZWYtNWI5NS00NWY5LTgzMTctY2NiMTA0MjQ5MGY3L29hdXRoMi92Mi4wL3Rva2VuIn0.vuIvVFhHrYadb4e2vg5fmxugrOnNF-98BsBH2A3yqHWDX2Tok6J98YpzjLxHuNEx6-1rmIpKdR4jBfbjPGyJozbtAMhXCurLOqA0dfVxf6rhcSuEG4DVw4xkI_LyS0TA8vn-hn5Qwnc68eUBs2G9TBjYx6AxHdvjcZc893sXUwlpPtXGuWc7GuI_aS0npdsn8uFsMvpJtrMURId_m9dxASO_a20HsuJFBsxYtzzF20PWjuuzQ5FXefGRNUECO94OMxeA_4aw79uz7YsSseO5YPT4lD5wr6X7FYmofcq91iKW-SRfJ1_SUmHFQx3nZT8YM_2-j8-wjvrZa4D4eVATLg&grant_type=client_credentials&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default

> response header: {
"Cache-Control": "no-store, no-cache",
"Pragma": "no-cache",
"Content-Type": "application/json; charset=utf-8",
"Expires": "-1",
"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
"X-Content-Type-Options": "nosniff",
"P3P": "CP=\"DSP CUR OTPi IND OTRi ONL FIN\"",
"x-ms-request-id": "2d40fd8d-be3f-4671-bfed-01b0048b3300",
"x-ms-ests-server": "2.1.18399.9 - NEULR1 ProdSlices",
"x-ms-srs": "1.P",
"X-XSS-Protection": "0",
"Set-Cookie": "fpc=AhXdrAiGkKRIjjifQQKTjNzvX_POAQAAALGyGd4OAAAA; expires=Sun, 04-Aug-2024 09:24:02 GMT; path=/; secure; HttpOnly; SameSite=None, x-ms-gateway-slice=estsfd; path=/; secure; samesite=none; httponly, stsservicecookie=estsfd; path=/; secure; samesite=none; httponly",
"Date": "Fri, 05 Jul 2024 09:24:01 GMT",
"Content-Length": "1126"
}

> response body: {
"error": "invalid_client",
"error_description": "AADSTS700027: The certificate with identifier used to sign the client assertion is not registered on application. 
Reason - The key was not found., Thumbprint of key used by client: '64E0644AEE6534E66B2A1BF2031212FA826AA040', Please visit the Azure Portal, 
Graph Explorer or directly use MS Graph to see configured keys for app Id '67c9c997-3893-4e8a-a724-ee0e85526e9b'. Review the documentation at 
https://docs.microsoft.com/en-us/graph/deployments to determine the corresponding service endpoint and https://docs.microsoft.com/en-us/graph/api/application-get?view=graph-rest-1.0&tabs=http to build a query request URL, 
such as 'https://graph.microsoft.com/beta/applications/67c9c997-3893-4e8a-a724-ee0e85526e9b']. Trace ID: 2d40fd8d-be3f-4671-bfed-01b0048b3300 Correlation ID: 66033860-3137-45eb-8c31-956f95dbed94 Timestamp: 2024-07-05 09:24:02Z",
"error_codes": [700027],
"timestamp": "2024-07-05 09:24:02Z",
"trace_id": "2d40fd8d-be3f-4671-bfed-01b0048b3300",
"correlation_id": "66033860-3137-45eb-8c31-956f95dbed94",
"error_uri": "https://login.microsoftonline.com/error?code=700027"
}

Environment

univention-app info

UCS: 5.0-x
Installed: office365=5.10
Upgradable:

Solution

1. Check whether the certificate of your Office 365 connection is still valid. In the example below it expired on Apr 18 2024, months before the failed request of Jul 5 2024 shown in the log.

openssl x509 -noout -dates -in /etc/univention-office365/cert.pem

notBefore=Apr 19 11:27:00 2019 GMT
notAfter=Apr 18 11:27:00 2024 GMT

root@ucs5:/etc/univention-office365# ls -lah

total 52K
drwx------ 2 listener root 4,0K Jul  3 17:08 .
drwx------ 6 listener root 4,0K Jul  5 11:32 ..
-r-------- 1 listener root   29 Jul 25  2019 cert.fp
-r-------- 1 listener root 5,5K Jul 25  2019 cert.pem
-r-------- 1 root     root 5,5K Jul  3 17:08 cert.pem.bak
-rw------- 1 listener root    3 Jan 18  2021 ids.json
-r-------- 1 listener root 1,7K Jul 25  2019 key.pem
-rw------- 1 listener root 1,4K Jan 10  2020 token.json

If the certificate has expired, you should renew it as described in the following article.

2. Check if the alias connections have updated their certificates.

root@ucs5:/etc/univention-office365# ls -lah defaultADconnection/

total 52K
drwx------ 2 listener root 4,0K Jul  3 17:08 .
drwx------ 6 listener root 4,0K Jul  5 11:32 ..
-r-------- 1 listener root   29 Jul 25  2019 cert.fp
-r-------- 1 listener root 5,5K Jul 25  2019 cert.pem
-r-------- 1 root     root 5,5K Jul  3 17:08 cert.pem.bak
-rw------- 1 listener root    3 Jan 18  2021 ids.json
-r-------- 1 listener root 1,7K Jul 25  2019 key.pem
-rw------- 1 root     root 9,5K Sep 25  2019 manifest.json
-rw------- 1 listener root 1,4K Jan 10  2020 token.json

If the certificate of the alias connection is also outdated, the connection should be removed and re-created so that cert.pem and key.pem are regenerated.

root@ucs5:/etc/univention-office365# /usr/share/univention-office365/scripts/manage_adconnections --help

usage: manage_adconnections [-h] {list,create,remove,rename} ...

Manage Azure AD connection configuration for the Office 365 connector.

positional arguments:
  {list,create,remove,rename}

optional arguments:
  -h, --help            show this help message and exit

root@ucs5:/etc/univention-office365# /usr/share/univention-office365/scripts/manage_adconnections remove defaultADconnection

Unsetting office365/adconnection/alias/defaultADconnection
Restarting univention-directory-listener service

root@ucs5:/etc/univention-office365# /usr/share/univention-office365/scripts/manage_adconnections create defaultADconnection

Create office365/adconnection/alias/defaultADconnection
Setting office365/adconnection/wizard
Restarting univention-directory-listener service

root@ucs5:/etc/univention-office365/defaultADconnection# ls -lah

drwx------ 2 listener root    4,0K Jul 12 18:32 .
drwx------ 7 listener root    4,0K Jul 12 15:48 ..
-r-------- 1 listener root      29 Jul  4 10:48 cert.fp
-r-------- 1 listener root    5,5K Jul  4 10:48 cert.pem
-rwx------ 1 listener nogroup  223 Jul 12 15:53 ids.json
-r-------- 1 listener root    1,7K Jul  4 10:48 key.pem
-rw------- 1 root     root    9,7K Jul 12 15:51 manifest.json
-rwx------ 1 listener nogroup 1,8K Jul 12 18:32 token.json

openssl x509 -noout -dates -in /etc/univention-office365/cert.pem

notBefore=Apr 19 11:27:00 2024 GMT
notAfter=Apr 18 11:27:00 2029 GMT

Now start the Office 365 setup wizard in the UMC; it should complete without errors for the alias connection you re-created.
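As an added example (not part of this article and not code from the Univention connector), the following POSIX shell script carries out the checks of steps 1 and 2 for every connection directory: it tests whether cert.pem has expired, computes the SHA-1 thumbprint that Azure prints in AADSTS700027, and decodes the x5t header of a logged client assertion so the two can be compared. It assumes that cert.fp holds the base64-encoded SHA-1 thumbprint of cert.pem and that the x5t value of the client assertion is that same thumbprint; the x5t of the assertion in the log above does decode to the thumbprint in the error message, and cert.fp is exactly 29 bytes, the length of that base64 value plus a newline, but the connector's file format is not documented on this page.

```shell
#!/bin/sh
# Added example, not part of the original article or of the Univention
# Office 365 connector. Assumption: cert.fp contains the base64-encoded SHA-1
# thumbprint of cert.pem, and the x5t JWT header carries the same value.

# Hex SHA-1 thumbprint of a PEM certificate, in the form Azure prints it.
cert_thumbprint_hex() {
    openssl x509 -noout -fingerprint -sha1 -in "$1" | sed 's/^.*=//; s/://g'
}

# Base64 form of the same thumbprint (the assumed cert.fp / x5t format).
cert_thumbprint_b64() {
    openssl x509 -in "$1" -outform DER | openssl dgst -sha1 -binary | base64
}

# Returns 0 if the certificate is still valid for at least $2 seconds
# (default 0, i.e. not expired right now).
cert_is_valid() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# Compare the thumbprint quoted in an AADSTS700027 message with cert.pem.
# Prints "match" or "mismatch" and returns 0 or 1 accordingly.
thumbprint_matches() {
    reported=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    if [ "$(cert_thumbprint_hex "$1")" = "$reported" ]; then
        echo match; return 0
    fi
    echo mismatch; return 1
}

# Decode the x5t header of a client assertion (JWT) taken from the log into
# the hex thumbprint. The signature is not verified; only the header is read.
jwt_x5t_hex() {
    hdr=$(printf '%s' "$1" | cut -d. -f1 | tr '_-' '/+')
    while [ $(( ${#hdr} % 4 )) -ne 0 ]; do hdr="$hdr="; done
    # The connector writes x5t with a trailing literal "\n"; strip it.
    x5t=$(printf '%s' "$hdr" | base64 -d \
          | sed -n 's/.*"x5t": *"\([^"]*\)".*/\1/p' | sed 's/\\n$//')
    printf '%s' "$x5t" | base64 -d | od -An -tx1 | tr -d ' \n' | tr 'a-f' 'A-F'
}

# Walk the connector's base directory and every alias sub-directory.
check_connections() {
    base="${1:-/etc/univention-office365}"
    for dir in "$base" "$base"/*/; do
        [ -f "$dir/cert.pem" ] || continue
        if cert_is_valid "$dir/cert.pem"; then state=valid; else state=EXPIRED; fi
        printf '%s: %s thumbprint=%s\n' "$dir" "$state" "$(cert_thumbprint_hex "$dir/cert.pem")"
        if [ -f "$dir/cert.fp" ] && \
           [ "$(cat "$dir/cert.fp")" != "$(cert_thumbprint_b64 "$dir/cert.pem")" ]; then
            echo "  cert.fp does not match cert.pem; the connection was not re-created cleanly"
        fi
    done
}
```

Run it as root on the UCS system (`check_connections`), then compare the printed thumbprint with the one in the error message, e.g. `thumbprint_matches /etc/univention-office365/defaultADconnection/cert.pem 64E0644AEE6534E66B2A1BF2031212FA826AA040`. A match on an expired certificate confirms step 1; a mismatch means Azure still has a certificate registered that is not the one on disk, which is the situation the remove/create cycle in step 2 resolves.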
