Problem: Office 365 - AADSTS700027: The certificate with identifier used to sign the client assertion is not registered on application

Problem

After renewing the root CA (ucsCA) of the system, you receive the following error message when setting up Office 365 with a new connection for Azure.

You will find the complete error message in the following log files:
/var/log/univention/management-console-module-office365.log
/var/log/univention/listener.log

> request body: client_id=67c9c997-3893-4e8a-a724-ee0e85526e9b&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion=eyJhbGciOiAiUlMyNTYiLCAieDV0IjogIlpPQmtTdTVsTk9acktodnlBeElTK29KcW9FQT1cbiJ9.eyJzdWIiOiAiNjdjOWM5OTctMzg5My00ZThhLWE3MjQtZWUwZTg1NTI2ZTliIiwgImlzcyI6ICI2N2M5Yzk5Ny0zODkzLTRlOGEtYTcyNC1lZTBlODU1MjZlOWIiLCAianRpIjogImI0Yjg2ZTliLWY4ZmMtNGFiYi05YmJlLTg2NDljNmM0NDkxZSIsICJleHAiOiAxNzIwMTcyMDUyLCAibmJmIjogMTcyMDE3MTE1MiwgImF1ZCI6ICJodHRwczovL2xvZ2luLm1pY3Jvc29mdG9ubGluZS5jb20vZjhmN2NkZWYtNWI5NS00NWY5LTgzMTctY2NiMTA0MjQ5MGY3L29hdXRoMi92Mi4wL3Rva2VuIn0.vuIvVFhHrYadb4e2vg5fmxugrOnNF-98BsBH2A3yqHWDX2Tok6J98YpzjLxHuNEx6-1rmIpKdR4jBfbjPGyJozbtAMhXCurLOqA0dfVxf6rhcSuEG4DVw4xkI_LyS0TA8vn-hn5Qwnc68eUBs2G9TBjYx6AxHdvjcZc893sXUwlpPtXGuWc7GuI_aS0npdsn8uFsMvpJtrMURId_m9dxASO_a20HsuJFBsxYtzzF20PWjuuzQ5FXefGRNUECO94OMxeA_4aw79uz7YsSseO5YPT4lD5wr6X7FYmofcq91iKW-SRfJ1_SUmHFQx3nZT8YM_2-j8-wjvrZa4D4eVATLg&grant_type=client_credentials&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default

> response header: {
"Cache-Control": "no-store, no-cache",
"Pragma": "no-cache",
"Content-Type": "application/json; charset=utf-8",
"Expires": "-1",
"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
"X-Content-Type-Options": "nosniff",
"P3P": "CP=\"DSP CUR OTPi IND OTRi ONL FIN\"",
"x-ms-request-id": "2d40fd8d-be3f-4671-bfed-01b0048b3300",
"x-ms-ests-server": "2.1.18399.9 - NEULR1 ProdSlices",
"x-ms-srs": "1.P",
"X-XSS-Protection": "0",
"Set-Cookie": "fpc=AhXdrAiGkKRIjjifQQKTjNzvX_POAQAAALGyGd4OAAAA; expires=Sun, 04-Aug-2024 09:24:02 GMT; path=/; secure; HttpOnly; SameSite=None, x-ms-gateway-slice=estsfd; path=/; secure; samesite=none; httponly, stsservicecookie=estsfd; path=/; secure; samesite=none; httponly",
"Date": "Fri, 05 Jul 2024 09:24:01 GMT",
"Content-Length": "1126"
}

> response body: {
"error": "invalid_client",
"error_description": "AADSTS700027: The certificate with identifier used to sign the client assertion is not registered on application. 
Reason - The key was not found., Thumbprint of key used by client: '64E0644AEE6534E66B2A1BF2031212FA826AA040', Please visit the Azure Portal, 
Graph Explorer or directly use MS Graph to see configured keys for app Id '67c9c997-3893-4e8a-a724-ee0e85526e9b'. Review the documentation at 
https://docs.microsoft.com/en-us/graph/deployments to determine the corresponding service endpoint and https://docs.microsoft.com/en-us/graph/api/application-get?view=graph-rest-1.0&tabs=http to build a query request URL, 
such as 'https://graph.microsoft.com/beta/applications/67c9c997-3893-4e8a-a724-ee0e85526e9b']. Trace ID: 2d40fd8d-be3f-4671-bfed-01b0048b3300 Correlation ID: 66033860-3137-45eb-8c31-956f95dbed94 Timestamp: 2024-07-05 09:24:02Z",
"error_codes": [700027],
"timestamp": "2024-07-05 09:24:02Z",
"trace_id": "2d40fd8d-be3f-4671-bfed-01b0048b3300",
"correlation_id": "66033860-3137-45eb-8c31-956f95dbed94",
"error_uri": "https://login.microsoftonline.com/error?code=700027"
}
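The log above already contains everything needed to tell the two possible causes apart: the x5t header of the client_assertion names the SHA-1 thumbprint of the certificate the connector signed with, and the error_description names the thumbprint Azure AD could not find among the app's registered keys. The script below (an added example, not part of the original article or of the Univention connector) decodes both, computes the thumbprint of a local cert.pem the same way, and reports whether the connector is still signing with a key that differs from cert.pem or whether cert.pem simply has not been registered yet; the JWT payload, the shortened error text and the SAMPLE_PEM are constructed placeholders.

```python
import base64
import hashlib
import json
import re

# Constructed inputs: the JWT header is copied from the client_assertion in the
# log above; payload and signature are placeholders, only the header is parsed.
ASSERTION = ("eyJhbGciOiAiUlMyNTYiLCAieDV0IjogIlpPQmtTdTVsTk9acktodnlBeElTK29KcW9FQT1cbiJ9"
             ".e30.c2ln")
ERROR_TEXT = ("AADSTS700027: The certificate with identifier used to sign the client assertion "
              "is not registered on application. Reason - The key was not found., Thumbprint of "
              "key used by client: '64E0644AEE6534E66B2A1BF2031212FA826AA040', ...")
# Constructed placeholder PEM (base64 of the bytes "abc", not a real certificate); it only
# exercises the hashing. In practice read /etc/univention-office365/cert.pem instead.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"


def _b64decode_any(text):
    """Decode base64 or base64url, tolerating whitespace (the x5t above ends in '\\n')
    and missing padding (JWT segments are unpadded)."""
    text = re.sub(r"\s+", "", text).replace("-", "+").replace("_", "/")
    return base64.b64decode(text + "=" * (-len(text) % 4))


def jwt_thumbprint(assertion):
    """Hex SHA-1 thumbprint named in the JWT's x5t header (what the connector signed with)."""
    header = json.loads(_b64decode_any(assertion.split(".")[0]))
    return _b64decode_any(header["x5t"]).hex().upper()


def rejected_thumbprint(error_description):
    """Thumbprint that Azure AD reports as not registered on the application."""
    m = re.search(r"Thumbprint of key used by client: '([0-9A-Fa-f]{40})'", error_description)
    return m.group(1).upper() if m else None


def pem_thumbprint(pem):
    """SHA-1 over the DER body of a PEM certificate, the form Azure displays."""
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    return hashlib.sha1(_b64decode_any(body.group(1))).hexdigest().upper()


def diagnose(assertion, error_description, pem):
    """Distinguish 'connector still signs with another key' from 'cert.pem not uploaded'."""
    used, rejected, local = (jwt_thumbprint(assertion),
                             rejected_thumbprint(error_description), pem_thumbprint(pem))
    if used != rejected:
        verdict = "request and response lines do not belong to the same token request"
    elif used == local:
        verdict = "cert.pem is the key in use; it is not registered in Azure, run the setup wizard"
    else:
        verdict = "connector signs with a key other than cert.pem; check the alias connection directories"
    return {"used": used, "rejected": rejected, "local": local, "verdict": verdict}
```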

Environment

univention-app info

UCS: 5.0-x
Installed: office365=5.10
Upgradable:

Solution

1. Check whether the certificate of your Office 365 connection has expired.

openssl x509 -noout -dates -in /etc/univention-office365/cert.pem

notBefore=Apr 19 11:27:00 2019 GMT
notAfter=Apr 18 11:27:00 2024 GMT

You can also check the timestamps on the files to see whether they have been updated.
ls -lah /etc/univention-office365

insgesamt 52K
drwx------ 2 listener root 4,0K Jul  3 17:08 .
drwx------ 6 listener root 4,0K Jul  5 11:32 ..
-r-------- 1 listener root   29 Jul 25  2019 cert.fp
-r-------- 1 listener root 5,5K Jul  25 2019 cert.pem
-r-------- 1 root     root 5,5K Jul  3 17:08 cert.pem.bak
-rw------- 1 listener root    3 Jan 18  2021 ids.json
-r-------- 1 listener root 1,7K Jul 25  2019 key.pem
-rw------- 1 listener root 1,4K Jan 10  2020 token.json

If the certificate has expired, you should renew it as described in the following article.


2. Check if the alias connections have updated their certificates.

Likewise, check the timestamps on the files of the alias connections to see whether they have been updated; the certificates of the alias connections must be renewed as well.

Example:
ls -lah /etc/univention-office365/defaultADconnection/

insgesamt 52K
drwx------ 2 listener root 4,0K Jul  3 17:08 .
drwx------ 6 listener root 4,0K Jul  5 11:32 ..
-r-------- 1 listener root   29 Jul 25  2019 cert.fp
-r-------- 1 listener root 5,5K Jul  25 2019 cert.pem
-r-------- 1 root     root 5,5K Jul  3 17:08 cert.pem.bak
-rw------- 1 listener root    3 Jan 18  2021 ids.json
-r-------- 1 listener root 1,7K Jul 25  2019 key.pem
-rw------- 1 root     root 9,5K Sep 25  2019 manifest.json
-rw------- 1 listener root 1,4K Jan 10  2020 token.json

If the certificate of an alias connection is outdated, the connection should be removed and re-created so that its cert.pem and key.pem are regenerated.

/usr/share/univention-office365/scripts/manage_adconnections --help

usage: manage_adconnections [-h] {list,create,remove,rename} ...

Manage Azure AD connection configuration for the Office 365 connector.

positional arguments:
  {list,create,remove,rename}

optional arguments:
  -h, --help            show this help message and exit
<skip>

Example:
Remove the alias connection defaultADconnection

/usr/share/univention-office365/scripts/manage_adconnections remove defaultADconnection

Unsetting office365/adconnection/alias/defaultADconnection
Restarting univention-directory-listener service

Re-create the alias connection with the name defaultADconnection

/usr/share/univention-office365/scripts/manage_adconnections create defaultADconnection

Create office365/adconnection/alias/defaultADconnection
Setting office365/adconnection/wizard
Restarting univention-directory-listener service

Check the timestamps of the alias connection files again.
As you can see, cert.fp and cert.pem have been updated.

ls -lah /etc/univention-office365/defaultADconnection

drwx------ 2 listener root    4,0K Jul 12 18:32 .
drwx------ 7 listener root    4,0K Jul 12 15:48 ..
-r-------- 1 listener root      29 Jul  4 10:48 cert.fp
-r-------- 1 listener root    5,5K Jul  4 10:48 cert.pem
-rwx------ 1 listener nogroup  223 Jul 12 15:53 ids.json
-r-------- 1 listener root    1,7K Jul  4 10:48 key.pem
-rw------- 1 root     root    9,7K Jul 12 15:51 manifest.json
-rwx------ 1 listener nogroup 1,8K Jul 12 18:32 token.json

Check cert.pem for the new dates to confirm that the certificate has been renewed.

openssl x509 -noout -dates -in /etc/univention-office365/cert.pem

notBefore=Apr 19 11:27:00 2024 GMT
notAfter=Apr 18 11:27:00 2029 GMT

3. Run the Setup Wizard

Now run the Office 365 setup wizard (UMC / Domain / Microsoft 365 setup wizard) and configure the renewed alias connections.

See also:
https://docs.software-univention.de/manual/latest/en/idm-cloud/office-365.html#setup
