azcopy login - Support SNI (Subject Name & Issuer Authentication) (AKA --use-cert-sn-issuer / x5c / send_certificate_chain) #2815
Labels
Comments
|
BTW, I forgot to note, this is added to our backlog for next release. No guarantees it makes it in, but, it is there. |
|
We need this as well, and ideally, in a way where I can use the machine's certificate store on Windows instead of having to export a PFX and store the password somewhere for unattended/automated processes. Building in SNI support would be a massive win for us (so much that I have one of my devs looking at this on a private fork.) For us, we need this to support baremetal/Hyper-V VM scenarios as well - hence the cert support/SNI support versus using native MSI scenarios. |
|
#2877 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Which version of the AzCopy was used?
v10.26.0 (latest)
Which platform are you using? (ex: Windows, Mac, Linux)
Linux (though I'm pretty sure it doesn't matter)
What command did you run?
azcopy login --service-principal --certificate-path /XXX.pfx --application-id YYYYYYYYYWhat problem was encountered?
Failed to perform login command: ClientCertificateCredential authentication failed. FromAssertion(): http call(
https://login.microsoftonline.com/common/oauth2/v2.0/token)(POST) error: reply status code was 401:
{"error":"invalid_client","error_description":"AADSTS700027: The certificate with identifier used to sign the client assertion is not registered on application. [Reason - The key was not found., Thumbprint of key used by client: 'XXXXX', Please visit the Azure Portal, Graph Explorer or directly use MS Graph to see configured keys for app Id 'XXXXX'. Review the documentation at
https://docs.microsoft.com/en-us/graph/deployments to determine the corresponding service endpoint and
https://docs.microsoft.com/en-us/graph/api/application-get?view=graph-rest-1.0&tabs=http
to build a query request URL, such as https://graph.microsoft.com/beta/applications/XXX
']. Alternatively, SNI may be configured on the app. Please ensure that client assertion is being sent with the x5c claim in the JWT header using MSAL's WithSendX5C() method so that Azure Active Directory can validate the certificate being used
How can we reproduce the problem in the simplest way?
Enable SNI auth on any service principal and try to login using a matching certificate
Have you found a mitigation/solution?
Logging in with
az login --use-cert-sn-issuerand then reusing its token viaAZCOPY_AUTO_LOGIN_TYPE="AZCLI"should work, but the latter is broken: #2794This makes
azcopy login --service-principal --certificate-pathwon't work for most MS-internal scenarios, as I'm sure you know cert pinning is disallowed.The text was updated successfully, but these errors were encountered: