Getting error: The certificate with identifier used to sign the client assertion is not registered on application. [Reason - The key was not found., Thumbprint of key used by client

Abdul Raouf 1 Reputation point
2022-07-07T18:39:32.637+00:00

Hi All,

I have written the same code which is in the document (https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-net-client-assertions). I was able to generate the client assertion, but when I test it in Postman to get the access token, I get the error below:

{
"error": "invalid_client",
"error_description": "AADSTS700027: The certificate with identifier used to sign the client assertion is not registered on application. [Reason - The key was not found., Thumbprint of key used by client: 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', Please visit the Azure Portal, Graph Explorer or directly use MS Graph to see configured keys for app Id 'xxxxxxxxxxxxxxxxxxxxxxxxxx'. Review the documentation at https://learn.microsoft.com/en-us/graph/deployments to determine the corresponding service endpoint and https://learn.microsoft.com/en-us/graph/api/application-get?view=graph-rest-1.0&tabs=http to build a query request URL, such as 'https://graph.microsoft.com/beta/applications/xxxxxxxxxxxxxxxxxxxxx'].\r\nTrace ID: cb24f62e-410b-4ce0-bef5-b4b28d1f8001\r\nCorrelation ID: 987a0c7a-3be6-4b0b-8f66-39ce19294f91\r\nTimestamp: 2022-07-04 07:47:39Z",
"error_codes": [
700027
],
"timestamp": "2022-07-04 07:47:39Z",
"trace_id": "cb24f62e-410b-4ce0-bef5-b4b28d1f8001",
"correlation_id": "987a0c7a-3be6-4b0b-8f66-39ce19294f91",
"error_uri": "https://login.microsoftonline.com/error?code=700027"
}

Some suggested passing the base64url-encoded format of the certificate's thumbprint in the x5t body parameter, but I am still getting the same error.

I also referred to the solution from https://learn.microsoft.com/en-us/answers/questions/346048/how-to-get-access-token-from-client-certificate-ca.html.

@sikumars-msft @Givary-MSFT


1 answer

  1. 2022-07-07T21:44:57.167+00:00

    Hello @Abdul Raouf, as the error message states, the certificate used to sign the assertion was not found in your application. Please ensure it has been added and that you're not targeting a certificate bound to a service principal from another tenant (for multi-tenant applications). You can review and upload your application certificates through the Azure Portal.

    Let us know if this answer was helpful to you or if you need additional assistance. If it was helpful, please remember to accept it and complete the quality survey so that others in the community with similar questions can more easily find a rated solution.

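A way to check the thumbprint mismatch discussed in this thread, as an added example that is not part of the original posts or of Microsoft's documentation: it decodes the `x5t` value from a client assertion's JWT header and compares it with the hex SHA-1 thumbprints listed for the application's certificates. The function names and the sample thumbprint are constructed for illustration; it also flags the case where the hex text itself was base64url-encoded instead of the 20 raw digest bytes.

```python
import base64
import json

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def normalize(thumbprint: str) -> str:
    return thumbprint.replace(":", "").replace(" ", "").upper()

def x5t_from_thumbprint(hex_thumbprint: str) -> str:
    """Hex SHA-1 thumbprint -> x5t value: base64url of the 20 raw bytes."""
    return b64url_encode(bytes.fromhex(normalize(hex_thumbprint)))

def diagnose(assertion: str, registered: list[str]) -> str:
    """Compare the x5t in a client assertion's JWT header with registered thumbprints."""
    header = json.loads(b64url_decode(assertion.split(".")[0]))
    if "x5t" not in header:
        return "no x5t in JWT header"
    raw = b64url_decode(header["x5t"])
    if len(raw) == 40 and all(c in b"0123456789abcdefABCDEF" for c in raw):
        # Pitfall: the ASCII hex text was encoded instead of the raw digest bytes.
        return "x5t encodes the hex string, not the raw SHA-1 bytes"
    claimed = raw.hex().upper()
    if claimed in {normalize(t) for t in registered}:
        return "x5t matches a registered certificate"
    return f"thumbprint {claimed} is not registered"

def sample_assertion(x5t: str) -> str:
    """Constructed, unsigned JWT-shaped string; only the header is inspected."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT", "x5t": x5t}).encode())
    return header + ".e30.c2ln"

if __name__ == "__main__":
    portal = "01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67"  # constructed
    good = sample_assertion(x5t_from_thumbprint(portal))
    bad = sample_assertion(b64url_encode(normalize(portal).encode()))
    print(diagnose(good, [portal]))
    print(diagnose(bad, [portal]))
    print(diagnose(good, ["FF" * 20]))
```

Pass the assertion string sent to the token endpoint and the thumbprints shown for the app registration's certificates; the script never needs the private key.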