1
votes

I have a multi-tenant Azure AD application. It has been running fine for over a year. Let's say that the App is published by the "corp" Azure AD tenant. If I log into the app with an account from the "corp" tenant, the application works as expected. However, if I access the application with an account from a different tenant, I get an error saying

"Device Certificate was not found for Cert Authorities:OU=82dbaca4-3e81-46ca-9c73-0950c1eaca97,CN=MS-Organization-Access,DC=windows,DC=net"

I found this article that looks very similar to the problem I am seeing. We recently enabled Conditional Access in the "corp" Azure AD tenant, but not specifically for this application. I tried updating ADAL to version 3.19.2 but the error persists.

The application does work in my dev environment with a test Azure AD. I think there is some sort of issue going on between ADAL and the Conditional Access Policy of my Corp AAD tenant. However, since there is no CA policy for this app in particular, I am not even sure why it would try to access a device cert to verify if the device was registered in AAD.

Error Details

Description:

An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details:

Microsoft.IdentityModel.Clients.ActiveDirectory.AdalException: Device Certificate was not found for Cert Authorities:OU=82dbaca4-3e81-46ca-9c73-0950c1eaca97,CN=MS-Organization-Access,DC=windows,DC=net

Full Stack Trace:

  [AdalException: Device Certificate was not found for Cert Authorities:OU=82dbaca4-3e81-46ca-9c73-0950c1eaca97,CN=MS-Organization-Access,DC=windows,DC=net]
   Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Platform.DeviceAuthHelper.FindCertificateByCertAuthorities(IDictionary`2 challengeData, X509Certificate2Collection certCollection) +710
   Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Platform.DeviceAuthHelper.FindCertificate(IDictionary`2 challengeData) +138
   Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Platform.<CreateDeviceAuthChallengeResponseAsync>d__2.MoveNext() +144
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +31
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +68
   Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Http.<HandleDeviceAuthChallengeAsync>d__25`1.MoveNext() +479
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +31
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +68
   Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Http.<GetResponseAsync>d__22`1.MoveNext() +3220
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +31
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +68
   Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Http.<GetResponseAsync>d__21`1.MoveNext() +359
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +31
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +68
   Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.<SendHttpMessageAsync>d__72.MoveNext() +401
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +31
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +68
   Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.<SendTokenRequestAsync>d__69.MoveNext() +415
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +31
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +68
   Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.<CheckAndAcquireTokenUsingBrokerAsync>d__59.MoveNext() +605
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +31
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +68
   Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.<RunAsync>d__57.MoveNext() +4005
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +31
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +68
   Microsoft.IdentityModel.Clients.ActiveDirectory.<AcquireTokenCommonAsync>d__37.MoveNext() +451
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +31
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +68
   Microsoft.IdentityModel.Clients.ActiveDirectory.<AcquireTokenAsync>d__0.MoveNext() +313

[AggregateException: One or more errors occurred.]
   System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification) +116
   AvanadeExternalAccess.Utils.AzureADAuthHelper.GetAuthResult() +397
   AvanadeExternalAccess.Utils.InvitationManager.GetUrl(Invitation Invite) +24
   AvanadeExternalAccess.Controllers.HomeController.Index() +616
   lambda_method(Closure , ControllerBase , Object[] ) +87
   System.Web.Mvc.ReflectedActionDescriptor.Execute(ControllerContext controllerContext, IDictionary`2 parameters) +1180
   System.Web.Mvc.ControllerActionInvoker.InvokeActionMethod(ControllerContext controllerContext, ActionDescriptor actionDescriptor, IDictionary`2 parameters) +1366
   System.Web.Mvc.Async.AsyncControllerActionInvoker.<BeginInvokeSynchronousActionMethod>b__39(IAsyncResult asyncResult, ActionInvocation innerInvokeState) +40
   System.Web.Mvc.Async.WrappedAsyncResult`2.CallEndDelegate(IAsyncResult asyncResult) +74
   System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethod(IAsyncResult asyncResult) +43
   System.Web.Mvc.Async.AsyncInvocationWithFilters.<InvokeActionMethodFilterAsynchronouslyRecursive>b__3d() +72
   System.Web.Mvc.Async.<>c__DisplayClass46.<InvokeActionMethodFilterAsynchronouslyRecursive>b__3f() +385
   System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethodWithFilters(IAsyncResult asyncResult) +43
   System.Web.Mvc.Async.<>c__DisplayClass2b.<BeginInvokeAction>b__1c() +30
   System.Web.Mvc.Async.<>c__DisplayClass21.<BeginInvokeAction>b__1e(IAsyncResult asyncResult) +185
   System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeAction(IAsyncResult asyncResult) +39
   System.Web.Mvc.Controller.<BeginExecuteCore>b__1d(IAsyncResult asyncResult, ExecuteCoreState innerState) +29
   System.Web.Mvc.Async.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult) +70
   System.Web.Mvc.Controller.EndExecuteCore(IAsyncResult asyncResult) +52
   System.Web.Mvc.Async.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult) +36
   System.Web.Mvc.Controller.EndExecute(IAsyncResult asyncResult) +39
   System.Web.Mvc.MvcHandler.<BeginProcessRequest>b__5(IAsyncResult asyncResult, ProcessRequestState innerState) +43
   System.Web.Mvc.Async.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult) +70
   System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult) +39
   System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +649
   System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step) +213
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +131
Comments:

juunas: Where does this error occur?
Andy Schneider: Added details about the error
Vineet Desai: @AndySchneider: Were you able to solve this?
Andy Schneider: @VineetDesai No I still haven't been able to.

3 Answers

1
votes

That error only occurs for resources that are using device-based Conditional Access in Azure AD. For example, we have CA policies for Exchange Online and SharePoint Online that require, for any location, the device to be either Compliant or Hybrid Azure AD joined. However, this is where it gets complicated: any resource or application that calls those services/applications where conditional access is applied must also have the same or a higher CA policy to pass that header information to the resource you are accessing. That is described in detail here.

0
votes

This error could mean the user has conditional access enabled and requires a domain joined device. This scenario is not currently supported in ADAL at the moment. Guidance is to use only MFA and not require a domain joined device. ADAL does not have Windows 10 WAM certificate support, which would allow both domain joined devices and MFA for authentication. This is on the backlog. Vote for the issue here to help gauge impact and customer interest.

0
votes

This error occurs because your VM is not joined to the Azure AD domain. If it was working before and then stopped working, it's because a new policy was implemented by your company.

I had a similar problem when running PowerShell scripts. I was trying to access Az.KeyVault and Get-AzKeyVaultSecret. I also had issues when installing the On-Premises Data Gateway.

IMPORTANT: To execute the steps below, you must sign in to the VM with an account that exists in the Azure AD; you may try using your personal account. If you are using a Service Account, it is most likely that the Service Account is not in the Azure AD.

To join the Azure AD Domain

  1. Download Microsoft Workplace Join.
  2. Install Workplace_x64.msi.
  3. Open a Command Prompt (Run as Administrator), and type...
  4. Type: cd "C:\Program Files\Microsoft Workplace Join"
  5. Type: AutoWorkplace.exe /i
  6. When prompted with "This device is currently not joined to your organization's Azure AD domain.", click Join. If the VM is already joined "This device is currently Hybrid Azure AD joined to your organization's Azure AD domain for XXXXX", you can click Leave if you want to leave the domain.

Try again and it should work. Cheers
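The steps above can be checked rather than run blind. The following PowerShell is an added example, not code from the answer or from Microsoft: it reads the device's current join state from the built-in dsregcmd.exe (Windows 10 and later), only launches the Workplace Join tool from the path quoted in the answer when the device is not already joined or registered, and re-reads the state afterwards so you can confirm the join actually happened before retrying the application. The function names, the dry-run parameter and the tenant-ID comparison are assumptions for illustration; the OU value in the error message is assumed to be the tenant ID the device certificate must be issued under.

```powershell
# Added example (not from the answer): verify Azure AD join/registration state
# before and after the Workplace Join steps. Run from an elevated PowerShell.

function Get-DeviceJoinState {
    # dsregcmd /status prints "Key : Value" lines; keep only the join flags we need.
    $lines = & dsregcmd.exe /status 2>&1
    $state = @{}
    foreach ($line in $lines) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|WorkplaceJoined|TenantId)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    [pscustomobject]@{
        AzureAdJoined   = ($state['AzureAdJoined']   -eq 'YES')
        DomainJoined    = ($state['DomainJoined']    -eq 'YES')
        WorkplaceJoined = ($state['WorkplaceJoined'] -eq 'YES')
        TenantId        = $state['TenantId']   # only printed when the device is Azure AD joined
    }
}

function Test-DeviceSatisfiesDevicePolicy {
    # A device-based CA policy is satisfied by an Azure AD joined, hybrid joined or
    # registered (workplace joined) device. If a tenant ID is supplied (assumed here
    # to be the OU=<guid> value from the AdalException), also check the device is
    # joined to that tenant rather than some other one.
    param([string]$ExpectedTenantId)
    $s = Get-DeviceJoinState
    $joined = $s.AzureAdJoined -or $s.WorkplaceJoined -or $s.DomainJoined
    if ($ExpectedTenantId -and $s.TenantId) {
        return $joined -and ($s.TenantId -eq $ExpectedTenantId)
    }
    return $joined
}

function Invoke-WorkplaceJoinIfNeeded {
    param(
        # Default install path quoted in the answer above.
        [string]$WorkplaceJoinDir = 'C:\Program Files\Microsoft Workplace Join',
        [switch]$DryRun
    )
    $before = Get-DeviceJoinState
    if ($before.AzureAdJoined -or $before.WorkplaceJoined) {
        Write-Host 'Device is already joined or registered; nothing to do.'
        return $before
    }
    $exe = Join-Path $WorkplaceJoinDir 'AutoWorkplace.exe'
    if (-not (Test-Path $exe)) {
        throw "AutoWorkplace.exe not found at '$exe'. Install Workplace_x64.msi first (steps 1-2)."
    }
    if ($DryRun) {
        Write-Host "Would run: `"$exe`" /i"
        return $before
    }
    # Step 5 of the answer; this opens the interactive Join prompt from step 6.
    Start-Process -FilePath $exe -ArgumentList '/i' -Wait -Verb RunAs
    $after = Get-DeviceJoinState
    if (-not ($after.AzureAdJoined -or $after.WorkplaceJoined)) {
        Write-Warning 'Join did not complete; the application will still fail the device check.'
    }
    return $after
}

# Usage:
Get-DeviceJoinState | Format-List
Invoke-WorkplaceJoinIfNeeded -DryRun
```

Running Get-DeviceJoinState before touching anything tells you whether the device, not the account, is the reason the token request fails: a sign-in from a device that reports NO for every join flag will hit the same cert-authority error on any tenant that enforces a device-based policy on the downstream resource, no matter which ADAL version the application uses.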