AADSTS700027: The certificate with identifier used to sign the client assertion is not registered on application.

Smith Surendran 1 Reputation point
2022-07-06T05:53:58.547+00:00

Hi,
I'm following the steps mentioned in https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#second-case-access-token-request-with-a-certificate and https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-certificate-credentials to perform client certificate validation, and to create the client assertion token I am referring to https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-net-client-assertions, but I'm getting the error below.

{"error":"invalid_client","error_description":"AADSTS700027: The certificate with identifier used to sign the client assertion is not registered on application. [Reason - The key was not found., Thumbprint of key used by client:"}

I am creating the client assertion in Java.

String thumbprint = getThumbprint(cert);
String base64 =Base64.getUrlEncoder().encodeToString(thumbprint.getBytes(StandardCharsets.UTF_8));

This is the thumbprint in Azure portal.
(screenshot: certificate thumbprint as shown in the Azure portal)
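An added worked example (not code from any poster on this page, nor Microsoft's) showing how the JWT "x5t" header must be derived from the certificate, alongside a check that reads the thumbprint Azure AD echoes back in an AADSTS700027 error; it assumes Java 17 for java.util.HexFormat and, in main, an optional path to a certificate file. Note that the thumbprint quoted in the second reply is 80 hex characters, i.e. 40 bytes, twice the length of a SHA-1 digest.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.HexFormat;

public final class ClientAssertionThumbprint {

    // Correct "x5t" value: base64url (no padding) of the raw 20-byte SHA-1 digest
    // of the certificate's DER encoding. The portal thumbprint is that digest in hex.
    public static String x5t(X509Certificate cert) throws Exception {
        byte[] sha1 = MessageDigest.getInstance("SHA-1").digest(cert.getEncoded());
        return Base64.getUrlEncoder().withoutPadding().encodeToString(sha1);
    }

    // Same value computed from the portal's hex thumbprint: decode hex to the
    // digest bytes first, then base64url-encode those bytes.
    public static String x5tFromHexThumbprint(String hexThumbprint) {
        byte[] sha1 = HexFormat.of().parseHex(hexThumbprint);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(sha1);
    }

    // The question's version encodes thumbprint.getBytes(UTF_8): the 40 ASCII
    // characters of the hex string, not the 20 digest bytes. Kept for comparison.
    public static String x5tWrong(String hexThumbprint) {
        return Base64.getUrlEncoder().encodeToString(hexThumbprint.getBytes(StandardCharsets.UTF_8));
    }

    // AADSTS700027 reports the bytes it decoded from x5t as hex. 20 bytes means a
    // real digest was sent (so the certificate is simply not on the app registration);
    // 40 bytes that read as hex digits means the hex string itself was encoded.
    public static String explain(String reportedHex) {
        byte[] raw = HexFormat.of().parseHex(reportedHex);
        String asText = new String(raw, StandardCharsets.US_ASCII);
        if (raw.length == 20) return "x5t carried a SHA-1 digest; check the certificate is uploaded on the app";
        if (raw.length == 40 && asText.matches("[0-9A-Fa-f]{40}"))
            return "x5t was the hex string " + asText + " encoded as text, not the raw digest";
        return "x5t decoded to " + raw.length + " bytes; not a SHA-1 thumbprint";
    }

    public static void main(String[] args) throws Exception {
        // Thumbprint value quoted in the second reply on this page (80 hex chars = 40 bytes)
        System.out.println(explain("37313131413430454539363337333431434431374131443745444545353437443635433542333541"));
        if (args.length > 0) { // optional: path to a DER or PEM certificate file
            try (InputStream in = new FileInputStream(args[0])) {
                X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
                System.out.println("x5t = " + x5t(cert));
            }
        }
    }
}
```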

3 answers

  1. Akram Bazina 1 Reputation point
    2022-08-30T13:00:01.417+00:00

    View the certificate and use the SHA1 fingerprint.

    0 comments No comments

  2. Ashish Jhunjhunwala 0 Reputation points
    2023-02-22T18:52:27.4666667+00:00

    I am facing a similar error:

    ,"error_description":"AADSTS700027: The certificate with identifier used to sign the client assertion is not registered on application. [Reason - The key was not found., Thumbprint of key used by client: '37313131413430454539363337333431434431374131443745444545353437443635433542333541', Please visit the Azure Portal, Graph Explorer or directly use MS Graph to see configured keys for app Id 'd9e98c63-d918-4f05-b859-e077acbed37c'. Review the documentation at https://docs.microsoft.com/en-us/graph/deployments to determine the corresponding service endpoint and https://docs.microsoft.com/en-us/graph/api/application-get?view=graph-rest-1.0&tabs=http to build a query request URL, such as 'https://graph.microsoft.com/beta/applications/d9e98c63-d918-4f05-b859-e077acbed37c'].\r\nTrace ID: b1b49b1d-7244-4531-b8a8-df53cf3a1b00\r\nCorrelation ID: c7bdea9d-f335-4851-9edf-bc507c88c1bf\r\nTimestamp: 2023-02-22 18:29:39Z","error_codes":[700027],"timestamp":"2023-02-22 18:29:39Z","trace_id":"b1b49b1d-7244-4531-b8a8-df53cf3a1b00","correlation_id":"c7bdea9d-f335-4851-9edf-bc507c88c1bf","error_uri":"https://login.microsoftonline.com/error?code=700027"

    Can you please provide pointers on how to fix this?

    0 comments No comments

  3. Idan Mor 5 Reputation points Microsoft Employee
    2023-07-10T08:22:12.2033333+00:00

    I had the same issue and I fixed it by adding "trustedCertificateSubjects" to the "App registration" Manifest.

    "trustedCertificateSubjects": [
        {
            "authorityId": "00000000-0000-0000-0000-000000000001",
            "subjectName": "XXX.XXXXXXXXXXX.aad.XXXXXX.XX"
        }
    ]
