Microsoft Security | Microsoft Entra | Other
Additional Microsoft Entra services and features related to identity, access, and network security
Cloud AP Error - AAD_CLOUDAP_E_HTTP_CERTIFICATE_URI_IS_EMPTY - What is missing from Mex?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Anonymous
I'm receiving a AAD_CLOUDAP_E_HTTP_CERTIFICATE_URI_IS_EMPTY error from a LsaLogonUser request with a Certificate on a smart card (Using KERB_CERTIFICATE_LOGON). I understand that a Certificate Endpoint URI is missing from the Metadata of WS-FED, but I'm not sure where to find information on "how" to set the certificate endpoint in the metadata XML. What XML node/config is it looking for so I can read how to set it?
To be honest, I'd rather use a passive logon request with a web browser and pass the result to LsaLogonUser but the documentation for that function seems WOEFULLY out of date. I don't even know how to pass a SAML token to it for authentication.
Microsoft Security | Microsoft Entra | Other
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 81%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
Marilee Turscak-MSFT 37,396 Reputation points Microsoft Employee Moderator2024-05-25T00:09:17.7533333+00:00 You can check if the certificate is configured in VSC. You might also see the URI empty error if you have ADFS and the endpoint is not published in Mex. If this is the case, please check for the "/13/certificatemixed" endpoint available in MEX (when you are off VPN).
Also, what is the active logon URI configured for the tenant in AAD? After it reaches the mex endpoint it should get redirected to the active logon URL.
-
Anonymous
2024-05-28T14:24:35.49+00:00 I don't see the redirection occurring at all in any network logs. It requests the MEX endpoint XML then the error occurs, suggesting something is missing. This is a 3rd party federation I'm trying to setup so it's not using Microsoft tools to create the Metadata XML. I believe I set the active endpoint correctly. That being
SecurityTokenServiceEndpointin the Metadata. It's certainly not being redirected to the STS.I'm not certain how to set the
certificatemixedin the metadata.
Would seeing a copy of the metadata XML help?Just to be clear, the passive auth works fine, but the active is what we're trying to get working.
-
Anonymous
2024-05-28T19:57:50.4866667+00:00 And I do have an active URL set.
Sign in to comment
Sign in to answer