Issue while connecting Kusto DB from Azure Data Factory using Service Principal Id and Certificate

Sandeep Shekhar 0 Reputation points Microsoft Vendor
2024-05-24T05:05:26.7966667+00:00

We are trying to migrate to Service Principal Id and Certificate authentication to connect to Azure Data Explorer DB through Azure Data Factory Linked service. We are authenticating our .Net Applications from the same AME Certificate and AME Service Principal Id successfully but when we try to use the same from ADF Linked Services, we are getting below error message:

Failed to connect to Kusto cluster 'https://mycluster.kusto.windows.net'. Kusto client failed to perform AAD application authentication. This is not a Kusto service error. Please review your application credentials. Full details: 'A configuration issue is preventing authentication - check the error message from the server for details. You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details. Original exception: AADSTS700030: Invalid certificate - subject name in certificate is not authorized. SubjectNames/SubjectAlternativeNames (up to 10) in token certificate are: mycertificatename. A configuration issue is preventing authentication - check the error message from the server for details. You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details. Original exception: AADSTS700030: Invalid certificate - subject name in certificate is not authorized. SubjectNames/SubjectAlternativeNames (up to 10) in token certificate are


We have the same certificate stored on our Corp App Id too, and that works fine from ADF, but the same certificate is not working for the AME App Id through the ADF call:

  • My AME Service Principal Id and My AME Certificate (Using Key Vault option) to log into Kusto DB using ADF Linked Service: Connection Failed
  • My AME Service Principal Id and My AME Certificate to log into Kusto DB using .Net code: Succeeded
  • My AME Service Principal Id and My AME Service Principal Key to log into Kusto DB using ADF Linked Service: Connection Succeeded
  • My Corp Service Principal Id and My AME Certificate (Using Key Vault option) to log into Kusto DB: Connection Succeeded
  • My Corp Service Principal Id and My Corp Service Principal Key to log into Kusto DB: Connection Succeeded


Please help if you have any idea about this issue.


2 answers

  1. Sandeep Shekhar 0 Reputation points Microsoft Vendor
    2024-05-24T18:13:35.5633333+00:00

    I believe everything was fine with the certificate and the subscription, as everything else (.Net code) was working except the Azure Data Factory linked service for that given App Id. With the other App Id, ADF Linked Services were also working fine.

    After investigating further, we found an issue with the Service Principal Id configuration, and updating that resolved the issue.

    Resolution Step:

    Microsoft Entra Id --> App Registration --> My AME App --> Manage --> Manifest

    Somehow there was one tag coming up in the Manifest section, as below, and that was causing this issue:

    ```json
    "trustedCertificateSubjects": [
      {
        "authorityId": "00000000-0000-0000-0000-000000000001",
        "subjectName": "some certificate name",
        "revokedCertificateIdentifiers": []
      }
    ]
    ```

    Removing the above tag resolved the issue. But one thing I am still not sure about is how, with the same configuration, the .Net code was authenticating but the Azure Data Factory linked service was not; I will try to explore that later.
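As an added diagnostic example (not code from the question or either answer), the check below reads the subject names that Entra echoes back in the AADSTS700030 text and compares them against a manifest's `trustedCertificateSubjects` block, so the mismatch the answer found by eye can be spotted before touching the manifest. The sample manifest and error text are constructed to match the shapes quoted above, and the case-insensitive exact-match rule is an assumption about how the policy is evaluated.

```python
import json
import re

# Constructed manifest fragment shaped like the one quoted in the answer above.
SAMPLE_MANIFEST = {"trustedCertificateSubjects": [{
    "authorityId": "00000000-0000-0000-0000-000000000001",
    "subjectName": "some certificate name",
    "revokedCertificateIdentifiers": []}]}

# Constructed AADSTS700030 text in the shape the question shows.
SAMPLE_ERROR = ("AADSTS700030: Invalid certificate - subject name in certificate is not "
                "authorized. SubjectNames/SubjectAlternativeNames (up to 10) in token "
                "certificate are: mycertificatename.")

def subject_names_from_error(text):
    """Extract the subject names Entra echoes back in an AADSTS700030 message."""
    m = re.search(r"in token certificate are:\s*(.+?)(?:\.(?:\s|$)|$)", text)
    return [n.strip() for n in m.group(1).split(",") if n.strip()] if m else []

def check_trusted_subjects(manifest, cert_subject_names):
    """Return (allowed, reason) for a certificate presenting cert_subject_names.
    Assumption: a name is accepted only if it equals a subjectName entry
    (compared case-insensitively); an absent or empty list imposes no
    restriction, which matches the answer's fix of removing the block."""
    entries = manifest.get("trustedCertificateSubjects") or []
    if not entries:
        return True, "no trustedCertificateSubjects policy; any registered certificate is accepted"
    trusted = {e.get("subjectName", "").strip().lower() for e in entries}
    presented = {n.strip().lower() for n in cert_subject_names}
    hit = trusted & presented
    if hit:
        return True, "subject %r matches a trusted entry" % sorted(hit)[0]
    return False, ("no match: certificate presents %s but manifest trusts %s; "
                   "expect AADSTS700030" % (sorted(presented), sorted(trusted)))

def diagnose(manifest, error_text):
    """Read the names out of the failure text, test them against the manifest,
    and suggest a remediation when they diverge."""
    names = subject_names_from_error(error_text)
    allowed, reason = check_trusted_subjects(manifest, names)
    if allowed:
        return {"allowed": True, "reason": reason, "fix": None}
    return {"allowed": False, "reason": reason,
            "fix": "either remove trustedCertificateSubjects from the manifest (as in the "
                   "answer) or set subjectName to one of %s" % names}

if __name__ == "__main__":
    print(json.dumps(diagnose(SAMPLE_MANIFEST, SAMPLE_ERROR), indent=2))
```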


  2. phemanth 7,345 Reputation points Microsoft Vendor
    2024-05-25T05:09:34.85+00:00

    @Sandeep Shekhar - Welcome to Microsoft Q&A platform and thanks for posting your question.

    I'm glad that you were able to resolve your issue, and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to accept the answer.

    **Ask:** We are trying to migrate to Service Principal Id and Certificate authentication to connect to Azure Data Explorer DB through Azure Data Factory Linked service. We are authenticating our .Net Applications from the same AME Certificate and AME Service Principal Id successfully but when we try to use the same from ADF Linked Services, we are getting below error message:

    Failed to connect to Kusto cluster 'https://mycluster.kusto.windows.net'. Kusto client failed to perform AAD application authentication. This is not a Kusto service error. Please review your application credentials. Full details: 'A configuration issue is preventing authentication - check the error message from the server for details. You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details. Original exception: AADSTS700030: Invalid certificate - subject name in certificate is not authorized. SubjectNames/SubjectAlternativeNames (up to 10) in token certificate are: mycertificatename. A configuration issue is preventing authentication - check the error message from the server for details. You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details. Original exception: AADSTS700030: Invalid certificate - subject name in certificate is not authorized. SubjectNames/SubjectAlternativeNames (up to 10) in token certificate are


    We have the same certificate stored on our Corp App Id too, and that works fine from ADF, but the same certificate is not working for the AME App Id through the ADF call:

    • My AME Service Principal Id and My AME Certificate (Using Key Vault option) to log into Kusto DB using ADF Linked Service: Connection Failed
    • My AME Service Principal Id and My AME Certificate to log into Kusto DB using .Net code: Succeeded
    • My AME Service Principal Id and My AME Service Principal Key to log into Kusto DB using ADF Linked Service: Connection Succeeded
    • My Corp Service Principal Id and My AME Certificate (Using Key Vault option) to log into Kusto DB: Connection Succeeded
    • My Corp Service Principal Id and My Corp Service Principal Key to log into Kusto DB: Connection Succeeded

    **Solution:** I believe everything was fine with the certificate and the subscription, as everything else (.Net code) was working except the Azure Data Factory linked service for that given App Id. With the other App Id, ADF Linked Services were also working fine.

    After investigating further, we found an issue with the Service Principal Id configuration, and updating that resolved the issue.

    Resolution Step:

    Microsoft Entra Id --> App Registration --> My AME App --> Manage --> Manifest

    Somehow there was one tag coming up in the Manifest section, as below, and that was causing this issue:

    ```json
    "trustedCertificateSubjects": [
      {
        "authorityId": "00000000-0000-0000-0000-000000000001",
        "subjectName": "some certificate name",
        "revokedCertificateIdentifiers": []
      }
    ]
    ```

    Removing the above tag resolved the issue. But one thing I am still not sure about is how, with the same configuration, the .Net code was authenticating but the Azure Data Factory linked service was not; I will try to explore that later.

    If I missed anything please let me know and I'd be happy to add it to my answer, or feel free to comment below with any additional information.

    If you have any other questions, please let me know. Thank you again for your time and patience throughout this issue.


    Please don’t forget to Accept Answer and Yes for "was this answer helpful" wherever the information provided helps you, this can be beneficial to other community members.