AADSTS700027: The certificate with identifier used to sign the client assertion is not registered on application.

Smith Surendran 6 Reputation points
2022-07-06T05:53:58.547+00:00

Hi,
I'm following the steps mentioned in https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#second-case-access-token-request-with-a-certificate and https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-certificate-credentials to perform client certificate validation, and to create the client assertion token I am referring to https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-net-client-assertions, but I'm getting the error below.

{"error":"invalid_client","error_description":"AADSTS700027: The certificate with identifier used to sign the client assertion is not registered on application. [Reason - The key was not found., Thumbprint of key used by client:"}

I am creating Client assertion in Java.

String thumbprint = getThumbprint(cert);
// base64url of the UTF-8 bytes of the hex thumbprint string
String base64 = Base64.getUrlEncoder().encodeToString(thumbprint.getBytes(StandardCharsets.UTF_8));

This is the thumbprint in the Azure portal: [screenshot omitted]


5 answers

  1. Easwar Kilari 30 Reputation points Microsoft Employee
    2024-08-27T07:36:51.5666667+00:00

    This error usually occurs when you use the thumbprint as is instead of its base64 encoding in x5t (in the header) while creating the JWT.
    You can simply run the following script to generate a base64-encoded string of your thumbprint:

    # Hexadecimal string
    $hexString = "<Thumbprint from portal>" 
    # Convert the hexadecimal string to a byte array
    $bytes = for ($i = 0; $i -lt $hexString.Length; $i += 2) {
        [Convert]::ToByte($hexString.Substring($i, 2), 16)
    }
    
    # Convert the byte array to a Base64 string
    $CertificateBase64Hash = [System.Convert]::ToBase64String($bytes)
    
    # Output the result
    $CertificateBase64Hash
    
    

    Save as a .ps1 file and run it in PowerShell as

    .\base64.ps1
    

    Now use this output as the x5t value in the header and get the token. Use the generated JWT as client_assertion in your POST request.

    6 people found this answer helpful.
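The x5t derivation from the answer above, worked through in Python as an added example (this is not code from the thread, from Microsoft, or from MSAL). It converts the 40-character hex thumbprint shown in the portal into the 20 raw SHA-1 bytes and base64url-encodes them without padding, which is what the x5t header claim must carry, and it shows beside that what the question's Java produces when the hex text itself is encoded. It also decodes the "Thumbprint of key used by client" value that an AADSTS700027 error reports, using the value quoted in a later answer on this page: that value is 80 hex characters which decode to a 40-character hex string, the signature of a client that encoded the thumbprint text rather than its bytes. The function names, the pre-flight header check and the sample inputs are this example's own.

```python
import base64
import hashlib
import json

# Value recovered from the AADSTS700027 error quoted later in this thread
# (ASCII decoding of the reported 80-hex-char thumbprint); treated here as a
# sample SHA-1 thumbprint, i.e. 40 hex chars = 20 bytes.
SAMPLE_THUMBPRINT = "7111A40EE9637341CD17A1D7EDEE547D65C5B35A"

# Reported value copied verbatim from that error text.
REPORTED_FROM_ERROR = (
    "37313131413430454539363337333431434431374131443745444545353437443635433542333541"
)


def _b64url(raw: bytes) -> str:
    """base64url without '=' padding, as JOSE headers require."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def x5t_from_thumbprint(thumbprint_hex: str) -> str:
    """Correct x5t: base64url of the 20 raw SHA-1 bytes of the certificate."""
    raw = bytes.fromhex(thumbprint_hex.replace(":", "").replace(" ", ""))
    if len(raw) != 20:
        raise ValueError("x5t expects a SHA-1 thumbprint (20 bytes)")
    return _b64url(raw)


def x5t_from_der(cert_der: bytes) -> str:
    """Same value computed directly from the certificate's DER encoding."""
    return x5t_from_thumbprint(hashlib.sha1(cert_der).hexdigest())


def wrong_x5t(thumbprint_hex: str) -> str:
    """What the question's Java does: encodes the hex *text*, not its bytes.
    The result is 54 characters instead of 27 and names a key Entra ID
    has never seen, hence AADSTS700027."""
    return _b64url(thumbprint_hex.encode("utf-8"))


def decode_reported_thumbprint(reported_hex: str) -> dict:
    """Interpret the 'Thumbprint of key used by client' value from the error.
    A 40-hex-char value is a genuine 20-byte thumbprint (then the cert is
    simply not uploaded on the app). An 80-hex-char value that decodes to
    ASCII hex digits means the client encoded the thumbprint text."""
    raw = bytes.fromhex(reported_hex)
    info = {"byte_length": len(raw), "looks_like_hex_text": False, "decoded_text": None}
    if len(raw) == 40:
        try:
            text = raw.decode("ascii")
            int(text, 16)  # raises ValueError unless every char is a hex digit
            info["looks_like_hex_text"] = True
            info["decoded_text"] = text
        except (UnicodeDecodeError, ValueError):
            pass
    return info


def make_header_segment(thumbprint_hex: str, alg: str = "RS256") -> str:
    """First segment of a client assertion JWT with a correct x5t claim."""
    header = {"alg": alg, "typ": "JWT", "x5t": x5t_from_thumbprint(thumbprint_hex)}
    return _b64url(json.dumps(header, separators=(",", ":")).encode("utf-8"))


def check_assertion_header(client_assertion: str, expected_thumbprint_hex: str) -> bool:
    """Pre-flight check before posting to the token endpoint: does the
    assertion's x5t match the thumbprint registered on the app?"""
    segment = client_assertion.split(".")[0]
    padded = segment + "=" * (-len(segment) % 4)
    header = json.loads(base64.urlsafe_b64decode(padded))
    return header.get("x5t") == x5t_from_thumbprint(expected_thumbprint_hex)


if __name__ == "__main__":
    print("correct x5t :", x5t_from_thumbprint(SAMPLE_THUMBPRINT))
    print("wrong x5t   :", wrong_x5t(SAMPLE_THUMBPRINT))
    print("error report:", decode_reported_thumbprint(REPORTED_FROM_ERROR))
```

The portal thumbprint is SHA-1 over the certificate's DER bytes, so `x5t_from_der` and `x5t_from_thumbprint` agree for the same certificate; running `check_assertion_header` on an assertion before sending it catches a mismatched or text-encoded x5t locally instead of through a 700027 round trip.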

  2. Idan Mor 15 Reputation points Microsoft Employee
    2023-07-10T08:22:12.2033333+00:00

    I had the same issue and I fixed it by adding "trustedCertificateSubjects" to the "App registration" Manifest.

    "trustedCertificateSubjects": [
        {
            "authorityId": "00000000-0000-0000-0000-000000000001",
            "subjectName": "XXX.XXXXXXXXXXX.aad.XXXXXX.XX"
        }
    ]
    


    2 people found this answer helpful.

  3. Volodymyr Kochubeinyk (OntargIT) 5 Reputation points
    2024-05-23T14:53:07.3633333+00:00

    Where can I find that

    authorityId and subjectName?

    1 person found this answer helpful.

  4. Akram Bazina 1 Reputation point
    2022-08-30T13:00:01.417+00:00

    View the certificate and use the SHA1 fingerprint.


  5. Ashish Jhunjhunwala 0 Reputation points
    2023-02-22T18:52:27.4666667+00:00

    I am facing a similar error:

    ,"error_description":"AADSTS700027: The certificate with identifier used to sign the client assertion is not registered on application. [Reason - The key was not found., Thumbprint of key used by client: '37313131413430454539363337333431434431374131443745444545353437443635433542333541', Please visit the Azure Portal, Graph Explorer or directly use MS Graph to see configured keys for app Id 'd9e98c63-d918-4f05-b859-e077acbed37c'. Review the documentation at https://docs.microsoft.com/en-us/graph/deployments to determine the corresponding service endpoint and https://docs.microsoft.com/en-us/graph/api/application-get?view=graph-rest-1.0&tabs=http to build a query request URL, such as 'https://graph.microsoft.com/beta/applications/d9e98c63-d918-4f05-b859-e077acbed37c'].\r\nTrace ID: b1b49b1d-7244-4531-b8a8-df53cf3a1b00\r\nCorrelation ID: c7bdea9d-f335-4851-9edf-bc507c88c1bf\r\nTimestamp: 2023-02-22 18:29:39Z","error_codes":[700027],"timestamp":"2023-02-22 18:29:39Z","trace_id":"b1b49b1d-7244-4531-b8a8-df53cf3a1b00","correlation_id":"c7bdea9d-f335-4851-9edf-bc507c88c1bf","error_uri":"https://login.microsoftonline.com/error?code=700027"

    Can you please provide pointers on how to fix this?

