AADSTS700027: The certificate with identifier used to sign the client assertion is not registered on application.

Question

AADSTS700027: The certificate with identifier used to sign the client assertion is not registered on application.

Smith Surendran 6

Hi,
I'm following the steps mentioned in https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#second-case-access-token-request-with-a-certificate and https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-certificate-credentials to perform client certificate validation and to create client assertion token I am referring https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-net-client-assertions, but I'm getting below error.

{"error":"invalid_client","error_description":"AADSTS700027: The certificate with identifier used to sign the client assertion is not registered on application. [Reason - The key was not found., Thumbprint of key used by client:"}

I am creating Client assertion in Java.

String thumbprint = getThumbprint(cert);
String base64 =Base64.getUrlEncoder().encodeToString(thumbprint.getBytes(StandardCharsets.UTF_8));

This is the thumbprint in Azure portal.

Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator

2022-07-06T08:13:54.587+00:00

@Smith Surendran

Thank you for reaching out to us. Could please help me with the correlation ID/Timestamp when this error comes AADSTS700027, so that I can investigate further.

Let me know if you have any further questions.
Smith Surendran 6 Reputation points

2022-07-06T09:54:58.13+00:00

Hi
I am pasting the complete error here

"error":"invalid_client","error_description":"AADSTS700027: The certificate with identifier used to sign the client assertion is not registered on application. [Reason - The key was not found., Thumbprint of key used by client: '35633263633737663466373261373762313234663365336464316333373263383137646539313761', Please visit the Azure Portal, Graph Explorer or directly use MS Graph to see configured keys for app Id '6f3722db-c19b-4d1a-bce2-7b40e9bf3cc1'. Review the documentation at https://learn.microsoft.com/en-us/graph/deployments to determine the corresponding service endpoint and https://learn.microsoft.com/en-us/graph/api/application-get?view=graph-rest-1.0&tabs=http to build a query request URL, such as 'https://graph.microsoft.com/beta/applications/6f3722db-c19b-4d1a-bce2-7b4*emphasized text*0e9bf3cc1'].\r\nTrace ID: 56333c4d-d7dd-49bf-9e76-52ed239ba302\r\nCorrelation ID: a59752b8-995a-4b06-b29f-3dcfcd547ad9\r\nTimestamp: 2022-07-06 09:53:40Z","error_codes":[700027],"timestamp":"2022-07-06 09:53:40Z","trace_id":"56333c4d-d7dd-49bf-9e76-52ed239ba302","correlation_id":"a59752b8-995a-4b06-b29f-3dcfcd547ad9","error_uri":"https://login.microsoftonline.com/error?code=700027"}
Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator

2022-07-07T07:32:24.62+00:00

@Smith Surendran Thank you for sharing the logs, "Key was not found" is generated when client who uses cert needs to include x5t property when getting a token. did you refer to the steps mentioned by one of our colleague on the below QnA posts, he has shared the PowerShell script about the same.

https://learn.microsoft.com/en-us/answers/questions/346048/how-to-get-access-token-from-client-certificate-ca.html#:~:text=Access%20token%20request%20with%20a%20certificate%20is%20a%20bit%20different%20from%20the%20normal%20Access%20token%20request%20with%20a%20shared%20secret%20flow%20(using%20AppId/Secret%20).%20To%20get%20an%20access%20token%20using%20a%20certificate%20you%20have%20to%3A

https://learn.microsoft.com/en-us/answers/questions/882005/aadsts700027-client-assertion-failed-signature-val.html#:~:text=could%20cause%20the%20%22AADSTS700027%3A%20Client%20assertion%20contains%20an%20invalid%20signature.
Smith Surendran 6 Reputation points

2022-07-07T13:13:52.613+00:00

Hi @Givary-MSFT Thank you for responding quickly, with your suggestion, I am not getting this error now but I am getting AADSTS50000

"error":"server_error","error_description":"AADSTS50000: There was an error issuing a token or an issue with our sign-in service.\r\nTrace ID: e632d9ac-b514-43d7-94f2-269380333c00\r\nCorrelation ID: 79b65050-73de-4caa-9b06-8f786ce90714\r\nTimestamp: 2022-07-07 13:09:21Z","error_codes":[50000],"timestamp":"2022-07-07 13:09:21Z","trace_id":"e632d9ac-b514-43d7-94f2-269380333c00","correlation_id":"79b65050-73de-4caa-9b06-8f786ce90714","error_uri":"https://login.microsoftonline.com/error?code=50000"}

Need your further guidance.
Params added-
scope='https://graph.microsoft.com/.default'
client_id='xxxx'
client_assertion_type='urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
client_assertion='xxxx'
'grant_type='client_credentials'
Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator

2022-07-08T06:24:25.443+00:00

@Smith Surendran

Did you try to decode the client_assertion information and verify the same ? Also from the correlation id/timestamp of AADSTS50000, after reviewing the backend logs i see this error is caused by The certificate key algorithm is not supported, can you verify that as well.
Smith Surendran 6 Reputation points

2022-07-08T06:56:05.337+00:00

218777-jwttokkendoc.pdf

Hi I tried to verify the assertion token, I have attached the same, I am able view the header and payload information correctly.

Regarding error, caused by The certificate key algorithm is not supported

Can you please elaborate and what could be the possible reason for such errors.

I am using a certificate(.crt).

5 answers

Your answer

Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator

2022-07-06T08:13:54.587+00:00

@Smith Surendran

Thank you for reaching out to us. Could please help me with the correlation ID/Timestamp when this error comes AADSTS700027, so that I can investigate further.

Let me know if you have any further questions.
Smith Surendran 6 Reputation points

2022-07-06T09:54:58.13+00:00

Hi
I am pasting the complete error here

"error":"invalid_client","error_description":"AADSTS700027: The certificate with identifier used to sign the client assertion is not registered on application. [Reason - The key was not found., Thumbprint of key used by client: '35633263633737663466373261373762313234663365336464316333373263383137646539313761', Please visit the Azure Portal, Graph Explorer or directly use MS Graph to see configured keys for app Id '6f3722db-c19b-4d1a-bce2-7b40e9bf3cc1'. Review the documentation at https://learn.microsoft.com/en-us/graph/deployments to determine the corresponding service endpoint and https://learn.microsoft.com/en-us/graph/api/application-get?view=graph-rest-1.0&tabs=http to build a query request URL, such as 'https://graph.microsoft.com/beta/applications/6f3722db-c19b-4d1a-bce2-7b4*emphasized text*0e9bf3cc1'].\r\nTrace ID: 56333c4d-d7dd-49bf-9e76-52ed239ba302\r\nCorrelation ID: a59752b8-995a-4b06-b29f-3dcfcd547ad9\r\nTimestamp: 2022-07-06 09:53:40Z","error_codes":[700027],"timestamp":"2022-07-06 09:53:40Z","trace_id":"56333c4d-d7dd-49bf-9e76-52ed239ba302","correlation_id":"a59752b8-995a-4b06-b29f-3dcfcd547ad9","error_uri":"https://login.microsoftonline.com/error?code=700027"}
Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator

2022-07-07T07:32:24.62+00:00

@Smith Surendran Thank you for sharing the logs, "Key was not found" is generated when client who uses cert needs to include x5t property when getting a token. did you refer to the steps mentioned by one of our colleague on the below QnA posts, he has shared the PowerShell script about the same.

https://learn.microsoft.com/en-us/answers/questions/346048/how-to-get-access-token-from-client-certificate-ca.html#:~:text=Access%20token%20request%20with%20a%20certificate%20is%20a%20bit%20different%20from%20the%20normal%20Access%20token%20request%20with%20a%20shared%20secret%20flow%20(using%20AppId/Secret%20).%20To%20get%20an%20access%20token%20using%20a%20certificate%20you%20have%20to%3A

https://learn.microsoft.com/en-us/answers/questions/882005/aadsts700027-client-assertion-failed-signature-val.html#:~:text=could%20cause%20the%20%22AADSTS700027%3A%20Client%20assertion%20contains%20an%20invalid%20signature.
Smith Surendran 6 Reputation points

2022-07-07T13:13:52.613+00:00

Hi @Givary-MSFT Thank you for responding quickly, with your suggestion, I am not getting this error now but I am getting AADSTS50000

"error":"server_error","error_description":"AADSTS50000: There was an error issuing a token or an issue with our sign-in service.\r\nTrace ID: e632d9ac-b514-43d7-94f2-269380333c00\r\nCorrelation ID: 79b65050-73de-4caa-9b06-8f786ce90714\r\nTimestamp: 2022-07-07 13:09:21Z","error_codes":[50000],"timestamp":"2022-07-07 13:09:21Z","trace_id":"e632d9ac-b514-43d7-94f2-269380333c00","correlation_id":"79b65050-73de-4caa-9b06-8f786ce90714","error_uri":"https://login.microsoftonline.com/error?code=50000"}

Need your further guidance.
Params added-
scope='https://graph.microsoft.com/.default'
client_id='xxxx'
client_assertion_type='urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
client_assertion='xxxx'
'grant_type='client_credentials'
Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator

2022-07-08T06:24:25.443+00:00

@Smith Surendran

Did you try to decode the client_assertion information and verify the same ? Also from the correlation id/timestamp of AADSTS50000, after reviewing the backend logs i see this error is caused by The certificate key algorithm is not supported, can you verify that as well.
Smith Surendran 6 Reputation points

2022-07-08T06:56:05.337+00:00

218777-jwttokkendoc.pdf

Hi I tried to verify the assertion token, I have attached the same, I am able view the header and payload information correctly.

Regarding error, caused by The certificate key algorithm is not supported

Can you please elaborate and what could be the possible reason for such errors.

I am using a certificate(.crt).

Answer 1

Easwar Kilari 30 Microsoft Employee

This error usually occurs when you are using thumbprint as is instead of base64 encoding in x5t(in header) while creating a jwt token.
You can simply run following script to generate a base64 encoded string of your thumbprint:

# Hexadecimal string
$hexString = "<Thumbprint from portal>" 
# Convert the hexadecimal string to a byte array
$bytes = for ($i = 0; $i -lt $hexString.Length; $i += 2) {
    [Convert]::ToByte($hexString.Substring($i, 2), 16)
}

# Convert the byte array to a Base64 string
$CertificateBase64Hash = [System.Convert]::ToBase64String($bytes)

# Output the result
$CertificateBase64Hash

Save as .ps1 file and run it in powershell as

.\base64.ps1

Now you use this output in x5t value in header and get the token. Use the generated jwt token as client_assertion in your POST request.

Florian Bratec 0 Reputation points

2024-11-20T23:07:20.8733333+00:00

Thanks!! That solved the problem!
Vitaliy Rychkov 0 Reputation points

2024-11-28T09:29:08.66+00:00

Thank you Easwar, very precise answer.

Answer 2

Idan Mor 15 Microsoft Employee

I had the same issue and I fixed it by adding "trustedCertificateSubjects" to the "App registration" Manifest.

"trustedCertificateSubjects": [
		{
			"authorityId": "00000000-0000-0000-0000-000000000001",
			"subjectName": "XXX.XXXXXXXXXXX.aad.XXXXXX.XX"
		}
	]

User's image

Rajesh Patel 5 Reputation points

2023-11-22T16:22:41.55+00:00

How do you find authorityId?
Nicolas DAVIAU DE TERNAY 0 Reputation points

2024-08-26T14:08:47.2733333+00:00

It's a fixed value

Answer 3

Volodymyr Kochubeinyk (OntargIT) 5

Where I can find and take that

authorityId and subjectName

Easwar Kilari 30 Reputation points Microsoft Employee

2024-08-27T07:45:23.2733333+00:00

authorityId is fixed, SubjectName you can find in your certificate. It will be in this format CN=xyz. Here xyz is your SubjectName.

Answer 4

Akram Bazina 1

view the certificate and use SHA1 Fingerprint.

Answer 5

I am facing similar error:

,"error_description":"AADSTS700027: The certificate with identifier used to sign the client assertion is not registered on application. [Reason - The key was not found., Thumbprint of key used by client: '37313131413430454539363337333431434431374131443745444545353437443635433542333541', Please visit the Azure Portal, Graph Explorer or directly use MS Graph to see configured keys for app Id 'd9e98c63-d918-4f05-b859-e077acbed37c'. Review the documentation at https://docs.microsoft.com/en-us/graph/deployments to determine the corresponding service endpoint and https://docs.microsoft.com/en-us/graph/api/application-get?view=graph-rest-1.0&tabs=http to build a query request URL, such as 'https://graph.microsoft.com/beta/applications/d9e98c63-d918-4f05-b859-e077acbed37c'].\r\nTrace ID: b1b49b1d-7244-4531-b8a8-df53cf3a1b00\r\nCorrelation ID: c7bdea9d-f335-4851-9edf-bc507c88c1bf\r\nTimestamp: 2023-02-22 18:29:39Z","error_codes":[700027],"timestamp":"2023-02-22 18:29:39Z","trace_id":"b1b49b1d-7244-4531-b8a8-df53cf3a1b00","correlation_id":"c7bdea9d-f335-4851-9edf-bc507c88c1bf","error_uri":"https://login.microsoftonline.com/error?code=700027"

Can you please provide pointers on how to fix this?

Share via

AADSTS700027: The certificate with identifier used to sign the client assertion is not registered on application.

5 answers

Your answer