Importing a pfx certificate using Import-PfxCertificate - powershell

I am trying to import a pfx certificate using this command:
Import-PfxCertificate -FilePath deleteme\App1\App1\Windows_TemporaryKey.pfx -CertStoreLocation Cert:\CurrentUser\My
This runs on an Azure DevOps agent and it terminates with the following error:
2021-08-17T08:12:41.8589900Z Import-PfxCertificate : The PFX file you are trying to import requires either a different password or membership in an
2021-08-17T08:12:41.8843817Z Active Directory principal to which it is protected.
2021-08-17T08:12:41.9009498Z At D:\Agents\02-V2\_work\_temp\ea432c03-2d7e-41d0-b921-60675873b966.ps1:5 char:1
2021-08-17T08:12:41.9091156Z + & Import-PfxCertificate -FilePath deleteme\App1\App1\Windows_Temporar ...
2021-08-17T08:12:41.9275703Z + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2021-08-17T08:12:41.9332015Z + CategoryInfo : NotSpecified: (:) [Import-PfxCertificate], Win32Exception
2021-08-17T08:12:41.9657873Z + FullyQualifiedErrorId : System.ComponentModel.Win32Exception,Microsoft.CertificateServices.Commands.ImportPfxCertificate
Now, I have seen plenty of Stack Overflow posts dealing with this error, but all of them were for certificates which actually had private keys. This one has no private key (at least I have not been prompted to enter one when importing it on my local machine) and it is actually the template CMake pfx file, which I believe comes with every Windows CMake distribution (in the cmake-x.xx.x-windows-x86_64\share\cmake-x.xx\Templates\Windows directory). So I am interested in the second part of the error message: the membership in the "Active Directory principal to which it is protected". This is already pretty cryptic for me. Does the pfx have some principal associated with it? I haven't seen any such properties when inspecting the pfx using the Open command in the file's context menu. Or does the current user have to have some AD principal associated? If so, which one?
To put this whole Import-PfxCertificate effort into context - it is part of me trying to automatically build a UWP app in CI, but CMake refuses to pass the ARM64 compiler checks exactly because it cannot import this particular certificate (it is possible to import it without problems on all of my local machines). I know that I am able to force CMake to skip those compiler checks, but I would need to be able to import certificates anyway to sign the app, so I think I would hit that problem again anyway.
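A diagnostic I would run on the agent before importing (added here, not part of the question): Get-PfxData opens the file without touching any store, so it tells you whether the PFX carries a private key at all and whether the identity the pipeline runs as can open it. The path is the one from the question; the password argument is a constructed placeholder, and the "Active Directory principal" wording in the error refers to a PFX that was exported with Export-PfxCertificate -ProtectTo instead of a password.

```powershell
# Added example, not from the question. Opens a PFX without importing it, so it can run on the
# build agent first. Path is from the question; $PlainPassword is a constructed placeholder.
function Test-PfxAccess {
    param(
        [Parameter(Mandatory)] [string] $PfxPath,
        [string] $PlainPassword = ''        # '' = no password, which is what the poster saw locally
    )
    # ConvertTo-SecureString rejects an empty string, so build the SecureString directly
    $pw = New-Object System.Security.SecureString
    foreach ($ch in $PlainPassword.ToCharArray()) { $pw.AppendChar($ch) }

    try {
        $data = Get-PfxData -FilePath $PfxPath -Password $pw -ErrorAction Stop
        $leaf = $data.EndEntityCertificates | Select-Object -First 1
        [pscustomobject]@{
            Opened        = $true
            Subject       = $leaf.Subject
            HasPrivateKey = $leaf.HasPrivateKey   # $false: nothing in the file needs unlocking
            Error         = $null
        }
    }
    catch {
        $msg = $_.Exception.Message
        # Same text the agent printed: wrong password, or the PFX was protected to an AD
        # principal (Export-PfxCertificate -ProtectTo) that the agent's account is not in.
        if ($msg -match 'Active Directory principal') {
            $msg = "Agent identity is not in the protecting principal, or wrong password: $msg"
        }
        [pscustomobject]@{ Opened = $false; Subject = $null; HasPrivateKey = $null; Error = $msg }
    }
}

# Run this as the agent's identity and compare with the result on a local machine
whoami
Test-PfxAccess -PfxPath 'deleteme\App1\App1\Windows_TemporaryKey.pfx' | Format-List
```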

Related

Cannot export site template

I'm trying to get site template and getting error:
PS C:\Windows\system32> Get-PnPSiteTemplate -Out template.xml
Get-PnPSiteTemplate : GetAccessTokenAsync() called without an ACS token generator. Specify in AuthenticationManager constructor the authentication parameters
At line:1 char:1
Get-PnPSiteTemplate -Out template.xml
CategoryInfo : WriteError: (:) [Get-PnPSiteTemplate], ArgumentException
FullyQualifiedErrorId : EXCEPTION,PnP.PowerShell.Commands.Provisioning.Site.GetSiteTemplate
Version:
pnp.powershell 1.6.0
I had the same issue and after quite some time invested in troubleshooting, I've figured out that the export gets interrupted once it iterates over a list. It is not related to the site you're trying to export because it happened also on other, newly created sites.
It turned out that the problem was that the PNP Module requires Admin Consent since it can manipulate almost all components of O365.
Solution: Connect to the site with the following command:
Connect-PnPOnline -interactive -URL "Your Site Url"
Provide admin consent to PnP and then try to export the site template with:
Get-PnPSiteTemplate -Out "File Location" # Use handlers and other params if needed
If the prompt window doesn't show up, run the following command first:
register-pnpmanagementshellaccess # See notes before running this cmdlet
Note: Admin consent requires additional permissions, and the SharePoint Admin role is not enough! So either ask a Global Admin to consent for you or ask for additional AD permissions. If I'm not mistaken, the Application Administrator role should be the right choice.
This seems to have worked for me.
Get-PnPSiteTemplate -out template.xml -ExcludeHandlers Lists,ApplicationLifecycleManagement
It seems the lists and ALM sections need an ACS token generator and that fails with UseWebLogin.
This is what I got on version 1.7.10, but I have used 1.7.0 and 1.5.0 and seen the same issues. I don't know if the older versions have more problematic modules.
Method: I found this resolution by running Set-PnPTraceLog -On -LogFile log.txt -Level Debug and Set-PnPTraceLog -Off, then reviewing the log file to see which module failed.
I may use the Export-PnPListToSiteTemplate and see how that goes in getting list XML for the template file.
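The steps from the two answers above combined into one script (added here; it is not code from either answer): connect interactively, turn on the debug trace, export with the Lists and ALM handlers excluded, turn the trace off, and pull the error lines out of the log. The site URL and file names are placeholders.

```powershell
# Added example, not from the answers above. Site URL and file names are placeholders.
function Export-SiteTemplateWithTrace {
    param(
        [Parameter(Mandatory)] [string] $Url,
        [string]   $Out = 'template.xml',
        [string]   $LogFile = 'pnp-trace.txt',
        [string[]] $ExcludeHandlers = @('Lists', 'ApplicationLifecycleManagement')
    )
    # -Interactive rather than -UseWebLogin: the handlers that need an ACS token fail otherwise
    Connect-PnPOnline -Url $Url -Interactive
    Set-PnPTraceLog -On -LogFile $LogFile -Level Debug
    $ok = $false
    try {
        if ($ExcludeHandlers.Count -gt 0) {
            # Flags enum accepts the comma-joined names, as in the answer's command line
            Get-PnPSiteTemplate -Out $Out -ExcludeHandlers ($ExcludeHandlers -join ',') -ErrorAction Stop
        } else {
            Get-PnPSiteTemplate -Out $Out -ErrorAction Stop
        }
        $ok = $true
    }
    catch {
        Write-Warning "Export failed: $($_.Exception.Message)"
    }
    finally {
        Set-PnPTraceLog -Off          # closes the file so it can be read below
    }
    # First error lines from the trace; the handler that failed shows up near them
    $errors = Select-String -Path $LogFile -Pattern 'Exception|Error' |
        Select-Object -First 10 -ExpandProperty Line
    [pscustomobject]@{ Succeeded = $ok; Output = $Out; Log = $LogFile; FirstErrors = $errors }
}

Export-SiteTemplateWithTrace -Url 'https://contoso.sharepoint.com/sites/placeholder'
```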
I had the same issue with PnP.PowerShell 1.6.0. I was using Connect-PnPOnline command with -UseWebLogin flag because my account had multi factor authentication turned on.
My solution was to disable MFA for my user and connect without the "-UseWebLogin" flag. Then Get-PnPSiteTemplate command worked without any issues.
I'm not sure why this is happening, but I'll use this workaround for now :)

Code Signing Dlls using Azure Pipelines Powershell remote execution task

I am trying to sign DLLs using signtool.exe. The problem I am having is that the signing certificate is mapped to one AD account, and I have to log in to any accessible machine and do the signing process. The code signing certificate is stored in the local user store and not in the machine-level certificate store. The issue is that I am able to sign the DLLs after manually logging in via RDP to the machine with the code signing AD account which is mapped to the code signing certificate, but I am not able to replicate the same procedure using the PowerShell remote execution task.
While doing so, it says it cannot find the certificate even though the AD account used to log in has the code signing certificate. The certificate is located under the CurrentUser/My path.
Any help on this would be much appreciated!
The code snippet I am using for signing is below:
signtool.exe sign /s My /tr http://timestamp.entrust.net/TSS/RFC3161sha2TS "Test.ddl"
SignTool Error: No certificates were found that met all the given criteria.
At line:1 char:1
+ & 'C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoLogo ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (SignTool Error:...given criteria.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
Regards,
Renjith
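An added diagnostic for this situation (not from the question): run it inside the remote execution task, because Cert:\CurrentUser\My belongs to whichever account the task actually runs as, which need not be the account used for the RDP session; the second function then signs by thumbprint so signtool cannot silently pick a different store entry. The thumbprint is a placeholder to be taken from the first function's listing; the timestamp URL is the one from the question.

```powershell
# Added example, not from the question. Run inside the remote task.
function Get-SigningContext {
    $certs = @(Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert)
    [pscustomobject]@{
        RunningAs        = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        Profile          = $env:USERPROFILE        # a service/agent account has its own profile and store
        CodeSigningCerts = $certs | Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey
    }
}

function Invoke-SignByThumbprint {
    param(
        [Parameter(Mandatory)] [string]   $Thumbprint,   # placeholder: take it from Get-SigningContext
        [Parameter(Mandatory)] [string[]] $Files,
        [string] $TimestampUrl = 'http://timestamp.entrust.net/TSS/RFC3161sha2TS'
    )
    $cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object Thumbprint -eq $Thumbprint
    if (-not $cert -or -not $cert.HasPrivateKey) {
        $who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        throw "No usable code-signing certificate $Thumbprint in Cert:\CurrentUser\My of $who"
    }
    # /sha1 pins the certificate; /fd and /td select SHA-256 for file and timestamp digests
    & signtool.exe sign /s My /sha1 $Thumbprint /fd sha256 /tr $TimestampUrl /td sha256 @Files
    if ($LASTEXITCODE -ne 0) { throw "signtool failed with exit code $LASTEXITCODE" }
}

Get-SigningContext | Format-List
# Invoke-SignByThumbprint -Thumbprint '<THUMBPRINT FROM THE LISTING ABOVE>' -Files 'Test.dll'
```

If the listing shows a different account than the RDP user, the certificate must be made available to that account (or a machine-store certificate with an ACL for it used) rather than the command changed.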

How to install a Certificates using powershell script

I am trying to install a certificate through a PowerShell script. I am using the Import-Certificate method, as suggested in the Microsoft PowerShell documentation.
Here's my code:
$script = {
    $file = ( Get-ChildItem -Path C:\Users\Administrator\Desktop\newCert.cer )
    $file | Import-Certificate -CertStoreLocation cert:\CurrentUser\Root
    echo $file
}
invoke-command -Credential $clientCred -ComputerName $ClientIP -ScriptBlock $script
I get the following error:
UI is not allowed in this operation
+ CategoryInfo : InvalidArgument: (:) [Import-Certificate], ArgumentException
I'm not sure where this is going wrong - it would be really helpful if someone could point me in the right direction.
The problem here is that when you install the certificate to Cert:\CurrentUser\Root (Trusted Root CAs in the current user account), the underlying CryptoAPI invokes the following dialog:
And this is why the error message mentions UI. Since you are attempting to install the certificate in the remoting session, it is impossible to press the button in the remote host's interactive session. This is why UI dialogs are prohibited.
What you can do is install the certificate to the Local Machine store. That is, install it to Cert:\LocalMachine\Root.
Note that when installing a root certificate to the local machine store, it is automatically propagated to all user accounts on that machine. That is, an unintentional trust can be established for users where such trust might not be intended.
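The fix from this answer as an added script (not the answer's own code): the remote script block imports into the machine store, where no consent dialog is raised, and because a Root import trusts the certificate for every user on the host, it first checks that the file really is a self-signed CA and otherwise uses the intermediate CA or Personal store. The file path, $clientCred and $ClientIP are taken from the question.

```powershell
# Added example, not from the answer. Machine stores need admin rights on the host instead of the
# CryptoAPI consent dialog, so the import works over remoting. Variables are from the question.
$script = {
    param([string] $CerPath)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
    $isSelfSigned = ($cert.Subject -eq $cert.Issuer)
    $isCa = $false
    $bc = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }   # Basic Constraints
    if ($bc) {
        $isCa = ([System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]$bc).CertificateAuthority
    }
    # Root trust is machine-wide (the caveat in the answer), so only a self-signed CA goes there;
    # an issuing CA goes to the intermediate store and a leaf certificate to Personal.
    if ($isSelfSigned -and $isCa) {
        $store = 'Cert:\LocalMachine\Root'
    } elseif ($isCa) {
        $store = 'Cert:\LocalMachine\CA'
    } else {
        $store = 'Cert:\LocalMachine\My'
    }
    $imported = Import-Certificate -FilePath $CerPath -CertStoreLocation $store
    [pscustomobject]@{
        Host       = $env:COMPUTERNAME
        Store      = $store
        Thumbprint = $imported.Thumbprint
        Subject    = $imported.Subject
        NotAfter   = $imported.NotAfter
    }
}

Invoke-Command -Credential $clientCred -ComputerName $ClientIP -ScriptBlock $script `
    -ArgumentList 'C:\Users\Administrator\Desktop\newCert.cer'
```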

Desired State Configuration credential private key not acquired

I'm trying to use PowerShell DSC for a few things. I wanted to have the passed credentials encrypted per the instructions at http://technet.microsoft.com/en-us/library/dn781430.aspx. It all seems to work fine until I run Start-DscConfiguration on the target node and I get the error:
The private key could not be acquired.
+ CategoryInfo : NotSpecified: (root/Microsoft/...gurationManager:String) [], CimException
+ FullyQualifiedErrorId : MI RESULT 1
+ PSComputerName : DmitriyDev
Going back I checked to see that the mof contains the credentials encrypted and the meta.mof contains the matching thumbprint, etc.
Going back to the original article I see the example code:
# Get the certificate that works for encryption
function Get-LocalEncryptionCertificateThumbprint
{
    (dir Cert:\LocalMachine\my) | %{
        # Verify the certificate is for Encryption and valid
        if ($_.PrivateKey.KeyExchangeAlgorithm -and $_.Verify())
        {
            return $_.Thumbprint
        }
    }
}
When I test my certificate using this code (on the target node) I see that the PrivateKey of the certificate is null. I'm not sure how the certificate is null. Trying a few things with certutil and the technique mentioned at http://blogs.technet.com/b/vishalagarwal/archive/2010/03/30/verifying-the-private-key-property-for-a-certificate-in-the-store.aspx, it seems that I do indeed have a private key; however, PowerShell sees it only as null.
On the target node, I even exported the public/private key manually and reimported them, with no luck, as outlined in another DSC tutorial.
I also tried using procmon to see what the problem was on the target node. I see the wmiprvse process and see that it runs as System (as expected), and I checked to make sure that the permissions on the private key allow for System (all on the target node).
So my question is: how do I get my private key to be used by DSC, specifically the LCM on the target node? Or how do I diagnose the problem further?
I had a similar error when using New-SelfSignedCertificate to create my certificates. For anyone with similar issues, I suspect the problem is related to the storage provider used by New-SelfSignedCertificate (see http://blogs.technet.com/b/vishalagarwal/archive/2010/03/30/verifying-the-private-key-property-for-a-certificate-in-the-store.aspx, which talks about a problem with the Microsoft Software Key Storage Provider and .NET classes). There's a PowerShell script available on TechNet that creates self-signed certificates and defaults to using a different storage provider, which solved the problem for me.
Okay, I'm not sure exactly why this works, but it does. Using the Computer template seems to work. In terms of work, PowerShell on the target node can see its private key from
dir cert:\LocalMachine\My | ? PrivateKey -ne $null
Once that happens it all works as expected. So, long story short: don't use the Workstation Auth template but the Computer template.
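An added diagnostic (not from the answers above) that shows what the page's check was actually measuring: the legacy X509Certificate2.PrivateKey property comes back null for keys held by a CNG key storage provider, while the CNG-aware GetRSAPrivateKey accessor opens both kinds. It lists each certificate in LocalMachine\My with both results, the key provider and the template extension, which is what differs between the two templates discussed; the store path is a parameter, nothing else is assumed.

```powershell
# Added example, not from the answers. The page's check relies on $_.PrivateKey, which .NET
# returns as $null for keys stored by a CNG key storage provider; GetRSAPrivateKey handles both.
function Get-EncryptionCertReport {
    param([string] $StorePath = 'Cert:\LocalMachine\My')
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $provider = $null; $keyType = 'none'; $legacySeesKey = $false
        if ($cert.HasPrivateKey) {
            try {
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($rsa -is [System.Security.Cryptography.RSACng]) {
                    $keyType  = 'CNG'                      # the case where .PrivateKey is $null
                    $provider = $rsa.Key.Provider.Provider
                } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    $keyType  = 'CAPI'
                    $provider = $rsa.CspKeyContainerInfo.ProviderName
                }
            } catch { $provider = "inaccessible: $($_.Exception.Message)" }   # e.g. no ACL for this user
            try { $legacySeesKey = ($null -ne $cert.PrivateKey) } catch { $legacySeesKey = $false }
        }
        # Template name (v1 OID) or template information (v2 OID), whichever the issuer wrote
        $tmplExt = $cert.Extensions |
            Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7' } |
            Select-Object -First 1
        [pscustomobject]@{
            Thumbprint       = $cert.Thumbprint
            Subject          = $cert.Subject
            Template         = if ($tmplExt) { $tmplExt.Format($false) } else { $null }
            HasPrivateKey    = $cert.HasPrivateKey
            LegacyPrivateKey = $legacySeesKey     # what Get-LocalEncryptionCertificateThumbprint tests
            KeyType          = $keyType
            Provider         = $provider
            Valid            = $cert.Verify()
        }
    }
}

Get-EncryptionCertReport | Format-Table -AutoSize
```

Run it on the target node as the LCM's identity (SYSTEM): a certificate with HasPrivateKey true but LegacyPrivateKey false is the pattern the question describes, and the Provider column shows which key storage provider the template chose.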

DefaultWinRMCertificateThumbprint field in Azure VM setting is empty

I'm using "http://gallery.technet.microsoft.com/scriptcenter/Configures-Secure-Remote-b137f2fe" for configuring secure remote PowerShell access to my Azure VM. It works well.
I deleted my machine while keeping the attached disks. I've recreated this machine with the previous identical parameters, but from the "my disk" option.
And after that my secure remote PowerShell access stopped working. Every time I tried to use "http://gallery.technet.microsoft.com/scriptcenter/Configures-Secure-Remote-b137f2fe" for downloading the certificate I received the following error:
Get-AzureCertificate : Cannot validate argument on parameter 'Thumbprint'. The argument is null or empty. Supply an argument that is not null or empty and then try the command again.
At C:\Users\username\Desktop\InstallWinRMCertAzureVM.ps1:54 char:83
+ ... me -Thumbprint $WinRMCert -ThumbprintAlgorithm sha1
+ ~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Get-AzureCertificate], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.WindowsAzure.Commands.ServiceManagement.Certificates.GetAzureCertificate
Actually, the option
(Get-AzureVM -ServiceName $CloudServiceName -Name $Name | select -ExpandProperty vm).DefaultWinRMCertificateThumbprint
is empty.
But in original machine it was a valid thumbprint.
Can someone point me in the right direction, please?
The problem was fixed. Partially :)
So, I connected to my virtual machine via RDP and manually exported the certificate from the LocalMachine store. After that, I imported the certificate on my local machine into the "Trusted Root Certification Authorities" (!) section of the Local Machine store. The DefaultWinRMCertificateThumbprint field in the Azure VM settings is still empty, but now I can connect to the machine via PowerShell without any problems.