
[MSAL NODE] SNI AADSTS700027: The certificate with identifier used to sign the client assertion is not registered on application. [Reason - The key was not found #8339

@Stalluri1


Core Library

MSAL Node (@azure/msal-node)

Core Library Version

5.0.4

Wrapper Library

Not Applicable

Wrapper Library Version

N/A

Public or Confidential Client?

Confidential

Description

We have a 1p app with SNI set up. We are using the agents-hosting SDK, which does the cert-based auth for us: https://github.com/microsoft/Agents-for-js/blob/aaa34c719adcb047e02a74633aeaea47b6878e7c/packages/agents-hosting/src/auth/msalTokenProvider.ts#L402
Here we are facing an issue with x5c. We see the SDK passing it, but we see it is still trying to look up the thumbprint on the 1p app rather than via SNI.

Error Message

errorCode: 'invalid_client',
2026-02-18T11:42:13.840925495Z errorMessage: "Error(s): 700027 - Timestamp: 2026-02-18 11:42:13Z - Description: AADSTS700027: The certificate with identifier used to sign the client assertion is not registered on application. Reason - The key was not found., Thumbprint of key used by client: '', Please visit the Azure Portal, Graph Explorer or directly use MS Graph to see configured keys for app Id '<1pappId>'. Review the documentation at https://docs.microsoft.com/en-us/graph/deployments to determine the corresponding service endpoint and https://docs.microsoft.com/en-us/graph/api/application-get?view=graph-rest-1.0&tabs=http to build a query request URL, such as '[https://graph.microsoft.com/beta/applications/8ad61c39-5b6e-447c-b26a-a64eee436502']. Alternatively, SNI may be configured on the app. Please ensure that client assertion is being sent with the x5c claim in the JWT header using MSAL's WithSendX5C() method so that Azure Active Directory can validate the certificate being used. Trace ID: e70d2c40-46ab-4f6c-9447-7c6797ae6500 Correlation ID: c67ad973-7504-4459-8906-862520df946b Timestamp: 2026-02-18 11:42:13Z - Correlation ID: c67ad973-7504-4459-8906-862520df946b - Trace ID: e70d2c40-46ab-4f6c-9447-7c6797ae6500",

MSAL Logs

No response

Network Trace (Preferably Fiddler)

  • Sent
  • Pending

MSAL Configuration

const cca = new ConfidentialClientApplication({
  auth: {
    clientId: authConfig.clientId || '',
    authority: `${authConfig.authority}/${authConfig.tenantId || 'botframework.com'}`,
    clientCertificate: {
      privateKey: privateKey as string,
      thumbprint: pubKeyObject.fingerprint.replaceAll(':', ''),
      x5c: Buffer.from(authConfig.certPemFile as string, 'base64').toString()
    }
  },
  system: this.sysOptions
})

Relevant Code Snippets

    // Load the private key from certKeyFile and re-export it as PKCS#8 PEM for MSAL
    const privateKeySource = fs.readFileSync(authConfig.certKeyFile as string)

    const privateKeyObject = crypto.createPrivateKey({
      key: privateKeySource,
      format: 'pem'
    })

    const privateKey = privateKeyObject.export({
      format: 'pem',
      type: 'pkcs8'
    })

    // Parse the certificate file (certPemFile is a path) to obtain its SHA-1 fingerprint
    const pubKeyObject = new crypto.X509Certificate(fs.readFileSync(authConfig.certPemFile as string))

    const cca = new ConfidentialClientApplication({
      auth: {
        clientId: authConfig.clientId || '',
        authority: `${authConfig.authority}/${authConfig.tenantId || 'botframework.com'}`,
        clientCertificate: {
          privateKey: privateKey as string,
          // Hex SHA-1 fingerprint with the colons removed
          thumbprint: pubKeyObject.fingerprint.replaceAll(':', ''),
          // Note: certPemFile, the path read with fs.readFileSync above, is base64-decoded here
          // rather than the certificate contents that path points to
          x5c: Buffer.from(authConfig.certPemFile as string, 'base64').toString()
        }
      },
      system: this.sysOptions
    })
    const token = await cca.acquireTokenByClientCredential({
      scopes: [`${scope}/.default`],
      correlationId: v4()
    })
    if (!token?.accessToken) {
      throw new Error('Failed to acquire token using certificate')
    }
    return token.accessToken
  }

Reproduction Steps

  1. We are using the agents-hosting SDK
  2. Setting up our custom engine agent
  3. Hitting our agent from bizchat, we see the above error

Expected Behavior

  1. We are using the agents-hosting SDK
  2. Setting up our custom engine agent
  3. We should be able to get app tokens

Identity Provider

Entra ID (formerly Azure AD) / MSA

Browsers Affected (Select all that apply)

Other

Regression

No response

Metadata

Assignees

No one assigned

Labels

  • Needs: Attention 👋 (Awaiting response from the MSAL.js team)
  • bug-unconfirmed (A reported bug that needs to be investigated and confirmed)
  • confidential-client (Issues regarding ConfidentialClientApplications)
  • msal-node (Related to msal-node package)
  • question (Customer is asking for a clarification, use case or information.)
