
AADSTS700016: Application with identifier 'my.name' was not found in the directory

Open · sam-wheat opened this issue · 2 comments

As I was stepping through the tutorials I got the error shown below exactly one time. I thought I fixed it by enclosing my domain names in single quotes because it went away when I did that.

I went on to go through all the steps in the tutorial and got everything working. I generated some certs against the staging and live servers and observed the files in the Posh-ACME folder. When I was ready to generate a real cert I deleted the contents of the Posh-ACME folder and ran my script and got the error shown below. This time I cannot make it go away.

Application with identifier 'my.name'

I do not understand how this error message is created. The actual error message is my real first and last name. Why is it looking for an app named 'my.name'? How does it even get those values? The only thing I could think of is my email address, which is '[email protected]'. I tried wrapping my email address in single quotes but that didn't help.

Here is my script which ran many times and actually generated certs.

#Set-PAServer LE_PROD
Set-PAServer LE_STAGE
# Interactive Azure login; the returned context supplies subscription and tenant IDs
$az = Connect-AzAccount
$acct = Get-PAAccount

# Plugin arguments for the Azure DNS plugin
$azParams = @{
  AZSubscriptionId = $az.Context.Subscription.Id
  AZTenantId       = $az.Context.Subscription.TenantId
  AZAppCred        = (Get-Credential)
}
New-PACertificate 'mydomain.com', 'www.mydomain.com' -AcceptTOS -Contact [email protected] -DnsPlugin Azure -PluginArgs $azParams -Verbose

Error message:

VERBOSE: Using directory https://acme-staging-v02.api.letsencrypt.org/directory
VERBOSE: POST https://acme-staging-v02.api.letsencrypt.org/acme/acct/15493341 with -1-byte payload
VERBOSE: received 339-byte response of content type application/json
VERBOSE: Using account 15493341
VERBOSE: POST https://acme-staging-v02.api.letsencrypt.org/acme/order/15493341/142974700 with -1-byte payload
VERBOSE: received 344-byte response of content type application/json
VERBOSE: Creating a new order for mydomain.com, www.mydomain.com
VERBOSE: POST https://acme-staging-v02.api.letsencrypt.org/acme/order/15493341/142974700 with -1-byte payload
VERBOSE: received 344-byte response of content type application/json
VERBOSE: POST https://acme-staging-v02.api.letsencrypt.org/acme/new-order with -1-byte payload
VERBOSE: received 486-byte response of content type application/json
VERBOSE: POST https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/105496960 with -1-byte payload
VERBOSE: received 809-byte response of content type application/json
VERBOSE: POST https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/105496961 with -1-byte payload
VERBOSE: received 813-byte response of content type application/json
VERBOSE: POST https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/105496960 with -1-byte payload
VERBOSE: received 809-byte response of content type application/json
VERBOSE: POST https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/105496961 with -1-byte payload
VERBOSE: received 813-byte response of content type application/json
WARNING: Fewer DnsPlugin values than names in the order. Using Azure for the rest.
VERBOSE: Publishing DNS challenge for mydomain.com
VERBOSE: POST https://login.microsoftonline.com/22914068-b6f0-4fee-a0e6-e8df19bb78a1/oauth2/token with -1-byte payload
Invoke-RestMethod : {"error":"unauthorized_client","error_description":"AADSTS700016: Application with identifier
'my.name' was not found in the directory '22914068-b6f0-4fee-a0e6-e88a1'. This can happen if the application
has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent
your authentication request to the wrong tenant.\r\nTrace ID: 67af773a-502a-4e0f-aa07-5b9b29273800\r\nCorrelation ID:
5b302a2e-00f8-4c29-9d82-253005c11ebf\r\nTimestamp: 2020-09-05
00:13:48Z","error_codes":[700016],"timestamp":"2020-09-05 00:13:48Z","trace_id":"67af773a-502a-4e0f-aa07-5b9b29273800",
"correlation_id":"5b302a2e-00f8-4c29-9d82-253005c11ebf","error_uri":"https://login.microsoftonline.com/error?code=700016"}
At C:\Users\sam\Documents\WindowsPowerShell\Modules\Posh-ACME\3.16.0\DnsPlugins\Azure.ps1:435 char:22
+ ...    $token = Invoke-RestMethod "https://login.microsoftonline.com/$($A ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand

EDIT: I searched all the tickets and found this one that suggests:

Import-Module -Name .\Posh-ACME -Force

I tried it, and I removed the Azure DNS plug-in just to try to reduce the number of variables. It looks like remnants of prior scripts are persisted somehow and not cleaned up (??):

PS C:\Users\sam> Import-Module -Name Posh-ACME -Force
PS C:\Users\sam> new-pacertificate 'mydomain.com', 'www.mydomain.com' -accepttos -contact [email protected]
WARNING: Fewer DnsPlugin values than names in the order. Using Azure for the rest.
Invoke-RestMethod : {"error":"unauthorized_client","error_description":"AADSTS700016: Application with identifier
'my.name' was not found in the directory '22914068-b6f0-4fee-a0e6-e8bb78a1'. This can happen if the application
has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent
your authentication request to the wrong tenant.\r\nTrace ID: 55c4540e-cb6c-40b3-ba35-50bfb6a64100\r\nCorrelation ID:
9dbe29ce-d00e-4bbb-be42-0504f13f3e03\r\nTimestamp: 2020-09-05
12:56:51Z","error_codes":[700016],"timestamp":"2020-09-05 12:56:51Z","trace_id":"55c4540e-cb6c-40b3-ba35-50bfb6a64100",
"correlation_id":"9dbe29ce-d00e-4bbb-be42-0504f13f3e03","error_uri":"https://login.microsoftonline.com/error?code=700016"}
At C:\Users\sam\Documents\WindowsPowerShell\Modules\Posh-ACME\3.16.0\DnsPlugins\Azure.ps1:435 char:22
+ ...    $token = Invoke-RestMethod "https://login.microsoftonline.com/$($A ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand

sam-wheat · Sep 05 '20 00:09

Hey @sam-wheat. Thanks for the report. Azure is definitely one of the more complicated plugins to deal with because there are so many authentication options. It looks like you followed the guide perfectly, so no worries there.

The error being thrown is from the Azure authentication process. It's picking up the 'my.name' value from the AzAppCred value in your $azParams variable because I'm assuming you supplied your [email protected] personal credentials when prompted by Get-Credential. The problem is that it seems like it doesn't allow personal credentials there and you specifically need to set up an App Registration. I know the guide implies you can use your personal credentials and I swear it used to work that way, but it's possible Microsoft may have changed something since the guide was written.

I'm going to need to do some testing to figure out whether it's still possible to use personal credentials and if so, it might require a code change. In the meantime, do you have access to create the custom Role and App Registration as described in the usage guide? That would be the most reliable way forward. If not, you can still use your personal credentials via the "Existing Access Token" method described in the guide. But you won't be able to auto renew unless you add some additional scripting to re-login and re-get the access token each time you need to renew.

rmbolger · Sep 05 '20 15:09
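The two paths described in the reply above, as an added example (not code from the Posh-ACME project or from either participant). It does two things: a pre-flight check that the credential handed to `AZAppCred` carries an App Registration's application (client) ID as its user name rather than a personal identity such as 'my.name' (which the trace above shows being reported back as the unknown application identifier), and the "Existing Access Token" alternative, where a fresh ARM token is pulled from an interactive `Connect-AzAccount` session at every run so renewals do not depend on a stored token. Assumptions: the `Az.Accounts` module (with `Get-AzAccessToken` returning an object whose `.Token` is the bearer string) is installed, the plugin parameter for the token method is named `AZAccessToken` as in the plugin's usage guide, and the contact address is a placeholder.

```powershell
# Added example; not part of Posh-ACME. Assumes Az.Accounts and Posh-ACME are installed.

function Test-AzAppCredential {
    <#
      Fails fast when AZAppCred does not look like an App Registration credential.
      The client_credentials token endpoint expects client_id = application (client) ID,
      which is a GUID. A user principal name such as 'my.name' or an e-mail address is
      not an application identifier and is rejected with AADSTS700016.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [pscredential]$Credential
    )
    $parsed = [guid]::Empty
    if (-not [guid]::TryParse($Credential.UserName, [ref]$parsed)) {
        throw ("AZAppCred user name '{0}' is not an application (client) ID GUID. " +
               "Use the App Registration's Application ID as the user name and its " +
               "client secret as the password; personal sign-in credentials are not " +
               "accepted by this authentication method.") -f $Credential.UserName
    }
    return $true
}

function Get-AzureDnsPluginArgs {
    <#
      Builds the -PluginArgs hashtable for the Azure DNS plugin in one of two ways:
        -AppCred          : App Registration credential (validated above)
        -UseExistingToken : bearer token for the currently signed-in Azure user
    #>
    [CmdletBinding(DefaultParameterSetName = 'AppCred')]
    param(
        [Parameter(Mandatory, ParameterSetName = 'AppCred')]
        [pscredential]$AppCred,

        [Parameter(Mandatory, ParameterSetName = 'Token')]
        [switch]$UseExistingToken
    )

    # Interactive login supplies the subscription (and tenant) IDs in both cases.
    $ctx = (Connect-AzAccount).Context

    if ($PSCmdlet.ParameterSetName -eq 'AppCred') {
        Test-AzAppCredential -Credential $AppCred | Out-Null
        return @{
            AZSubscriptionId = $ctx.Subscription.Id
            AZTenantId       = $ctx.Subscription.TenantId
            AZAppCred        = $AppCred
        }
    }

    # "Existing Access Token" method: an ARM token for the signed-in user. Such tokens
    # are short-lived, so this function must run again at each renewal rather than the
    # token being saved. Parameter name AZAccessToken is taken from the plugin guide.
    $token = (Get-AzAccessToken -ResourceUrl 'https://management.azure.com/').Token
    return @{
        AZSubscriptionId = $ctx.Subscription.Id
        AZAccessToken    = $token
    }
}

# --- Usage -------------------------------------------------------------------
Set-PAServer LE_STAGE

# Path 1: App Registration. Get-Credential prompts for the Application (client) ID
# as the user name and the client secret as the password.
$azParams = Get-AzureDnsPluginArgs -AppCred (Get-Credential -Message 'Application (client) ID / client secret')

# Path 2 (alternative): personal sign-in via a freshly acquired access token.
# $azParams = Get-AzureDnsPluginArgs -UseExistingToken

# Placeholder contact address; replace with a real mailbox.
New-PACertificate 'mydomain.com', 'www.mydomain.com' -AcceptTOS -Contact 'me@mydomain.com' `
    -DnsPlugin Azure -PluginArgs $azParams -Verbose
```

With path 2, wrap the whole block in the scheduled renewal script (re-run `Connect-AzAccount` and `Get-AzureDnsPluginArgs -UseExistingToken` before calling `Submit-Renewal`), since the token saved alongside the order will have expired by the time renewal is due.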

Hi Ryan, thanks for the Saturday-before-Labor-day response. I will investigate the Role and App Registration options.

sam-wheat · Sep 05 '20 15:09