[BUG] Cannot Connect-PnPOnline when MFA uses PKI/client certificates #1706
Comments
To address bug pnp#1706 in PnP repo so that the pop-up browser authentication window can display the PKI/client certificate selection window.
@mikevasiloff - is the issue still there after the PR? Can you try with the latest version and let us know?
@gautamdsheth, sorry for the delay. Yes, the issue has been fixed when using
I've traced it down to this line where the issue lies with
I can update this one to become false as well. I forgot how you tested this last time. Are you able to build your own PnP PowerShell build off of my branch to test it or did one of us provide you with a downloadable build?
Oh snap, thanks @KoenZomers for that quick find! Last time I did my own build to test it and could try to do the same for this as well. I'll report back, might be a few days unfortunately. If that ends up being the fix, do you want me to go ahead and submit another pull request for it?
Just created a PR for it already. If you don't mind, can you build a PnP PowerShell version off of that and try this out? It should work for Interactive and DeviceLogin now as well. PR #1933
@KoenZomers using your Issue1706 build from the referenced PR I was able to confirm the issue is resolved!
Thanks for confirming @mikevasiloff!
Reporting an Issue
Regardless if -UseWebLogin or -Interactive is used, when MFA is used and requires selection of a PKI/client certificate, the pop-up browser window never shows the certificate selection window.
Expected behavior
When connecting to a tenant that requires PKI/client certificate to authenticate, accessing in a normal browser correctly displays a PKI/client certificate selection window and facilitates successful authentication. This same behavior is what's expected of the PowerShell module.
Actual behavior
Using the PowerShell module, although the pop-up browser window does initially seem to work as it loads the authentication page, when it comes to selecting a PKI/client certificate it never actually shows the certificate selection window and the spinning icon just freezes. You can click on "Sign in with other options" but that just returns you to the screen where you had to click to sign in with a PKI/client certificate. All you can do then is just close the authentication pop up window which of course fails to connect to the site.
Steps to reproduce behavior
Connect-PnPOnline https://dod365.sharepoint-mil.us -UseWebLogin
At the sign-in prompt, when asked for an email address enter: some.user@mail.mil
When redirected to the sign-in prompt, click on the "Sign in with CAC/PIV" link below the sign-in button.
What should happen is that a client certificate (smart card) selection window is displayed, but nothing happens.
What is the version of the Cmdlet module you are running?
1.9.0
Which operating system/environment are you running PnP PowerShell on?
Potential fix
What we've found is that if you change the default value for scriptErrorsSuppressed to false in the GetWebLoginClientContext function, then the pop-up browser window is able to show the PKI/client certificate selection. But it is unclear why this parameter was set to true in the first place.
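A stand-alone harness for checking the behaviour reported above outside the module, added here as an example and not taken from PnP PowerShell. It assumes the pop-up is a WinForms `WebBrowser` control, whose documented `ScriptErrorsSuppressed` property hides every dialog raised by the underlying control when set to true, not only script errors. `Show-AuthBrowser` and the URL in the usage comment are hypothetical; run it in Windows PowerShell 5.1, which starts in the STA mode the control needs.

```powershell
# Added example, not PnP PowerShell code. Windows only (WinForms, STA thread).
Add-Type -AssemblyName System.Windows.Forms

function Show-AuthBrowser {            # hypothetical helper name
    param(
        [Parameter(Mandatory)] [uri] $Url,
        # $true reproduces the failing setting, $false the fixed one
        [bool] $SuppressScriptErrors = $false
    )

    $browser = New-Object System.Windows.Forms.WebBrowser
    $browser.Dock = [System.Windows.Forms.DockStyle]::Fill

    # When true, the control hides all of its dialogs, including the
    # client certificate (smart card) selection prompt.
    $browser.ScriptErrorsSuppressed = $SuppressScriptErrors

    # With suppression off, script-error pop-ups would come back. Marking the
    # HtmlWindow.Error event as handled silences only those and leaves
    # security dialogs (certificate selection, login) visible.
    $browser.add_DocumentCompleted({
        param($src, $evt)
        $src.Document.Window.add_Error({
            param($win, $err)
            $err.Handled = $true
        })
    })

    $form = New-Object System.Windows.Forms.Form
    $form.Text   = "ScriptErrorsSuppressed = $SuppressScriptErrors"
    $form.Width  = 900
    $form.Height = 700
    $form.Controls.Add($browser)

    $browser.Navigate($Url)
    [void] $form.ShowDialog()          # blocks until the window is closed
    $form.Dispose()
}

# Usage (placeholder URL; substitute a sign-in page that requests a client cert):
#   Show-AuthBrowser -Url 'https://login.example.test/' -SuppressScriptErrors $true
#   Show-AuthBrowser -Url 'https://login.example.test/' -SuppressScriptErrors $false
```

Running both calls against the same certificate-protected sign-in page shows whether the selection window is being hidden by the control setting or by something else in the authentication flow.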