Connect-PnPOnline throws "Exception has been thrown by the target of an invocation" #2752
Comments
Thank you for reporting this issue. We will be triaging your incoming issue as soon as possible. |
Hi @jagsridharan I'm seeing this much more consistently than you - basically every single time. It appears we are now routing the Connect-PnPOnline thumbprint auth method to an AuthenticationManager (PnP-Sites-Core) function that wants the private key of the cert. Continued research pending. |
Hi again @jagsridharan and @KoenZomers With the help of my colleagues we isolated this issue to Disconnect-PnPOnline. After we call Disconnect-PnPOnline it removes the certificate private key file that is placed on disk here: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys. Without this private key we will not be able to connect referencing the cert's thumbprint. @jagsridharan Were you seeing the failure after calling Disconnect-PnPOnline? If you recreate a new certificate and don't call Disconnect-PnPOnline I would expect you to continue being able to connect. |
@fastlaneb You are absolutely right. Now it makes sense. The reason that it stops working the second time is due to the fact that I have a Finally block that Disconnects the connection. Let me try and confirm if this is the behaviour. |
Thanks for reporting this guys. I however don't seem to be able to reproduce this on my end. I use a connect like this all the time without any issues. It's the most popular way of connecting, so we should have seen more reports if it really was broken. What also stumbles me a bit is the finding that it would copy the certificate to the temporary location. Didn't double check this in code, but to what I remember, this only happens if you point to a certificate file but not if you use the thumbnail to reference it from the Windows Certificate store, like you are doing. So something must be different in what you guys are doing vs what I am doing and we need to figure out what that is. One thing which is different, but validated "your way" of doing it and it still doesn't give me the same result if I do the same, is that you are using the -ReturnConnection. I see that happen with many people. Not sure why because it's totally not necessary in 99% of the scenarios and clutters your code. Can you share more details on what you're doing? |
Thanks for the prompt attention @KoenZomers Did you call Disconnect-PnPOnline and then try? |
@fastlaneb I did. Here's the output I get: |
Thank you @KoenZomers I just ran the exact same code as yours and it deleted my private key from C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys. And it then fails. That being the case I'm wondering if this is somehow operating system related. I'm on Windows 10, build 1809. What OS are you on? And @jagsridharan what OS are you on? |
Is there a difference between the 2 commands?
Disconnect-PnpOnline -Connection $c
Disconnect-PnPOnline
Could the null Connection flag, trigger a blanket purge as opposed to just closing the session? |
There actually is. Did some further debugging with this. I was right on what I seemed to remember above: only when you use With regards to The only scenario I can think of which could be causing what you are describing is that you are connecting in the current context somewhere using Can you check if that could be the case? I'll submit a PR to get that bug from 2018 fixed in the next release, but don't put your hopes on that that will fix your issue, as it's very likely unrelated. And please also clarify what your reason is to make use of the |
Very good debugging and I'm sure not all connection scenarios have been worked thru. The cleanup of certs on disconnect was added due to disks being filled up with repeated connections, to ensure people have a way to remove the temp files generated. |
If people on the thread are able to build and test a version with @KoenZomers fix, that would be appreciated. It's merged to the dev branch. |
Thanks @KoenZomers and @wobba for the update and a quick response. I checked my code now and I can confirm that there is only one |
Hi Team @KoenZomers @wobba @yumoraby @jagsridharan , I'm confused here. It is my understanding that if we delete these hashed private keys from disk we will never be able to connect with that particular certificate until returning the hashed private key back to disk. Koen, are you suggesting that connecting with the thumbprint doesn't need this key? Where is my logic flawed? |
@fastlaneb When connecting it should create a new version of the temp file I believe - for that scenario. |
It's like a temporary cache folder which is only used if you reference a certificate by its path on a file system. If its in the Windows Certificate Store, it doesn't need to go to or be in this local cache folder as it can read from the store directly. Believe to have read somewhere that the copy is done to ensure some Windows process dealing with the certificates will be able to access the location as it may not be able to access the original location. |
Hmm interesting, I have never used the authentication specifying the certificationpath (always used the certificate store). |
@wobba We are not seeing the creation of the new temp file when using Connect-PnPOnline with the thumbprint method. If this did happen everything would work. @KoenZomers I am not seeing that behavior. We (@yumoraby and I) only see the temp file created on disk when we import the file into the certificate store. If the temp file is gone we are not able to use Connect-PnPOnline with the thumbprint method because there is no longer a private key associated with that cert in the store. This can be verified by interrogating the certificate's "PrivateKey" property with PowerShell. I believe this is the same behavior that @jagsridharan is seeing. |
This is the test we ran yesterday:
$cert = Get-ChildItem "cert:\LocalMachine\My" | Where-Object {$_.Thumbprint -eq $id.Thumbprint}
$cert.PrivateKey
$cert = Get-ChildItem "cert:\LocalMachine\My" | Where-Object {$_.Thumbprint -eq $id.Thumbprint}
$cert.PrivateKey
As @KoenZomers something was reintroduced into the code that triggered this issue, that @wobba addressed for issue #2101. Is there anything I can do on my end to help test, debug? Let me know. |
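The check discussed in the comments above (whether the certificate's private key is still usable, and whether a disconnect removed a file from MachineKeys), written out as an added example that is not part of the thread or of the PnP-PowerShell code. The helper names Get-CertKeyState and Compare-MachineKeys are hypothetical, and the sketch assumes Windows PowerShell 5.1, an elevated session, and an RSA key held by a legacy CSP.

```powershell
# Added diagnostic; not from the thread or the PnP-PowerShell code base.
# Assumes Windows PowerShell 5.1, an elevated session, and an RSA key held by a
# legacy CSP (the kind whose container file lives under RSA\MachineKeys).
$MachineKeys = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'

function Get-CertKeyState {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Thumbprint)
    $cert = Get-ChildItem 'Cert:\LocalMachine\My' |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "Thumbprint $Thumbprint not found in LocalMachine\My" }
    $state = [ordered]@{
        Thumbprint    = $cert.Thumbprint
        HasPrivateKey = $cert.HasPrivateKey  # certificate claims an associated key
        KeyUsable     = $false               # key container could actually be opened
        KeyFile       = $null
        KeyFileExists = $false
        Error         = $null
    }
    try {
        # Opening the key throws or yields $null when the container file is gone.
        $key = $cert.PrivateKey
        if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $name = $key.CspKeyContainerInfo.UniqueKeyContainerName
            $state.KeyUsable     = $true
            $state.KeyFile       = Join-Path $MachineKeys $name
            $state.KeyFileExists = Test-Path -LiteralPath $state.KeyFile
        }
    } catch {
        $state.Error = $_.Exception.Message
    }
    [pscustomobject]$state
}

function Compare-MachineKeys {   # hypothetical helper name
    # Runs $Action, then lists container files that vanished or appeared.
    param([Parameter(Mandatory)][scriptblock]$Action)
    $before = @(Get-ChildItem -LiteralPath $MachineKeys -File | ForEach-Object Name)
    & $Action | Out-Null
    $after  = @(Get-ChildItem -LiteralPath $MachineKeys -File | ForEach-Object Name)
    $before | Where-Object { $_ -notin $after } |
        ForEach-Object { [pscustomobject]@{ File = $_; Change = 'Removed' } }
    $after | Where-Object { $_ -notin $before } |
        ForEach-Object { [pscustomobject]@{ File = $_; Change = 'Added' } }
}

# Usage ('<THUMBPRINT>' is a placeholder):
# Get-CertKeyState -Thumbprint '<THUMBPRINT>'     # before
# Compare-MachineKeys { Disconnect-PnPOnline }    # which files did it touch?
# Get-CertKeyState -Thumbprint '<THUMBPRINT>'     # after
```

Run Get-CertKeyState before the disconnect so the container file name is recorded while the key can still be opened; afterwards only the Error column and the Removed entry identify what was lost.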
Thanks for sharing these detailed steps @yumoraby. Still can't explain what technically could be causing this. Must almost be a difference in Windows 10. I just tried your steps and for me it does not add anything to C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys when I import my PFX into the Windows Certificate store. What I will do to close this issue is the following. Since the file deletion from C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys should only occur anyway when I'll compile a pre-release version once I'm done with the change so you can test it out to see if it really works as I can't test it myself due to not being able to reproduce the issue. |
Here's a version in which what I wrote in my previous comment has been applied:
Let me know if it fixes the issue for you. |
Will look to get this done later today. Should have a response on my findings in approx 5 hours. |
Hi Team, I tested and it no longer deletes file from the MachineKeys directory and I can connect and disconnect without error. Thanks @KoenZomers Another tidbit, I couldn't use the zip provided (didn't want to go in and unblock all the files) so I just grabbed the code changes from #2759 and rebuilt. |
Awesome, thanks for confirming @fastlaneb. I'll activate the PR. It will be merged and released in the July 2020 release around July 7th, 2020. |
Downloaded @KoenZomers module, closed and reopened PowerShell ISE:
Import-Module MSOnline -ErrorAction SilentlyContinue
Import-Module C:\Users\yumoraby\Downloads\SharePointPnPPowerShellOnline\3.22.2006.3\SharePointPnP.PowerShell.Online.Commands.dll
Get-Module | Select-Object -Property Name, Version

Name                                     Version
----                                     -------
CredentialManager                        2.0
ISE                                      1.0.0.0
Microsoft.PowerShell.Management          3.1.0.0
Microsoft.PowerShell.Security            3.0.0.0
Microsoft.PowerShell.Utility             3.1.0.0
pki                                      1.0.0.0
SharePointPnP.PowerShell.Online.Commands 3.22.2006.2

My findings running the following:
$id = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Microsoft Assessments\'
$cert = Get-ChildItem "cert:\LocalMachine\My" | Where-Object {$_.Thumbprint -eq $id.Thumbprint}
$cert.PrivateKey
$domainName = ($id.TenantDomain.split('.')[0])
Connect-PnPOnline -Tenant $id.TenantDomain -ClientId $id.ApplicationId -Thumbprint $id.Thumbprint -Url https://$domainName-admin.sharepoint.com
$masterList = Get-PnPList -Identity "DO_NOT_DELETE_SPLIST_TENANTADMIN_AGGREGATED_SITECOLLECTIONS"
$query = "<View Scope='RecursiveAll'><RowLimit>4000</RowLimit></View>"
$sites = Get-PnPListItem $masterList -Query $query
$counter = 0
Disconnect-PnPOnline

Private Key was deleted, and am not able to reconnect. Did the new package actually get imported, as the module version number is the same. My Windows Version is: I have an issue where it does not upgrade to Windows 10 2004 |
@yumoraby It's correct that you still see 3.22.2006.2, I didn't update the version number in this build. I'm testing this from Windows 10 build 2004. Just double checked the IL of the version I shared and it's truly the updated version in which the certificate will not be deleted anymore. Not sure why you're still experiencing this, as the code line that deleted the certificate file will not be hit anymore unless you specify the -CertificatePath on Connect-PnPOnline. I'm pretty confident that with @fastlaneb his test we can conclude that it should work. |
Thanks @KoenZomers will look to see what @fastlaneb did in his tests, and see if we can share this with the team to test. My machine may be due a rebuild |
Yes, trying to get isolated modules working can certainly be a challenge. I'll sync with you tomorrow @yumoraby and we'll get you a good build to test. |
#2759 is now merged so I believe this issue can be closed? |
Let's do that for now indeed. @fastlaneb @yumoraby @jagsridharan feel free to reopen if your tests still show issues with the updated code. @fastlaneb you can compile an internal test version from the dev branch now if you wish. |
Reporting an Issue or Missing Feature
Connect-PnPOnline with Thumbprint throws error "Exception has been thrown by the target of an invocation"
Expected behavior
Successfully connect to the PnP site
Actual behavior
Connect-PnPOnline : Exception has been thrown by the target of an invocation.
Steps to reproduce behavior
Which version of the PnP-PowerShell Cmdlets are you using?
What is the version of the Cmdlet module you are running?
3.22.2006.2
How did you install the PnP-PowerShell Cmdlets?