SharePoint Online Spoke: Error Fetching Token - Key Not Found, Thumbprint of Key Used by Client
03-10-2025 05:11 AM - edited 03-10-2025 05:24 AM
Hi Everyone,
We are currently trying to set up our Microsoft SharePoint Online spoke, but we are getting the error below:
OAuth flow failed. Verify the configurations and try again. Error detail:invalid_client, AADSTS700027: The certificate with identifier used to sign the client assertion is not registered on application. [Reason - The key was not found., Thumbprint of key used by client: 'XXXXX', Please visit the Azure Portal, Graph Explorer or directly use MS Graph to see configured keys for app Id 'XXXXXX'. Review the documentation at https://docs.microsoft.com/en-us/graph/deployments to determine the corresponding service endpoint and https://docs.microsoft.com/en-us/graph/api/application-get?view=graph-rest-1.0&tabs=http to build a query request URL, such as 'https://graph.microsoft.com/beta/applications/XXXXXX']. Trace ID: XXXXXXXXX Correlation ID: XXXXXXXX Timestamp: 2025-03-10 12:05:09Z, https://login.microsoftonline.com/error?code=700027
- We have followed the steps documented in Configure Microsoft SharePoint Online connection record.
- We also saw this KBA, SharePoint Online Spoke: Error Fetching Token - Key Not Found, Thumbprint of Key Used by Client - Su..., but we have already encoded the thumbprint uploaded to the application in Azure to base64.
- The certificates were also successfully validated after we uploaded them to System Definition > Certificates > Microsoft SharePoint Online Certificate (we even tried both the .jks file and the .pfx file, and both were validated successfully).
- We also validated that the permissions provided were Sites.FullControl.All under application permissions, as mentioned in the documentation, and we also found this: Solved: Re: Confused about Sharepoint Spoke setup - Page 2 - ServiceNow Community.
If anyone has experienced this before and was able to fix the issue, we are keen on hearing what you did. Thank you.
03-17-2025 02:15 PM
Not sure if you have found a solution but...
DTech Apps DocIntegrator, a certified application sold on the ServiceNow Store, can solve this "invalid_client, AADSTS700027" error by offering alternative authentication methods to SharePoint Online that may bypass the complexities and potential misconfigurations of the certificate-based authentication used by the OOB spoke.
Instead of relying solely on managing certificates within ServiceNow and Azure AD for client assertion, DocIntegrator often supports OAuth 2.0 based authentication using Azure Active Directory. This approach typically involves:
- Registering DocIntegrator as an application in Azure AD.
- Granting DocIntegrator delegated permissions (on behalf of a user) or application permissions (directly to the application) to access SharePoint Online.
- Authenticating through a standard OAuth 2.0 flow, which often involves user consent or relies on pre-configured application credentials (client ID and secret) managed within Azure AD.
By leveraging OAuth 2.0, DocIntegrator can establish a secure connection to SharePoint Online without the need for generating, uploading, and meticulously configuring certificates and their thumbprints in both ServiceNow and Azure AD, thus eliminating the common pitfalls that lead to the "AADSTS700027: The certificate with identifier used to sign the client assertion is not registered on application" error.
While DocIntegrator might also support certificate-based authentication, its flexibility in offering alternative methods provides a more streamlined and less error-prone way to integrate with SharePoint Online, especially for users encountering the specific certificate-related issues you are facing. You would need to configure DocIntegrator to use an OAuth 2.0 connection instead of relying on certificate authentication.
03-21-2025 03:46 AM
Hi @edosky,
This issue arises when the base64 value (converted from hex) is incorrect.
Please verify that the "client: 'XXXXX'," value matches the corresponding hex value, which you can find in your Azure app manifest file. An incorrect conversion from hex to base64 is often the cause of this problem.
The correct base64 value should look like this:
YIXXXXXXXXXXXXXXXXXXXXXW=
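The conversion the reply above describes, as an added example that is not part of the original thread and not ServiceNow's or Microsoft's code. It converts a certificate's hex SHA-1 thumbprint (the form the Azure portal shows) into the base64 form that AADSTS700027 reports as "Thumbprint of key used by client" and that appears as `customKeyIdentifier` in the app manifest, and it contrasts that with the common mistake of base64-encoding the hex text itself. The sample thumbprint is a constructed 20-byte value, the tiny PEM is constructed too, and all function names are this example's own:

```python
import base64
import binascii
import hashlib

# Constructed sample: a made-up 40-hex-digit SHA-1 thumbprint, as the Azure portal would display it.
SAMPLE_THUMBPRINT_HEX = "A1B2C3D4E5F60718293A4B5C6D7E8F9001122334"


def normalize_hex_thumbprint(thumbprint):
    """Strip separators the portal or openssl may insert and validate a SHA-1 thumbprint."""
    cleaned = "".join(ch for ch in thumbprint if ch not in ":- \t\r\n").upper()
    if len(cleaned) != 40 or any(c not in "0123456789ABCDEF" for c in cleaned):
        raise ValueError("expected a 40-hex-digit SHA-1 thumbprint")
    return cleaned


def thumbprint_hex_to_base64(thumbprint):
    """Correct conversion: decode the hex into its 20 raw bytes, then base64 those bytes.

    A 20-byte SHA-1 digest always yields 28 base64 characters ending in a single '='.
    """
    raw = binascii.unhexlify(normalize_hex_thumbprint(thumbprint))
    return base64.b64encode(raw).decode("ascii")


def thumbprint_hex_to_base64_wrong(thumbprint):
    """The mistake the reply warns about: base64 of the 40 ASCII hex characters, not of the bytes.

    This produces a 56-character value ending in '==' that Entra ID will never match.
    """
    return base64.b64encode(normalize_hex_thumbprint(thumbprint).encode("ascii")).decode("ascii")


def base64_to_thumbprint_hex(b64):
    """Reverse direction: turn the value from the error message or manifest back into hex."""
    return binascii.hexlify(base64.b64decode(b64)).decode("ascii").upper()


def looks_like_base64_sha1(b64):
    """Quick sanity check on a value pasted into the spoke configuration."""
    try:
        return len(base64.b64decode(b64, validate=True)) == 20
    except (binascii.Error, ValueError):
        return False


def thumbprints_match(hex_thumbprint, b64_thumbprint):
    """Compare the portal's hex thumbprint with the base64 value reported in AADSTS700027."""
    return normalize_hex_thumbprint(hex_thumbprint) == base64_to_thumbprint_hex(b64_thumbprint)


def pem_to_der(pem_text):
    """Strip PEM armor and decode the body to DER bytes."""
    body = [ln.strip() for ln in pem_text.strip().splitlines()
            if ln.strip() and not ln.startswith("-----")]
    return base64.b64decode("".join(body))


def thumbprint_from_der(der_bytes):
    """The thumbprint Azure shows is SHA-1 over the DER-encoded certificate."""
    return hashlib.sha1(der_bytes).hexdigest().upper()


if __name__ == "__main__":
    good = thumbprint_hex_to_base64(SAMPLE_THUMBPRINT_HEX)
    bad = thumbprint_hex_to_base64_wrong(SAMPLE_THUMBPRINT_HEX)
    print("correct customKeyIdentifier:", good)
    print("wrong (base64 of hex text):", bad)
    print("round trip ok:", thumbprints_match(SAMPLE_THUMBPRINT_HEX, good))
```

If the value that ends up in the spoke or the manifest is 56 characters long and ends in `==`, the hex text was encoded instead of the bytes; a correct value is 28 characters and ends in one `=`, which is consistent with the `W=` suffix in the reply's example. To check a certificate you actually exported, feed its DER bytes (or `pem_to_der` of the PEM) to `thumbprint_from_der` and compare the result to what the portal shows before converting it.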
03-25-2025 11:19 PM - edited 03-25-2025 11:19 PM
Thank you @John Martin2 and @priytams, appreciate the help. We've figured out the issue: the client ID and secret that were provided to us were incorrect. How that was determined I don't know, but when they gave me another one it worked.
04-07-2025 05:46 PM
Glad you tracked down the solution!