cancel
Showing results for 
Search instead for 
Did you mean: 
Reply
Nender Frequent Visitor
Frequent Visitor

Unable to log-in because of missing device certificate

Hi,

 

When I try to log-in at PowerBI desktop I am receiving a message that I am unable to do it (everyone in my organization receives this message). By logging my session I do get the following error. Does annyone know how to solve this or what is happening? Thanks in advace!

 

Error in the trace log:

AcquireTokenHandlerBase.cs: Microsoft.IdentityModel.Clients.ActiveDirectory.AdalException: Device Certificate was not found for Cert AuthoritiesSmiley SurprisedU=XXXXXXXX-XXXX-XXXX-XXXXX-0950c1eaca97,CN=MS-Organization-Access,DC=windows,DC=net\r\n 
at Microsoft.IdentityModel.Clients.ActiveDirectory.DeviceAuthHelper.FindCertificate(IDictionary`2 challengeData)\r\n at Microsoft.IdentityModel.Clients.ActiveDirectory.DeviceAuthHelper.

 

Error-message in PowerBI:

error2.png

 

 

1 ACCEPTED SOLUTION

Accepted Solutions
Nender Frequent Visitor
Frequent Visitor

Re: Unable to log-in because of missing device certificate

Hi all,

 

The IT guys solved the problem. The issue was a bug in the Microsoft Azure AD, related to Conditional Access Policies. Azure introduced a new “Device State” feature.  If you enable that feature it will apply on all users and devices even if the users/computers are not in scope.  After they disabled the feature instead of the whole policy everything worked as expected.

 

Thanks all for the help!

9 REPLIES 9
Community Support Team
Community Support Team

Re: Unable to log-in because of missing device certificate

@Nender,

 

You may take a look at https://docs.microsoft.com/en-us/power-bi/desktop-troubleshooting-sign-in.

Community Support Team _ Sam Zha
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.
Nender Frequent Visitor
Frequent Visitor

Re: Unable to log-in because of missing device certificate

Hi @v-chuncz-msft ,

 

Thanks, because of the logging error I think it has to do with certifications. Now waiting for the IT-department to check it. Looks like a certification which is needed to connect with the Azure Active Directory Library (ADAL) (for logging in) is not valid or missing. Do you maybe know or the certificate in the error-message the one PowerBI is expecting on my PC (the exact name of it)?

 

Regards,

Nico

Nender Frequent Visitor
Frequent Visitor

Re: Unable to log-in because of missing device certificate

More detailed error message (from the tracing log) is:

 

DataMashup.Trace Information: 24579 : {
Start: 2018-06-04T17:21:28.2419252Z,

Action: PowerBIService/Authentication,

Message : Error: 2018-06-04T17:21:28.3305983Z: XXXXXXXX-XXXX-XXXX-XXXX-23129ab72b8c - AcquireTokenHandlerBase.cs: Microsoft.IdentityModel.Clients.ActiveDirectory.AdalException: Device Certificate was not found for Cert AuthoritiesSmiley SurprisedU=XXXXXXXX-XXXX-XXXX-XXXX-0950c1eaca97,CN=MS-Organization-Access,DC=windows,DC=net

at Microsoft.IdentityModel.Clients.ActiveDirectory.DeviceAuthHelper.FindCertificate(IDictionary`2 challengeData) 

at Microsoft.IdentityModel.Clients.ActiveDirectory.DeviceAuthHelper.<CreateDeviceAuthChallengeResponse>d__2.MoveNext()
--- End of stack trace from previous location where exception was thrown ---

   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()

   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

   at Microsoft.IdentityModel.Clients.ActiveDirectory.AdalHttpClient.<HandleDeviceAuthChallenge>d__24`1.MoveNext()

--- End of stack trace from previous location where exception was thrown ---

   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()

   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

   at Microsoft.IdentityModel.Clients.ActiveDirectory.AdalHttpClient.<GetResponseAsync>d__21`1.MoveNext()

--- End of stack trace from previous location where exception was thrown ---

  at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()

   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\

   at Microsoft.IdentityModel.Clients.ActiveDirectory.AdalHttpClient.<GetResponseAsync>d__20`1.MoveNext()

--- End of stack trace from previous location where exception was thrown ---

   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\

   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

   at Microsoft.IdentityModel.Clients.ActiveDirectory.AcquireTokenHandlerBase.<SendHttpMessageAsync>d__67.MoveNext()

--- End of stack trace from previous location where exception was thrown ---

   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()

   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

   at Microsoft.IdentityModel.Clients.ActiveDirectory.AcquireTokenHandlerBase.<SendTokenRequestAsync>d__64.MoveNext()

--- End of stack trace from previous location where exception was thrown ---

   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()

   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

   at Microsoft.IdentityModel.Clients.ActiveDirectory.AcquireTokenHandlerBase.<RunAsync>d__55.MoveNext()

ErrorCode: device_certificate_not_found,

ProductVersion: 2.58.5103.501 (PBIDesktop),

ActivityId: 00000000-0000-0000-0000-000000000000,

Process: PBIDesktop ,

Pid: 13364,

Tid: 27,

Duration: 00:00:00.0000318 }

Re: Unable to log-in because of missing device certificate

@Nender,

This would be my suggestion. 

1. Was PowerBI desktop working before ? If yes, then I would suggest connecting to a sample datasource such as a cvs by doing this you can determine that the issue is more so with the DataSource not the desktop.

2. Also can you let me know how you're connecting to the DataSource i.e which authenication mechanism it seem you're using some form windows authenication which is replying on AD hence the error of a missing cert.

 

Thank you,

Conarl_On_BI

Nender Frequent Visitor
Frequent Visitor

Re: Unable to log-in because of missing device certificate

Hi @Conarl_on_BI ,

 

First of all thanks for your reply. 

1. PowerBI desktop was working before, I am able to connect datasources without anny problem. 

2. I am able to log-in with a mail which is not in our domain (in PowerBI Desktop). But when I logging in with a email which is in our domain I am receiving this message. We are using our Office365 credentials for this (message is refering to the ADAL, this is the Azure Active Directory Library if I'm correct?). Is it possible to find-out which certificate is missing or which certificate PowerBI is trying to refering to?

 

I also just saw that some Microsoft.IdentityModel.Clients.ActiveDirectory.DeviceAuthHelper.dll 's are recently updated. Can this be related to this problem? Is PowerBI trying to reach the certificates with this dll? After a re-installation of PowerBI Desktop I am still receiving the same errors.

 

Thanks.

 

Best regards,

Nico

Re: Unable to log-in because of missing device certificate

@Nender,

 

Signing to Power BI desktop is really important when you're publishing your contents to the Power BI services. With that said you need to use the same UPN(Unique Principal Name i.e e-mail ID) that was used in creating your Power BI account to log into the Desktop or the Services. 
Before anything can work, the Local AD users need to be in sync with the respective Office 365 users. This can be done using Office 365 DirSync (no longer supported), or the Azure AD Connect application. This allows the synchronization of users’ email addresses, aliases, Service Principal Names, Distinguished Names, GUIDs and UDIDs, which will be needed to pass through and match authentication identifiers from Office 365 to DataSource.

Can let me know if you can log onto the Power BI service with the same UPN(e-mail ID) you're using for the desktop?

 

Thanks,

Conarl_On_BI

 

Nender Frequent Visitor
Frequent Visitor

Re: Unable to log-in because of missing device certificate

Hi @Conarl_on_BI ,

 

I am siging in with the same credentials as I do on the Services. Looks like the MS-Organization-Access certificate is never installed. I am only having this problem on our server. When I try to log-in with my crendentials on another network, I receive a message to accept the MS-Organization-Access certificate, it shows up in my certificates and am I able to log in. How can this certificate be blocked from installation, what can causing this issue?

 

Best regards,

Nico

Re: Unable to log-in because of missing device certificate

@Nender

If that is the case, then I believe you need admin privileges to be able to install things at the OS level. I would suggest you ask

someone from your IT team admin privileges install this access certificate for you. 

 

Thanks,

Conarl_On_BI

Nender Frequent Visitor
Frequent Visitor

Re: Unable to log-in because of missing device certificate

Hi all,

 

The IT guys solved the problem. The issue was a bug in the Microsoft Azure AD, related to Conditional Access Policies. Azure introduced a new “Device State” feature.  If you enable that feature it will apply on all users and devices even if the users/computers are not in scope.  After they disabled the feature instead of the whole policy everything worked as expected.

 

Thanks all for the help!