Bug Report: Certificate Authentication Fails with Passwordless Certificates
Context
This bug report is from Claude and I am a novice (who has an experienced human review code before deployment), so this may be flawed in some way. I thought it would be helpful to let you know, just in case.
Description
The MCP server's configuration validation logic incorrectly rejects valid certificate authentication when using passwordless certificates (such as those generated in Azure Key Vault).
Environment
- Node.js Version: 22.14.0
- MCP Server Version: Latest from main branch
- OS: Windows Server 2025
- Certificate Source: Azure Key Vault (passwordless certificate)
Steps to Reproduce
Primary Scenario: Cursor MCP Configuration (Fails with Empty Password)
- Create a certificate in Azure Key Vault without password protection
- Download and install the certificate locally
- Configure Cursor's
mcp.json:
{
"mcpServers": {
"sharepoint": {
"command": "node",
"args": ["(path to the server)\\server-sharepoint\\build\\src\\index.js"],
"env": {
"AZURE_APPLICATION_ID": "your-app-id",
"AZURE_APPLICATION_CERTIFICATE_THUMBPRINT": "your-thumbprint",
"AZURE_APPLICATION_CERTIFICATE_PASSWORD": "",
"M365_TENANT_ID": "your-tenant-id"
}
}
}
}
- Restart Cursor
- Result: MCP server reports "No tools, prompts, or resources" available
Workaround: Any Non-Empty Password Works
- Change the configuration to use any arbitrary password:
"AZURE_APPLICATION_CERTIFICATE_PASSWORD": "dummy"
(Or literally any string: "banana", "this-shouldnt-work-omg-lol-oops-its-fine-😂", etc.)
- Restart Cursor
- Result: Authentication succeeds and all SharePoint tools are registered
Additional Testing: Direct PowerShell Execution & MCP Inspector
The same behavior can be confirmed by running the server directly:
# Fails with empty password
$env:AZURE_APPLICATION_CERTIFICATE_PASSWORD = ""
node build/src/index.js
# Works with any non-empty password
$env:AZURE_APPLICATION_CERTIFICATE_PASSWORD = "literally-anything"
node build/src/index.js
Testing with MCP Inspector also confirms the server connects but reports "The connected server does not support any MCP capabilities" when using empty passwords.
**This behavior suggests the password validation is purely cosmetic and the actual authentication ignores the password field entirely for passwordless certificates.**literally-anything"
node build/src/index.js
**This behavior suggests the password validation is purely cosmetic and the actual authentication ignores the password field entirely for passwordless certificates.**
## Expected Behavior
The server should recognize valid certificate authentication credentials and register SharePoint tools.
## Actual Behavior
The server reports:
Azure Certificate Auth Credentials Available: No
Client Secret Auth Credentials Available: No
Using Client Secret Authentication
ERROR: Missing SharePoint credentials!
❌ SharePoint credentials are invalid. No tools will be registered.
## Root Cause
In `src/config.ts`, line ~60:
```typescript
const useAzureCert = Boolean(azureAppId && azureCertThumbprint && azureCertPassword);
The issue is that an empty string "" evaluates to false in JavaScript, causing the validation to fail even when valid credentials are present.
Workaround
Set a dummy password value:
$env:AZURE_APPLICATION_CERTIFICATE_PASSWORD = "dummy"
This allows the validation to pass, and authentication works correctly with the passwordless certificate.
Suggested Fix
Update the validation logic to properly handle passwordless certificates:
// Before (broken)
const useAzureCert = Boolean(azureAppId && azureCertThumbprint && azureCertPassword);
// After (fixed)
const useAzureCert = Boolean(azureAppId && azureCertThumbprint && (azureCertPassword !== undefined));
Or alternatively:
const useAzureCert = Boolean(azureAppId && azureCertThumbprint) && azureCertPassword !== undefined;
Impact
This affects users who follow Microsoft's recommended security practices by using passwordless certificates from Azure Key Vault. The current implementation forces users to either:
- Use the workaround with dummy passwords
- Switch to less secure client secret authentication
- Manually add passwords to their certificates
Additional Context
Azure Key Vault certificates are commonly generated without passwords as they're stored securely in the vault. The authentication process works correctly with these certificates - only the validation logic is flawed.
Human note: Thanks for your hard work with this project!! I'm excited to try it out!
Bug Report: Certificate Authentication Fails with Passwordless Certificates
Context
This bug report is from Claude and I am a novice (who has an experienced human review code before deployment), so this may be flawed in some way. I thought it would be helpful to let you know, just in case.
Description
The MCP server's configuration validation logic incorrectly rejects valid certificate authentication when using passwordless certificates (such as those generated in Azure Key Vault).
Environment
Steps to Reproduce
Primary Scenario: Cursor MCP Configuration (Fails with Empty Password)
mcp.json:{ "mcpServers": { "sharepoint": { "command": "node", "args": ["(path to the server)\\server-sharepoint\\build\\src\\index.js"], "env": { "AZURE_APPLICATION_ID": "your-app-id", "AZURE_APPLICATION_CERTIFICATE_THUMBPRINT": "your-thumbprint", "AZURE_APPLICATION_CERTIFICATE_PASSWORD": "", "M365_TENANT_ID": "your-tenant-id" } } } }Workaround: Any Non-Empty Password Works
Additional Testing: Direct PowerShell Execution & MCP Inspector
The same behavior can be confirmed by running the server directly:
Testing with MCP Inspector also confirms the server connects but reports "The connected server does not support any MCP capabilities" when using empty passwords.
**This behavior suggests the password validation is purely cosmetic and the actual authentication ignores the password field entirely for passwordless certificates.**literally-anything"
node build/src/index.js
Azure Certificate Auth Credentials Available: No
Client Secret Auth Credentials Available: No
Using Client Secret Authentication
ERROR: Missing SharePoint credentials!
❌ SharePoint credentials are invalid. No tools will be registered.
The issue is that an empty string
""evaluates tofalsein JavaScript, causing the validation to fail even when valid credentials are present.Workaround
Set a dummy password value:
This allows the validation to pass, and authentication works correctly with the passwordless certificate.
Suggested Fix
Update the validation logic to properly handle passwordless certificates:
Or alternatively:
Impact
This affects users who follow Microsoft's recommended security practices by using passwordless certificates from Azure Key Vault. The current implementation forces users to either:
Additional Context
Azure Key Vault certificates are commonly generated without passwords as they're stored securely in the vault. The authentication process works correctly with these certificates - only the validation logic is flawed.
Human note: Thanks for your hard work with this project!! I'm excited to try it out!