Skip to content

Certificate Authentication Fails with Passwordless Certificates #2

Description

@JCalles5

Bug Report: Certificate Authentication Fails with Passwordless Certificates

Context

This bug report is from Claude and I am a novice (who has an experienced human review code before deployment), so this may be flawed in some way. I thought it would be helpful to let you know, just in case.

Description

The MCP server's configuration validation logic incorrectly rejects valid certificate authentication when using passwordless certificates (such as those generated in Azure Key Vault).

Environment

  • Node.js Version: 22.14.0
  • MCP Server Version: Latest from main branch
  • OS: Windows Server 2025
  • Certificate Source: Azure Key Vault (passwordless certificate)

Steps to Reproduce

Primary Scenario: Cursor MCP Configuration (Fails with Empty Password)

  1. Create a certificate in Azure Key Vault without password protection
  2. Download and install the certificate locally
  3. Configure Cursor's mcp.json:
    {
      "mcpServers": {
        "sharepoint": {
          "command": "node",
          "args": ["(path to the server)\\server-sharepoint\\build\\src\\index.js"],
          "env": {
            "AZURE_APPLICATION_ID": "your-app-id",
            "AZURE_APPLICATION_CERTIFICATE_THUMBPRINT": "your-thumbprint", 
            "AZURE_APPLICATION_CERTIFICATE_PASSWORD": "",
            "M365_TENANT_ID": "your-tenant-id"
          }
        }
      }
    }
  4. Restart Cursor
  5. Result: MCP server reports "No tools, prompts, or resources" available

Workaround: Any Non-Empty Password Works

  1. Change the configuration to use any arbitrary password:
    "AZURE_APPLICATION_CERTIFICATE_PASSWORD": "dummy"
    (Or literally any string: "banana", "this-shouldnt-work-omg-lol-oops-its-fine-😂", etc.)
  2. Restart Cursor
  3. Result: Authentication succeeds and all SharePoint tools are registered

Additional Testing: Direct PowerShell Execution & MCP Inspector

The same behavior can be confirmed by running the server directly:

# Fails with empty password
$env:AZURE_APPLICATION_CERTIFICATE_PASSWORD = ""
node build/src/index.js

# Works with any non-empty password  
$env:AZURE_APPLICATION_CERTIFICATE_PASSWORD = "literally-anything"
node build/src/index.js

Testing with MCP Inspector also confirms the server connects but reports "The connected server does not support any MCP capabilities" when using empty passwords.

**This behavior suggests the password validation is purely cosmetic and the actual authentication ignores the password field entirely for passwordless certificates.**literally-anything"
node build/src/index.js


**This behavior suggests the password validation is purely cosmetic and the actual authentication ignores the password field entirely for passwordless certificates.**

## Expected Behavior
The server should recognize valid certificate authentication credentials and register SharePoint tools.

## Actual Behavior
The server reports:

Azure Certificate Auth Credentials Available: No
Client Secret Auth Credentials Available: No
Using Client Secret Authentication
ERROR: Missing SharePoint credentials!
❌ SharePoint credentials are invalid. No tools will be registered.


## Root Cause
In `src/config.ts`, line ~60:
```typescript
const useAzureCert = Boolean(azureAppId && azureCertThumbprint && azureCertPassword);

The issue is that an empty string "" evaluates to false in JavaScript, causing the validation to fail even when valid credentials are present.

Workaround

Set a dummy password value:

$env:AZURE_APPLICATION_CERTIFICATE_PASSWORD = "dummy"

This allows the validation to pass, and authentication works correctly with the passwordless certificate.

Suggested Fix

Update the validation logic to properly handle passwordless certificates:

// Before (broken)
const useAzureCert = Boolean(azureAppId && azureCertThumbprint && azureCertPassword);

// After (fixed)
const useAzureCert = Boolean(azureAppId && azureCertThumbprint && (azureCertPassword !== undefined));

Or alternatively:

const useAzureCert = Boolean(azureAppId && azureCertThumbprint) && azureCertPassword !== undefined;

Impact

This affects users who follow Microsoft's recommended security practices by using passwordless certificates from Azure Key Vault. The current implementation forces users to either:

  1. Use the workaround with dummy passwords
  2. Switch to less secure client secret authentication
  3. Manually add passwords to their certificates

Additional Context

Azure Key Vault certificates are commonly generated without passwords as they're stored securely in the vault. The authentication process works correctly with these certificates - only the validation logic is flawed.

Human note: Thanks for your hard work with this project!! I'm excited to try it out!

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions