Oauth in ServiceDesk Plus / AssetExplorer for Mail
SDP supports Oauth configuration for Office365 and GSuite mailboxes since build 11106. Office365 mailboxes can be configured with Oauth authentication using EWS (since build 11106) and IMAP / SMTP (since build 13005).
- O365 configuration using Oauth - https://help.servicedeskplus.com/configure-azure-as-authentication-server
- Gsuite configuration using Oauth - https://help.servicedeskplus.com/configure-gsuite-as-authentication-server
- Default configurations of O365 and Gsuite - https://help.servicedeskplus.com/default-mail-server-configurations
- Oauth FAQs - https://help.servicedeskplus.com/oauth-faqs
Checklists
1. Follow the steps in the corresponding configuration doc linked above.
2. Make sure the hostname in the redirect URL is the same as the hostname in the URL used to access the application.
3. If a proxy is required for the application server to connect to the Internet, configure the proxy in the application and enable it in the mail server settings.
4. Once the mail server settings are saved with Oauth, a popup is prompted. Enter the credentials of the mailbox configured in the application (or choose that mailbox's login) rather than your personal account. If a personal account is chosen and fetching is started, mails from that personal account will be fetched into the application.
Troubleshooting
Issue: Getting the below alert after entering the mailbox credentials in the popup.
Reason: The client secret configured in the application is incorrect. Either the value is wrong (for example, copied from a different application) or the secret ID value was configured in the client secret field instead of the secret value.
Resolution: The text under "Value" should be configured in the client secret field. If this value was not stored anywhere (it is viewable once and masked after that), create a new client secret and configure it in the application.
Issue: Security issue after entering the mailbox credential in the Oauth popup
Reason: The above error occurs because a few extra parameters, such as 'error' and 'error_description', are being passed back from the Auth server. This happens when Oauth isn't properly configured.
Issue: After entering the mailbox credentials in the popup dialog, the popup doesn't close and lands on the application's login page.
Reasons:
1. Check whether the URL used to access the application has the same hostname as the redirect URL in the mail server settings page. If the URLs differ, the above issue occurs. Access the application using the same URL as the redirect URL; this should fix the issue.
2. In some environments, due to the "SameSite" attribute on application cookies, the popup lands on the application login page. Execute the below query from Reports tab >> New query report >> Enter the below SQL query and click "Run report":
- select * from globalconfig where parameter like 'SAMESITECOOKIE';
The value in the "paramvalue" column of the SAMESITECOOKIE row should be "none" (case insensitive), as shown in the image below.
If the value isn't "none", execute the below update query and restart the application service.
- update globalconfig set paramvalue='none' where parameter like 'SAMESITECOOKIE' and category like 'SECURITY_SETTINGS';
Now clear all cookies of the application in the browser, log in, and try saving the settings. If the issue still persists, recreate the issue once and contact support@servicedeskplus.com with the logs and the result of the first SQL query (the select query).
Refer to the "Troubleshooting from logs (serverout file)" section below for troubleshooting similar issues from logs.
Need admin approval
Issue: After entering the credentials of the mailbox in the Oauth popup, the "Need admin approval" message is shown.
Reason: In your organization, users aren't allowed to consent to applications, so admin consent is needed to approve access to the organisation's data (mailbox).
Resolution: Go to Azure portal >> App registrations >> Application configured for SDP >> API Permissions (left panel) >> Grant admin consent for all the permissions.
Click on Grant admin consent.
Connectivity issue
Read timed out / Connection timed out
Issue: Getting read/connection timed out after entering the credentials of the mailbox in the Oauth popup.
Reason: One possible reason is that the application server cannot reach the token URL / hostname / connect URL internally because of a proxy. If a proxy server is configured in your environment (say, in the browser), the authorisation URL will work (using the browser's proxy settings), but the token URL will not, because the call to the token URL is made internally by the application server. This throws the above error.
Resolution: Configure the proxy settings in the application. Refer to Proxy settings (servicedeskplus.com). Once configured in the application, check the proxy option in the mail server settings and save.
Expected JSON, not HTML
Issue: After entering the credentials of the mailbox in the popup, a failure alert is shown with the message below.
Reason: After the mailbox credentials are entered in the Oauth popup, the application receives an authorization code. Using that code, the application tries to generate tokens via the configured Token URL. A successful response from a proper Token URL is in JSON format. If the Token URL is misconfigured, the application may receive something other than JSON (for example, an HTML page) instead of the tokens, and throws an error similar to the above screenshot.
Resolution: Check whether the Token URL is properly configured. Please refer to the Admin guide to know about Token URL configuration.
If the issue persists with a proper Token URL, recreate the issue once and contact support@servicedeskplus.com with the following:
2. Screenshot of mail server settings (share the complete value of the Token URL explicitly)
3. Screenshot of Application Endpoints in the Azure portal (as shown in the Admin guide)
Invalid Client ID
Issue: After entering the credentials of the mailbox in the Oauth popup, the error in the below screenshot is thrown.
Reason: The error code "AADSTS700016" corresponds to an incorrect Application (Client) ID for the logged-in mailbox's directory.
Resolution: Ensure the Client ID value configured in the application is correct. Please refer to the Admin guide to know about the Client ID configuration. If the issue persists with a proper Client ID, contact support@servicedeskplus.com with the following:
1. Screenshot of the error in the Oauth popup
2. Screenshot of mail server settings of SDP (incoming / outgoing setting in which the error is faced)
3. Screenshot of the Overview tab of the corresponding application in the Azure portal, as shown in the Admin guide.
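The callback and token-exchange failures described in the "Security issue", "Expected JSON, not HTML" and "Invalid Client ID" sections above can be told apart mechanically from what comes back on the redirect URL and from the Token URL. The following is an added example, not SDP's own code; the response bodies are constructed samples modelled on the error text this page quotes, and the client identifier inside them is a placeholder.

```python
import json
from urllib.parse import parse_qs, urlparse

# Constructed samples modelled on the failures described on this page; they are
# not real responses captured from Azure AD or from ServiceDesk Plus.
SAMPLE_HTML_BODY = "<html><body>Sign in to your account</body></html>"
SAMPLE_INVALID_CLIENT_BODY = json.dumps({
    "error": "unauthorized_client",
    "error_description": "AADSTS700016: Application with identifier "
                         "'00000000-0000-0000-0000-000000000000' was not found "
                         "in the directory (constructed sample).",
    "error_codes": [700016],
})
SAMPLE_OK_BODY = json.dumps({"token_type": "Bearer", "access_token": "constructed"})


def classify_callback(redirect_url):
    """Inspect the query string the authorization server appended to the
    redirect URL. A healthy callback carries 'code'; 'error' plus
    'error_description' is the case behind the "Security issue" alert."""
    q = parse_qs(urlparse(redirect_url).query)
    if "error" in q:
        return ("AUTH_ERROR", q["error"][0], q.get("error_description", [""])[0])
    if "code" in q:
        return ("CODE_RECEIVED", None, None)
    return ("UNEXPECTED", None, None)


def classify_token_response(content_type, body):
    """Classify what the Token URL returned for the code exchange.
    Anything that is not JSON (typically an HTML sign-in or error page)
    means the Token URL itself is wrong; JSON carrying AADSTS700016 means
    the Client ID does not exist in the mailbox's directory."""
    if "application/json" not in content_type.lower():
        return ("EXPECTED_JSON_NOT_HTML", None)
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return ("MALFORMED_JSON", None)
    if "access_token" in data:
        return ("OK", None)
    codes = data.get("error_codes", [])
    if 700016 in codes or "AADSTS700016" in data.get("error_description", ""):
        return ("INVALID_CLIENT_ID", "AADSTS700016")
    return ("TOKEN_ERROR", data.get("error"))
```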
PKIX path building failed
Issue: The above alert is thrown once the Oauth popup closes (after successfully entering mailbox credentials / choosing the mailbox).
Reason: An SSL inspection certificate may be in use in your environment (a certificate issued by an internal CA is presented for the "login.microsoftonline.com" domain), so the application cannot build a trusted certificate path to that host.
Invalid Client
Issue: The above alert is thrown once the Oauth popup closes (after successfully entering mailbox credentials / choosing the mailbox).
Reason: The redirect URL configured in the Azure portal is misconfigured (configured under a different platform instead of "Web"); for example, it is configured under "Mobile and desktop applications" as below.
Resolution: Delete the entry from the other platform, add the redirect URL under the "Web" platform and save the settings. Then try configuring the mailbox in the application again.
Troubleshooting from logs (serverout file)
Troubleshooting errors based on the information shown in the product UI is discussed above. This section discusses troubleshooting errors from the application log file (logs\serverout(x).txt). To access the log file in the UI, login as "SDAdmin" and navigate to "Community" >> "View Logs" >> serverout0.txt.
Issue: After entering mailbox credentials in the Oauth popup, the login page of the application is shown.
Reason: Below are the possible reasons.
1. Search for "UNAUTHORIZED_CORS_REQUEST" in the serverout0.txt file for the "OauthServlet" URL. Entries like the following indicate that the cross-origin request from the login host was blocked:
- [14:06:08:349]|[07-26-2022]|[com.adventnet.iam.security.SecurityResponseWrapper]|[SEVERE]|[70]: CORS request "/servlet/OauthServlet" from origin : "https://login.microsoftonline.com" is not allowed|
- [14:06:08:349]|[07-26-2022]|[com.adventnet.iam.security.IAMSecurityException]|[INFO]|[70]: IAMSecurityException ErrorCode: UNAUTHORIZED_CORS_REQUEST, RequestURI: "/servlet/OauthServlet", RemoteAddr: "172.xx.xx.xx", Referrer: "https://login.microsoftonline.com/"|
Resolution: Login as "SDAdmin". Navigate to Security Settings >> Advanced. Check whether the "Referrer-Policy" security response header is configured as strict-origin-when-cross-origin. If so, remove the security response header (or) add the url https://login.microsoftonline.com as the value for the security response header "allow-control-origin". If no "Referrer-Policy" header was configured, contact support@servicedeskplus.com with the logs and a screenshot of Advanced Security Settings.
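A small scanner for the serverout pattern above, as an added example that is not part of the product or of this article: it pulls every blocked CORS request against OauthServlet out of a log excerpt and lists the rejected origins, which is the value the resolution above says to allow. The log text is a constructed sample copied from the excerpt and padded with one unrelated line; the timestamp layout it parses is the one visible in those lines.

```python
import re

# Constructed sample modelled on the serverout0.txt excerpt above (the last
# line is filler to show that unrelated entries are ignored).
SAMPLE_LOG = """\
[14:06:08:349]|[07-26-2022]|[com.adventnet.iam.security.SecurityResponseWrapper]|[SEVERE]|[70]: CORS request "/servlet/OauthServlet" from origin : "https://login.microsoftonline.com" is not allowed|
[14:06:08:349]|[07-26-2022]|[com.adventnet.iam.security.IAMSecurityException]|[INFO]|[70]: IAMSecurityException ErrorCode: UNAUTHORIZED_CORS_REQUEST, RequestURI: "/servlet/OauthServlet", RemoteAddr: "172.xx.xx.xx", Referrer: "https://login.microsoftonline.com/"|
[14:06:09:100]|[07-26-2022]|[com.example.Unrelated]|[INFO]|[71]: scheduler tick|
"""

# Line layout seen in the excerpt: [time]|[date]|[logger]|[level]|[n]: message|
LINE_RE = re.compile(
    r"^\[(?P<time>[^\]]+)\]\|\[(?P<date>[^\]]+)\]\|\[(?P<logger>[^\]]+)\]"
    r"\|\[(?P<level>[^\]]+)\]\|\[\d+\]: (?P<msg>.*)$")
CORS_RE = re.compile(
    r'CORS request "(?P<uri>[^"]+)" from origin : "(?P<origin>[^"]+)" is not allowed')
IAM_RE = re.compile(
    r'ErrorCode: (?P<code>\w+), RequestURI: "(?P<uri>[^"]+)".*Referrer: "(?P<ref>[^"]*)"')


def find_oauth_cors_blocks(log_text):
    """Return one record per blocked CORS request against OauthServlet."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = f"{m.group('date')} {m.group('time')}"
        msg = m.group("msg")
        c = CORS_RE.search(msg)
        if c and c.group("uri").endswith("/OauthServlet"):
            hits.append({"ts": ts, "kind": "blocked_cors",
                         "uri": c.group("uri"), "origin": c.group("origin")})
            continue
        e = IAM_RE.search(msg)
        if (e and e.group("code") == "UNAUTHORIZED_CORS_REQUEST"
                and e.group("uri").endswith("/OauthServlet")):
            hits.append({"ts": ts, "kind": "iam_exception",
                         "uri": e.group("uri"), "referrer": e.group("ref")})
    return hits


def origins_to_allow(hits):
    """Distinct origins that were rejected for OauthServlet. Only the
    identity provider's login host is expected here; anything else in this
    list deserves a look before it is added as an allowed origin."""
    return sorted({h["origin"] for h in hits if h["kind"] == "blocked_cors"})
```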