I have an add-in in Outlook that has the ReadWriteMailbox permissions, but when I call getCallbackTokenAsync({ isRest: false }, callback), the token I get back has no signature. Basically, the token I'm getting is in the format xxxxxx.yyyyyy (instead of xxxxxx.yyyyyy.ZZZZZZ).
This appears to have just started happening in the last 2 days, however, the last time I worked on this project was about 4 months ago so it may have started happening sometime before now, but I'm just now seeing the error.
The EWS server is Office 365 (https://outlook.office365.com/EWS/Exchange.asmx).
I have also noticed that calling getCallbackTokenAsync has returned the same token, minus the signature the last 2 days.
After almost pulling my hair out with this, I got it to work.
The original problem of getting an invalid JWT was the culmination of several problems (or suspected problems). The JWT was actually valid, although expired, but when I dumped the value out to the F12 tools console while debugging, the value was truncated to 1024 characters. I discovered that here: https://stackoverflow.com/a/27844847/4520915. The JWT was expired because it was using a token from the cache instead of requesting a new one from EWS. I fixed that by by closing Outlook, clearing IE's cache, and re-opening Outlook as suggested by the Outlook Add-ins Team - MSFT.
The issue now was getting EWS to accept the token because I kept getting a 401 error ("Access is denied. Check your credentials and try again."). I discovered this was because I was running the add-in and the subsequent Azure Function that it utilizes on localhost. Apparently, EWS doesn't like localhost. After deploying the add-in to a development environment, we all good.
Thanks to the Outlook Add-ins Team - MSFT for their help.
Related
On a Terminal Server 2012R2, when logging into login.microsoftonline.com on Internet Explorer 11 IE11
…this is what comes up.
Cookie error
The reason this is being tested in IE11 is that it was worked out, that is what Outlook is using for Modern Authentication. (I don't know why as i thought Office 2016 was supposed to use Edge for authentication?)
Internet Explorer settings that have been tried…
Advanced Page - Reset all settings
Security Page – all zones to lowest and Enabled Protected Mode off
Trusted Sites – all Microsoft sites added
Privacy Tab – “Accept all cookies”, Turn on Pop-up Blocked disabled, Microsoft sites added
Have uninstalled IE 11 and reinstalled using “dism” command.
When trying to setup Exchange Online O365 email account in Outlook 2013 (we have since installed 2016 to see if it by passes IE but same thing) it won’t allow you to get to the sign on page for modern authentication as it comes up with the “Script Error” message as well as the “blocked cookies” error message.
Outlook/Cookie error
*"We can't sign you in
Your browser is currently set to block cookies. You need to allow cookies to use this service.
Cookies are small text files stored on your computer that tell us when you're signed in. To learn how to allow cookies, check the online help in your web browser. "*
This happens with both the 2013 and 2016 version.
This has only been a problem since “Basic Authentication” was turned off permanently by Microsoft since Jan 24th. Previously Internet Explorer was not used in any capacity.
O365 emails were working fine in this environment previously using "Basic Authentication"
All i need to do is get the email accounts authenticated in Outlook so everyone can get back to work and once IE11 gets disabled in the next few weeks i hope to never have to deal with it again! Not sure if this authentication will change to Edge automatically with the coming Windows/Edge Update but we cant wait that long.
Thanks in advance
Other things i have tried....
Changed “Default Browser” multiple times.
Tested if cookies are enabled on all web browsers and IE11 is the only one that reports that they are disabled.
Have deleted cookies and browsing history.
Tried opening login.microsoftonline.com in compatibility mode IE11
Login.microsoftonline.com works in all other browsers
IE Enhanced Security Configuration has been turned off
I can see the message using network capture tool Microsoft Message Analyzer. I can see the I receive Kerberos error "KDC_ERR_C_PRINCIPAL_UNKNOWN: Client not found in Kerberos database".
I can see all parts of the message, I have been searching online and tried a few things and did not work.
But in order to understand the problem, what does the "client" mean here?
- Is it the Server / Computer that is requesting
- Is it the Application that is requesting
The error is for KRB_TGS_REQ which means that its requesting for a token.
Would be great if anyone could help understand, which I believe can lead to a resolution.
Added more Details:
We have a SharePoint farm setup with SQL Reporting Services (SharePoint Integrated mode) and Excel Services. We have a datasource defined in Sharepoint which are used in SSRS Reports and Excel Reports. We use Windows Authentication from Sharepoint to SQL. When we test connection on Sharepoint datasource we get an error which says Cannot convert Windows token to Claims token. On opening the reports in SSRS we also receive error.
Strange part is that it works for some users which is why I'm not sure how to tackle this issue. If its SQL Server previlage issue, we have assigned sys admin role, this user also added as admin in SSRS. If AD or SPN issue it must not work for all users not for individual users.
I can see successful KRB_TGS_REQ for an admin user but fails for a normal user. No clue what to look for.
Kerberos Message :
KRB_TGS_ERROR, KDC_ERR_C_PRINCIPAL_UNKNOWN: Client not found in Kerberos database, Cname: nothing, Realm: SUB.DOMAIN.COM, Sname: SP_SVC_ACT
Does this mean that the delegation is not working?
I have setup SSO with Netsuite and Azure using the following instructions:
https://azure.microsoft.com/en-us/documentation/articles/active-directory-saas-netsuite-tutorial/.
The SSO works for users from Office 365 to NetSuite, however if a user clicks on a NetSuite link in an email they receive an invalid SAML protocol message from Azure during authentication.
For example:
Email Link is
"https:\system.netsuite.com/app/accounting/transactions/purchord.nl?id=167770&c={ACCOUNT_ID}"
Get redirected to (by NetSuite)
"https:\login.windows.net/9621cdc8-e1c4-4a3c-849e-35be6db5a45e/saml2"
which then redirects to :
"https:\login.microsoftonline.com/9621cdc8-e1c4-4a3c-849e-35be6db5a45e/saml2?RelayState=https%3A%2F%2Fsystem.netsuite.com%2Fapp%2Faccounting%2Ftransactions%2Fpurchord.nl%3Fid%3D167770%26c%3D{ACCOUNT_ID}"
which generates error:
Sign In
Sorry, but we’re having trouble signing you in.
We received a bad request.
Additional technical information:
Correlation ID: a8ceee9f-8507-4f55-aa56-e65266bf7d92
Timestamp: 2016-04-13 05:18:07Z
AADSTS75005: The request is not a valid Saml2 protocol message.
Does anyone have any ideas how to get further details on the error, or fix it?
I recently came across this issue and found a solution that works for me.
Try using the following format
https://account.activedirectory.windowsazure.com/applications/signin/{AZURE NETSUITE - APPLICATION_ID}?RelayState=https%3A%2F%2F{NetSuite_Account#}.app.netsuite.com%2Fapp%2Faccounting%2Ftransactions%2Fpurchord.nl%3Fid%3D{Purchae_Order_Record_ID}
I hope this helps.
Recently I faced this issue with Azure SSO, link does not work it fails # the SSO provider's(Azure) login URL. Issue is not with the Netsuite it is sending the request for authentication to Azure but Azure could not authenticate the user even though user is logged into the AD. You can resolve this issue by syncing Azure AD and source of authority. Also make sure your Azure SSo is setup correctly -by running zure Active Directory Module for Windows PowerShell as an admin.
Good luck
I'm trying to use an Office 365 organizational SharePoint site as a storage point through the SharePoint REST API for docx files generated in a Rails app. I've registered the app through https://<domain>.sharepoint.com/_layouts/15/appregnex.aspx and obtained a client_id and client_secret. Using https://<domain>.sharepoint.com/_layouts/15/appinv.aspx, I gave the app the following permissions:
<AppPermissionRequests AllowAppOnlyPolicy="true">
<AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="FullControl" />
</AppPermissionRequests>
Using the oauth2 gem, I've so far managed to obtain an access token using client_credentials:
client = OAuth2::Client.new(<client_id>, <client_secret>, site: "https://<domain>.sharepoint.com", token_url: "https://login.windows.net/<tenant_id>/oauth2/token")
token = client.get_token(grant_type: "client_credentials", client_id: client.id, client_secret: client.secret, resource: "https://<domain>.sharepoint.com")
The client_credentials strategy seems to work, as a token is received. However, trying to use it results in failure.
token.get("/_api/web/title") returns OAuth2::Error: { "error_description" : "The server was unable to process the request due to an internal error. For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the <serviceDebug> configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework SDK documentation and inspect the server trace logs." }
RestClient.get("https://<domain>.sharepoint.com/_api/web/title", { "Authorization" => token.token }) returns RestClient::Unauthorized: 401 Unauthorized
I'm pretty much at my wits' end over this, and I'm this close to telling my boss that if it can somehow be done, I'm simply not knowledgeable enough to do it.
The IncludeExceptionDetailInFaults is a wcf service setting in the endpoint applications web.config. If you have access to the server https://.sharepoint.com then you can turn that on momentarily. Basically, this will send the exception trace dump to the client in the response. By default, any 500 status errors will come back with no information except for ...ooops an error occurred.
I don't know how that server is configured or that much about SharePoint at all. However, the error could be anything imaginable and not even related to oauth. Unless you can get the server log or have it spit back the exception then you are going to be spinning your wheels.
Very likely you don't have sufficient permissions. Try with different scopes.
I'm trying to connect from Team Explorer Everywhere command line client on Windows to a Team Foundation Service project at visualstudio.com, but I get "access denied" messages.
The username and password I'm passing are definitely correct, and are the email and password from my microsoft live ID used to create the account. I have no problems accessing the service through the website, or via Visual Studio 2012 on a different machine.
tf workspace /new /server:https://<something>.visualstudio.com/defaultcollection
Username: example#microsoft.com
Password: ********
Any ideas? One thought I had was that maybe the '#' character in the e-mail was causing the username to be interpreted as a Windows domain, or that maybe SSL wasn't being used correctly?
You cannot authenticate with a Live ID using the Team Explorer Everywhere command-line client. We cannot raise a web browser from the client and capture the Live ID authentication tokens in a secure way across platforms.
Instead, you need to set up alternate credentials as described at https://tfs.visualstudio.com/en-us/home/news/2012/aug-27/ .
If anyone is has received this error after March 18th 2014, this is because the password requirements for visualstudio.com have been tightened.
If all of a sudden you get this message 'Failed to erase credential: Element not found
fatal: Authentication failed for 'https://*.visualstudio.com/defaultcollection/_git/*/''
I was able to solve it by deleting my alternate credentials, and recreating them (at which point I also found out my old password wasn't usable anymore).