OAuth2 error

Moderator: crythias

zerszenyi
Znuny newbie
Posts: 17
Joined: 27 Sep 2021, 12:41
Znuny Version: 6.0
Real Name: Zoltan Erszenyi

OAuth2 error

Post by zerszenyi »

Hi,

This topic has been touched lots of times, but it still lacks a clear list of requirements.

Followed https://www.znuny.org/en/blog/modern-au ... -microsoft to the letter, read other posts in this forum and tried their suggested solutions, yet I am still unable to fetch email. The logs show "2 bad user is authenticated but not connected", which means that:
1. I have successfully obtained a token
2. I have successfully authenticated
3. Have no rights to access the mailbox

My setup:
- Dedicated, fully licensed mailbox (NOT a shared mailbox with delegated access)
- Security Baseline disabled
- No Conditional Access Policies
- MFA is disabled on the mailbox
- IMAP access is allowed org-wide
- IMAP access is enabled on the mailbox
- Steps in above blog followed to the letter

Please provide a working and verified configuration with *all* moving parts.
Thank you.
root
Administrator
Posts: 3968
Joined: 18 Dec 2007, 12:23
Znuny Version: Znuny and Znuny LTS
Real Name: Roy Kaldung
Company: Znuny
Contact:

Re: OAuth2 error

Post by root »

Hi,

Is the user who obtains the initial token in the UI the mailbox user or someone else? This user is the one who requires access to the mailbox.

- Roy
Znuny and Znuny LTS running on CentOS / RHEL / Debian / SLES / MySQL / PostgreSQL / Oracle / OpenLDAP / Active Directory / SSO

Use a test system - always.

Do you need professional services? Check out https://www.znuny.com/

Do you want to contribute or want to know where it goes ?
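A diagnostic for the mismatch root asks about, as an added example that is not part of the thread and not Znuny code: it reads the user named in an access token and compares it with the mailbox the mail account fetches, then builds the SASL XOAUTH2 string that IMAP sends. It assumes the access token is a JWT carrying a `upn`, `preferred_username` or `unique_name` claim; the function names and the example.com addresses are constructed for illustration.

```python
import base64
import json
from typing import Optional


def token_identity(access_token: str) -> Optional[str]:
    """Return the user named in the token payload (signature is NOT verified)."""
    parts = access_token.split(".")
    if len(parts) != 3:
        return None  # opaque or malformed token: nothing to inspect
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    if not isinstance(claims, dict):
        return None
    # Assumed claim names; which one is present depends on the token version.
    for name in ("upn", "preferred_username", "unique_name"):
        if claims.get(name):
            return str(claims[name])
    return None


def check_mailbox_token(mailbox_user: str, access_token: str) -> str:
    """Compare the token's user with the mailbox the mail account fetches."""
    owner = token_identity(access_token)
    if owner is None:
        return "unknown: token carries no readable user claim"
    if owner.lower() != mailbox_user.lower():
        return f"mismatch: token issued to {owner}, mailbox is {mailbox_user}"
    return "ok"


def xoauth2_string(mailbox_user: str, access_token: str) -> str:
    """Build the SASL XOAUTH2 initial response used with IMAP AUTHENTICATE."""
    raw = f"user={mailbox_user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode()).decode()


def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned sample token for offline runs (not a real token)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    tok = make_sample_token({"upn": "admin@example.com"})  # constructed sample
    print(check_mailbox_token("helpdesk@example.com", tok))
```

Access tokens are credentials: run a check like this only on the test system and keep the token out of logs and tickets.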

Re: OAuth2 error

Post by zerszenyi »

Hi Roy,

Thank you for the quick reply, that was the issue indeed.

Three problems though:

1. It is a nicely written blog, however it is incomplete without the detail you've just given me. From what I can see there are lots of admins on this forum frustrated by OAuth2 problems. It only takes one additional line in the blog to streamline the setup, taking the guesswork out of the whole process, saving their time, and yours too because there will be fewer admins asking the same questions time and again. A note should also be made about disabling MFA on the mailbox, Security Baseline constraints (no longer relevant but worth mentioning), Conditional Access Policies that may regulate access, and enabling IMAP org-wide as well as on the mailbox. The same should be added to the documentation as well at https://doc.znuny.org/znuny_lts/admin/a ... index.html

2. If I use the wrong account to get the token, how do I delete the wrong token and force authentication with the correct account?

3. I wanted to delete and re-create from scratch my OAuth2 token configuration. There seems to be no option to delete it. Once created, you're stuck with it. It can be edited, but how about deleting it?

Re point 1, I am thinking of something like this:

OAuth2 - Missing Step in Blog.png

... and in the documentation also:

OAuth2 - Missing Clarification in Documentation.png

Thanks again and have a great day :)

Re: OAuth2 error

Post by root »

Hi,

Let me answer one by one:

1.) This is not related to Znuny, it is related to OAuth2 and Microsoft. Do not expect us to cover documentation that is part of the OAuth2 provider (MS). I'll put it on the list too, but can't make a promise.

2. & 3.) As long as the token is used (see mailboxes) you can't delete the token. But you can create a new token with the same settings, just another name.

- Roy