KevinTheJedi

That's the problem though, the user cannot do that, it's sent to the admin for approval.

When the approval is done BY the admin the user clicks on the return and redirects back to osTicket, however it seems you are dropping the client-side approval... hence the returned message from Azure. The user cannot do any more than that, and all settings are applied on the Azure side.

I've tested this on two separate tenancies. If I turn off the approval flow it works as expected; when it's on, this part breaks and it doesn't appear you can complete the auth.

megatronic79

Yea that won't work, you'll need to allow them access to grant consent. We have some updates coming soon that shouldn't force prompt=consent which might help in your case. In the meantime you can download the plugin raw files from github, hydrate them, and make the change yourself to not force the prompt or you can wait for the next set of updates to be released.

Cheers.

    @KevinTheJedi having a similar issue. After O365 auth is complete, I click 'save' and it gives this message. I've triple checked to verify IMAP/POP is still enabled on the account and followed your guide for the O365 Azure AD application. A little stuck.

      KevinTheJedi Whoops. It's Monday. Changing it to IMAP (still 993) gives "AUTHENTICATE failed." And this is after getting through the O365 auth process.

        travisn

        Then either you didn’t configure the App in Azure correctly which you can follow our documentation to ensure you did everything correctly or you need to contact MS for further assistance.

        Cheers.

          KevinTheJedi

          I changed consent to login and rehydrated, I can confirm it works as expected in this stricter setup.

          Thanks for your help, mate.

          KevinTheJedi

          This is the error that I am receiving:
          /Osticket/scp/ajax.php/email/4/auth/config/mailbox/oauth2:msmail:1 Failed to load resource: the server responded with a status of 500 ()

          Request URL: https://"localserver"/osTicket/scp/ajax.php/email/4/auth/config/mailbox/oauth2:msmail
          Request Method: POST
          Status Code: 500
          Remote Address: **********:443
          Referrer Policy: strict-origin-when-cross-origin

          KevinTheJedi

          It worked for now with a fresh installation of the App and Plugin.

          Now, when configuring the Remote Mailbox:
          cannot connect to host ; error = fsockopen(): Unable to connect to outlook.office365.com:143 (A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond) (errno = 0 )

          KevinTheJedi
          DvDaf

          Can confirm that this has not fixed my issue. I have been working with MS support as well, but they have not been able to see any issues with my app registration or other parts of the setup.

            DvDaf

            DvDaf

            Thank you so much. It worked for me.

            For future reference, I set up osTicket with IIS and Windows Server 2019. I was struggling with this error because I wasn't too familiar with the language in the php.ini file. As the solution, I removed the semicolon in front of curl.cainfo to uncomment it.

            Kind regards,

            lstrom

            Your initial issue was that URL Rewriting is not enabled on your webserver or if it is it's not running correctly. Did you ever solve that issue?

            Cheers.

              KevinTheJedi

              Sorry, I do not mean to be obtuse. This is fairly new territory for me. I have looked at a number of other posts in these forums and I am seeing the rewrite rules that others have shown:

              Testing the "HTTP api" rule, I get the following result:

              So that seems to be in line with the result of being sent to the main /portal page.

              I'm guessing I may need to edit the rule to point to the agent panel or admin panel, is that thought in the right direction?

                lstrom

                No, we ship with web.config that your IIS should be loading but appears is not. You need to figure out why that file isn’t being loaded.

                @ntozier Do you know how to force IIS to load the web.config properly?

                Cheers.

                  KevinTheJedi

                  Okay, so the appearance of the rules does not indicate that the web.config file is loading. Good to know, thank you.

                  Does this have a solution? No matter what I try, I end up with:

                  Sorry, but we’re having trouble signing you in.
                  AADSTS9002325: Proof Key for Code Exchange is required for cross-origin authorization code redemption.

                    KevinTheJedi Looks like I had the URLs messed up - I didn't know that URL and was "randomly" trying whatever I found in the forum.
                    However, this still doesn't work for me - after accepting the Microsoft-side popup, osTicket shows: "invalid_client".

                      mangoo

                      Then you didn’t configure something right in your Email Config. Please post a screenshot and censor any sensitive info.

                      Cheers.

                        mangoo

                        For the Client ID did you use the Application (client) id from Azure? Also, for the Client Secret did you use the Secret Value or Secret ID from Azure? You should be using the Secret Value from Azure.

                        Cheers.

                          KevinTheJedi

                          For the Client ID did you use the Application (client) id from Azure?

                          Yes.

                          Also, for the Client Secret did you use the Secret Value or ID from Azure?

                          Yes.

                          You should be using the Secret Value from Azure.

                          Both answers - yes.

                            mangoo

                            No you are pointing to the Secret ID which is not correct. You need to use the Secret Value.

                            Cheers.

                            mangoo

                            It is VALUE! Not Secret ID. Sorry, I was blind. Seems working now!

                            mailbox: OAuth2 Authorization Successful

                              mangoo Also, had to do this to enable SMTP:

                              https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/authenticated-client-smtp-submission

                              Use the Microsoft 365 admin center to enable or disable SMTP AUTH on specific mailboxes

                              Open the Microsoft 365 admin center and go to Users > Active users.
                              
                              Select the user, and in the flyout that appears, click Mail.
                              
                              In the Email apps section, click Manage email apps.
                              
                              Verify the Authenticated SMTP setting: unchecked = disabled, checked = enabled.
                              
                              When you're finished, click Save changes.

                              Otherwise, was getting:

                              5.7.139 Authentication unsuccessful, SmtpClientAuthentication is disabled for the Tenant. Visit https://aka.ms/smtp_auth_disabled for more information. [AM5PR0502CA0017.eurprd05.prod.outlook.com]

                              KevinTheJedi
                              @ntozier

                              Just following up on this after the weekend. I am no IIS guru, but I did stumble upon the "configuration search" tool in the Configuration Editor and gathered the screenshot below. This appears to show that it is using the web.config shipped with OsTicket, but my attempts to learn how to verify this have not yielded anything to this point.

                                Hi Kevin,
                                Appreciate the time you're taking here! I'm getting the issue where it appears I've successfully logged in (indeed, that's what the AAD logs say), but on the redirect with the token (.../api/auth/oauth2?code=0.AXQAR4n2dbeGy0mhH85OSahebLL3...) I end up at an nginx 404 page.

                                So, not an AAD issue; however, I am running osTicket in an Azure WebApp... Using the supplied web.config, App Service logs showing stuff like:

                                2022-10-24T17:45:28.614356442Z NOTICE: PHP message: PHP Deprecated: Return type of CachedResultSet::offsetSet($a, $b) should either be compatible with ArrayAccess::offsetSet(mixed $offset, mixed $value): void, or the #[\ReturnTypeWillChange] attribute should be used to temporarily suppress the notice in /home/site/wwwroot/include/class.orm.php on line 1754
                                2022-10-24T17:45:28.642531468Z NOTICE: PHP message: PHP Deprecated: Return type of CachedResultSet::offsetUnset($a) should either be compatible with ArrayAccess::offsetUnset(mixed $offset): void, or the #[\ReturnTypeWillChange] attribute should be used to temporarily suppress the notice in /home/site/wwwroot/include/class.orm.php on line 1751
                                2022-10-24T17:45:28.642629669Z NOTICE: PHP message: PHP Deprecated: Return type of ModelInstanceManager::getIterator() should either be compatible with IteratorAggregate::getIterator(): Traversable, or the #[\ReturnTypeWillChange] attribute should be used to temporarily suppress the notice in /home/site/wwwroot/include/class.orm.php on line 2002
                                2022-10-24T17:45:28.642641569Z NOTICE: PHP message: PHP Deprecated: Return type of CallbackSimpleIterator::current() should either be compatible with Iterator::current(): mixed, or the #[\ReturnTypeWillChange] attribute should be used to temporarily suppress the notice in /home/site/wwwroot/include/class.orm.php on line 2046
                                2022-10-24T17:45:28.642655270Z NOTICE: PHP message: PHP Deprecated: Return type of CallbackSimpleIterator::next() should either be compatible with Iterator::next(): void, or the #[\ReturnTypeWillChange] attribute should be used to temporarily suppress the notice in /home/site/wwwroot/include/class.orm.php on line 2051
                                2022-10-24T17:45:28.642664670Z NOTICE: PHP message: PHP Deprecated: Return type of CallbackSimpleIterator::key() should either be compatible with Iterator::key(): mixed, or the #[\ReturnTypeWillChange] attribute should be used to temporarily suppress the notice in /home/site/wwwroot/include/class.orm.php on line 2036
                                2022-10-24T17:45:28.642673270Z NOTICE: PHP message: PHP Deprecated: Return type of CallbackSimpleIterator::valid() should either be compatible with Iterator::valid(): bool, or the #[\ReturnTypeWillChange] attribute should be used to temporarily suppress the notice in /home/site/wwwroot/include/class.orm.php on line 2040
                                2022-10-24T17:45:28.642682770Z NOTICE: PHP message: PHP Deprecated: Return type of CallbackSimpleIterator::rewind() should either be compatible with Iterator::rewind(): void, or the #[\ReturnTypeWillChange] attribute should be used to temporarily suppress the notice in /home/site/wwwroot/include/class.orm.php on line 2031
                                2022-10-24T17:45:28.642693670Z NOTICE: PHP message: PHP Deprecated: Return type of FlatArrayIterator::getIterator() should either be compatible with IteratorAggregate::getIterator(): Traversable, or the #[\ReturnTypeWillChange] attribute should be used to temporarily suppress the notice in /home/site/wwwroot/include/class.orm.php on line 2076
                                2022-10-24T17:45:28.642702970Z NOTICE: PHP message: PHP Deprecated: Return type of HashArrayIterator::getIterator() should either be compatible with IteratorAggregate::getIterator(): Traversable, or the #[\ReturnTypeWillChange] attribute should be used to temporarily suppress the notice in /home/site/wwwroot/include/class.orm.php on line 2099
                                2022-10-24T17:45:28.642727470Z NOTICE: PHP message: PHP Deprecated: Return type of BaseMessageStorage::getIterator() should either be compatible with IteratorAggregate::getIterator(): Traversable, or the #[\ReturnTypeWillChange] attribute should be used to temporarily suppress the notice in /home/site/wwwroot/include/class.message.php on line 186

                                Any thoughts on this? I'm no PHP guy, so any guidance appreciated.

                                KevinTheJedi

                                Should be, yet no dice. Are you able to confirm what the URL should come back as for a working instance? I can only get it to redirect to the portal without changing how the rule is written.

                                  lstrom

                                  The URL should be correct it's just your webserver is not rewriting the URL to match. Once it's rewritten it should have http.php in between /api/ and /auth/ so /api/http.php/auth/oauth2?blah_blah.

                                  Cheers.

                                    KevinTheJedi

                                    Thank you again for your patience. It ended up being the YOURLs rewrite rule I had referenced prior had priority and had a wider scope, thus matching the redirect URI. Sending that URL rewrite rule to the bottom so that the API rule is processed first did indeed solve my issue.

                                    So, of course, Azure Web Apps running Linux/PHP don't use the web.config file, and have recently started using nginx as the webserver technology... I don't suppose anyone has the rewrite rules specified in the web.config in nginx format?

                                    <?xml version="1.0" encoding="UTF-8"?>
                                    <configuration>
                                    
                                        <system.webServer>
                                            <directoryBrowse enabled="false" />
                                            <rewrite>
                                                <rules>
                                                    <rule name="HTTP api" stopProcessing="true">
                                                        <match url="^(.*/)?api/(.*)$" ignoreCase="true"/>
                                                        <conditions>
                                                            <add input="{REQUEST_FILENAME}" matchType="IsFile"
                                                                ignoreCase="false" negate="true" />
                                                            <add input="{REQUEST_FILENAME}" matchType="IsDirectory"
                                                                ignoreCase="false" negate="true" />
                                                        </conditions>
                                                        <action type="Rewrite" url="{R:1}api/http.php/{R:2}"/>
                                                    </rule>
                                                    <rule name="Site pages" stopProcessing="true">
                                                        <match url="^(.*/)?pages/(.*)$" ignoreCase="true"/>
                                                        <conditions>
                                                            <add input="{REQUEST_FILENAME}" matchType="IsFile"
                                                                ignoreCase="false" negate="true" />
                                                            <add input="{REQUEST_FILENAME}" matchType="IsDirectory"
                                                                ignoreCase="false" negate="true" />
                                                        </conditions>
                                                        <action type="Rewrite" url="{R:1}pages/index.php/{R:2}"/>
                                                    </rule>
                                                    <rule name="Staff applications" stopProcessing="true">
                                                        <match url="^(.*/)?scp/apps/(.*)$" ignoreCase="true"/>
                                                        <conditions>
                                                            <add input="{REQUEST_FILENAME}" matchType="IsFile"
                                                                ignoreCase="false" negate="true" />
                                                            <add input="{REQUEST_FILENAME}" matchType="IsDirectory"
                                                                ignoreCase="false" negate="true" />
                                                        </conditions>
                                                        <action type="Rewrite" url="{R:1}scp/apps/dispatcher.php/{R:2}"/>
                                                    </rule>
                                                </rules>
                                            </rewrite>
                                            <defaultDocument>
                                                <files>
                                                    <remove value="index.php" />
                                                    <add value="index.php" />
                                                </files>
                                            </defaultDocument>
                                        </system.webServer>
                                        
                                    </configuration>
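To make the posted web.config rules concrete (and the earlier point that a correctly rewritten callback has http.php between /api/ and /auth/), here is an added Python model of the three rewrite rules. It is not code from osTicket or from anyone in this thread. It reproduces the `^(.*/)?api/(.*)$`-style matches, the first-match-wins behaviour of `stopProcessing="true"`, and the IsFile/IsDirectory conditions, so you can check what an OAuth2 redirect URI such as `/api/auth/oauth2?code=...` becomes once the rewrite fires. The host name, the `existing_paths` set and the query value are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# The three rules from the posted web.config, as (name, match pattern, rewrite target).
# IIS matches the pattern against the URL path without the leading slash and without the
# query string; the {R:n} back-references of the <action> element become \n here.
RULES = [
    ("HTTP api",           r"^(.*/)?api/(.*)$",      r"\1api/http.php/\2"),
    ("Site pages",         r"^(.*/)?pages/(.*)$",    r"\1pages/index.php/\2"),
    ("Staff applications", r"^(.*/)?scp/apps/(.*)$", r"\1scp/apps/dispatcher.php/\2"),
]


def rewrite(url, existing_paths=frozenset()):
    """Apply the web.config rules to one request URL.

    existing_paths is a constructed stand-in for the IsFile/IsDirectory conditions: the
    set of site-relative paths that really exist on disk. A request that maps to one of
    them is served as-is, which is what negate="true" on those two conditions means.
    Returns (rule_name, rewritten_path_with_query); rule_name is None if no rule fired.
    """
    parts = urlsplit(url)
    rel = parts.path.lstrip("/")
    query = "?" + parts.query if parts.query else ""
    if rel.rstrip("/") in existing_paths:
        return None, parts.path + query
    for name, pattern, target in RULES:
        m = re.match(pattern, rel, flags=re.IGNORECASE)  # ignoreCase="true"
        if m:
            # stopProcessing="true": the first matching rule wins. An unmatched
            # optional group expands to "" (Python 3.5+), like an empty {R:1}.
            return name, "/" + m.expand(target) + query
    return None, parts.path + query


def oauth_callback_hits_dispatcher(url):
    """True when the OAuth2 redirect URI ends up on api/http.php, i.e. the rewrite worked."""
    _, path = rewrite(url)
    return "/api/http.php/auth/oauth2" in path


if __name__ == "__main__":
    # Constructed sample callback, in the shape of the one quoted earlier in the thread.
    sample = "https://helpdesk.example.invalid/osTicket/api/auth/oauth2?code=CONSTRUCTED"
    print(rewrite(sample))
    # A request for a real file is left alone, matching the negated IsFile condition.
    print(rewrite("https://helpdesk.example.invalid/osTicket/api/http.php",
                  existing_paths=frozenset({"osTicket/api/http.php"})))
```

If `oauth_callback_hits_dispatcher` returns True for your redirect URI but the live server still 404s, the rules themselves are fine and the problem is that the web server is not loading them (or another rule with a wider match runs first), which is the situation described above for both IIS and the nginx-based Azure Web App.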

                                      parisb

                                      Someone posted their NGINX config in one of the threads. You'll have to search around to find it.

                                      Cheers.

                                        I cannot for the life of me figure out how to make my test 365 email account be able to automatically consent to add the app when prompted. Every time I am prompted to submit for consent. And when I select "return to app" after requesting consent, it starts all over when I try again.

                                        I even tried making app consent wide open for all users, and it still sent this up for admin consent. I have granted admin consent under the app config and in Enterprise Applications.

                                        Can someone help me get over this hump - do I need to assign some admin role to the test user?

                                          Just thought I'd throw my findings in the ring here. I updated osTicket yesterday and set up the OAuth plugin. We had the issue where an agent signs in, and it redirects to the homepage. I knew it wasn't a problem with the setup as it worked fine for me, and at least one other agent, just not the rest. I checked the email fields matched up and was stumped otherwise. As a last resort, I went to assign the user a password so they could login locally. They were told they had maxed out their attempts so I thought I'd solved the issue! I changed the maximum attempt fields and the user then got an "Access denied" message. I went to the user account and changed it from "Use any available backend" to "Local authentication". User could sign in. Then I thought I wonder what happens if I change it to use "Microsoft" authentication, and then it worked! The strange thing is, everyone is set up to "Use any available backend" and as I said, it works for at least 2 of us.

                                          We previously used the LDAP plugin and whether this had some kind of effect on things, I don't know. It was disabled before I changed the authentication over anyway. Hopefully this might help other people who are in my position!