OAuth2 Microsoft Not Working: Page 7

OAuth2 Microsoft Not Working

atahaynah

i have a problem with configuring remote mail box , after submitting all my entries the application keeps loading endlessly .
SMTP is working pretty great can you please hint me what mistake might be happened ?

KevinTheJedi

atahaynah

You’ll need to check your logs for any related errors.

Cheers.

atahaynah

KevinTheJedi

this is the error that i am receiving
/Osticket/scp/ajax.php/email/4/auth/config/mailbox/oauth2:msmail:1 Failed to load resource: the server responded with a status of 500 ()

Request URL: https://"localserver"/osTicket/scp/ajax.php/email/4/auth/config/mailbox/oauth2:msmail
Request Method: POST
Status Code: 500
Remote Address: **********:443
Referrer Policy: strict-origin-when-cross-origin

atahaynah

KevinTheJedi

it worked for now with fresh installation of App and Plugin .

now when configuring Remote Mailbox
cannot connect to host ; error = fsockopen(): Unable to connect to outlook.office365.com:143 (A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond) (errno = 0 )

DvDaf

Hi All,

I configured OAuth2 with osTicket 1.17 (1d8b790) with Microsoft AzureAD per the osTicket documentation Documentation

The logs within AD was indicating that the end-user was successfully authenticating, however it kept redirecting back to the login page! It turns out that the cURL SSL certificate for PHP was missing. After installing the certificates, the authentication worked fine!

Try these steps, hopefully it'll save someone an headache!

Open up your PHP.ini configuration.
Ensure you have your CA cert installed for cURL. You can also use this one for testing Certificate
Place the certificate within a directory which PHP has READ access to.
Edit your PHP.ini configuration and point to the .PEM certificate files (see entry below).

curl.cainfo = "C:\PHP\v8_1_11\certs\cacert.pem"
openssl.cafile= "C:\PHP\v8_1_11\certs\cacert.pem"

Restart Internet Information Services (IIS).

Staging Server Configuration:
osTicket Version: v1.17 (1d8b790)
Web Server: Microsoft-IIS/10.0
MySql: 5.7.17
PHP version: 8.1.11

mika_y

DvDaf Thx mate! That did it! I had added CA cert file and edited php.ini file, adding line

curl.cainfo = "C:\PHP\v8_1_11\certs\cacert.pem"

but I was missing the second one,

openssl.cafile= "C:\PHP\v8_1_11\certs\cacert.pem"

I also thought I was editing the right .ini file, but after double checking I realized it was using a different .ini since our server is full of PHP folders of older installations. Now everything seems to be working properly.

lstrom

KevinTheJedi
DvDaf

Can confirm that this has not fixed my issue. I have been working with MS support as well, but they have not been able to see any issues with my app registration or other parts of the setup.

toann

DvDaf

Thank you so much. It worked for me.

For future reference, I set up osTicket with IIS and Window Server 2019. I was struggling with this error because I wasn't too familiar with language in the php.ini file. As the solution, I removed the semicolon in the front of curl.cainfo to uncommented it.

Kind regards,

megatronic79

Hi,

I have managed to get this to work fine when users can consent, however, when the admin consent request is enabled i keep getting the following after it's been approved and redirected. (Rewrite is correct on Apache2 and working)

This is returned from Azure.
=AADSTS65004%3a+User+declined+to+consent+to+access+the+app.

Ive tried the fixes mentioned above:

grant admin consent twice, once on the API Permissions and again under Enterprise Applications > click app > click Permissions > grant admin consent.

However, the same occurs.

I've just tried this on a separate tenancy's with the same admin flow to replicate the issues and I see the same.

Has anyone else seen this or have any insight to get this to work?

I can of course give that user admin rights and it succeeds but I cannot do this in a production environment.

Thanks.

KevinTheJedi

megatronic79

User+declined+to+consent+to+access+the+app. as the error states a User denied the consent to the app. You will need to consent in order to get a Token.

Cheers.

megatronic79

KevinTheJedi

Thats the prob thou, user cannot do that, it's sent to the admin for approval.

When the approval is done BY the admin the user clicks on the return and redirects back to osticekts, however it seems you are dropping the client-side approval... hence the returned message from azure. The user cannot do any more than that, and all settings are applied on the azure side.

I've tested this on two separate tenancies. if I turn of the approval flow it works as expected, when it's on this part breaks it doesn't appear you can complete the auth.

megatronic79

In this specific backend scenario - are you able to test on ur instance?

KevinTheJedi

megatronic79

Yea that won't work, you'll need to allow them access to grant consent. We have some updates coming soon that shouldn't force prompt=consent which might help in your case. In the meantime you can download the plugin raw files from github, hydrate them, and make the change yourself to not force the prompt or you can wait for the next set of updates to be released.

Cheers.

megatronic79

KevinTheJedi

thanks mate! will give that a crack. appreciate the quick response.

megatronic79

KevinTheJedi

I changed consent to login and rehydrated, I can confirm it works as expected in this stricter setup.

Thanks for your help, mate.

travisn

@KevinTheJedi having a similar issue. After O365 auth is complete, i click 'save' and it gives this message. I've triple checked to verify imap/pop still enabled on the account and followed your guide for the O365 Aure AD application. A little stuck

KevinTheJedi

travisn

Then you’ll need to contact MS for further assistance.

Cheers.

travisn

KevinTheJedi Changing to pop and 993 gives an error saying : last request failed

KevinTheJedi

travisn

Because port 993 is IMAP, not POP.

Cheers.

travisn

KevinTheJedi Whoops. Its Monday. Changing it to IMAP (still 993) gives "AUTHENTICATE failed." And this is after getting through the O365 auth process.

KevinTheJedi

travisn

Then either you didn’t configure the App in Azure correctly which you can follow our documentation to ensure you did everything correctly or you need to contact MS for further assistance.

Cheers.

KevinTheJedi

lstrom

Your initial issue was that URL Rewriting is not enabled on your webserver or if it is it's not running correctly. Did you ever solve that issue?

Cheers.

« Previous Page Next Page »