401 Unauthorized when accessing /messages api using client credentials grant flow


I have a mailbox on an on-prem Exchange server (which is in hybrid mode), abc@onprem.com, and I am trying to access it via the Graph API (/messages). This works perfectly if I do it in Graph Explorer, but fails when I do it via Postman.

The required application permission is granted in the Azure app registration portal. The implementation/Postman uses grant_type client_credentials with a certificate, and this works perfectly for cloud users.

Response of API

{ 'error': {
    'innerError': {
        'date': '2019-02-28T14:17:45', 
        'request-id': '6a85f8c3-4e13-4cf0-84b2-ddc934241afd'
    },
    'message': '', 
    'code': 'UnknownError'
    }}

IIS Logs

Added some headers like WWW-Authenticate for logging and found that the error below is what the on-prem IIS log records.

2019-03-04 04:05:13 172.31.10.98 GET /api/V2.0/Users('abc@onprem.com')/Messages &CorrelationID=;&cafeReqId=2823c302-3c84-4847-b586-accced4b6dd5; 443 - 20.190.145.177 PostmanRuntime/7.6.0 - 401 0 0 332 Bearer+eyJ0 blah blah.....blah blah.....hSd mail.onprem.com - - - Bearer+client_id="00000002-0000-0ff1-ce00-000000000000",+token_types="app_asserted_user_v1+service_asserted_app_v1",+authorization_uri="https://login.windows.net/common/oauth2/authorize",+error="invalid_token" 2000001;reason="This+token+profile+'V1S2SAppOnly'+is+not+applicable+for+the+current+protocol.";error_category="invalid_token"

  1. What would be the reason for this authentication failure?
  2. Is there something wrong with the client credentials grant flow (in Graph Explorer, since we sign in and then query, the auth flow might not be client credentials)? For Graph Explorer calls I see a cs-username like `S-1-5-21-1392771109-4043059535-3934338706-1147` in the IIS log, which doesn't appear for Postman calls.
  3. We are using a self-signed certificate on the Exchange server; can this lead to this issue? If so, I wonder how everything is working from Graph Explorer.
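The WWW-Authenticate challenge in the IIS log line above carries the diagnostic that matters (the `error`, the `reason` and the `token_types` the on-prem server will accept), and the access token itself shows whether it is app-only (a `roles` claim) or delegated (an `scp` claim), which is the distinction behind question 2. The Python below is an added example, not code from this thread or from Microsoft: it parses such a challenge and decodes the claims of a JWT without verifying it, purely for inspection. The challenge string is copied from the log line above with IIS's `+` turned back into spaces; the token is a constructed, unsigned sample and its `appid` is a placeholder.

```python
"""Diagnose an OAuth2 401 by parsing the WWW-Authenticate challenge and
inspecting (without verifying) the claims of the access token that was sent.
Added example; sample values are constructed or copied from the IIS log line
quoted in the question."""
import base64
import json
import re
from typing import Dict

# Bearer challenge as logged by on-prem Exchange in the question (IIS writes
# spaces as '+'; they are restored here). The ";reason=...;error_category=..."
# tail is Exchange's diagnostic suffix, not part of RFC 6750.
SAMPLE_CHALLENGE = (
    'Bearer client_id="00000002-0000-0ff1-ce00-000000000000", '
    'token_types="app_asserted_user_v1 service_asserted_app_v1", '
    'authorization_uri="https://login.windows.net/common/oauth2/authorize", '
    'error="invalid_token" 2000001;'
    'reason="This token profile \'V1S2SAppOnly\' is not applicable for the current protocol.";'
    'error_category="invalid_token"'
)

# Constructed app-only token claims (appid is a placeholder, not a real app).
SAMPLE_CLAIMS = {
    "aud": "https://graph.microsoft.com",
    "ver": "1.0",
    "appid": "00000000-0000-0000-0000-000000000000",
    "roles": ["Mail.Read"],
    "idtyp": "app",
}

_KV = re.compile(r'([A-Za-z_\-]+)="([^"]*)"')


def parse_bearer_challenge(header: str) -> Dict[str, str]:
    """Return every key="value" pair from a Bearer challenge, including the
    Exchange-specific reason/error_category suffix."""
    if not header.startswith("Bearer"):
        raise ValueError("not a Bearer challenge")
    return dict(_KV.findall(header))


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt_claims(token: str) -> dict:
    """Decode the payload of a JWT WITHOUT signature verification. Good for
    seeing which claims a token carries; never use it to authorize anything."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def make_sample_token(claims: dict) -> str:
    """Build an unsigned (alg=none) JWT so the example runs offline."""
    return f"{_b64url_encode({'alg': 'none', 'typ': 'JWT'})}.{_b64url_encode(claims)}."


def classify_token(claims: dict) -> str:
    """App-only (client_credentials) tokens carry 'roles' and no 'scp';
    delegated tokens carry 'scp'."""
    if "scp" in claims:
        return "delegated"
    if "roles" in claims:
        return "app-only"
    return "unknown"


def diagnose(challenge_header: str, token: str) -> dict:
    """Summarise what the server wanted next to what the client actually sent."""
    ch = parse_bearer_challenge(challenge_header)
    claims = decode_jwt_claims(token)
    return {
        "resource_client_id": ch.get("client_id"),
        "token_types_accepted": ch.get("token_types", "").split(),
        "error": ch.get("error"),
        "reason": ch.get("reason"),
        "token_kind": classify_token(claims),
        "token_version": claims.get("ver"),
        "token_audience": claims.get("aud"),
        "app_id": claims.get("appid") or claims.get("azp"),
    }


if __name__ == "__main__":
    print(json.dumps(diagnose(SAMPLE_CHALLENGE, make_sample_token(SAMPLE_CLAIMS)), indent=2))
```

Run against a real 401, the `reason` field is the first thing to read: here it names the token profile the on-prem server rejected, and `token_kind` confirms the client really sent an app-only token rather than the delegated one Graph Explorer would have used.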

2 Replies

@Karthik_Hebbar We are struggling with exactly the same. What I thought we could do was to use delegation (and using resource owner grant).

I am going to take a look into Exchange's binaries to see if I can figure out what needs to be done. What I found so far is that when you look at Get-PartnerApplications, there is Graph registered, but it doesn't have any AppOnlyPermissions set, which could be the issue (but as per the docs it is an internal field only for MS...).

@Karthik_Hebbar I have found the resolution, please see the following blog post if it helps: https://blog.thenetw.org/2019/05/13/using-client_credentials-with-microsoft-graph-in-hybrid-exchange-setup/