客户端凭据令牌不适用于本地交换服务器。 [英] Client credentials token is not working for on-prem exchange server.
问题描述
在混合设置中,如果客户端凭据授予类型用于获取令牌,并且该令牌用于获取本地用户消息(https://graph.microsoft.com/v1.0/users('onpremuser@onpremdomain) .com')/ messages /)使用graph api它失败了提供UnknownError。
在IIS日志上调试时显示的错误是"此令牌配置文件'V1S2SAppOnly'是不适用于现行议定书。" error_category = QUOT; INVALID_TOKEN" ;.摆脱 'V1S2SAppOnly' 的错误,我去,并添加当前web.config文件的V1S2SAppOnly纳的AppSettings
在C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\rest\web .config
< add key =" OAuthHttpModule.Profiles"值= QUOT; S2SAppActAs | S2SAppOnly | V1AppActAs | V1AppOnly |回拨| V1S2SActAs | V1S2SAppOnly | CallbackV2" />
$
此后错误消失了,现在我在IIS日志中看到如下所示的新错误
<登记/>
HeaderName =英寸×毫秒的诊断" ;, HeaderValue = QUOT; 2000008;原因= QUOT;令牌应该与合作伙伴应用程序"00000003-0000-0000-C000-相关联的有效权限或关联的帐户000000000000'。" ;; error_category =" invalid_grant"",
Replace =" false"。但是解码后的令牌(jwt.io)有角色。
{
"aud":" https://graph.microsoft.com/" ;,
"iss":" https://sts.windows.net/ea6064aa-d6fc-48d3-abb8-1728e1f39e0b/" ;,
"iat":1552900163,
"nbf":1552900163,
"exp":1552904063,
"aio":" 42JgYHhwRC7Jf9HECQFuBmlfT + t0AgA =",
" app_displayname":" newtestapp",$
" appid":" fb461318-f95f-474f-9451-ad6b9952a5fe",
" appidacr":" 2",
" idp" ;:\"https://sts.windows.net/ea6064aa-d6fc-48d3-abb8-1728e1f39e0b/" ;,
"oid":" 301eb6c0-478a-407c-9493-7fa40c4cf9bc",
"角色":[
&NBSP; "Mail.ReadWrite",
&NBSP; "Mail.Read",
&NBSP; "Mail.Send"
],
"sub":"301eb6c0-478a-407c-9493-7fa40c4cf9bc","
"tid":"" ea6064aa-d6fc-48d3-abb8-1728e1f39e0b",
"uti":"XLiJVT7T8Eir7FsLkkvWAA","
"ver":"1.0","
" xms_tcdt" ;:1550570031
}
观察:
1.一切都适用于云用户
2.如果使用ROPC或授权代码auth flow,我可以检索该用户的邮件。
如何使Graph API调用(/ messages)与客户端凭证Oauth流一起工作?
您是否配置了内部部署Exchange服务器,以使用混合现代身份验证进行用户身份验证和授权。 请参阅以下文档 -
In hybrid setup if client credentials grant type is used to get token and if that token is used to get on-prem user messages (https://graph.microsoft.com/v1.0/users('onpremuser@onpremdomain.com')/messages/) using graph api it fails by providing UnknownError.
When debugged on IIS logs error shown was "This token profile 'V1S2SAppOnly' is not applicable for the current protocol." error_category="invalid_token". To get rid of 'V1S2SAppOnly' error i went and added V1S2SAppOnly uner appsettings
of web.config file present at C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\rest\web.config
<add key="OAuthHttpModule.Profiles" value="S2SAppActAs|S2SAppOnly|V1AppActAs|V1AppOnly|Callback|V1S2SActAs|V1S2SAppOnly|CallbackV2" />
After this the error was gone and now i am seeing new error like below in IIS log
HeaderName="x-ms-diagnostics", HeaderValue="2000008;reason="The token should have valid permissions or linked account associated with partner application '00000003-0000-0000-c000-000000000000'.";error_category="invalid_grant"",
Replace="false". But however decoded token (jwt.io) has roles.
{
"aud": "https://graph.microsoft.com/",
"iss": "https://sts.windows.net/ea6064aa-d6fc-48d3-abb8-1728e1f39e0b/",
"iat": 1552900163,
"nbf": 1552900163,
"exp": 1552904063,
"aio": "42JgYHhwRC7Jf9HECQFuBmlfT+t0AgA=",
"app_displayname": "newtestapp",
"appid": "fb461318-f95f-474f-9451-ad6b9952a5fe",
"appidacr": "2",
"idp": "https://sts.windows.net/ea6064aa-d6fc-48d3-abb8-1728e1f39e0b/",
"oid": "301eb6c0-478a-407c-9493-7fa40c4cf9bc",
"roles": [
"Mail.ReadWrite",
"Mail.Read",
"Mail.Send"
],
"sub": "301eb6c0-478a-407c-9493-7fa40c4cf9bc",
"tid": "ea6064aa-d6fc-48d3-abb8-1728e1f39e0b",
"uti": "XLiJVT7T8Eir7FsLkkvWAA",
"ver": "1.0",
"xms_tcdt": 1550570031
}
Observations :
1. Everything works perfectly for cloud users
2. If ROPC or Authorization code auth flow is used i am able to retrieve that user's mail.
How to make Graph API calls (/messages) work for on prem with client credentials Oauth flow ?
Have you configured your on-premises Exchange server to use Hybrid Modern Authentication for user authentication and authorization. Please refer to the below documentations on the same -
这篇关于客户端凭据令牌不适用于本地交换服务器。的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!