Hello,
I have installed version 3.6.0 of the extension: Mail to ticket automation.
Since today, I have this error:
Failed to initialize the mailbox: support@xxxxxx.fr. Reason: cannot change folder, maybe it does not exist
I only have it for this mailbox.
I didn't find anything wrong with it.
Any idea?
Have you tried generating a new OAuth 2.0 token?
Yes, I have already tested this solution.
Hi Emmanuel, in which iTop version are you?
iTop 2.7.7 is already compatible with OAuth, and iTop 3.0.2, which is about to be released to the community in the next few days, is as well.
The last version of the MailToTicket Automation extension includes an update to use OAuth authentication for IMAP.
This means that if you need to use OAuth with this extension, you will have to upgrade to either iTop 2.7.7 or 3.0.2.
HTH
Delphine
Hello Delphine
I have already updated iTop to version 2.7.7.
I have already installed the latest version of the MailToTicket Automation extension.
It was already working but since Monday I have one of the mailboxes that is in error.
The second mailbox has no problem only the first one.
Best regards
Emmanuel
Hi Emmanuel,
It seems iTop can't access the folder specified in your Mailbox object. Did you check that the value is correct?
Regards
Stephen
Hi Stephen
Yes, I checked.
It's the same directory as the second mailbox.
That's why I don't understand what's going on.
Regards
Emmanuel
Is the second mailbox pointing to the same mailbox server, the same folder with the same protocol as the first one?
yes, absolutely
Hello,
I found out what the problem was.
In the application registration configuration, in the Authentication part,
under "Implicit grant and hybrid flows":
Select the tokens you want issued by the authorization endpoint:
Access tokens (used for implicit flows)
ID Tokens (used for implicit and hybrid flows)
I had selected this option:
Access tokens (used for implicit flows)
This was the only setting that was different from the second mailbox.
Regards,
Emmanuel
Hi,
Glad you fixed it :)
Thanks for providing your solution, it might help others!
Regards
Stephen
I'm also getting this error, switching token options in Azure AD didn't help.
I can generate my access token no problem.
I can access the mailbox using IMAP with basic auth fine.
Same setup with OAuth causes the error "Failed to initialize the mailbox: **@****.onmicrosoft.com. Reason: cannot change folder, maybe it does not exist"
In the "Mailbox (for IMAP)" field, I've tried leaving it blank and using 'Inbox' (which is what the basic auth IMAP mailbox is using) with the same result.
Is there anywhere else I can check to see what's happening? Thanks!
I'm still hitting a wall with the IMAP / OAuth config to get tickets into iTop. I tried changing our Azure configs around several times, re-assigned the service principal permissions to the mailbox, etc. I just don't know where to look to find out where the issue is! Any help would be great.
Some examples of how others set up their OAuth/IMAP using Azure and O365 would be really helpful.
At the bottom of Combodo's documentation, it explains how to add more logging for the OAuth authentication itself. Have you checked that out and enabled that log file?
I did and am seeing the error 'BAD User is authenticated but not connected.' which some Googling indicated may be related to a missing Client Access Rule to enable IMAP so I've added the rule and will wait the 24 hours and see if it helps.
I've actually also seen this issue when the account used to create the OAuth token simply didn't have the correct mailbox permissions set on MS O365.
I am at the same point and getting the same error. We, however, are not multi-tenant.
Really stuck
Have you verified if the account that you used to generate the OAuth 2.0 token has the proper privileges on the mailbox itself?
Hi Jeffrey
Yes,
We have tested the principal with a completely separate implementation in Python for accessing and processing IMAP-based email for a non-iTop-related application.
Our problem (I believe) is due to us needing to specify the tenant ID.
I have edited the code to include our tenant ID rather than "common".
I can successfully generate a token, but I see that the IMAPOAuthEmailSource and other supporting libraries such as
lib/thenetworg/oauth2-azure/src/Provider/Azure.php
sources/Core/Authentication/Client/OAuth/OAuthClientProviderAzure.php
have the tenant ID hard-coded as "common", and there isn't any way to override this without code changes, and these libraries don't have any debugging.
We can get the token successfully in the OAuth client for Microsoft Azure but are unable to authenticate and retrieve mail using the OAuth 2.0 Mail Inbox
I have spent most of the week going through this, and comparing with the working model
Some more details here https://sourceforge.net/p/itop/discussion/integrating-itop/thread/8008eb2263/
Last edit: Tim Hoffman 2022-12-02
Just as a reference for others (as Tim already participated in the ticket), using a non-multi-tenant application is not possible for now: see [#2107].
Related tickets: #2107
I decided after no progress trying to utilise an explicit tenant ID (necessitating changing code in two different libraries), I gave up and decided to set up the service account as multi-tenant, and rolled back any changes to code reflecting the tenant ID (reverting back to common).
And unfortunately still cannot read mail using IMAP (can always generate a token)
2022-12-05 14:38:49 | Debug | 2 | IMAPOAuthEmailSource Start for outlook.office365.com | OAuth |||
2022-12-05 14:38:50 | Debug | 2 | IMAP Sending: TAG1 AUTHENTICATE XOAUTH2 dXNlcj1zdmMtaXR<snipped>| OAuth |||
2022-12-05 14:38:50 | Debug | 2 | IMAP Oauth sending AUTHENTICATE XOAUTH2 user=svc-itopemail@rct-global.com auth=Bearer <snipped> | OAuth |||
2022-12-05 14:38:50 | Debug | 2 | IMAP Receive: TAG1 BAD Command received in Invalid state. | OAuth |||
2022-12-05 14:38:50 | Debug | 2 | IMAP Oauth receiving BAD Command received in Invalid state.
| OAuth |||
2022-12-05 14:38:50 | Error | 2 | Unable to authenticate for IMAP for provider Error: BAD Command received in Invalid state.
| OAuth |||
2022-12-05 14:38:50 | Error | 2 | Cannot login to IMAP OAuth for mailbox outlook.office365.com | OAuth |||
2022-12-05 14:38:50 | Debug | 2 | IMAP Sending: TAG2 LOGOUT | OAuth |||
2022-12-05 14:38:50 | Debug | 2 | IMAP Receive: * BYE Microsoft Exchange Server IMAP4 server signing off. | OAuth |||
2022-12-05 14:38:50 | Debug | 2 | IMAP Receive: TAG2 OK LOGOUT completed. | OAuth |||
2022-12-05 14:38:50 | Error | 2 | Failed to initialize the mailbox: svc-itopemail@rct-global.com. Reason: cannot login, user or tokens | IssueLog |||
Just don't seem to be able to make progress on this.
It's a concern because Microsoft is turning off basic auth for IMAP starting in January 2023.
Honestly, I applaud anyone that has gotten this to work.
We've been struggling with it since September; looped-in the devs from iTop (who were gracious enough to answer my emails and respond timely, thank you!), looped in our Microsoft support team, configured and re-configured and sadly never got the IMAP connection to work.
Due to this issue and this issue alone, after six years we've had to move to Freshservice because they have implemented OAuth in a way that works easily; I literally just had to be logged in as the user we wanted to have set up for IMAP, click a button, done.
I would recommend the iTop devs take a look at how others are implementing OAuth and simplify their process. I wish we didn't have to change...
Hello,
Sorry to see you go :/
Having a subscription contract would have definitively helped here. To my knowledge no clients had any service interruption on their Office 365 mailboxes.
And Combodo also has a SaaS service.
Plus, iTop being open source, anyone can contribute or propose ideas... If anyone has tips for any better implementation, they're more than welcome!
Regards
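
For the case reported above, where a token is issued but `AUTHENTICATE XOAUTH2` is still refused, this added Python example (not part of the thread, and not iTop or Combodo code) rebuilds and decodes the XOAUTH2 initial response seen in the debug log and checks the token's claims. The accepted audiences, the `IMAP.AccessAsUser.All` / `IMAP.AccessAsApp` permission names and the assumption that the access token is a JWT follow Microsoft's Exchange Online conventions rather than anything stated on this page; the sample token and addresses are constructed.

```python
import base64
import json

# Assumption: audiences Exchange Online accepts for IMAP access tokens.
IMAP_AUDIENCES = {"https://outlook.office365.com", "https://outlook.office.com"}

def build_xoauth2(user, token):
    """Base64 SASL XOAUTH2 initial response: user=<u>^Aauth=Bearer <t>^A^A."""
    raw = f"user={user}\x01auth=Bearer {token}\x01\x01"
    return base64.b64encode(raw.encode()).decode()

def parse_xoauth2(b64):
    """Decode an initial response back into its user/auth fields."""
    raw = base64.b64decode(b64).decode()
    if not raw.endswith("\x01\x01"):
        raise ValueError("missing ^A^A terminator")
    return dict(part.split("=", 1) for part in raw[:-2].split("\x01"))

def jwt_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature (diagnosis only)."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def diagnose(b64):
    """Return findings explaining why an issued token may still be refused by IMAP."""
    fields = parse_xoauth2(b64)
    claims = jwt_claims(fields["auth"].removeprefix("Bearer "))
    findings = []
    if str(claims.get("aud", "")).rstrip("/") not in IMAP_AUDIENCES:
        findings.append(f"aud={claims.get('aud')} is not an Exchange Online audience")
    if ("IMAP.AccessAsUser.All" not in claims.get("scp", "").split()
            and "IMAP.AccessAsApp" not in claims.get("roles", [])):
        findings.append("no IMAP permission in scp/roles")
    upn = claims.get("upn") or claims.get("preferred_username")
    if upn and upn.lower() != fields["user"].lower():
        findings.append(f"{upn} needs mailbox permissions on {fields['user']}")
    return findings

def fake_jwt(claims):
    """Constructed, unsigned sample token; real tokens must stay out of logs."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"

if __name__ == "__main__":
    # Constructed case: token issued for another API, by a different account.
    bad = fake_jwt({"aud": "https://graph.microsoft.com", "scp": "User.Read",
                    "upn": "svc@example.com"})
    for finding in diagnose(build_xoauth2("helpdesk@example.com", bad)):
        print("-", finding)
```

The decoded initial response contains the bearer token in clear, so debug logs that record the `AUTHENTICATE XOAUTH2` line should be redacted before sharing, as was done in the log above.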