Problem
After renewing the root CA (ucsCA) of the system, you receive the following error message when setting up Office 365 with a new Azure connection.
You will find the complete error message in the following log files:
/var/log/univention/management-console-module-office365.log
/var/log/univention/listener.log
> request body: client_id=67c9c997-3893-4e8a-a724-ee0e85526e9b&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion=eyJhbGciOiAiUlMyNTYiLCAieDV0IjogIlpPQmtTdTVsTk9acktodnlBeElTK29KcW9FQT1cbiJ9.eyJzdWIiOiAiNjdjOWM5OTctMzg5My00ZThhLWE3MjQtZWUwZTg1NTI2ZTliIiwgImlzcyI6ICI2N2M5Yzk5Ny0zODkzLTRlOGEtYTcyNC1lZTBlODU1MjZlOWIiLCAianRpIjogImI0Yjg2ZTliLWY4ZmMtNGFiYi05YmJlLTg2NDljNmM0NDkxZSIsICJleHAiOiAxNzIwMTcyMDUyLCAibmJmIjogMTcyMDE3MTE1MiwgImF1ZCI6ICJodHRwczovL2xvZ2luLm1pY3Jvc29mdG9ubGluZS5jb20vZjhmN2NkZWYtNWI5NS00NWY5LTgzMTctY2NiMTA0MjQ5MGY3L29hdXRoMi92Mi4wL3Rva2VuIn0.vuIvVFhHrYadb4e2vg5fmxugrOnNF-98BsBH2A3yqHWDX2Tok6J98YpzjLxHuNEx6-1rmIpKdR4jBfbjPGyJozbtAMhXCurLOqA0dfVxf6rhcSuEG4DVw4xkI_LyS0TA8vn-hn5Qwnc68eUBs2G9TBjYx6AxHdvjcZc893sXUwlpPtXGuWc7GuI_aS0npdsn8uFsMvpJtrMURId_m9dxASO_a20HsuJFBsxYtzzF20PWjuuzQ5FXefGRNUECO94OMxeA_4aw79uz7YsSseO5YPT4lD5wr6X7FYmofcq91iKW-SRfJ1_SUmHFQx3nZT8YM_2-j8-wjvrZa4D4eVATLg&grant_type=client_credentials&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default
> response header: {
"Cache-Control": "no-store, no-cache",
"Pragma": "no-cache",
"Content-Type": "application/json; charset=utf-8",
"Expires": "-1",
"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
"X-Content-Type-Options": "nosniff",
"P3P": "CP=\"DSP CUR OTPi IND OTRi ONL FIN\"",
"x-ms-request-id": "2d40fd8d-be3f-4671-bfed-01b0048b3300",
"x-ms-ests-server": "2.1.18399.9 - NEULR1 ProdSlices",
"x-ms-srs": "1.P",
"X-XSS-Protection": "0",
"Set-Cookie": "fpc=AhXdrAiGkKRIjjifQQKTjNzvX_POAQAAALGyGd4OAAAA; expires=Sun, 04-Aug-2024 09:24:02 GMT; path=/; secure; HttpOnly; SameSite=None, x-ms-gateway-slice=estsfd; path=/; secure; samesite=none; httponly, stsservicecookie=estsfd; path=/; secure; samesite=none; httponly",
"Date": "Fri, 05 Jul 2024 09:24:01 GMT",
"Content-Length": "1126"
}
> response body: {
"error": "invalid_client",
"error_description": "AADSTS700027: The certificate with identifier used to sign the client assertion is not registered on application.
Reason - The key was not found., Thumbprint of key used by client: '64E0644AEE6534E66B2A1BF2031212FA826AA040', Please visit the Azure Portal,
Graph Explorer or directly use MS Graph to see configured keys for app Id '67c9c997-3893-4e8a-a724-ee0e85526e9b'. Review the documentation at
https://docs.microsoft.com/en-us/graph/deployments to determine the corresponding service endpoint and https://docs.microsoft.com/en-us/graph/api/application-get?view=graph-rest-1.0&tabs=http to build a query request URL,
such as 'https://graph.microsoft.com/beta/applications/67c9c997-3893-4e8a-a724-ee0e85526e9b']. Trace ID: 2d40fd8d-be3f-4671-bfed-01b0048b3300 Correlation ID: 66033860-3137-45eb-8c31-956f95dbed94 Timestamp: 2024-07-05 09:24:02Z",
"error_codes": [700027],
"timestamp": "2024-07-05 09:24:02Z",
"trace_id": "2d40fd8d-be3f-4671-bfed-01b0048b3300",
"correlation_id": "66033860-3137-45eb-8c31-956f95dbed94",
"error_uri": "https://login.microsoftonline.com/error?code=700027"
}
Environment
univention-app info
UCS: 5.0-x
Installed: office365=5.10
Upgradable:
Solution
1. Check whether the certificate of your Office 365 connection is still valid.
openssl x509 -noout -dates -in /etc/univention-office365/cert.pem
notBefore=Apr 19 11:27:00 2019 GMT
notAfter=Apr 18 11:27:00 2024 GMT
root@ucs5:/etc/univention-office365# ls -lah
insgesamt 52K
drwx------ 2 listener root 4,0K Jul 3 17:08 .
drwx------ 6 listener root 4,0K Jul 5 11:32 ..
-r-------- 1 listener root 29 Jul 25 2019 cert.fp
-r-------- 1 listener root 5,5K Jul 25 2019 cert.pem
-r-------- 1 root root 5,5K Jul 3 17:08 cert.pem.bak
-rw------- 1 listener root 3 Jan 18 2021 ids.json
-r-------- 1 listener root 1,7K Jul 25 2019 key.pem
-rw------- 1 listener root 1,4K Jan 10 2020 token.json
If the certificate has expired, renew it as described in the following article.
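The AADSTS700027 response above tells you which key Azure AD rejected: the thumbprint in error_description is the hex form of the x5t value in the header of the client_assertion JWT, which in turn should be the SHA-1 fingerprint of the connector's cert.pem. The script below is an added example (not part of this article and not Univention code) that ties those three values together so you can see whether the connector signed with the certificate it currently has on disk, or whether Azure simply does not know the renewed certificate yet. The JWT header segment and the error text are taken from the log excerpt above; FAKE_PEM and the function names are constructed for this example, and the reading of cert.fp as the base64 SHA-1 fingerprint is an assumption.

```python
import base64
import hashlib
import json
import re
from typing import Optional

# Header segment of the client_assertion JWT from the listener.log excerpt above.
# Only the header is needed to read the key identifier (x5t).
JWT_HEADER_SEGMENT = "eyJhbGciOiAiUlMyNTYiLCAieDV0IjogIlpPQmtTdTVsTk9acktodnlBeElTK29KcW9FQT1cbiJ9"

# error_description from the AADSTS700027 response above, shortened to the relevant part.
ERROR_DESCRIPTION = (
    "AADSTS700027: The certificate with identifier used to sign the client assertion "
    "is not registered on application. Reason - The key was not found., Thumbprint of "
    "key used by client: '64E0644AEE6534E66B2A1BF2031212FA826AA040', Please visit the "
    "Azure Portal, Graph Explorer or directly use MS Graph to see configured keys for "
    "app Id '67c9c997-3893-4e8a-a724-ee0e85526e9b'."
)

# Constructed stand-in for /etc/univention-office365/cert.pem: NOT a real certificate,
# just bytes wrapped in PEM armour so the fingerprint functions can be exercised offline.
FAKE_DER = b"constructed placeholder, not a real X.509 certificate"
FAKE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(FAKE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)


def b64url_decode(segment: str) -> bytes:
    """Decode one JWT segment (base64url, padding stripped)."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def jwt_header(assertion: str) -> dict:
    """Return the decoded JOSE header of a JWT (a lone header segment also works)."""
    return json.loads(b64url_decode(assertion.split(".")[0]))


def x5t_to_thumbprint(x5t: str) -> str:
    """Convert the base64 SHA-1 key identifier (x5t) into the hex form Azure AD prints."""
    # The header on this page carries a trailing newline inside the value; strip() removes it.
    return base64.b64decode(x5t.strip()).hex().upper()


def sha1_hex(der: bytes) -> str:
    """Uppercase hex SHA-1 of DER bytes, i.e. the certificate thumbprint without colons."""
    return hashlib.sha1(der).hexdigest().upper()


def cert_thumbprint_from_pem(pem: str) -> str:
    """SHA-1 thumbprint of the first certificate in a PEM string
    (same value as `openssl x509 -noout -fingerprint -sha1`, colons removed)."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    der = base64.b64decode("".join(m.group(1).split()))
    return sha1_hex(der)


def cert_fp_value(pem: str) -> str:
    """Base64 form of the thumbprint; assumed to be what the connector stores in cert.fp."""
    return base64.b64encode(bytes.fromhex(cert_thumbprint_from_pem(pem))).decode()


def thumbprint_from_error(description: str) -> Optional[str]:
    """Pull the rejected thumbprint out of an AADSTS700027 error_description."""
    m = re.search(r"Thumbprint of key used by client: '([0-9A-Fa-f]{40})'", description)
    return m.group(1).upper() if m else None


def diagnose(assertion: str, description: str, pem: str) -> dict:
    """Compare the key the connector signed with, the key Azure rejected, and the local cert."""
    sent = x5t_to_thumbprint(jwt_header(assertion)["x5t"])
    rejected = thumbprint_from_error(description)
    local = cert_thumbprint_from_pem(pem)
    return {
        "thumbprint_sent": sent,
        "thumbprint_rejected": rejected,
        "thumbprint_local_cert": local,
        "rejected_matches_sent": rejected == sent,
        "local_cert_is_the_one_sent": sent == local,
    }


if __name__ == "__main__":
    # On a UCS host, point this at the real file; the constructed PEM is used as a fallback.
    try:
        with open("/etc/univention-office365/cert.pem") as fh:
            pem = fh.read()
    except OSError:
        pem = FAKE_PEM
    for key, value in diagnose(JWT_HEADER_SEGMENT, ERROR_DESCRIPTION, pem).items():
        print(f"{key}: {value}")
```

How to read the result: if the rejected thumbprint equals the one sent and that equals the local cert.pem, the connector is consistent with itself and the renewed certificate simply is not registered on the Azure application yet, which is what re-running the setup wizard fixes. If the thumbprint sent differs from the local cert.pem, the connector is still signing with an older certificate from somewhere else, and the alias connection directories in step 2 are the place to look.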
2. Check whether the alias connections have updated their certificates as well.
root@ucs5:/etc/univention-office365# ls -lah defaultADconnection/
insgesamt 52K
drwx------ 2 listener root 4,0K Jul 3 17:08 .
drwx------ 6 listener root 4,0K Jul 5 11:32 ..
-r-------- 1 listener root 29 Jul 25 2019 cert.fp
-r-------- 1 listener root 5,5K Jul 25 2019 cert.pem
-r-------- 1 root root 5,5K Jul 3 17:08 cert.pem.bak
-rw------- 1 listener root 3 Jan 18 2021 ids.json
-r-------- 1 listener root 1,7K Jul 25 2019 key.pem
-rw------- 1 root root 9,5K Sep 25 2019 manifest.json
-rw------- 1 listener root 1,4K Jan 10 2020 token.json
If the certificate of the alias connection is also outdated, the connection should be removed and re-created so that its cert.pem and key.pem are replaced.
root@ucs5:/etc/univention-office365# /usr/share/univention-office365/scripts/manage_adconnections --help
usage: manage_adconnections [-h] {list,create,remove,rename} ...
Manage Azure AD connection configuration for the Office 365 connector.
positional arguments:
{list,create,remove,rename}
optional arguments:
-h, --help show this help message and exit
root@ucs5:/etc/univention-office365# /usr/share/univention-office365/scripts/manage_adconnections remove defaultADconnection
Unsetting office365/adconnection/alias/defaultADconnection
Restarting univention-directory-listener service
root@ucs5:/etc/univention-office365# /usr/share/univention-office365/scripts/manage_adconnections create defaultADconnection
Create office365/adconnection/alias/defaultADconnection
Setting office365/adconnection/wizard
Restarting univention-directory-listener service
root@ucs5:/etc/univention-office365/defaultADconnection# ls -lah
drwx------ 2 listener root 4,0K Jul 12 18:32 .
drwx------ 7 listener root 4,0K Jul 12 15:48 ..
-r-------- 1 listener root 29 Jul 4 10:48 cert.fp
-r-------- 1 listener root 5,5K Jul 4 10:48 cert.pem
-rwx------ 1 listener nogroup 223 Jul 12 15:53 ids.json
-r-------- 1 listener root 1,7K Jul 4 10:48 key.pem
-rw------- 1 root root 9,7K Jul 12 15:51 manifest.json
-rwx------ 1 listener nogroup 1,8K Jul 12 18:32 token.json
openssl x509 -noout -dates -in /etc/univention-office365/cert.pem
notBefore=Apr 19 11:27:00 2024 GMT
notAfter=Apr 18 11:27:00 2029 GMT
Now start the Office 365 setup wizard in the UMC; it should complete successfully for the alias connection you renewed.