UCS root certificate replaced: Office 365 connector no longer syncs to MS365 // changed UCS root certificate: office365 connector does not sync new user to MS365

[English below]

The UCS root certificate was about to expire, so we had replaced it beforehand, which by and large worked. We had also run univention-app update-certificates so that all apps would read in the new certificate (especially important for us: o365). There were no errors here either. It was also possible to log in to MS365.

Today, however, we created a new account and wanted to sync it to MS365, and that no longer works.

The log showed “Reason - The key used is expired.” (see log file excerpt [1] below).

Under /etc/univention-office365/defaultadconnection and /etc/univention-office365/ there are cert.pem, cert.key and cert.fp, which had not been updated. These were the old certificates.

We took the certificates from simplesaml:

cp /etc/simplesamlphp/ucs-sso.intern.izt.de-idp-certificate.crt /etc/univention-office365/cert.pem

cp /etc/simplesamlphp/ucs-sso.intern.izt.de-idp-certificate.crt /etc/univention-office365/defaultadconnection/cert.pem

(We proceeded the same way with the .key file.)

Then we read out the fingerprint and stored it in cert.fp:

openssl x509 -in cert.pem -fingerprint -noout |sed 's/SHA1 Fingerprint=//g' | sed 's/://g' | xxd -r -ps | base64 > cert.fp

Afterwards we restarted the directory-listener. It is still possible to log in to MS365, but still not possible to sync a new account there; the error message is now “Key was not found” (see log excerpt [2] below).

The question is: what is the easiest way to replace the certificate and the key for the Office connector? And exactly which key and which certificate do we have to use for that?

[English -- sorry, I’m not a native speaker]

Since the UCS root certificate was about to expire, we replaced it, which in the end seemed to work. We did invoke univention-app update-certificates so that all apps (esp. the office365-connector) would also pick up the new cert. There were no errors in this step either. It was (and is) possible to log in to an MS365 account.

Today we added a new account in UMC and wanted to sync it to MS365 as well, but this did not work. listener.log ended with “Reason - The key used is expired.”, see log file excerpt [1] below.

The files cert.pem, cert.key and cert.fp under /etc/univention-office365/defaultadconnection and /etc/univention-office365/ had not been renewed; they still contained the old certificates.

We took the certificates from simplesaml:

cp /etc/simplesamlphp/ucs-sso.intern.izt.de-idp-certificate.crt /etc/univention-office365/cert.pem

cp /etc/simplesamlphp/ucs-sso.intern.izt.de-idp-certificate.crt /etc/univention-office365/defaultadconnection/cert.pem

(We did the same thing with the .key file.)

Then we took the fingerprint of the new certificate and stored it in cert.fp:

openssl x509 -in cert.pem -fingerprint -noout |sed 's/SHA1 Fingerprint=//g' | sed 's/://g' | xxd -r -ps | base64 > cert.fp

The last step was to restart the directory-listener. We are still able to log in to an MS365 account, but still not able to sync an account to MS365; listener.log now ends in “Key was not found” (see listener.log excerpt [2] below).

Our questions are now: How do we change the UCS root certificate and the key for the office365-connector? And which key and certificate do we have to use for this?

[1]

13.05.22 10:59:55.822  LISTENER    ( ERROR   ) : o365(D): office365-user.handler:359  office365-user.handler() command: 'm' dn: 'uid=XXXXXXXXXXXXX,cn=users,dc=intern,dc=izt,dc=de'
13.05.22 10:59:55.822  LISTENER    ( ERROR   ) : o365(I): office365-user.handler:373  adconnection_alias_old=set([]) adconnection_alias_new=set([])
UNIVENTION_DEBUG_BEGIN  : uldap.__open host=pdc.intern.izt.de port=7389 base=dc=intern,dc=izt,dc=de
UNIVENTION_DEBUG_END    : uldap.__open host=pdc.intern.izt.de port=7389 base=dc=intern,dc=izt,dc=de
UNIVENTION_DEBUG_BEGIN  : uldap.searchDn filter=(&(cn=*)(|(objectClass=univentionGroup)(objectClass=sambaGroupMapping))(uniqueMember=uid=XXXXXXXXXXXXX,cn=users,dc=intern,dc=izt,dc=de)) base= scope=sub unique=0 required=0
UNIVENTION_DEBUG_END    : uldap.searchDn filter=(&(cn=*)(|(objectClass=univentionGroup)(objectClass=sambaGroupMapping))(uniqueMember=uid=XXXXXXXXXXXXX,cn=users,dc=intern,dc=izt,dc=de)) base= scope=sub unique=0 required=0
UNIVENTION_DEBUG_BEGIN  : uldap.searchDn filter=(&(cn=*)(|(objectClass=posixGroup)(objectClass=sambaGroupMapping))(gidNumber=513)) base= scope=sub unique=0 required=0
UNIVENTION_DEBUG_END    : uldap.searchDn filter=(&(cn=*)(|(objectClass=posixGroup)(objectClass=sambaGroupMapping))(gidNumber=513)) base= scope=sub unique=0 required=0
13.05.22 10:59:56.044  LISTENER    ( ERROR   ) : o365(D): office365-user.handler:390  new is enabled.
13.05.22 10:59:56.044  LISTENER    ( ERROR   ) : o365(D): office365-user.handler:393  new Azure AD connection is enabled.
13.05.22 10:59:56.044  LISTENER    ( ERROR   ) : o365(D): office365-user.handler:396  new_enabled=True old_enabled=False
13.05.22 10:59:56.044  LISTENER    ( ERROR   ) : o365(I): office365-user.handler:433  No ad connection defined, using default (defaultADconnection | uid=XXXXXXXXXXXXX,cn=users,dc=intern,dc=izt,dc=de)
13.05.22 10:59:56.044  LISTENER    ( ERROR   ) : o365(I): office365-user.handler:444  new_enabled and not old_enabled -> NEW or REACTIVATED (set(['defaultADconnection']) | uid=XXXXXXXXXXXXX,cn=users,dc=intern,dc=izt,dc=de)
13.05.22 10:59:56.044  LISTENER    ( ERROR   ) : o365(D): listener.__init__:113  adconnection_alias='defaultADconnection'
13.05.22 10:59:56.050  LISTENER    ( ERROR   ) : o365(I): api_helper.get_http_proxies:42  proxy settings: {}
13.05.22 10:59:56.050  LISTENER    ( ERROR   ) : o365(I): graph._check_token_validity:169  The access token for `defaultADconnection` looks similar to: `eyJ0eXAiOi-trimmed-7o8HkHe8qg`. It is valid until 2022-05-03 17:55:54
13.05.22 10:59:56.086  LISTENER    ( ERROR   ) : o365(D): graph._call_graph_api:216  GraphAPI: POST https://login.microsoftonline.com/aa300aa6-3e3b-410a-8948-eb3a2f397b19/oauth2/v2.0/token
13.05.22 10:59:56.447  LISTENER    ( ERROR   ) : o365(I): graph._call_graph_api:252  status: 401 (FAIL) (POST https://login.microsoftonline.com/aa300aa6-3e3b-410a-8948-eb3a2f397b19/oauth2/v2.0/token)
13.05.22 10:59:56.447  LISTENER    ( ERROR   ) : o365(D): graph._call_graph_api:273  retries left: -1
Traceback (most recent call last):
  File "/usr/lib/univention-directory-listener/system/office365-user.py", line 446, in handler
    ol = Office365Listener(listener, name, _attrs, ldap_cred, dn, conn)
  File "/usr/lib/python2.7/dist-packages/univention/office365/listener.py", line 125, in __init__
    self.ah = Graph(self.ucr, name, self.adconnection_alias, logger=logger)
  File "/usr/lib/python2.7/dist-packages/univention/office365/api/graph.py", line 58, in __init__
    self.access_token_json = self._login(connection_alias)
  File "/usr/lib/python2.7/dist-packages/univention/office365/api/graph.py", line 131, in _login
    retry=0
  File "/usr/lib/python2.7/dist-packages/univention/office365/api/graph.py", line 279, in _call_graph_api
    raise self._generate_error_message(response, "Unable to (re-)login")
univention.office365.api.exceptions.GraphError: Unable to (re-)loginHTTP response status: 401
> request url: https://login.microsoftonline.com/aa300aa6-3e3b-410a-8948-eb3a2f397b19/oauth2/v2.0/token

> request header: {
  "Content-Length": "1023", 
  "Accept-Encoding": "gzip, deflate", 
  "Accept": "*/*", 
  "User-Agent": "Univention Microsoft 365 Connector", 
  "Connection": "keep-alive", 
  "Content-Type": "application/x-www-form-urlencoded"
}

> request body: scope=https%3A%2F%2Fgraph.microsoft.com%2F.default&grant_type=client_credentials&client_assertion=eyJ4NXQiOiAibFZEbXhJb1crSnhFZ0NsMWNrRzhJM0lmWktnPVxuIiwgImFsZyI6ICJSUzI1NiJ9.eyJhdWQiOiAiaHR0cHM6Ly9sb2dpbi5taWNyb3NvZnRvbmxpbmUuY29tL2FhMzAwYWE2LTNlM2ItNDEwYS04OTQ4LWViM2EyZjM5N2IxOS9vYXV0aDIvdjIuMC90b2tlbiIsICJpc3MiOiAiYjY1ZjA1NTUtODBlNi00ZjdiLWFmMjMtMzQyYjNiNzA2ZTBmIiwgImp0aSI6ICI3YmYzZWNkNS00ZDU1LTRiZjEtODVmMC0wMmI3NjNhNmM0MzAiLCAiZXhwIjogMTY1MjQzMjk5NiwgIm5iZiI6IDE2NTI0MzIwOTYsICJzdWIiOiAiYjY1ZjA1NTUtODBlNi00ZjdiLWFmMjMtMzQyYjNiNzA2ZTBmIn0.bRu1tXNROypqfkx23RioqsZV6pMrvbAGY1GK3I3w55n7gtWerwtZtt24l-4MB9tZ1pBpF5xDfW5u14bQAPfDbC5SIsSzH3e2VDNJTs7nz-Z05Boj8EQNEwv83uz46g_jS3mK-toXMYpRItm7-GEVE3smndRjLi2_SsJePNWxzHMc9rw6rzrsoX8OST6IPmrDrug0NOBJ07p20vc3762RJmZ9ywEH9si1WjwdZ_ndwQkvh6r5sVVUswBpy2braW4RPVE42ZeMF-lfaZrK6YcSZROpr9i49ddkFyUWdVFPqzi-RLhjLTSu9Bv3-i6708mfkBApNeDE9yyemuBksdjaWg&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_id=b65f0555-80e6-4f7b-af23-342b3b706e0f

> response header: {
  "Content-Length": "1149", 
  "Expires": "-1", 
  "X-Content-Type-Options": "nosniff", 
  "Set-Cookie": "fpc=AorkXx8rQoJDjBGLAB6e0NhhmeRhAQAAAPgUENoOAAAA; expires=Sun, 12-Jun-2022 08:59:37 GMT; path=/; secure; HttpOnly; SameSite=None, x-ms-gateway-slice=estsfd; path=/; secure; samesite=none; httponly, stsservicecookie=estsfd; path=/; secure; samesite=none; httponly", 
  "x-ms-request-id": "e3f50c98-ad26-4d8e-840c-da9997c31000", 
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains", 
  "Date": "Fri, 13 May 2022 08:59:37 GMT", 
  "x-ms-ests-server": "2.1.12707.12 - NEULR2 ProdSlices", 
  "Pragma": "no-cache", 
  "Cache-Control": "no-store, no-cache", 
  "X-XSS-Protection": "0", 
  "P3P": "CP=\"DSP CUR OTPi IND OTRi ONL FIN\"", 
  "Content-Type": "application/json; charset=utf-8"
}

> response body: {
  "error_uri": "https://login.microsoftonline.com/error?code=700027", 
  "timestamp": "2022-05-13 08:59:37Z", 
  "trace_id": "e3f50c98-ad26-4d8e-840c-da9997c31000", 
  "correlation_id": "5f79be96-d305-4c80-a3b3-db032f447f53", 
  "error_description": "AADSTS700027: Client assertion contains an invalid signature. [Reason - The key used is expired., Thumbprint of key used by client: '9550E6C48A16F89C448029757241BC23721F64A8', Found key 'Start=05/05/2017 19:57:29, End=05/04/2022 19:57:29', Please visit the Azure Portal, Graph Explorer or directly use MS Graph to see configured keys for app Id 'b65f0555-80e6-4f7b-af23-342b3b706e0f'. Review the documentation at https://docs.microsoft.com/en-us/graph/deployments to determine the corresponding service endpoint and https://docs.microsoft.com/en-us/graph/api/application-get?view=graph-rest-1.0&tabs=http to build a query request URL, such as 'https://graph.microsoft.com/beta/applications/b65f0555-80e6-4f7b-af23-342b3b706e0f'].\r\nTrace ID: e3f50c98-ad26-4d8e-840c-da9997c31000\r\nCorrelation ID: 5f79be96-d305-4c80-a3b3-db032f447f53\r\nTimestamp: 2022-05-13 08:59:37Z", 
  "error": "invalid_client", 
  "error_codes": [
    700027
  ]
}


13.05.22 10:59:56.450  LISTENER    ( WARN    ) : handler: office365-user (failed)

[2]

13.05.22 17:03:16.726  LDAP        ( PROCESS ) : connecting to ldap://pdc.intern.izt.de:7389
13.05.22 17:03:16.736  LISTENER    ( PROCESS ) : updating 'uid=YYYYYYYYYYYYY,cn=users,dc=intern,dc=izt,dc=de' command m
13.05.22 17:03:16.738  LISTENER    ( ERROR   ) : o365(D): office365-user.handler:359  office365-user.handler() command: 'm' dn: 'uid=YYYYYYYYYYYYY,cn=users,dc=intern,dc=izt,dc=de'
13.05.22 17:03:16.739  LISTENER    ( ERROR   ) : o365(I): office365-user.handler:373  adconnection_alias_old=set([u'defaultADconnection']) adconnection_alias_new=set([u'defaultADconnection'])
UNIVENTION_DEBUG_BEGIN  : uldap.searchDn filter=(&(cn=*)(|(objectClass=univentionGroup)(objectClass=sambaGroupMapping))(uniqueMember=uid=YYYYYYYYYYYYY,cn=users,dc=intern,dc=izt,dc=de)) base= scope=sub unique=0 required=0
UNIVENTION_DEBUG_END    : uldap.searchDn filter=(&(cn=*)(|(objectClass=univentionGroup)(objectClass=sambaGroupMapping))(uniqueMember=uid=YYYYYYYYYYYYY,cn=users,dc=intern,dc=izt,dc=de)) base= scope=sub unique=0 required=0
UNIVENTION_DEBUG_BEGIN  : uldap.searchDn filter=(&(cn=*)(|(objectClass=posixGroup)(objectClass=sambaGroupMapping))(gidNumber=513)) base= scope=sub unique=0 required=0
UNIVENTION_DEBUG_END    : uldap.searchDn filter=(&(cn=*)(|(objectClass=posixGroup)(objectClass=sambaGroupMapping))(gidNumber=513)) base= scope=sub unique=0 required=0
13.05.22 17:03:16.742  LISTENER    ( ERROR   ) : o365(D): office365-user.handler:381  old was enabled.
13.05.22 17:03:16.742  LISTENER    ( ERROR   ) : o365(D): office365-user.handler:384  old Azure AD connection is enabled.
UNIVENTION_DEBUG_BEGIN  : uldap.searchDn filter=(&(cn=*)(|(objectClass=univentionGroup)(objectClass=sambaGroupMapping))(uniqueMember=uid=YYYYYYYYYYYYY,cn=users,dc=intern,dc=izt,dc=de)) base= scope=sub unique=0 required=0
UNIVENTION_DEBUG_END    : uldap.searchDn filter=(&(cn=*)(|(objectClass=univentionGroup)(objectClass=sambaGroupMapping))(uniqueMember=uid=YYYYYYYYYYYYY,cn=users,dc=intern,dc=izt,dc=de)) base= scope=sub unique=0 required=0
UNIVENTION_DEBUG_BEGIN  : uldap.searchDn filter=(&(cn=*)(|(objectClass=posixGroup)(objectClass=sambaGroupMapping))(gidNumber=513)) base= scope=sub unique=0 required=0
UNIVENTION_DEBUG_END    : uldap.searchDn filter=(&(cn=*)(|(objectClass=posixGroup)(objectClass=sambaGroupMapping))(gidNumber=513)) base= scope=sub unique=0 required=0
13.05.22 17:03:16.745  LISTENER    ( ERROR   ) : o365(D): office365-user.handler:390  new is enabled.
13.05.22 17:03:16.745  LISTENER    ( ERROR   ) : o365(D): office365-user.handler:393  new Azure AD connection is enabled.
13.05.22 17:03:16.745  LISTENER    ( ERROR   ) : o365(D): office365-user.handler:396  new_enabled=True old_enabled=True
13.05.22 17:03:16.745  LISTENER    ( ERROR   ) : o365(I): office365-user.handler:402  new_enabled and adconnection_alias_old=set([u'defaultADconnection']) and adconnection_alias_new=set([u'defaultADconnection']) -> MODIFY (DELETE old, CREATE new) (uid=YYYYYYYYYYYYY,cn=users,dc=intern,dc=izt,dc=de)
13.05.22 17:03:16.745  LISTENER    ( ERROR   ) : o365(I): office365-user.handler:404  DELETE (set([]) | uid=YYYYYYYYYYYYY,cn=users,dc=intern,dc=izt,dc=de)
13.05.22 17:03:16.745  LISTENER    ( ERROR   ) : o365(I): office365-user.handler:413  CREATE (set([]) | uid=YYYYYYYYYYYYY,cn=users,dc=intern,dc=izt,dc=de)
13.05.22 17:03:16.745  LISTENER    ( ERROR   ) : o365(I): office365-user.handler:474  old_enabled and new_enabled -> MODIFY (set([u'defaultADconnection']) | uid=YYYYYYYYYYYYY,cn=users,dc=intern,dc=izt,dc=de)
13.05.22 17:03:16.746  LISTENER    ( ERROR   ) : o365(D): listener.__init__:113  adconnection_alias=u'defaultADconnection'
13.05.22 17:03:16.751  LISTENER    ( ERROR   ) : o365(I): api_helper.get_http_proxies:42  proxy settings: {}
13.05.22 17:03:16.751  LISTENER    ( ERROR   ) : o365(I): graph._check_token_validity:169  The access token for `defaultADconnection` looks similar to: `eyJ0eXAiOi-trimmed-7o8HkHe8qg`. It is valid until 2022-05-03 17:55:54
13.05.22 17:03:16.787  LISTENER    ( ERROR   ) : o365(D): graph._call_graph_api:216  GraphAPI: POST https://login.microsoftonline.com/aa300aa6-3e3b-410a-8948-eb3a2f397b19/oauth2/v2.0/token
13.05.22 17:03:17.040  LISTENER    ( ERROR   ) : o365(I): graph._call_graph_api:252  status: 401 (FAIL) (POST https://login.microsoftonline.com/aa300aa6-3e3b-410a-8948-eb3a2f397b19/oauth2/v2.0/token)
13.05.22 17:03:17.047  LISTENER    ( ERROR   ) : o365(D): graph._call_graph_api:273  retries left: -1
Traceback (most recent call last):
  File "/usr/lib/univention-directory-listener/system/office365-user.py", line 476, in handler
    ol = Office365Listener(listener, name, _attrs, ldap_cred, dn, conn)
  File "/usr/lib/python2.7/dist-packages/univention/office365/listener.py", line 125, in __init__
    self.ah = Graph(self.ucr, name, self.adconnection_alias, logger=logger)
  File "/usr/lib/python2.7/dist-packages/univention/office365/api/graph.py", line 58, in __init__
    self.access_token_json = self._login(connection_alias)
  File "/usr/lib/python2.7/dist-packages/univention/office365/api/graph.py", line 131, in _login
    retry=0
  File "/usr/lib/python2.7/dist-packages/univention/office365/api/graph.py", line 279, in _call_graph_api
    raise self._generate_error_message(response, "Unable to (re-)login")
univention.office365.api.exceptions.GraphError: Unable to (re-)loginHTTP response status: 401
> request url: https://login.microsoftonline.com/aa300aa6-3e3b-410a-8948-eb3a2f397b19/oauth2/v2.0/token

> request header: {
  "Content-Length": "1023", 
  "Accept-Encoding": "gzip, deflate", 
  "Accept": "*/*", 
  "User-Agent": "Univention Microsoft 365 Connector", 
  "Connection": "keep-alive", 
  "Content-Type": "application/x-www-form-urlencoded"
}

> request body: scope=https%3A%2F%2Fgraph.microsoft.com%2F.default&grant_type=client_credentials&client_assertion=eyJ4NXQiOiAiT0czSDA2VG5QWWNxNUtUbWtWQUgvUDlEYmtjPVxuIiwgImFsZyI6ICJSUzI1NiJ9.eyJhdWQiOiAiaHR0cHM6Ly9sb2dpbi5taWNyb3NvZnRvbmxpbmUuY29tL2FhMzAwYWE2LTNlM2ItNDEwYS04OTQ4LWViM2EyZjM5N2IxOS9vYXV0aDIvdjIuMC90b2tlbiIsICJpc3MiOiAiYjY1ZjA1NTUtODBlNi00ZjdiLWFmMjMtMzQyYjNiNzA2ZTBmIiwgImp0aSI6ICIxZGExNjA4MS0zOTIzLTQ5NmMtODVmMy1jMzA4NmFlMTQ1M2UiLCAiZXhwIjogMTY1MjQ1NDc5NiwgIm5iZiI6IDE2NTI0NTM4OTYsICJzdWIiOiAiYjY1ZjA1NTUtODBlNi00ZjdiLWFmMjMtMzQyYjNiNzA2ZTBmIn0.Mb9ArWm2fZHdsQ4RvRkbd4sdnL8h-JRtwwJ1CzcDlY4FMysM3t3ZM20QrEUBgr8cC_wnNdyew3aKy4qPZGcvfwb2-ob_tlH2A056HviLXTPH77ull-TAy9yyGSS1geqyV0h8ISUy1kqRwBx_glug20_pOiTkK3Hf4qw0z7kifK8vGHNDaoHV4Df_BnyK5e0YMNdKCHghx4z7FzbuehyAEVcw4Ss4QE_HXrRrH7MSqB-huNqU93shHSLkxdEF3YoAV8iBQF9z-nO9Uu5FpG2lXLYFszb-9QW_MZoJ7u9h4gTYkXihMXmOUR2AC128uIs1wfsfBz5D4ptzpOWizFjWqw&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_id=b65f0555-80e6-4f7b-af23-342b3b706e0f

> response header: {
  "Content-Length": "1083", 
  "Expires": "-1", 
  "X-Content-Type-Options": "nosniff", 
  "Set-Cookie": "fpc=Ao7NgUy_VoBCuesYDbmYow5hmeRhAQAAACFqENoOAAAA; expires=Sun, 12-Jun-2022 15:02:57 GMT; path=/; secure; HttpOnly; SameSite=None, x-ms-gateway-slice=estsfd; path=/; secure; samesite=none; httponly, stsservicecookie=estsfd; path=/; secure; samesite=none; httponly", 
  "x-ms-request-id": "03d8e1f0-6e32-4f94-8ad1-216b0f7b1900", 
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains", 
  "Date": "Fri, 13 May 2022 15:02:57 GMT", 
  "x-ms-ests-server": "2.1.12707.12 - NEULR1 ProdSlices", 
  "Pragma": "no-cache", 
  "Cache-Control": "no-store, no-cache", 
  "X-XSS-Protection": "0", 
  "P3P": "CP=\"DSP CUR OTPi IND OTRi ONL FIN\"", 
  "Content-Type": "application/json; charset=utf-8"
}

> response body: {
  "error_uri": "https://login.microsoftonline.com/error?code=700027", 
  "timestamp": "2022-05-13 15:02:57Z", 
  "trace_id": "03d8e1f0-6e32-4f94-8ad1-216b0f7b1900", 
  "correlation_id": "e76dc181-f9a1-48c5-a7ca-b4c047abaf37", 
  "error_description": "AADSTS700027: Client assertion contains an invalid signature. [Reason - The key was not found., Thumbprint of key used by client: '386DC7D3A4E73D872AE4A4E6915007FCFF436E47', Please visit the Azure Portal, Graph Explorer or directly use MS Graph to see configured keys for app Id 'b65f0555-80e6-4f7b-af23-342b3b706e0f'. Review the documentation at https://docs.microsoft.com/en-us/graph/deployments to determine the corresponding service endpoint and https://docs.microsoft.com/en-us/graph/api/application-get?view=graph-rest-1.0&tabs=http to build a query request URL, such as 'https://graph.microsoft.com/beta/applications/b65f0555-80e6-4f7b-af23-342b3b706e0f'].\r\nTrace ID: 03d8e1f0-6e32-4f94-8ad1-216b0f7b1900\r\nCorrelation ID: e76dc181-f9a1-48c5-a7ca-b4c047abaf37\r\nTimestamp: 2022-05-13 15:02:57Z", 
  "error": "invalid_client", 
  "error_codes": [
    700027
  ]
}


13.05.22 17:03:17.049  LISTENER    ( WARN    ) : handler: office365-user (failed)
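The two AADSTS700027 responses above differ in one detail that decides the diagnosis: in [1] Azure AD found the key named by the assertion's `x5t` header but it had expired, in [2] it did not find the key at all. Both times the `x5t` value is the base64 SHA-1 thumbprint of the signing certificate (the cert.fp file), which Azure AD matches against the certificates registered on the app. The script below, an added example that is not part of the post and not Univention's code, checks this offline: it decodes the `x5t` from the JWT header segment quoted in excerpt [1], converts it to the hex thumbprint Azure reports, classifies the error text, and shows how the thumbprint of a local cert.pem is computed. The error strings are shortened copies of the ones in the excerpts; the PEM input is a constructed stand-in (its "certificate" is just the bytes `abc`), not a real certificate.

```python
# Added example (not from the original post or the Univention connector):
# diagnose AADSTS700027 "Client assertion contains an invalid signature"
# by comparing the x5t thumbprint in the connector's client-credentials
# JWT with what Azure AD reports, and with the SHA-1 of a local cert.pem.
import base64
import hashlib
import json
import re
from urllib.parse import parse_qs

# JOSE header segment of the client_assertion quoted in log excerpt [1].
HEADER_SEGMENT_1 = ("eyJ4NXQiOiAibFZEbXhJb1crSnhFZ0NsMWNrRzhJM0lmWktnPVxuIiwg"
                    "ImFsZyI6ICJSUzI1NiJ9")

# error_description values from excerpts [1] and [2], shortened to the
# part that carries the diagnosis.
ERROR_1 = ("AADSTS700027: Client assertion contains an invalid signature. "
           "[Reason - The key used is expired., Thumbprint of key used by "
           "client: '9550E6C48A16F89C448029757241BC23721F64A8', Found key "
           "'Start=05/05/2017 19:57:29, End=05/04/2022 19:57:29', ...]")
ERROR_2 = ("AADSTS700027: Client assertion contains an invalid signature. "
           "[Reason - The key was not found., Thumbprint of key used by "
           "client: '386DC7D3A4E73D872AE4A4E6915007FCFF436E47', ...]")

# Constructed stand-in for cert.pem: the "DER" is just the bytes b"abc".
CONSTRUCTED_PEM = ("-----BEGIN CERTIFICATE-----\nYWJj\n"
                   "-----END CERTIFICATE-----\n")


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the padding JWTs omit."""
    segment = segment.strip()
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_header(assertion: str) -> dict:
    """Unverified JOSE header of a compact JWT (or of its first segment)."""
    return json.loads(b64url_decode(assertion.split(".")[0]))


def assertion_from_request_body(body: str) -> str:
    """Pull client_assertion out of the form-encoded token request body."""
    return parse_qs(body)["client_assertion"][0]


def x5t_to_thumbprint(x5t: str) -> str:
    """x5t is the base64 SHA-1 of the cert's DER; Azure shows upper-case hex.
    Whitespace is stripped first: the posted assertion carries a trailing
    newline that base64(1) wrote into cert.fp."""
    return base64.b64decode("".join(x5t.split())).hex().upper()


def thumbprint_from_pem(pem_text: str) -> str:
    """SHA-1 over the DER bytes of the first CERTIFICATE block in a PEM file,
    i.e. the thumbprint Azure AD lists for an uploaded app certificate."""
    block = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                      pem_text, re.S)
    if not block:
        raise ValueError("no CERTIFICATE block in PEM input")
    der = base64.b64decode("".join(block.group(1).split()))
    return hashlib.sha1(der).hexdigest().upper()


def classify_aadsts700027(error_description: str) -> dict:
    """Extract reason, the thumbprint Azure evaluated and, if the key was
    found, its validity window. No 'Found key' means the thumbprint is
    unknown to the app registration."""
    reason = re.search(r"Reason - (.+?)\.,", error_description)
    used = re.search(r"Thumbprint of key used by client: '([0-9A-F]+)'",
                     error_description)
    window = re.search(r"Found key 'Start=([^,]+), End=([^']+)'",
                       error_description)
    return {
        "reason": reason.group(1) if reason else None,
        "client_thumbprint": used.group(1) if used else None,
        "registered_key_end": window.group(2) if window else None,
        "registered": bool(window),
    }


def diagnose(x5t: str, error_description: str) -> str:
    """Return 'x5t_mismatch', 'not_registered' or 'expired'."""
    local = x5t_to_thumbprint(x5t)
    info = classify_aadsts700027(error_description)
    if info["client_thumbprint"] and info["client_thumbprint"] != local:
        return "x5t_mismatch"      # assertion and error talk about different keys
    if not info["registered"]:
        return "not_registered"    # new cert never uploaded to the app registration
    return "expired"               # registered cert is past its End= date


if __name__ == "__main__":
    x5t_1 = jwt_header(HEADER_SEGMENT_1)["x5t"]
    print("excerpt [1]:", x5t_to_thumbprint(x5t_1), diagnose(x5t_1, ERROR_1))
    # x5t for excerpt [2], derived from the thumbprint in its error text
    x5t_2 = base64.b64encode(bytes.fromhex(
        classify_aadsts700027(ERROR_2)["client_thumbprint"])).decode()
    print("excerpt [2]:", x5t_to_thumbprint(x5t_2), diagnose(x5t_2, ERROR_2))
    print("constructed cert.pem thumbprint:", thumbprint_from_pem(CONSTRUCTED_PEM))
```

Running it against the excerpts gives `expired` for [1] and `not_registered` for [2]: the replacement cert's thumbprint (386DC7D3…) is what the connector now signs with, so the local cert.pem, cert.key and cert.fp are consistent with each other, and what Azure AD is missing is that public certificate among the app's registered credentials. On a real host, `thumbprint_from_pem` applied to /etc/univention-office365/cert.pem should equal the thumbprint in the error message; if it does not, cert.fp and cert.pem have drifted apart.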