UCS root certificate replaced: Office 365 connector no longer syncs new users to MS365

Since the UCS root certificate was about to expire, we replaced it beforehand, which by and large worked. We also ran univention-app update-certificates so that all apps (for us especially office365) pick up the new certificate. There were no errors in that step either. Logging in to MS365 was (and is) possible.

Today we created a new account in UMC and wanted to sync it to MS365, but this no longer works. listener.log ended with "Reason - The key used is expired." (see log file excerpt [1] below).

Under /etc/univention-office365/defaultadconnection and /etc/univention-office365/ there are cert.pem, cert.key and cert.fp, which had not been renewed; they still contained the old certificates.

We took the certificates from simplesaml:

cp /etc/simplesamlphp/ucs-sso.intern.izt.de-idp-certificate.crt /etc/univention-office365/cert.pem

cp /etc/simplesamlphp/ucs-sso.intern.izt.de-idp-certificate.crt /etc/univention-office365/defaultadconnection/cert.pem

(We did the same with the .key file.)

Then we read the fingerprint of the new certificate and stored it in cert.fp:

openssl x509 -in cert.pem -fingerprint -noout |sed 's/SHA1 Fingerprint=//g' | sed 's/://g' | xxd -r -ps | base64 > cert.fp

Finally we restarted the directory listener. We are still able to log in to an MS365 account, but still cannot sync a new account to MS365; listener.log now ends with "Key was not found" (see listener.log excerpt [2] below).

Our questions are: What is the simplest way to replace the certificate and the key for the Office 365 connector? And which key and which certificate exactly do we have to use for this?

[1]

13.05.22 10:59:55.822  LISTENER    ( ERROR   ) : o365(D): office365-user.handler:359  office365-user.handler() command: 'm' dn: 'uid=XXXXXXXXXXXXX,cn=users,dc=intern,dc=izt,dc=de'
13.05.22 10:59:55.822  LISTENER    ( ERROR   ) : o365(I): office365-user.handler:373  adconnection_alias_old=set([]) adconnection_alias_new=set([])
UNIVENTION_DEBUG_BEGIN  : uldap.__open host=pdc.intern.izt.de port=7389 base=dc=intern,dc=izt,dc=de
UNIVENTION_DEBUG_END    : uldap.__open host=pdc.intern.izt.de port=7389 base=dc=intern,dc=izt,dc=de
UNIVENTION_DEBUG_BEGIN  : uldap.searchDn filter=(&(cn=*)(|(objectClass=univentionGroup)(objectClass=sambaGroupMapping))(uniqueMember=uid=XXXXXXXXXXXXX,cn=users,dc=intern,dc=izt,dc=de)) base= scope=sub unique=0 required=0
UNIVENTION_DEBUG_END    : uldap.searchDn filter=(&(cn=*)(|(objectClass=univentionGroup)(objectClass=sambaGroupMapping))(uniqueMember=uid=XXXXXXXXXXXXX,cn=users,dc=intern,dc=izt,dc=de)) base= scope=sub unique=0 required=0
UNIVENTION_DEBUG_BEGIN  : uldap.searchDn filter=(&(cn=*)(|(objectClass=posixGroup)(objectClass=sambaGroupMapping))(gidNumber=513)) base= scope=sub unique=0 required=0
UNIVENTION_DEBUG_END    : uldap.searchDn filter=(&(cn=*)(|(objectClass=posixGroup)(objectClass=sambaGroupMapping))(gidNumber=513)) base= scope=sub unique=0 required=0
13.05.22 10:59:56.044  LISTENER    ( ERROR   ) : o365(D): office365-user.handler:390  new is enabled.
13.05.22 10:59:56.044  LISTENER    ( ERROR   ) : o365(D): office365-user.handler:393  new Azure AD connection is enabled.
13.05.22 10:59:56.044  LISTENER    ( ERROR   ) : o365(D): office365-user.handler:396  new_enabled=True old_enabled=False
13.05.22 10:59:56.044  LISTENER    ( ERROR   ) : o365(I): office365-user.handler:433  No ad connection defined, using default (defaultADconnection | uid=XXXXXXXXXXXXX,cn=users,dc=intern,dc=izt,dc=de)
13.05.22 10:59:56.044  LISTENER    ( ERROR   ) : o365(I): office365-user.handler:444  new_enabled and not old_enabled -> NEW or REACTIVATED (set(['defaultADconnection']) | uid=XXXXXXXXXXXXX,cn=users,dc=intern,dc=izt,dc=de)
13.05.22 10:59:56.044  LISTENER    ( ERROR   ) : o365(D): listener.__init__:113  adconnection_alias='defaultADconnection'
13.05.22 10:59:56.050  LISTENER    ( ERROR   ) : o365(I): api_helper.get_http_proxies:42  proxy settings: {}
13.05.22 10:59:56.050  LISTENER    ( ERROR   ) : o365(I): graph._check_token_validity:169  The access token for `defaultADconnection` looks similar to: `eyJ0eXAiOi-trimmed-7o8HkHe8qg`. It is valid until 2022-05-03 17:55:54
13.05.22 10:59:56.086  LISTENER    ( ERROR   ) : o365(D): graph._call_graph_api:216  GraphAPI: POST https://login.microsoftonline.com/aa300aa6-3e3b-410a-8948-eb3a2f397b19/oauth2/v2.0/token
13.05.22 10:59:56.447  LISTENER    ( ERROR   ) : o365(I): graph._call_graph_api:252  status: 401 (FAIL) (POST https://login.microsoftonline.com/aa300aa6-3e3b-410a-8948-eb3a2f397b19/oauth2/v2.0/token)
13.05.22 10:59:56.447  LISTENER    ( ERROR   ) : o365(D): graph._call_graph_api:273  retries left: -1
Traceback (most recent call last):
  File "/usr/lib/univention-directory-listener/system/office365-user.py", line 446, in handler
    ol = Office365Listener(listener, name, _attrs, ldap_cred, dn, conn)
  File "/usr/lib/python2.7/dist-packages/univention/office365/listener.py", line 125, in __init__
    self.ah = Graph(self.ucr, name, self.adconnection_alias, logger=logger)
  File "/usr/lib/python2.7/dist-packages/univention/office365/api/graph.py", line 58, in __init__
    self.access_token_json = self._login(connection_alias)
  File "/usr/lib/python2.7/dist-packages/univention/office365/api/graph.py", line 131, in _login
    retry=0
  File "/usr/lib/python2.7/dist-packages/univention/office365/api/graph.py", line 279, in _call_graph_api
    raise self._generate_error_message(response, "Unable to (re-)login")
univention.office365.api.exceptions.GraphError: Unable to (re-)loginHTTP response status: 401
> request url: https://login.microsoftonline.com/aa300aa6-3e3b-410a-8948-eb3a2f397b19/oauth2/v2.0/token

> request header: {
  "Content-Length": "1023", 
  "Accept-Encoding": "gzip, deflate", 
  "Accept": "*/*", 
  "User-Agent": "Univention Microsoft 365 Connector", 
  "Connection": "keep-alive", 
  "Content-Type": "application/x-www-form-urlencoded"
}

> request body: scope=https%3A%2F%2Fgraph.microsoft.com%2F.default&grant_type=client_credentials&client_assertion=eyJ4NXQiOiAibFZEbXhJb1crSnhFZ0NsMWNrRzhJM0lmWktnPVxuIiwgImFsZyI6ICJSUzI1NiJ9.eyJhdWQiOiAiaHR0cHM6Ly9sb2dpbi5taWNyb3NvZnRvbmxpbmUuY29tL2FhMzAwYWE2LTNlM2ItNDEwYS04OTQ4LWViM2EyZjM5N2IxOS9vYXV0aDIvdjIuMC90b2tlbiIsICJpc3MiOiAiYjY1ZjA1NTUtODBlNi00ZjdiLWFmMjMtMzQyYjNiNzA2ZTBmIiwgImp0aSI6ICI3YmYzZWNkNS00ZDU1LTRiZjEtODVmMC0wMmI3NjNhNmM0MzAiLCAiZXhwIjogMTY1MjQzMjk5NiwgIm5iZiI6IDE2NTI0MzIwOTYsICJzdWIiOiAiYjY1ZjA1NTUtODBlNi00ZjdiLWFmMjMtMzQyYjNiNzA2ZTBmIn0.bRu1tXNROypqfkx23RioqsZV6pMrvbAGY1GK3I3w55n7gtWerwtZtt24l-4MB9tZ1pBpF5xDfW5u14bQAPfDbC5SIsSzH3e2VDNJTs7nz-Z05Boj8EQNEwv83uz46g_jS3mK-toXMYpRItm7-GEVE3smndRjLi2_SsJePNWxzHMc9rw6rzrsoX8OST6IPmrDrug0NOBJ07p20vc3762RJmZ9ywEH9si1WjwdZ_ndwQkvh6r5sVVUswBpy2braW4RPVE42ZeMF-lfaZrK6YcSZROpr9i49ddkFyUWdVFPqzi-RLhjLTSu9Bv3-i6708mfkBApNeDE9yyemuBksdjaWg&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_id=b65f0555-80e6-4f7b-af23-342b3b706e0f

> response header: {
  "Content-Length": "1149", 
  "Expires": "-1", 
  "X-Content-Type-Options": "nosniff", 
  "Set-Cookie": "fpc=AorkXx8rQoJDjBGLAB6e0NhhmeRhAQAAAPgUENoOAAAA; expires=Sun, 12-Jun-2022 08:59:37 GMT; path=/; secure; HttpOnly; SameSite=None, x-ms-gateway-slice=estsfd; path=/; secure; samesite=none; httponly, stsservicecookie=estsfd; path=/; secure; samesite=none; httponly", 
  "x-ms-request-id": "e3f50c98-ad26-4d8e-840c-da9997c31000", 
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains", 
  "Date": "Fri, 13 May 2022 08:59:37 GMT", 
  "x-ms-ests-server": "2.1.12707.12 - NEULR2 ProdSlices", 
  "Pragma": "no-cache", 
  "Cache-Control": "no-store, no-cache", 
  "X-XSS-Protection": "0", 
  "P3P": "CP=\"DSP CUR OTPi IND OTRi ONL FIN\"", 
  "Content-Type": "application/json; charset=utf-8"
}

> response body: {
  "error_uri": "https://login.microsoftonline.com/error?code=700027", 
  "timestamp": "2022-05-13 08:59:37Z", 
  "trace_id": "e3f50c98-ad26-4d8e-840c-da9997c31000", 
  "correlation_id": "5f79be96-d305-4c80-a3b3-db032f447f53", 
  "error_description": "AADSTS700027: Client assertion contains an invalid signature. [Reason - The key used is expired., Thumbprint of key used by client: '9550E6C48A16F89C448029757241BC23721F64A8', Found key 'Start=05/05/2017 19:57:29, End=05/04/2022 19:57:29', Please visit the Azure Portal, Graph Explorer or directly use MS Graph to see configured keys for app Id 'b65f0555-80e6-4f7b-af23-342b3b706e0f'. Review the documentation at https://docs.microsoft.com/en-us/graph/deployments to determine the corresponding service endpoint and https://docs.microsoft.com/en-us/graph/api/application-get?view=graph-rest-1.0&tabs=http to build a query request URL, such as 'https://graph.microsoft.com/beta/applications/b65f0555-80e6-4f7b-af23-342b3b706e0f'].\r\nTrace ID: e3f50c98-ad26-4d8e-840c-da9997c31000\r\nCorrelation ID: 5f79be96-d305-4c80-a3b3-db032f447f53\r\nTimestamp: 2022-05-13 08:59:37Z", 
  "error": "invalid_client", 
  "error_codes": [
    700027
  ]
}


13.05.22 10:59:56.450  LISTENER    ( WARN    ) : handler: office365-user (failed)

[2]

13.05.22 17:03:16.726  LDAP        ( PROCESS ) : connecting to ldap://pdc.intern.izt.de:7389
13.05.22 17:03:16.736  LISTENER    ( PROCESS ) : updating 'uid=YYYYYYYYYYYYY,cn=users,dc=intern,dc=izt,dc=de' command m
13.05.22 17:03:16.738  LISTENER    ( ERROR   ) : o365(D): office365-user.handler:359  office365-user.handler() command: 'm' dn: 'uid=YYYYYYYYYYYYY,cn=users,dc=intern,dc=izt,dc=de'
13.05.22 17:03:16.739  LISTENER    ( ERROR   ) : o365(I): office365-user.handler:373  adconnection_alias_old=set([u'defaultADconnection']) adconnection_alias_new=set([u'defaultADconnection'])
UNIVENTION_DEBUG_BEGIN  : uldap.searchDn filter=(&(cn=*)(|(objectClass=univentionGroup)(objectClass=sambaGroupMapping))(uniqueMember=uid=YYYYYYYYYYYYY,cn=users,dc=intern,dc=izt,dc=de)) base= scope=sub unique=0 required=0
UNIVENTION_DEBUG_END    : uldap.searchDn filter=(&(cn=*)(|(objectClass=univentionGroup)(objectClass=sambaGroupMapping))(uniqueMember=uid=YYYYYYYYYYYYY,cn=users,dc=intern,dc=izt,dc=de)) base= scope=sub unique=0 required=0
UNIVENTION_DEBUG_BEGIN  : uldap.searchDn filter=(&(cn=*)(|(objectClass=posixGroup)(objectClass=sambaGroupMapping))(gidNumber=513)) base= scope=sub unique=0 required=0
UNIVENTION_DEBUG_END    : uldap.searchDn filter=(&(cn=*)(|(objectClass=posixGroup)(objectClass=sambaGroupMapping))(gidNumber=513)) base= scope=sub unique=0 required=0
13.05.22 17:03:16.742  LISTENER    ( ERROR   ) : o365(D): office365-user.handler:381  old was enabled.
13.05.22 17:03:16.742  LISTENER    ( ERROR   ) : o365(D): office365-user.handler:384  old Azure AD connection is enabled.
UNIVENTION_DEBUG_BEGIN  : uldap.searchDn filter=(&(cn=*)(|(objectClass=univentionGroup)(objectClass=sambaGroupMapping))(uniqueMember=uid=YYYYYYYYYYYYY,cn=users,dc=intern,dc=izt,dc=de)) base= scope=sub unique=0 required=0
UNIVENTION_DEBUG_END    : uldap.searchDn filter=(&(cn=*)(|(objectClass=univentionGroup)(objectClass=sambaGroupMapping))(uniqueMember=uid=YYYYYYYYYYYYY,cn=users,dc=intern,dc=izt,dc=de)) base= scope=sub unique=0 required=0
UNIVENTION_DEBUG_BEGIN  : uldap.searchDn filter=(&(cn=*)(|(objectClass=posixGroup)(objectClass=sambaGroupMapping))(gidNumber=513)) base= scope=sub unique=0 required=0
UNIVENTION_DEBUG_END    : uldap.searchDn filter=(&(cn=*)(|(objectClass=posixGroup)(objectClass=sambaGroupMapping))(gidNumber=513)) base= scope=sub unique=0 required=0
13.05.22 17:03:16.745  LISTENER    ( ERROR   ) : o365(D): office365-user.handler:390  new is enabled.
13.05.22 17:03:16.745  LISTENER    ( ERROR   ) : o365(D): office365-user.handler:393  new Azure AD connection is enabled.
13.05.22 17:03:16.745  LISTENER    ( ERROR   ) : o365(D): office365-user.handler:396  new_enabled=True old_enabled=True
13.05.22 17:03:16.745  LISTENER    ( ERROR   ) : o365(I): office365-user.handler:402  new_enabled and adconnection_alias_old=set([u'defaultADconnection']) and adconnection_alias_new=set([u'defaultADconnection']) -> MODIFY (DELETE old, CREATE new) (uid=YYYYYYYYYYYYY,cn=users,dc=intern,dc=izt,dc=de)
13.05.22 17:03:16.745  LISTENER    ( ERROR   ) : o365(I): office365-user.handler:404  DELETE (set([]) | uid=YYYYYYYYYYYYY,cn=users,dc=intern,dc=izt,dc=de)
13.05.22 17:03:16.745  LISTENER    ( ERROR   ) : o365(I): office365-user.handler:413  CREATE (set([]) | uid=YYYYYYYYYYYYY,cn=users,dc=intern,dc=izt,dc=de)
13.05.22 17:03:16.745  LISTENER    ( ERROR   ) : o365(I): office365-user.handler:474  old_enabled and new_enabled -> MODIFY (set([u'defaultADconnection']) | uid=YYYYYYYYYYYYY,cn=users,dc=intern,dc=izt,dc=de)
13.05.22 17:03:16.746  LISTENER    ( ERROR   ) : o365(D): listener.__init__:113  adconnection_alias=u'defaultADconnection'
13.05.22 17:03:16.751  LISTENER    ( ERROR   ) : o365(I): api_helper.get_http_proxies:42  proxy settings: {}
13.05.22 17:03:16.751  LISTENER    ( ERROR   ) : o365(I): graph._check_token_validity:169  The access token for `defaultADconnection` looks similar to: `eyJ0eXAiOi-trimmed-7o8HkHe8qg`. It is valid until 2022-05-03 17:55:54
13.05.22 17:03:16.787  LISTENER    ( ERROR   ) : o365(D): graph._call_graph_api:216  GraphAPI: POST https://login.microsoftonline.com/aa300aa6-3e3b-410a-8948-eb3a2f397b19/oauth2/v2.0/token
13.05.22 17:03:17.040  LISTENER    ( ERROR   ) : o365(I): graph._call_graph_api:252  status: 401 (FAIL) (POST https://login.microsoftonline.com/aa300aa6-3e3b-410a-8948-eb3a2f397b19/oauth2/v2.0/token)
13.05.22 17:03:17.047  LISTENER    ( ERROR   ) : o365(D): graph._call_graph_api:273  retries left: -1
Traceback (most recent call last):
  File "/usr/lib/univention-directory-listener/system/office365-user.py", line 476, in handler
    ol = Office365Listener(listener, name, _attrs, ldap_cred, dn, conn)
  File "/usr/lib/python2.7/dist-packages/univention/office365/listener.py", line 125, in __init__
    self.ah = Graph(self.ucr, name, self.adconnection_alias, logger=logger)
  File "/usr/lib/python2.7/dist-packages/univention/office365/api/graph.py", line 58, in __init__
    self.access_token_json = self._login(connection_alias)
  File "/usr/lib/python2.7/dist-packages/univention/office365/api/graph.py", line 131, in _login
    retry=0
  File "/usr/lib/python2.7/dist-packages/univention/office365/api/graph.py", line 279, in _call_graph_api
    raise self._generate_error_message(response, "Unable to (re-)login")
univention.office365.api.exceptions.GraphError: Unable to (re-)loginHTTP response status: 401
> request url: https://login.microsoftonline.com/aa300aa6-3e3b-410a-8948-eb3a2f397b19/oauth2/v2.0/token

> request header: {
  "Content-Length": "1023", 
  "Accept-Encoding": "gzip, deflate", 
  "Accept": "*/*", 
  "User-Agent": "Univention Microsoft 365 Connector", 
  "Connection": "keep-alive", 
  "Content-Type": "application/x-www-form-urlencoded"
}

> request body: scope=https%3A%2F%2Fgraph.microsoft.com%2F.default&grant_type=client_credentials&client_assertion=eyJ4NXQiOiAiT0czSDA2VG5QWWNxNUtUbWtWQUgvUDlEYmtjPVxuIiwgImFsZyI6ICJSUzI1NiJ9.eyJhdWQiOiAiaHR0cHM6Ly9sb2dpbi5taWNyb3NvZnRvbmxpbmUuY29tL2FhMzAwYWE2LTNlM2ItNDEwYS04OTQ4LWViM2EyZjM5N2IxOS9vYXV0aDIvdjIuMC90b2tlbiIsICJpc3MiOiAiYjY1ZjA1NTUtODBlNi00ZjdiLWFmMjMtMzQyYjNiNzA2ZTBmIiwgImp0aSI6ICIxZGExNjA4MS0zOTIzLTQ5NmMtODVmMy1jMzA4NmFlMTQ1M2UiLCAiZXhwIjogMTY1MjQ1NDc5NiwgIm5iZiI6IDE2NTI0NTM4OTYsICJzdWIiOiAiYjY1ZjA1NTUtODBlNi00ZjdiLWFmMjMtMzQyYjNiNzA2ZTBmIn0.Mb9ArWm2fZHdsQ4RvRkbd4sdnL8h-JRtwwJ1CzcDlY4FMysM3t3ZM20QrEUBgr8cC_wnNdyew3aKy4qPZGcvfwb2-ob_tlH2A056HviLXTPH77ull-TAy9yyGSS1geqyV0h8ISUy1kqRwBx_glug20_pOiTkK3Hf4qw0z7kifK8vGHNDaoHV4Df_BnyK5e0YMNdKCHghx4z7FzbuehyAEVcw4Ss4QE_HXrRrH7MSqB-huNqU93shHSLkxdEF3YoAV8iBQF9z-nO9Uu5FpG2lXLYFszb-9QW_MZoJ7u9h4gTYkXihMXmOUR2AC128uIs1wfsfBz5D4ptzpOWizFjWqw&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_id=b65f0555-80e6-4f7b-af23-342b3b706e0f

> response header: {
  "Content-Length": "1083", 
  "Expires": "-1", 
  "X-Content-Type-Options": "nosniff", 
  "Set-Cookie": "fpc=Ao7NgUy_VoBCuesYDbmYow5hmeRhAQAAACFqENoOAAAA; expires=Sun, 12-Jun-2022 15:02:57 GMT; path=/; secure; HttpOnly; SameSite=None, x-ms-gateway-slice=estsfd; path=/; secure; samesite=none; httponly, stsservicecookie=estsfd; path=/; secure; samesite=none; httponly", 
  "x-ms-request-id": "03d8e1f0-6e32-4f94-8ad1-216b0f7b1900", 
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains", 
  "Date": "Fri, 13 May 2022 15:02:57 GMT", 
  "x-ms-ests-server": "2.1.12707.12 - NEULR1 ProdSlices", 
  "Pragma": "no-cache", 
  "Cache-Control": "no-store, no-cache", 
  "X-XSS-Protection": "0", 
  "P3P": "CP=\"DSP CUR OTPi IND OTRi ONL FIN\"", 
  "Content-Type": "application/json; charset=utf-8"
}

> response body: {
  "error_uri": "https://login.microsoftonline.com/error?code=700027", 
  "timestamp": "2022-05-13 15:02:57Z", 
  "trace_id": "03d8e1f0-6e32-4f94-8ad1-216b0f7b1900", 
  "correlation_id": "e76dc181-f9a1-48c5-a7ca-b4c047abaf37", 
  "error_description": "AADSTS700027: Client assertion contains an invalid signature. [Reason - The key was not found., Thumbprint of key used by client: '386DC7D3A4E73D872AE4A4E6915007FCFF436E47', Please visit the Azure Portal, Graph Explorer or directly use MS Graph to see configured keys for app Id 'b65f0555-80e6-4f7b-af23-342b3b706e0f'. Review the documentation at https://docs.microsoft.com/en-us/graph/deployments to determine the corresponding service endpoint and https://docs.microsoft.com/en-us/graph/api/application-get?view=graph-rest-1.0&tabs=http to build a query request URL, such as 'https://graph.microsoft.com/beta/applications/b65f0555-80e6-4f7b-af23-342b3b706e0f'].\r\nTrace ID: 03d8e1f0-6e32-4f94-8ad1-216b0f7b1900\r\nCorrelation ID: e76dc181-f9a1-48c5-a7ca-b4c047abaf37\r\nTimestamp: 2022-05-13 15:02:57Z", 
  "error": "invalid_client", 
  "error_codes": [
    700027
  ]
}


13.05.22 17:03:17.049  LISTENER    ( WARN    ) : handler: office365-user (failed)
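Added example (not from this post and not part of Univention's Microsoft 365 connector): a small Python 3 script, standard library only, that reproduces the thumbprint arithmetic behind the AADSTS700027 messages in excerpts [1] and [2]. It computes the SHA-1 thumbprint of a PEM certificate the way the openssl | sed | xxd | base64 pipeline above does, decodes the x5t header claim of a client assertion as logged in the request bodies, and reports whether cert.pem, cert.fp and the key the connector actually signed with agree. The two JWT header segments are copied from the request bodies in excerpts [1] and [2]; the PEM in the sample is constructed placeholder bytes, not a real certificate, so only the arithmetic is exercised. Function names are my own.

```python
"""Check which key thumbprint an Azure AD client assertion really carries.

Added example for this thread; not part of the Univention Microsoft 365
connector. Standard library only.
"""
import base64
import binascii
import hashlib
import json

# Header segments of the client_assertion JWTs from the request bodies in
# log excerpts [1] and [2] above (payload and signature are not needed to
# read the x5t header claim).
HEADER_EXCERPT_1 = "eyJ4NXQiOiAibFZEbXhJb1crSnhFZ0NsMWNrRzhJM0lmWktnPVxuIiwgImFsZyI6ICJSUzI1NiJ9"
HEADER_EXCERPT_2 = "eyJ4NXQiOiAiT0czSDA2VG5QWWNxNUtUbWtWQUgvUDlEYmtjPVxuIiwgImFsZyI6ICJSUzI1NiJ9"

# Constructed placeholder: the body is base64("abc"), not a real certificate.
# A thumbprint is SHA-1 over the raw DER bytes, so the arithmetic is the same.
SAMPLE_CERT_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"


def b64decode_lenient(text):
    """Decode base64 in the standard or the URL-safe alphabet, tolerating
    missing padding and surrounding whitespace (cert.fp and the x5t claim
    in the log both end with a newline)."""
    text = text.strip().replace("-", "+").replace("_", "/")
    text += "=" * (-len(text) % 4)
    return base64.b64decode(text)


def pem_to_der(pem_text):
    """Return the DER bytes of the certificate in a PEM string."""
    body = []
    for line in pem_text.splitlines():
        line = line.strip()
        if line and not line.startswith("-----"):
            body.append(line)
    return base64.b64decode("".join(body))


def thumbprint_hex(der):
    """SHA-1 thumbprint in the form Azure AD prints it in AADSTS700027."""
    return hashlib.sha1(der).hexdigest().upper()


def cert_fp_value(der):
    """What the openssl|sed|xxd|base64 pipeline writes to cert.fp: the raw
    SHA-1 digest, standard-base64 encoded."""
    return base64.b64encode(hashlib.sha1(der).digest()).decode("ascii")


def x5t_thumbprint(assertion):
    """Hex thumbprint advertised in the x5t header claim of a client
    assertion (a full JWT or just its header segment)."""
    header_json = b64decode_lenient(assertion.split(".")[0]).decode("utf-8")
    header = json.loads(header_json)
    return binascii.hexlify(b64decode_lenient(header["x5t"])).decode("ascii").upper()


def diagnose(cert_pem, cert_fp_text, assertion):
    """Compare cert.pem, cert.fp and the key the connector actually signed
    with. A 'key used is expired' or 'key was not found' answer from Azure AD
    refers to the 'assertion' thumbprint, so that is the value to look up
    among the keys configured on the app registration."""
    der = pem_to_der(cert_pem)
    result = {
        "cert_pem": thumbprint_hex(der),
        "cert_fp": binascii.hexlify(b64decode_lenient(cert_fp_text)).decode("ascii").upper(),
        "assertion": x5t_thumbprint(assertion),
    }
    result["fp_matches_cert"] = result["cert_fp"] == result["cert_pem"]
    result["assertion_matches_cert"] = result["assertion"] == result["cert_pem"]
    return result


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_CERT_PEM)
    print("sample cert thumbprint :", thumbprint_hex(der))
    print("sample cert.fp value   :", cert_fp_value(der))
    print("key used in excerpt [1]:", x5t_thumbprint(HEADER_EXCERPT_1))
    print("key used in excerpt [2]:", x5t_thumbprint(HEADER_EXCERPT_2))
    print(diagnose(SAMPLE_CERT_PEM, cert_fp_value(der) + "\n", HEADER_EXCERPT_1))
```

Run against the real files, `diagnose(open("cert.pem").read(), open("cert.fp").read(), assertion_from_log)` tells you in one glance which of the three disagrees. Decoding the headers from the log shows that the assertion in [1] was signed with the expired key that Azure AD still knew (9550E6…), while the one in [2] carries the new thumbprint (386DC7…) that the app registration did not have yet, which is exactly what "The key was not found" reports; the files on the UCS side and the keys on the app registration have to be rotated together.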

We have now installed the new certificate, and it is also in Azure AD.

We now get a growing list of error messages of the form:

Error: user x.yyyyyyy is not correctly synced to Azure (missing univentionOffice365Data attribute)

The .json files under pdc:/etc/univention-office365/defaultADconnection still contain the old certificate.

How can the .json files be regenerated so that they contain the correct certificate?

Would it be an option to simply create an additional ADconnection?

Follow-up:

Because the UCS root certificate was about to expire, we had to renew it; we followed these guides:

After following the guides above, we still ended up with the following error:

error_description": "AADSTS700027: Client assertion contains an invalid signature. [Reason - The key was not found., Thumbprint of key used by client: '9550E6C48A16F89C448029757241BC23721F64A8', Please visit the Azure Portal, Graph Explorer or directly use MS Graph to see configured keys for app Id 'b65f0555-80e6-4f7b-af23-342b3b706e0f'. Review the documentation at https://docs.microsoft.com/en-us/graph/deployments to determine the corresponding service endpoint and https://docs.microsoft.com/en-us/graph/api/application-get?view=graph-rest-1.0&tabs=http to build a query request URL, such as 'https://graph.microsoft.com/beta/applications/b65f0555-80e6-4f7b-af23-342b3b706e0f'].\r\nTrace ID: 8aa6c0a0-f650-4030-8ea0-27cfa7a92d00\r\nCorrelation ID: 4754c740-01fb-4947-8eba-588c13a2524b\r\nTimestamp: 2022-05-23 04:25:39Z",

As a consequence, accounts could no longer be synced to MS365; the federated login to MS365 still worked, though.

Under /etc/univention-office365/defaultADconnection/, neither the certificate nor the *.json files (ids, manifest, tokens) had been updated.

Why is that the case?

We then copied the certificate (simplesamlphp) to /etc/univention-office365/defaultADconnection/, read its fingerprint via openssl and wrote that to /etc/univention-office365/defaultADconnection/cert.fp.

Then we got the following error messages:

Error:
23.05.22 06:25:40.816  LDAP        ( PROCESS ) : connecting to ldap://pdc.intern.xxx.de:7389
23.05.22 06:25:42.869  LISTENER    ( ERROR   ) : o365(D): azure_auth.is_initialized:408  adconnection_alias='defaultADconnection'
23.05.22 06:25:42.869  LISTENER    ( ERROR   ) : o365(D): azure_auth.is_initialized:408  adconnection_alias='xxxADconnection'
23.05.22 06:25:42.872  LISTENER    ( ERROR   ) : o365(I): office365-user.<module>:136  Found AD connections in UCR: {'defaultADconnection': 'aa300aa6-3e3b-410a-8948-eb3a2f397b19', 'xxxADconnection': 'uninitialized'}
23.05.22 06:25:42.872  LISTENER    ( ERROR   ) : o365(I): office365-user.<module>:137  Found initialized AD connections: set(['defaultADconnection'])
23.05.22 06:25:42.872  LISTENER    ( ERROR   ) : o365(I): office365-user.<module>:144  office 365 user listener active with filter='(&(objectClass=posixAccount)(objectClass=univentionOffice365)(uid=*))'
23.05.22 06:25:42.873  LISTENER    ( ERROR   ) : o365(I): office365-user.<module>:164  listener observing attributes: ['displayName', 'employeeType', 'givenName', 'l', 'mail', 'mailAlternativeAddress', 'mailPrimaryAddress', 'mobile', 'postalCode', 'sn', 'st', 'street', 'telephoneNumber']
23.05.22 06:25:42.873  LISTENER    ( ERROR   ) : o365(I): office365-user.<module>:165  listener is also observing: ['krb5KDCFlags', 'krb5PasswordEnd', 'krb5ValidEnd', 'passwordexpiry', 'sambaAcctFlags', 'sambaKickoffTime', 'shadowExpire', 'shadowLastChange', 'shadowMax', 'univentionMicrosoft365Team', 'univentionOffice365ADConnectionAlias', 'univentionOffice365Enabled', 'userPassword', 'userexpiry']
23.05.22 06:25:42.873  LISTENER    ( ERROR   ) : o365(I): office365-user.<module>:166  attributes mapping UCS->AAD: {'telephoneNumber': 'telephoneNumber', 'employeeType': 'jobTitle', 'mailPrimaryAddress': 'otherMails', 'mobile': 'mobile', 'roomNumber': 'physicalDeliveryOfficeName', 'l': 'city', 'st': 'usageLocation', 'mailAlternativeAddress': 'otherMails', 'street': 'streetAddress', 'sn': 'surname', 'postalCode': 'postalCode', 'mail': 'otherMails', 'givenName': 'givenName', 'displayName': 'displayName'}
23.05.22 06:25:42.873  LISTENER    ( ERROR   ) : o365(I): office365-user.<module>:167  attributes to sync anonymized: []
23.05.22 06:25:42.873  LISTENER    ( ERROR   ) : o365(I): office365-user.<module>:168  attributes to never sync: []
23.05.22 06:25:42.873  LISTENER    ( ERROR   ) : o365(I): office365-user.<module>:169  attributes to statically set in AAD: {}
23.05.22 06:25:42.873  LISTENER    ( ERROR   ) : o365(I): office365-user.<module>:170  attributes to sync: ['displayName', 'employeeType', 'givenName', 'l', 'mail', 'mailAlternativeAddress', 'mailPrimaryAddress', 'mobile', 'postalCode', 'sn', 'st', 'street', 'telephoneNumber']
23.05.22 06:25:42.873  LISTENER    ( ERROR   ) : o365(I): office365-user.<module>:171  attributes to sync from multiple sources: {'otherMails': ['mailPrimaryAddress', 'mailAlternativeAddress', 'mail']}
23.05.22 06:25:42.873  LISTENER    ( ERROR   ) : o365(I): api_helper.get_http_proxies:42  proxy settings: {}
23.05.22 06:25:43.035  LISTENER    ( ERROR   ) : o365(D): azure_auth.is_initialized:408  adconnection_alias='defaultADconnection'
23.05.22 06:25:43.035  LISTENER    ( ERROR   ) : o365(D): azure_auth.is_initialized:408  adconnection_alias='xxxADconnection'
23.05.22 06:25:43.036  LISTENER    ( ERROR   ) : o365(I): office365-group.<module>:49  Found adconnections in UCR: {'defaultADconnection': 'aa300aa6-3e3b-410a-8948-eb3a2f397b19', 'xxxADconnection': 'uninitialized'}
23.05.22 06:25:43.036  LISTENER    ( ERROR   ) : o365(I): office365-group.<module>:50  Found initialized adconnections: ['defaultADconnection']
23.05.22 06:25:43.036  LISTENER    ( ERROR   ) : o365(I): office365-group.<module>:60  office 365 group listener active with filter='(&(objectClass=posixGroup))'
23.05.22 06:25:43.036  LISTENER    ( ERROR   ) : o365(D): listener.__init__:113  adconnection_alias='defaultADconnection'
23.05.22 06:25:43.040  LISTENER    ( ERROR   ) : o365(I): api_helper.get_http_proxies:42  proxy settings: {}
23.05.22 06:25:43.044  LISTENER    ( ERROR   ) : o365(I): graph._check_token_validity:169  The access token for `defaultADconnection` looks similar to: `eyJ0eXAiOi-trimmed-7o8HkHe8qg`. It is valid until 2022-05-03 17:55:54
23.05.22 06:25:43.076  LISTENER    ( ERROR   ) : o365(D): graph._call_graph_api:216  GraphAPI: POST https://login.microsoftonline.com/aa300aa6-3e3b-410a-8948-eb3a2f397b19/oauth2/v2.0/token
23.05.22 06:25:43.379  LISTENER    ( ERROR   ) : o365(I): graph._call_graph_api:252  status: 401 (FAIL) (POST https://login.microsoftonline.com/aa300aa6-3e3b-410a-8948-eb3a2f397b19/oauth2/v2.0/token)
23.05.22 06:25:43.379  LISTENER    ( ERROR   ) : o365(D): graph._call_graph_api:273  retries left: -1
23.05.22 06:25:43.380  LISTENER    ( ERROR   ) : import of filename=/usr/lib/univention-directory-listener/system/office365-group.py failed
Traceback (most recent call last):
  File "/usr/lib/univention-directory-listener/system/office365-group.py", line 88, in <module>
    ol = Office365Listener(listener, name, dict(listener=attributes_copy), ldap_cred, None, conn)
  File "/usr/lib/python2.7/dist-packages/univention/office365/listener.py", line 125, in __init__
    self.ah = Graph(self.ucr, name, self.adconnection_alias, logger=logger)
  File "/usr/lib/python2.7/dist-packages/univention/office365/api/graph.py", line 58, in __init__
    self.access_token_json = self._login(connection_alias)
  File "/usr/lib/python2.7/dist-packages/univention/office365/api/graph.py", line 131, in _login
    retry=0
  File "/usr/lib/python2.7/dist-packages/univention/office365/api/graph.py", line 279, in _call_graph_api
    raise self._generate_error_message(response, "Unable to (re-)login")
univention.office365.api.exceptions.GraphError: Unable to (re-)loginHTTP response status: 401
> request url: https://login.microsoftonline.com/aa300aa6-3e3b-410a-8948-eb3a2f397b19/oauth2/v2.0/token

In our distress we then set up a new, additional ADconnection:

manage_adconnections:
/usr/share/univention-office365/scripts/manage_adconnections create neueverbindung

Then we completely re-installed the Office 365 connector from the UMC web interface with the help of the setup wizard. We did not re-install simplesamlphp, though, because that part was still working.

Syncing users still did not work (same error message).

Then we copied the *.json files from /etc/univention-office365/neueverbindung to /etc/univention-office365/defaultADconnection and ran /etc/init.d/univention-directory-listener restart.

The Office 365 connector now syncs accounts to MS365 again, but we still get this error message:

24.05.22 14:49:12.082  LISTENER    ( ERROR   ) : o365(I): office365-user.new_or_reactivate_user:267  User creation success. userPrincipalName: u'n.test@xxx.de' objectId: u'36d33686-e321-49d2-9f90-a133b6dde570' dn: uid=X.XXXXXXXX,cn=users,dc=intern,dc=xxx,dc=de adconnection: defaultADconnection
24.05.22 14:49:12.082  LISTENER    ( ERROR   ) : o365(I): office365-user.new_or_reactivate_user:272  Need to add user to group cn=Domain Users,cn=groups,dc=intern,dc=xxx,dc=de.
UNIVENTION_DEBUG_BEGIN  : uldap.searchDn filter=(&(objectClass=posixGroup)(uniqueMember=cn=Domain Users,cn=groups,dc=intern,dc=xxx,dc=de)) base= scope=sub unique=0 required=0
UNIVENTION_DEBUG_END    : uldap.searchDn filter=(&(objectClass=posixGroup)(uniqueMember=cn=Domain Users,cn=groups,dc=intern,dc=xxx,dc=de)) base= scope=sub unique=0 required=0
24.05.22 14:49:12.084  LISTENER    ( ERROR   ) : o365(I): office365-user.new_or_reactivate_user:276  Need to create azure group cn=Domain Users,cn=groups,dc=intern,dc=xxx,dc=de for defaultADconnection first.

The group Domain Users has existed in Azure AD since 1/13/2020, 4:46:57 PM.

Questions:

  • Why were the *.json files in /etc/univention-office365/defaultADconnection not renewed?

  • How can these *.json files be renewed without creating a new ADconnection?

I would be grateful for answers to these questions. Any help appreciated.

Gregor