Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

EWS: "The remote server returned error (401) Unauthorized"

I'm trying to find a single item fronm all items in the current context, but I seem to constantly get this error message:

The request failed. The remote server returned an error: (401) Unauthorized.

First, I set everything up to access the exchange service:

var signInUserId = ClaimsPrincipal.Current.FindFirst(ClaimTypes.NameIdentifier).Value;
var userObjectId = ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value;

AuthenticationResult authenticationResult = null;
AuthenticationContext authenticationContext = new AuthenticationContext(
            SettingsHelper.Authority, new model.ADALTokenCache(signInUserId));

authenticationResult = authenticationContext.AcquireToken(
            SettingsHelper.ServerName, 
            new ClientCredential(SettingsHelper.ClientId, SettingsHelper.ClientSecret));

ExchangeService exchange = new ExchangeService(ExchangeVersion.Exchange2013);
exchange.Url = new Uri(SettingsHelper.ServerName + "ews/exchange.asmx");
exchange.TraceEnabled = true;
exchange.TraceFlags = TraceFlags.All;
exchange.Credentials = new OAuthCredentials(authenticationResult.AccessToken);

And then I define what Item I want to receive (by ID):

ItemView view = new ItemView(5);
view.PropertySet = new PropertySet(BasePropertySet.IdOnly);

var tempId = id.Replace('-', '/').Replace('_', '+');
SearchFilter.IsEqualTo searchid = new SearchFilter.IsEqualTo(ItemSchema.Id, tempId);

And last but not least, I try to search for this item, within my items:

FindItemsResults<Microsoft.Exchange.WebServices.Data.Item> results = exchange.FindItems(WellKnownFolderName.Inbox, searchid, view);

And this is where my error happens. I've tried various other ways of doing this, but no matter what I do, I get unauthorized.

Could someone maybe guide me in the correct way, in order to solve this issue?

EDIT

I do receive the access token from the:

authenticationResult = authenticationContext.AcquireToken(
            SettingsHelper.ServerName, 
            new ClientCredential(SettingsHelper.ClientId, SettingsHelper.ClientSecret));

as I can see by debugging the code.

enter image description here

No refresh token is present though, and I don't know if this has something to say?

EDIT

I just managed to debug all my way into the exchange.ResponseHeaders in where I saw this:

The access token is acquired using an authentication method that is too weak to allow access for this application. Presented auth strength was 1, required is 2

I decoded the JWT, as this is my result:

{
  typ: "JWT",
  alg: "RS256",
  x5t: "MnC_VZcATfM5pOYiJHMba9goEKY",
  kid: "MnC_VZcATfM5pOYiJHMba9goEKY"
}.
{
  aud: "https://outlook.office365.com/",
  iss: "https://sts.windows.net/d35f5b06-f051-458d-92cc-2b8096b4b78b/",
  iat: 1445416753,
  nbf: 1445416753,
  exp: 1445420653,
  ver: "1.0",
  tid: "d35f5b06-f051-458d-92cc-2b8096b4b78b",
  oid: "c5da9088-987d-463f-a730-2706f23f3cc6",
  sub: "c5da9088-987d-463f-a730-2706f23f3cc6",
  idp: "https://sts.windows.net/d35f5b06-f051-458d-92cc-2b8096b4b78b/",
  appid: "70af108f-5c8c-4ee4-a40f-ab0b6f5922e0",
  appidacr: "1"
}.
[signature]

Where to go from here?

like image 591
Detilium Avatar asked Oct 19 '15 07:10

Detilium


1 Answers

I already got this error while using EWS in the past "The access token is acquired using an authentication method that is too weak to allow access for this application. Presented auth strength was 1, required is 2"

What you need to do is to enforce your authentication with a certificate.

AuthenticationContext authContext = new AuthenticationContext(authority);

exchangeService.Credentials = new OAuthCredentials(authContext.AcquireToken("https://outlook.office365.com", new ClientAssertionCertificate(ConfigurationManager.AppSettings["ida:ClientId"], certificate)).AccessToken);

The key part is to define a new ClientAssertionCertificate as you ClientAssertion.

You will also have to modify the manifest of your Azure Active Directory Application.

Looks at this reference (the part about "Configuring a X.509 public cert for your application") : https://msdn.microsoft.com/en-us/office/office365/howto/building-service-apps-in-office-365

like image 171
Trysior Avatar answered Oct 20 '22 21:10

Trysior