Microsoft 365 Channel Error 500: An unknown error occurred

derForest · December 19, 2024, 11:27am

Infos:

Used Zammad version: 6.4.1-1734476180.a187f3a5.bookworm
Used Zammad installation type: package
Operating system: Debian 6.1.119-1 (2024-11-22) x86_64 GNU/Linux
Browser + version: Microsoft Edge Version 131.0.2903.99 / Firefox 133.0.3

Expected behavior:

working M365 Channel

Actual behavior:

500: An unknown error occurred.

Steps to reproduce the behavior:

add account like described in Accounts — Zammad Admin Documentation documentation
Different Accounts tested, same behavior

All IDs and Secrets have been checked multiple times.
No hints for root cause found in logs

derForest · January 2, 2025, 1:22pm

I’ve checked in entra and it say my user has succesfully logged in on m365. So from my understanding it must be something on way back from MS to my Zammad installation

i’m really stuck here and would be grateful for any tips

dominikklein · January 6, 2025, 7:48am

It is difficult to say without any information related to the configuration permissions and so on.

YetAnotherGerrit · January 6, 2025, 2:45pm

Have you checked the production.log? The error should be in there as well, propably with a more detailed error message.

derForest · January 6, 2025, 2:58pm

Yes, I agree. It’s still an almost fresh installation followed by setup guideline.
Do you have a specific configuration in mind that would be helpful to share?

Modifications I’ve done:

ldap integration for the users,
adapted the apache config to use https
provide a ssl cert to apache2.
changed the Zammad http-mode to https.

For M365 channel I’ve done the app config in alignment of M365 (Client-Id, client-secret, uuid-name and callback-url.
If I try to add an account (exclusive m365 account for zammad) I get the error 500 after entering the password. If I look to the logon-log in m365 it says logon successfull.

The Online Dokumentation pointed on “Wrong or Expired Client Secret” but that has been checked multiple times now and also renewed. And even as M365 says logon successfull I couldn’t belive in that reason.

MrGeneration · January 6, 2025, 3:08pm

See Gerrits comment:

derForest · January 6, 2025, 3:12pm

Here whats in production log (a bit filltered and anonymized)

I, [2025-01-06T15:03:56.007341#521-184080] INFO – : Started GET “/api/v1/external_credentials/microsoft365/link_account” for XXX.XXX.XXX.XXX at 2025-01-06 15:03:56 +0100
I, [2025-01-06T15:03:56.014968#521-184080] INFO – : Processing by ExternalCredentialsController#link_account as HTML
I, [2025-01-06T15:03:56.015032#521-184080] INFO – : Parameters: {“provider”=>“microsoft365”}
I, [2025-01-06T15:03:56.028984#521-184080] INFO – : Redirected to Sign in to your account
I, [2025-01-06T15:03:56.030638#521-184080] INFO – : Completed 302 Found in 15ms (ActiveRecord: 3.7ms | Allocations: 5439)
I, [2025-01-06T15:04:04.599020#525-183640] INFO – : ProcessScheduledJobs running…
[…]
I, [2025-01-06T15:04:35.511021#521-184220] INFO – : Started GET “/api/v1/external_credentials/microsoft365/callback?code=[FILTERED]&session_state=b396e8d2-04f6-4384-8c42-9236574dbd7f” for XXX.XXX.XXX.XXX at 2025-01-06 15:04:35 +0100
I, [2025-01-06T15:04:35.519915#521-184220] INFO – : Processing by ExternalCredentialsController#callback as HTML
I, [2025-01-06T15:04:35.519980#521-184220] INFO – : Parameters: {“code”=>“[FILTERED]”, “session_state”=>“b396e8d2-04f6-4384-8c42-9236574dbd7f”, “provider”=>“microsoft365”}
E, [2025-01-06T15:04:35.536512#521-184220] ERROR – : Request failed! (code: 0)
E, [2025-01-06T15:04:35.536843#521-184220] ERROR – : Request failed! (code: 0) (RuntimeError)
I, [2025-01-06T15:04:35.555377#521-184220] INFO – : Completed 500 Internal Server Error in 35ms (Views: 1.4ms | ActiveRecord: 5.1ms | Allocations: 6913)

Maybe you see the reason of the error?

MrGeneration · January 6, 2025, 4:18pm

Zammad cannot reach Microsoft.

derForest · January 6, 2025, 4:42pm

yeah, but that confused me a bit.
If I do a curl fom linux to https://login.microsoftonline.com/… (copied the link from Add account) I got a response.

> <!-- Copyright (C) Microsoft Corporation. All rights reserved. -->
> <!DOCTYPE html>
> <html dir="ltr" class="" lang="en">
> <head>
>     <title>Sign in to your account</title>
>     <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
>     <meta http-equiv="X-UA-Compatible" content="IE=edge">
>     <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=2.0, user-scalable=yes">
>     <meta http-equiv="Pragma" content="no-cache">
>     <meta http-equiv="Expires" content="-1">
>     <link rel="preconnect" href="https://aadcdn.msauth.net" crossorigin>
> <meta http-equiv="x-dns-prefetch-control" content="on">
> <link rel="dns-prefetch" href="//aadcdn.msauth.net">
> <link rel="dns-prefetch" href="//aadcdn.msftauth.net">
> 
>     <meta name="PageID" content="ConvergedSignIn" />
>     <meta name="SiteID" content="" />
>     <meta name="ReqLC" content="1033" />
>     <meta name="LocLC" content="en-US" />
> 
>         <meta name="referrer" content="origin" />
> 
>         <meta name="format-detection" content="telephone=no" />
> 
>     <noscript>
>         <meta http-equiv="Refresh" content="0; URL=https://login.microsoftonline.com/jsdisabled" />
>     </noscript>
> 
> 
> 
> <meta name="robots" content="none" />
> [...]

So from that point I would say the Server it self can reach microsoft.
Do you agree?

MrGeneration · January 6, 2025, 4:45pm

Proxy, IPv4 vs v6 is the magic word here. Applications might “shuffle”.
It’s an issue on your environment and not Zammad specific (technically).

derForest · January 15, 2025, 3:31pm

I’ve disabled IPv6 on my Server now

ens18: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.XX.XX.XX  netmask 255.255.255.0  broadcast 10.XX.XX.XX
        ether bc:24:11:5d:c4:49  txqueuelen 1000  (Ethernet)
        RX packets 73583  bytes 50978201 (48.6 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 35150  bytes 12993046 (12.3 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 2116  bytes 5733227 (5.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2116  bytes 5733227 (5.4 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

and now my production log has some extra lines printed

 [2025-01-15T11:54:08.061316#530-183900]  INFO -- :   Parameters: {"code"=>"[FILTERED]", "session_state"=>"b396e8d2-04f6-4384-8c42-9236574dbd7f", "provider"=>"microsoft365"}
E, [2025-01-15T11:54:08.076215#530-183900] ERROR -- : Request failed! (code: 0)
E, [2025-01-15T11:54:08.076566#530-183900] ERROR -- : Request failed! (code: 0) (RuntimeError)
lib/external_credential/microsoft365.rb:209:in `authorize_tokens'
lib/external_credential/microsoft365.rb:46:in `link_account'
app/models/external_credential.rb:21:in `link_account'
app/controllers/external_credentials_controller.rb:43:in `callback'
app/controllers/application_controller/has_download.rb:17:in `block (4 levels) in <module:HasDownload>'
app/controllers/application_controller/has_download.rb:16:in `block (3 levels) in <module:HasDownload>'
app/controllers/application_controller/has_download.rb:15:in `block (2 levels) in <module:HasDownload>'
app/controllers/application_controller/handles_transitions.rb:16:in `handle_transaction'
I, [2025-01-15T11:54:08.079579#530-183900]  INFO -- : Completed 500 Internal Server Error in 18ms (Views: 1.3ms | ActiveRecord: 3.2ms | Allocations: 6676)

Thanks @MrGeneration for your proxy tip, it really seems to have IPv6 issues.

derForest · January 22, 2025, 4:01pm

Hello!

I was able to solve the Proxy issue - no forwardproxy in use anymore. And my HAPROXY seems to handle the request ok.
But I still get the error 500.

If it try to check the authentication to MS via curl after trying via browser it seems to work

curl -X POST "https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token" \
  -d "client_id=MY_CLIENT_ID" \
  -d "client_secret=MY_CLIENT_SECRET" \
  -d "grant_type=authorization_code" \
  -d "code=CODE_FROM_LOG_OR_BROWSER" \
  -d "redirect_uri=MY_REDIRECT_URL"

Output:

{"token_type":"Bearer","scope":"https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/SMTP.Send https://outlook.office.com/User.Read","expires_in":3939,"ext_expires_in":3939,"access_token":"eyJ0eXAiOiJKV1QiLCJub25jZSI6IktnNTZaTm5mME01MVNpdkdtbGRJWWZGZV ....

Any more tipps?
ChatGPT suggested to check the m365 settings via rails with Setting.get(‘microsoft365’) but the result is nil. Should this work and return the values I see in web GUI?

derForest · February 24, 2025, 8:10am

Hello!

It seems that something was messed up in my installation/database.
I reinstalled Zammad and now it works.

system · March 3, 2025, 8:11am

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.