MS 365 Authentication with Office 365 Gov High

Notes:

Currently my organization has both a commercial and GovCloud High security deployment of Microsoft 365. We are migrating entirely to the Gov High environment and I am trying to get Zammad MS 365 authentication to work with these accounts. I am able to authenticate via Commercial Office 365, but not Gov High.

I am expecting that the easiest solution might be to edit the Zammad source files to change the authentication URL to .us.
Any advice or info on where this authentication URL is stored in installation files, or other advice is greatly appreciated!

Infos:

  • Used Zammad version: 5.1.x
  • Used Zammad installation type: Package
  • Operating system: Amazon Linux 2 AMI [Similar to CentOS]
  • Browser + version: Edge 100.0.1185.44, Firefox 99.0.1

Expected behavior:

  • Enable Authentication via Microsoft within Admin Security Settings
  • Click Sign In Using Microsoft or add Linked Account under Profile > Linked Accounts
  • Enter Microsoft Sign-In Details
  • Successfully authenticate via Microsoft

Actual behavior:

  • Click sign-in or add linked accounts
  • Sign in prompt comes up
  • Enter Credentials
  • Consent to permissions on behalf of my organization
  • Get the following error: 422: The change you wanted was rejected.
    invalid_credentials
  • Note: Behavior works as expected when I register the app and sign in using Commercial Office365 account.

Steps to reproduce the behavior:

  • Following this guide: Microsoft — Zammad documentation
  • Create new App Registration within Azure Active Directory Gov High Portal
  • Select Accounts in this organizational directory only (Single Tenant) for support account types
  • Enter Callback/Redirect URL provided by Zammad
  • Add required API permissions (openid, User.Read, Contacts.Read)
  • Create a new client secret
  • Within Zammad, Settings > Security > Third-Party Applications
  • Enable Authentication via Microsoft
  • Enter App ID, Tenant ID, and Client Secret into Zammad and Submit
  • Attempt to authenticate via Microsoft and receive error.
  • The error persists when trying to Link Accounts and when “Automatic account link on initial logon” is enabled, both of which work with Commercial Office 365.

Production Log when trying to authenticate: {replaced FQDN with zammad.example}

I, [2022-04-21T21:33:14.692038 #1905-182380]  INFO -- : Started POST "/auth/microsoft_office365" for 192.168.111.43 at 2022-04-21 21:33:14 +0000
I, [2022-04-21T21:33:14.697658 #1905-182380]  INFO -- : (microsoft_office365) Request phase initiated.
I, [2022-04-21T21:33:15.782841 #1905-296400]  INFO -- : Started GET "/auth/microsoft_office365/callback?code=[FILTERED]&state=bd5eab23394f824d09dacffdba2337d94aa06b985198dd51" for 192.168.111.43 at 2022-04-21 21:33:15 +0000
I, [2022-04-21T21:33:15.790682 #1905-296400]  INFO -- : (microsoft_office365) Callback phase initiated.
E, [2022-04-21T21:33:16.184642 #1905-296400] ERROR -- : (microsoft_office365) Authentication failure! invalid_credentials: OAuth2::Error, invalid_request: AADSTS900432: Confidential Client is not supported in Cross Cloud request.
Trace ID: ce6518ac-76e6-4e49-bea1-8a4fe90d5200
Correlation ID: 59fd1808-8114-4978-b187-aac9c3023e01
Timestamp: 2022-04-21 21:33:16Z
{"error":"invalid_request","error_description":"AADSTS900432: Confidential Client is not supported in Cross Cloud request.\r\nTrace ID: ce6518ac-76e6-4e49-bea1-8a4fe90d5200\r\nCorrelation ID: 59fd1808-8114-4978-b187-aac9c3023e01\r\nTimestamp: 2022-04-21 21:33:16Z","error_codes":[900432],"timestamp":"2022-04-21 21:33:16Z","trace_id":"ce6518ac-76e6-4e49-bea1-8a4fe90d5200","correlation_id":"59fd1808-8114-4978-b187-aac9c3023e01"}
I, [2022-04-21T21:33:16.234536 #1905-296400]  INFO -- : Started GET "/auth/failure?message=invalid_credentials&origin=https%3A%2F%2Fzammad.example.com%2F&strategy=microsoft_office365" for 192.168.111.43 at 2022-04-21 21:33:16 +0000
I, [2022-04-21T21:33:16.240555 #1905-296400]  INFO -- : Processing by SessionsController#failure_omniauth as HTML
I, [2022-04-21T21:33:16.240698 #1905-296400]  INFO -- :   Parameters: {"message"=>"invalid_credentials", "origin"=>"zammad.example.com/", "strategy"=>"microsoft_office365"}

  • I believe the “Confidential Client is not supported in Cross Cloud request” message is the key, where it is trying to authenticate an Azure AD Gov High .us app and login using the Azure AD Commercial .com sign-in URL.

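The diagnosis in the post, that a registration created in the .us portal is being sent through the .com sign-in host, can be checked in configuration and recognised in the token error body. The Ruby below is an added example written for this thread, not Zammad's code and not the OmniAuth strategy it ships with; the endpoint hosts are the ones Microsoft documents for its commercial and US Government clouds, the tenant and app IDs are placeholders, and the redirect URI, scopes and sample error body are taken from this post. It builds the authorize URL for a chosen cloud, flags a configured login host that does not belong to the registration's cloud, and maps the AADSTS code in the JSON error to a label a log-monitoring rule can alert on.

```ruby
require "uri"
require "json"
require "securerandom"

# Azure AD (Microsoft identity platform) hosts per national cloud, as published in
# Microsoft's national-cloud documentation. The strategy Zammad ships with talks to
# the commercial host; a GCC High / US Government registration lives in .us.
AZURE_CLOUDS = {
  commercial: { login: "login.microsoftonline.com", graph: "graph.microsoft.com" },
  us_gov:     { login: "login.microsoftonline.us",  graph: "graph.microsoft.us" }
}.freeze

# Settings for one app registration. `cloud` is the portal the registration was
# created in; a .us registration used against the .com login host is exactly the
# "Cross Cloud request" the log above reports.
OAuthConfig = Struct.new(:cloud, :tenant_id, :client_id, :redirect_uri, keyword_init: true) do
  def login_host
    AZURE_CLOUDS.fetch(cloud).fetch(:login)
  end

  def graph_host
    AZURE_CLOUDS.fetch(cloud).fetch(:graph)
  end

  # Single-tenant v2.0 endpoints (the post selects "Single Tenant" in the portal).
  def authorize_endpoint
    "https://#{login_host}/#{tenant_id}/oauth2/v2.0/authorize"
  end

  def token_endpoint
    "https://#{login_host}/#{tenant_id}/oauth2/v2.0/token"
  end
end

# Build the authorization-code request URL the user's browser is sent to.
# `state` is the anti-CSRF value the callback must echo back (the state=... query
# parameter visible in the callback line of the log above). Scopes are the
# permissions listed in the post; treat them as an assumption for your tenant.
def authorize_url(config, scope: "openid User.Read Contacts.Read", state: SecureRandom.hex(24))
  params = {
    "client_id"     => config.client_id,
    "response_type" => "code",
    "redirect_uri"  => config.redirect_uri,
    "response_mode" => "query",
    "scope"         => scope,
    "state"         => state
  }
  "#{config.authorize_endpoint}?#{URI.encode_www_form(params)}"
end

# Configuration check to run before users hit the error: the login host the
# strategy is actually configured with must belong to the registration's cloud.
# Returns nil when consistent, otherwise a message for the admin or the log.
def cross_cloud_mismatch(config, configured_login_host)
  expected = config.login_host
  return nil if configured_login_host == expected

  "app registered in #{config.cloud} cloud but strategy uses #{configured_login_host} (expected #{expected})"
end

# Parse the JSON body Azure AD returns when the code exchange fails and map the
# AADSTS code to a label a monitoring rule can alert on. 900432 is the code in
# the log above; any other code is surfaced as :aadsts_<n> rather than dropped.
def classify_token_error(body)
  data = JSON.parse(body)
  code = Array(data["error_codes"]).first
  code ||= data["error_description"].to_s[/AADSTS(\d+)/, 1]&.to_i
  return :unparsed if code.nil?

  code == 900432 ? :cross_cloud_request : :"aadsts_#{code}"
end

# Error body copied from the production log in the post above (trace and
# correlation IDs are the ones the poster published).
SAMPLE_ERROR_BODY = '{"error":"invalid_request","error_description":"AADSTS900432: Confidential Client is not supported in Cross Cloud request.\r\nTrace ID: ce6518ac-76e6-4e49-bea1-8a4fe90d5200\r\nCorrelation ID: 59fd1808-8114-4978-b187-aac9c3023e01\r\nTimestamp: 2022-04-21 21:33:16Z","error_codes":[900432],"timestamp":"2022-04-21 21:33:16Z","trace_id":"ce6518ac-76e6-4e49-bea1-8a4fe90d5200","correlation_id":"59fd1808-8114-4978-b187-aac9c3023e01"}'

if __FILE__ == $PROGRAM_NAME
  # Placeholder IDs: substitute the App ID and Tenant ID from the .us portal.
  gov = OAuthConfig.new(cloud: :us_gov, tenant_id: "TENANT-ID-PLACEHOLDER",
                        client_id: "APP-ID-PLACEHOLDER",
                        redirect_uri: "https://zammad.example.com/auth/microsoft_office365/callback")
  puts authorize_url(gov)
  puts cross_cloud_mismatch(gov, "login.microsoftonline.com") # the situation in the post
  puts classify_token_error(SAMPLE_ERROR_BODY)                # cross_cloud_request
end
```

Where the real strategy keeps its login host (a gem default or a Zammad initializer) is not shown on this page; the mismatch check applies to whichever value is actually in use, and the error classifier works on the body as it appears in the production log.
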
Our documentation states the requirements we do have:
https://admin-docs.zammad.org/en/latest/channels/microsoft365/index.html

Whatever GovHigh is, if it’s similar to admin consent it’s not supported.
