dennis_reinhardt
Active participant

O365 token generation -"interaction_required" error

Hi community,

I want to connect O365 (FNMS 2019 R2) to a customer and get the following error: "interaction_required". After starting the "Generate token" function the O365 login window opens and I enter the email. The next step should be the login at the company-AD/password entry. At this point the window closes and the error message appears. The necessary URLs are all unlocked at the proxy and a connection test via IE works.


 

With reference to a ticket (#01952377), I also tried this solution, but still the same error: PS script and IE closed after entering the email and move on to the next step.

 

 

 

The alternate approach is to generate the token on a separate machine using PowerShell and then save it on the beacon. This should work because once the beacon has the RefreshToken it will not be redirected to the custom authentication site. I've attached a zip file logic.zip which contains the PowerShell script logic.ps1. Here are the steps to generate the token from a machine which has access to the O365 and the authentication site:

# Copy the Logic.ps1 in Downloads folder. (logic.ps1 is attached to the case)

# Open an Administrator PowerShell window and navigate to Downloads folder.

# Execute the following commands:

# Load the script (Dot source the powershell script)

. .\Logic.ps1

# Launch the browser to login and generate refresh token

$res = Get-RefreshToken -AuthorizationEndpoint 'https://login.microsoftonline.com/common/oauth2/v2.0/authorize' -TokenEndpoint 'https://login.microsoftonline.com/common/oauth2/v2.0/token' -ClientID '5bb1a5a2-0d97-4335-9448-119f7b27aff9' -RedirectUrl 'https://login.microsoftonline.com/common/oauth2/nativeclient'

# After successfully logging into the browser and consenting to permissions, the browser window closes

# Now get the returned token

$res.RefreshToken

# Copy the token and paste it in a notepad, remove line breaks, if any and then paste it in RefreshToken text box on Beacon along with other values and save it.

 

 

 

 

Thanks for your support!

Best, Dennis

10 Replies
Flexera mrichardson
Flexera

Re: O365 token generation -"interaction_required" error

Hi @dennis_reinhardt ,

I've not seen that particular error before but I know there were changes recently on the Microsoft side that required additional steps to be carried out.

We created https://community.flexera.com/t5/FlexNet-Manager-Knowledge-Base/Office-365-Adapter-fails-with-an-err... as a result of this so may be worth trying those steps to see if it helps you also.

(Anything expressed here is my own view and not necessarily that of my employer, Flexera)
If the solution provided has helped, please mark it as such as this helps everyone to know what works.
0 Kudos
dennis_reinhardt
Active participant

Re: O365 token generation -"interaction_required" error

@mrichardson 

Thanks for your feedback. We have already taken this advice into account and set the permissions.

I have executed the instructions from the ticket (PS Script to receive the token) on a normal client PC in the customer network and have successfully received a token. So it seems to be either a firewall or access problem. We have unlocked the following URLs at the proxy:

  • graph.microsoft.com
  • *.office.com
  • *.msftauth.net
  • *microsoftonline.com
  • access to internal ADFS server for authentication against O365 portal

I would be grateful for further information on troubleshooting, since the creation of the token outside the Beacon software does not represent a permanent solution.

In the next step I will first check the connection with the token to the O365 portal.

 

Best, Dennis

0 Kudos
jlu_tmg100_c
Active participant

Re: O365 token generation -"interaction_required" error

Hi, 

I'm having similar issues with a customer that needs to:

1) use a proxy, and

2) the proxy has a whitelist enforced, meaning no connection to outside sites unless they are explicitly approved in the proxy.

 

The problem here is that Microsoft O365 has a huge range of FQDNs and subnets to approve, depending on what services you need to interact with.

The following web site lists the current ones, and as documented they may be updated every 30 days.

https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges

I've gotten ID sets 56, 59, and 147 whitelisted in the proxy, and this allows for login to O365, and then configuration of the token. (I'm still having some issues grabbing usage, but I'm missing one of the privileges on the service account).

The potential for these sets of subnets and hostnames to change every 30 days is an issue. We're starting the process of getting the customer's proxy owners to monitor and keep this updated (it may be possible to automate).

 

If the proxy was just using a blacklist we wouldn't have this problem.

 

j
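
The allowlist upkeep discussed in this post can be scripted against the JSON published by Microsoft's endpoint web service. The following is an added example, not code from the thread or from Flexera: `Compare-ProxyAllowlist` is a hypothetical helper, the JSON is a constructed sample in the service's shape, and `-like` is assumed to approximate the proxy's wildcard matching.

```powershell
# Added example, not Flexera or Microsoft code.
# Live data: Invoke-RestMethod "https://endpoints.office.com/endpoints/worldwide?clientrequestid=$([guid]::NewGuid())"
# Constructed, abbreviated sample in the same JSON shape so the script runs offline;
# the hosts listed per id are illustrative, not the real contents of those sets.
$sampleJson = @'
[
  {"id":56,"serviceArea":"Common","urls":["login.microsoftonline.com","graph.microsoft.com","*.msftidentity.com"],"ips":["192.0.2.0/24"],"tcpPorts":"80,443","required":true},
  {"id":59,"serviceArea":"Common","urls":["*.msftauth.net","*.msauth.net"],"tcpPorts":"443","required":true},
  {"id":147,"serviceArea":"Common","urls":["*.office.com"],"tcpPorts":"443","required":true},
  {"id":999,"serviceArea":"Exchange","urls":["unrelated.example.com"],"tcpPorts":"443","required":false}
]
'@

function Compare-ProxyAllowlist {
    param(
        [Parameter(Mandatory)] [object[]] $Endpoints,  # parsed endpoint sets
        [Parameter(Mandatory)] [int[]]    $Ids,        # endpoint set IDs the adapter needs
        [string[]] $CurrentAllowlist = @()             # patterns the proxy allows today
    )
    $selected = @($Endpoints | Where-Object { $Ids -contains $_.id })
    # Warn if a set we depend on is no longer published under that ID.
    $missing = @($Ids | Where-Object { $selected.id -notcontains $_ })
    if ($missing.Count) { Write-Warning "Endpoint set(s) not published: $($missing -join ', ')" }

    # urls and ips are both optional per set; collect whatever is present, de-duplicated.
    $wanted = @($selected | ForEach-Object { @($_.urls) + @($_.ips) } |
        Where-Object { $_ } | Sort-Object -Unique)

    # An entry counts as covered when any allowlist pattern matches it,
    # so '*microsoftonline.com' covers 'login.microsoftonline.com'.
    [pscustomobject]@{
        ToAdd     = @($wanted | Where-Object { $w = $_; -not ($CurrentAllowlist | Where-Object { $w -like $_ }) })
        Unmatched = @($CurrentAllowlist | Where-Object { $p = $_; -not ($wanted | Where-Object { $_ -like $p }) })
    }
}

$endpoints = $sampleJson | ConvertFrom-Json
# Allowlist entries quoted earlier in the thread, used here as sample input.
$current = 'graph.microsoft.com', '*.office.com', '*.msftauth.net', '*microsoftonline.com'
$result = Compare-ProxyAllowlist -Endpoints $endpoints -Ids 56, 59, 147 -CurrentAllowlist $current
$result.ToAdd       # entries the proxy owners still need to approve
$result.Unmatched   # allowed patterns that cover nothing in the selected sets; review before removing
```

Run on a schedule against the live service, a non-empty `ToAdd` is the signal to raise a change with the proxy owners before the adapter starts failing.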

dennis_reinhardt
Active participant

Re: O365 token generation -"interaction_required" error

@jlu_tmg100_c 

Thanks for your detailed answer. This is a huge list of URLs and IPs to allow in the proxy. Can't believe all of these are needed to get the adapter working ... o_?

@mrichardson @ChrisG 

Do you have any detailed information about the required URLs/IPs we have to allow in the proxy? The documentation is a bit limited in this case. Or could you confirm that IDs 56, 59 and 147 will work, based on the latest endpoint documentation by MS?

https://endpoints.office.com/endpoints/worldwide?clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a...

0 Kudos