Comments (20)
Hi @Expat1905,
There should be an error logged by the sync engine in the event log. Can you send me the details of that message?
ryan
Hi @Expat1905,
That error seems to indicate a timeout trying to connect to Google. Do you have any proxies in between you and Google that could be causing this?
Ryan
Hi Andy,
The correct API scopes are the ones on the wiki page.
Did you make sure that in the last step you put the client ID and not the service account name in the client name field? I've often found that updating this field doesn't work. You need to delete the entry, create a new one, and wait a few minutes before trying again.
If that doesn't work, I'd go through the process of creating a service account again from scratch. There may have been a step you missed along the way, and Google is very unforgiving with this setup if anything is wrong. Unfortunately, it doesn't give us a nice way to tell which part of the setup was wrong.
Let me know how you go.
Ryan
Hi @Expat1905,
This looks like either the 'User email address' or 'service account email address' is entered incorrectly on the MA 'connectivity' page. It should look something like this
Hello Ryan,
We have the same issue; do you have any further suggestions?
The extensible extension returned an unsupported error.
The stack trace is:
```
Google.Apis.Auth.OAuth2.Responses.TokenResponseException: Error:"unauthorized_client", Description:"Client is unauthorized to retrieve access tokens using this method.", Uri:""
   at Google.Apis.Auth.OAuth2.Requests.TokenRequestExtenstions.d__0.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Google.Apis.Auth.OAuth2.ServiceAccountCredential.d__19.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Google.Apis.Auth.OAuth2.ServiceCredential.d__23.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Google.Apis.Auth.OAuth2.ServiceAccountCredential.d__20.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Google.Apis.Auth.OAuth2.ServiceCredential.d__21.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Google.Apis.Http.ConfigurableMessageHandler.d__59.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Google.Apis.Requests.ClientServiceRequest`1.<ExecuteUnparsedAsync>d__33.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at Google.Apis.Requests.ClientServiceRequest`1.Execute()
   at Lithnet.GoogleApps.ApiExtensions.ExecuteWithBackoff[T](ClientServiceRequest`1 request, Int32 retryAttempts)
   at Lithnet.GoogleApps.ApiExtensions.ExecuteWithBackoff[T](ClientServiceRequest`1 request)
   at Lithnet.GoogleApps.SchemaRequestFactory.HasSchema(String customerID, String schemaName)
   at Lithnet.GoogleApps.MA.SchemaBuilderAdvancedUsers.GetSchemaType(IManagementAgentParameters config) in C:\MIM\TUTTOGoogleMIM\googleapps-managementagent-master\src\Lithnet.GoogleApps.MA\Schema\SchemaBuilderAdvancedUsers.cs:line 11
   at Lithnet.GoogleApps.MA.SchemaBuilder.GetSchema(IManagementAgentParameters config) in C:\MIM\TUTTOGoogleMIM\googleapps-managementagent-master\src\Lithnet.GoogleApps.MA\Schema\SchemaBuilder.cs:line 25
   at Lithnet.GoogleApps.MA.ManagementAgent.GetSchema(KeyedCollection`2 configParameters) in C:\MIM\TUTTOGoogleMIM\googleapps-managementagent-master\src\Lithnet.GoogleApps.MA\ManagementAgent.cs:line 413
Forefront Identity Manager 4.3.2064.0
```
@briuccio, it looks like you may have missed a step in setting up the service account. Did you enable domain wide delegation?
If not, go over the service account setup steps from the wiki again very carefully and make sure you didn't overlook something.
Hi Ryan,
Thank you for your quick answer.
The domain wide delegation is enabled.
Meanwhile I'm trying to re-create the API client access for the service account.
Thank you
@briuccio, these Google error messages can be very cryptic, so it's a bit hard for me to tell what was missed. The other thing I can think of is the account you created the service account for needs to be a super admin. Happy to get on a screen sharing session to see if I can help sometime next week if you still get stuck. Same offer goes to you @Expat1905
Ryan
Is there any insight on this? I am also having the same issue and error. I can't retrieve the schema, and I get "Client is unauthorized to retrieve access tokens using this method".
Hello Ryan,
I'm trying to follow your guide from scratch.
In the first step:
Step 1. Create a new user in your Google Apps instance, and make this user an administrator. This will be the account the FIM service uses to administer the Google Apps instance.
What kind of permissions must the user have? The user with which I created the service account is NOT a super admin.
Thank you.
@briuccio, I've only been able to get it to work with a super admin account. It may be possible to create a custom role for this, but it would be a process of elimination to determine the correct permissions.
Permissions-wise, the MA needs access to:
- Read the list of domains in the tenant
- Read/write users
- Read/write contacts
- Read/write groups
- Read/write group settings
- Read/write group members
- Read/write user custom schema
- Read/write calendar resources
- Read/write calendar ACLs
Hi @briuccio @myFIMGithub @Expat1905 ,
I have to apologize, as this was a documentation fault.
In #26 I modified the MA to require reduced permissions in order to run. However, the wiki guide was not updated correctly at the time. Specifically, the MA was asking for read-only permission to the user schema (https://www.googleapis.com/auth/admin.directory.userschema.readonly); however, the scope being granted was read/write (https://www.googleapis.com/auth/admin.directory.userschema). Google requires an exact match, and even though we were granting read as well as write access, it would fail with the message you were all seeing.
So the fix is to use the following scopes when authorizing your service account:
https://www.googleapis.com/auth/admin.directory.domain.readonly,https://apps-apis.google.com/a/feeds/emailsettings/2.0/,http://www.google.com/m8/feeds/contacts/,https://www.googleapis.com/auth/admin.directory.user,https://www.googleapis.com/auth/admin.directory.group,https://www.googleapis.com/auth/admin.directory.group.member,https://www.googleapis.com/auth/admin.directory.userschema.readonly,https://www.googleapis.com/auth/apps.groups.settings,https://www.googleapis.com/auth/admin.directory.resource.calendar,https://www.googleapis.com/auth/calendar
My apologies again for the mix up and any inconvenience caused.
Ryan
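The exact-match rule Ryan describes is easy to check offline before touching the admin console. The following is an added example, not part of the Lithnet MA or its wiki: it parses the comma-separated scope list pasted into the domain-wide delegation page and reports any requested scope that has no exact match in the grant, flagging the read/write-versus-readonly mismatch this issue was about. The `REQUESTED` list is an assumption about what the MA asks for (the thread only confirms the `userschema.readonly` scope), and the "old wiki" grant is constructed from the corrected one.

```python
# Added example (not the MA's code): check a domain-wide delegation grant against
# the scopes a client requests. Google matches scope strings exactly, so a
# read/write grant does not cover a ".readonly" request.
# Scope list from the corrected wiki (copied from the thread).
CORRECTED_GRANT = (
    "https://www.googleapis.com/auth/admin.directory.domain.readonly,"
    "https://apps-apis.google.com/a/feeds/emailsettings/2.0/,"
    "http://www.google.com/m8/feeds/contacts/,"
    "https://www.googleapis.com/auth/admin.directory.user,"
    "https://www.googleapis.com/auth/admin.directory.group,"
    "https://www.googleapis.com/auth/admin.directory.group.member,"
    "https://www.googleapis.com/auth/admin.directory.userschema.readonly,"
    "https://www.googleapis.com/auth/apps.groups.settings,"
    "https://www.googleapis.com/auth/admin.directory.resource.calendar,"
    "https://www.googleapis.com/auth/calendar"
)
# Constructed "old wiki" grant: same list, but userschema granted read/write.
OLD_GRANT = CORRECTED_GRANT.replace(
    "admin.directory.userschema.readonly", "admin.directory.userschema")
# Assumed MA request list (the thread only confirms userschema.readonly).
REQUESTED = [
    "https://www.googleapis.com/auth/admin.directory.domain.readonly",
    "https://www.googleapis.com/auth/admin.directory.user",
    "https://www.googleapis.com/auth/admin.directory.userschema.readonly",
]

def parse_grant(raw):
    """Split the comma-separated scope list from the admin console into a set."""
    return {s.strip() for s in raw.split(",") if s.strip()}

def check_scopes(requested, granted):
    """Return (missing, near_misses): requested scopes with no exact match in the
    grant, and missing -> granted scope that differs only by '.readonly'."""
    granted = set(granted)
    missing = [s for s in requested if s not in granted]  # each -> unauthorized_client
    near = {}
    for s in missing:
        if s.endswith(".readonly") and s[:-len(".readonly")] in granted:
            near[s] = s[:-len(".readonly")]   # read/write granted, readonly asked
        elif s + ".readonly" in granted:
            near[s] = s + ".readonly"         # readonly granted, read/write asked
    return missing, near

if __name__ == "__main__":
    for label, grant in (("old wiki", OLD_GRANT), ("corrected", CORRECTED_GRANT)):
        missing, near = check_scopes(REQUESTED, parse_grant(grant))
        print(label, "missing:", missing, "near misses:", near)
```

An empty `missing` list means the grant covers the request textually; as noted later in this thread, a freshly changed grant can still take hours to take effect on Google's side.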
Hi @ryannewington,
I followed your guide from scratch, re-created the service account, and used the scopes that you wrote in this thread, but I still get the same issue:
"Google.Apis.Auth.OAuth2.Responses.TokenResponseException: Error:"unauthorized_client", Description:"Client is unauthorized to retrieve access tokens using this method.", Uri:""
I'm not sure if it means something, but the user I'm using to create the service account on the console is not a super admin. Could this cause the issue?
Thank you.
Solved. Something in the authorization process failed. Thank you!
To others reading this issue, it is important to remember that it can take up to 24 hours for the granting of scopes to take effect. Sometimes it happens in 5 minutes. Other times it takes hours.
If you see this message and you have gone over the installation steps and are sure you haven't missed anything, then that is likely the cause. Changing a set of scopes can cause the same problem.
```
Google.Apis.Auth.OAuth2.Responses.TokenResponseException: Error:"unauthorized_client", Description:"Client is unauthorized to retrieve access tokens using this method.", Uri:""
```