
Comments (20)

ryannewington avatar ryannewington commented on June 18, 2024

Hi @Expat1905,

There should be an error logged by the sync engine in the event log. Can you send me the details of that message?

ryan

from googleapps-managementagent.

Expat1905 avatar Expat1905 commented on June 18, 2024

from googleapps-managementagent.

ryannewington avatar ryannewington commented on June 18, 2024

Hi @Expat1905,

That error seems to indicate a timeout trying to connect to Google. Do you have any proxies in between you and Google that could be causing this?

Ryan

from googleapps-managementagent.

Expat1905 avatar Expat1905 commented on June 18, 2024

from googleapps-managementagent.

Expat1905 avatar Expat1905 commented on June 18, 2024

from googleapps-managementagent.

ryannewington avatar ryannewington commented on June 18, 2024

Hi Andy,

The correct API scopes are the ones on the wiki page.

https://github.com/lithnet/googleapps-managementagent/wiki/Creating-and-authorizing-a-Google-Apps-service-account

Did you make sure that in the last step you put the client ID and not the service account name in the client name field? I've often found that updating this field doesn't work. You need to delete the entry and create a new one, and wait a few minutes before trying again.

If that doesn't work, I'd go through the process of creating a service account again from scratch. There may have been a step you missed along the way, and Google is very unforgiving with this setup if anything is wrong. Unfortunately, it doesn't give us a nice way to tell which part of the set up was wrong.

Let me know how you go.

Ryan

from googleapps-managementagent.

Expat1905 avatar Expat1905 commented on June 18, 2024

from googleapps-managementagent.

Expat1905 avatar Expat1905 commented on June 18, 2024

from googleapps-managementagent.

ryannewington avatar ryannewington commented on June 18, 2024

Hi @Expat1905,

This looks like either the 'User email address' or 'service account email address' is entered incorrectly on the MA 'connectivity' page. It should look something like this

image

from googleapps-managementagent.

briuccio avatar briuccio commented on June 18, 2024

Hello Ryan,
we have the same issue, do you have any further suggestion?

The extensible extension returned an unsupported error.
The stack trace is:

"Google.Apis.Auth.OAuth2.Responses.TokenResponseException: Error:"unauthorized_client", Description:"Client is unauthorized to retrieve access tokens using this method.", Uri:""
at Google.Apis.Auth.OAuth2.Requests.TokenRequestExtenstions.d__0.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Google.Apis.Auth.OAuth2.ServiceAccountCredential.d__19.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Google.Apis.Auth.OAuth2.ServiceCredential.d__23.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Google.Apis.Auth.OAuth2.ServiceAccountCredential.d__20.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Google.Apis.Auth.OAuth2.ServiceCredential.d__21.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Google.Apis.Http.ConfigurableMessageHandler.d__59.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Google.Apis.Requests.ClientServiceRequest`1.<ExecuteUnparsedAsync>d__33.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at Google.Apis.Requests.ClientServiceRequest`1.Execute()
at Lithnet.GoogleApps.ApiExtensions.ExecuteWithBackoff[T](ClientServiceRequest`1 request, Int32 retryAttempts)
at Lithnet.GoogleApps.ApiExtensions.ExecuteWithBackoff[T](ClientServiceRequest`1 request)
at Lithnet.GoogleApps.SchemaRequestFactory.HasSchema(String customerID, String schemaName)
at Lithnet.GoogleApps.MA.SchemaBuilderAdvancedUsers.GetSchemaType(IManagementAgentParameters config) in C:\MIM\TUTTOGoogleMIM\googleapps-managementagent-master\src\Lithnet.GoogleApps.MA\Schema\SchemaBuilderAdvancedUsers.cs:line 11
at Lithnet.GoogleApps.MA.SchemaBuilder.GetSchema(IManagementAgentParameters config) in C:\MIM\TUTTOGoogleMIM\googleapps-managementagent-master\src\Lithnet.GoogleApps.MA\Schema\SchemaBuilder.cs:line 25
at Lithnet.GoogleApps.MA.ManagementAgent.GetSchema(KeyedCollection`2 configParameters) in C:\MIM\TUTTOGoogleMIM\googleapps-managementagent-master\src\Lithnet.GoogleApps.MA\ManagementAgent.cs:line 413
Forefront Identity Manager 4.3.2064.0"

from googleapps-managementagent.

ryannewington avatar ryannewington commented on June 18, 2024

@briuccio, it looks like you may have missed a step in setting up the service account. Did you enable domain wide delegation?

https://stackoverflow.com/questions/42784640/client-is-unauthorized-to-retrieve-access-tokens-using-this-method-gmail-api-c-s

If not, go over the service account setup steps from the wiki again very carefully and make sure you didn't overlook something.

from googleapps-managementagent.

briuccio avatar briuccio commented on June 18, 2024

Hi Ryan,
Thank you for your quick answer.
The domain wide delegation is enabled.
Meanwhile I'm trying to re-create the API client access for the service account.

Thank you

from googleapps-managementagent.

ryannewington avatar ryannewington commented on June 18, 2024

@briuccio, these Google error messages can be very cryptic, so it's a bit hard for me to tell what was missed. The other thing I can think of is the account you created the service account for needs to be a super admin. Happy to get on a screen sharing session to see if I can help sometime next week if you still get stuck. Same offer goes to you @Expat1905

Ryan

from googleapps-managementagent.

myFIMGithub avatar myFIMGithub commented on June 18, 2024

Is there any insight on this? I am also having the same issue and error. Can't retrieve the schema and I get Client is unauthorized to retrieve access tokens using this method

from googleapps-managementagent.

briuccio avatar briuccio commented on June 18, 2024

Hello Ryan,
I'm trying to follow your guide from scratch.
In the first step:
Step 1. Create a new user in your Google Apps instance, and make this user an administrator. This will be the account the FIM service uses to administrator the Google Apps instance.
What kind of permission must the user have? The user with which I created the service account is NOT super admin.

Thank you.

from googleapps-managementagent.

ryannewington avatar ryannewington commented on June 18, 2024

@briuccio, I've only been able to get it to work with a super admin account. It may be possible to create a custom role for this, but it would be a process of elimination to determine the correct permissions.

Permissions-wise, the MA needs access to

  • Read the list of domains in the tenant
  • Read/write users
  • Read/write contacts
  • Read/write groups
  • Read/write group settings
  • Read/write group members
  • Read/write user custom schema
  • Read/write calendar resources
  • Read/write calendar ACLs

from googleapps-managementagent.

ryannewington avatar ryannewington commented on June 18, 2024

Hi @briuccio @myFIMGithub @Expat1905 ,

I have to apologize, as this was a documentation fault.

In #26 I modified the MA to require reduced permissions in order to run. However, the wiki guide was not updated correctly at the time. Specifically, the MA was asking for read-only permission to the user schema (https://www.googleapis.com/auth/admin.directory.userschema.readonly) however, the scope was granting read/write (https://www.googleapis.com/auth/admin.directory.userschema). Google requires an exact match, and even though we were granting read as well as write access, it would fail with the message you all were seeing.

So the fix is to use the following scopes when authorizing your service account

https://www.googleapis.com/auth/admin.directory.domain.readonly,https://apps-apis.google.com/a/feeds/emailsettings/2.0/,http://www.google.com/m8/feeds/contacts/,https://www.googleapis.com/auth/admin.directory.user,https://www.googleapis.com/auth/admin.directory.group,https://www.googleapis.com/auth/admin.directory.group.member,https://www.googleapis.com/auth/admin.directory.userschema.readonly,https://www.googleapis.com/auth/apps.groups.settings,https://www.googleapis.com/auth/admin.directory.resource.calendar,https://www.googleapis.com/auth/calendar

My apologies again for the mix up and any inconvenience caused.

Ryan

from googleapps-managementagent.
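The exact-match requirement described in the comment above can be checked offline before re-authorizing the client. This is an added example, not code from the thread or from the Lithnet project: it diffs the scopes an application requests against the scopes entered for the client ID, flagging a `.readonly`/read-write variant mismatch, missing scopes, and authorized scopes that nothing requests. The function names are hypothetical, and the requested list is assumed to be exactly the list given in the comment.

```python
# Added example: audit a service account's authorized scopes against the
# scopes the application requests (exact string match, per the thread).

# Scope list copied from the comment above; ASSUMED to be what the MA requests.
REQUESTED = ",".join((
    "https://www.googleapis.com/auth/admin.directory.domain.readonly",
    "https://apps-apis.google.com/a/feeds/emailsettings/2.0/",
    "http://www.google.com/m8/feeds/contacts/",
    "https://www.googleapis.com/auth/admin.directory.user",
    "https://www.googleapis.com/auth/admin.directory.group",
    "https://www.googleapis.com/auth/admin.directory.group.member",
    "https://www.googleapis.com/auth/admin.directory.userschema.readonly",
    "https://www.googleapis.com/auth/apps.groups.settings",
    "https://www.googleapis.com/auth/admin.directory.resource.calendar",
    "https://www.googleapis.com/auth/calendar",
))
READONLY = ".readonly"


def parse_scopes(text):
    """Split a comma- and/or whitespace-separated scope string into a set."""
    return set(text.replace(",", " ").split())


def base(scope):
    """Strip a trailing .readonly so both variants of a scope compare equal."""
    return scope[:-len(READONLY)] if scope.endswith(READONLY) else scope


def audit(requested_text, granted_text):
    """Return (kind, scope, granted_variant) findings, sorted by scope."""
    requested, granted = parse_scopes(requested_text), parse_scopes(granted_text)
    granted_by_base = {}
    for g in granted:
        granted_by_base.setdefault(base(g), set()).add(g)
    findings = []
    for scope in sorted(requested - granted):
        near = sorted(granted_by_base.get(base(scope), ()))
        # Same scope, other access level: the failure mode from the thread.
        findings.append(("variant_mismatch", scope, near[0]) if near
                        else ("missing", scope, None))
    requested_bases = {base(s) for s in requested}
    for scope in sorted(granted - requested):
        if base(scope) not in requested_bases:
            # Authorized but never requested: excess privilege worth removing.
            findings.append(("unused_grant", scope, None))
    return findings


if __name__ == "__main__":
    # Constructed input: the old grant with read/write userschema.
    old_grant = REQUESTED.replace(".userschema.readonly", ".userschema")
    for finding in audit(REQUESTED, old_grant):
        print(finding)
```
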

briuccio avatar briuccio commented on June 18, 2024

Hi @ryannewington,
I did your guide from scratch, re-created service account and used the scopes that you wrote on this thread but still the same issue is given.
"Google.Apis.Auth.OAuth2.Responses.TokenResponseException: Error:"unauthorized_client", Description:"Client is unauthorized to retrieve access tokens using this method.", Uri:""
I'm not sure if it means something but the user which I'm using for creating the service account on the console is not super admin, may this cause the issue?
thank you.

from googleapps-managementagent.

briuccio avatar briuccio commented on June 18, 2024

Solved... something in the authorization process failed. Thank you!

from googleapps-managementagent.

ryannewington avatar ryannewington commented on June 18, 2024

To others reading this issue, it is important to remember that it can take up to 24 hours for the granting of scopes to take effect. Sometimes it happens in 5 minutes. Other times it takes hours.
If you see this message and you have gone over the installation steps and are sure you haven't missed anything, then that is likely the cause. Changing a set of scopes can cause the same problem.

Google.Apis.Auth.OAuth2.Responses.TokenResponseException: Error:"unauthorized_client", Description:"Client is unauthorized to retrieve access tokens using this method.", Uri:""

from googleapps-managementagent.
