lithnet / googleapps-managementagent

Google Workspace Management Agent for MIM 2016
MIT License

Cannot create MA, unable to retrieve schema error. #28

Closed LukaszKrukowski closed 6 years ago

LukaszKrukowski commented 6 years ago

Since last week I've been unable to create the MA, as it returns 'Unable to retrieve schema. Error: Exception from HRESULT: 0x80231343'. This is the error from EventLog:

The extensible extension returned an unsupported error. The stack trace is:

"Google.Apis.Auth.OAuth2.Responses.TokenResponseException: Error:"unauthorized_client", Description:"Client is unauthorized to retrieve access tokens using this method.", Uri:""
   at Google.Apis.Requests.ClientServiceRequest1.Execute() in C:\Apiary\v1.25\Src\Support\GoogleApis\Apis\Requests\ClientServiceRequest.cs:line 101
   at Lithnet.GoogleApps.ApiExtensions.ExecuteWithBackoff[T](ClientServiceRequest1 request, Int32 retryAttempts)
   at Lithnet.GoogleApps.ApiExtensions.ExecuteWithBackoff[T](ClientServiceRequest1 request)
   at Lithnet.GoogleApps.SchemaRequestFactory.HasSchema(String customerID, String schemaName)
   at Lithnet.GoogleApps.MA.SchemaBuilder.GetSchema(IManagementAgentParameters config) in D:\github\lithnet\googleapps-managementagent\src\Lithnet.GoogleApps.MA\Schema\SchemaBuilder.cs:line 31
   at Lithnet.GoogleApps.MA.ManagementAgent.GetSchema(KeyedCollection2 configParameters) in D:\github\lithnet\googleapps-managementagent\src\Lithnet.GoogleApps.MA\ManagementAgent.cs:line 405
Forefront Identity Manager 4.4.1642.0"

I've tried with two different instances of GSuite and MIM with no luck. It used to work without issues earlier, please assist.

ryannewington commented 6 years ago

@LukaszKrukowski this is definitely a permissions issue. Does the user account have appropriate admin rights granted in Google Apps?

I'd run through and double check the steps in the following guide.

https://github.com/lithnet/googleapps-managementagent/wiki/Creating-and-authorizing-a-Google-Apps-service-account

Let me know if you are still having trouble after confirming those settings. What version of the MA are you running?

LukaszKrukowski commented 6 years ago

Hi @ryannewington,

Thank you for your reply.

I have granted super admin rights in Google Apps for the user. I even granted all available roles for service account as a desperation try once, still no luck.

I'm always following the steps in the guide (except for the 'Service Account Actor' role, which is now deprecated I believe). It did work for me with no issues until the last week or so when I was asked to create an MA for a GSuite instance.

I'm using latest release (v1.1.6520) of MA, however I did give it a try with v1.1.6451 too.

Kind regards, Lukasz

ryannewington commented 6 years ago

@LukaszKrukowski can you try the build located here

https://github.com/lithnet/googleapps-managementagent/issues/26

and change your scopes to

https://www.googleapis.com/auth/admin.directory.user,https://www.googleapis.com/auth/admin.directory.userschema.readonly,https://apps-apis.google.com/a/feeds/emailsettings/2.0/,https://www.googleapis.com/auth/admin.directory.group,https://www.googleapis.com/auth/admin.directory.group.member,https://www.googleapis.com/auth/apps.groups.settings,https://www.googleapis.com/auth/admin.directory.domain.readonly,http://www.google.com/m8/feeds/contacts/,https://www.googleapis.com/auth/calendar,https://www.googleapis.com/auth/admin.directory.resource.calendar,https://www.googleapis.com/auth/admin.directory.resource.calendar,https://www.googleapis.com/auth/admin.directory.resource.calendar,https://www.googleapis.com/auth/admin.directory.domain.readonly

Domain-wide delegation is definitely enabled, right?

LukaszKrukowski commented 6 years ago

Thank you @ryannewington, it worked with this new build and changed API scopes.

Not sure if it's helpful but I went to the other server where I still have MA v1.1.6520 and it threw the same 'Unable to retrieve schema' error. I think that if you have a working GSuite MA v1.1.6520 everything is fine, but if for whatever reason you decide to re-create the MA (using the very same GSuite project) I think you'll get this schema error due to unauthorized access.

Anyway, thank you very much for your help Ryan, appreciate it!

Kind regards, Lukasz

ryannewington commented 6 years ago

Great news. I think it's my fault. I've been tweaking the scopes required by the app so it doesn't need as many privileges, but I think I've gotten the documentation out of sync with the main build. Apologies for the inconvenience!
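A check for the scope mismatch discussed above, as an added example that is not part of the thread or the project's code: it compares the scope list a build requests with the list authorized for the service account under domain-wide delegation, and reports scopes that are missing from the grant, granted but unused, repeated, or write-capable. `GRANTED_SAMPLE` is a constructed value, and comparing scopes as exact strings is an assumption.

```python
import re

AUTH = "https://www.googleapis.com/auth/"

# Scope string exactly as posted in the thread (what the newer build requests).
REQUESTED = ",".join([
    AUTH + "admin.directory.user", AUTH + "admin.directory.userschema.readonly",
    "https://apps-apis.google.com/a/feeds/emailsettings/2.0/",
    AUTH + "admin.directory.group", AUTH + "admin.directory.group.member",
    AUTH + "apps.groups.settings", AUTH + "admin.directory.domain.readonly",
    "http://www.google.com/m8/feeds/contacts/", AUTH + "calendar",
    AUTH + "admin.directory.resource.calendar",
    AUTH + "admin.directory.resource.calendar",
    AUTH + "admin.directory.resource.calendar",
    AUTH + "admin.directory.domain.readonly",
])

# CONSTRUCTED sample of an out-of-date delegation grant; not taken from the thread.
GRANTED_SAMPLE = ",".join([
    AUTH + "admin.directory.user", AUTH + "admin.directory.group",
    AUTH + "admin.directory.group.member", AUTH + "admin.directory.domain.readonly",
    AUTH + "admin.directory.orgunit",
])

def parse_scopes(raw):
    """Return (unique scopes in first-seen order, sorted list of repeated scopes)."""
    seen, dupes = [], set()
    for scope in filter(None, re.split(r"[,\s]+", raw.strip())):
        if scope in seen:
            dupes.add(scope)
        else:
            seen.append(scope)
    return seen, sorted(dupes)

def audit(requested_raw, granted_raw):
    """Diff requested scopes against the granted ones (exact-string match, an assumption)."""
    requested, dupes = parse_scopes(requested_raw)
    granted, _ = parse_scopes(granted_raw)
    return {
        "missing": [s for s in requested if s not in granted],    # must be added to the grant
        "unused": [s for s in granted if s not in requested],     # candidates for removal
        "duplicates": dupes,                                      # repeated in the request
        "write_capable": [s for s in requested if not s.endswith(".readonly")],
    }

if __name__ == "__main__":
    for key, scopes in audit(REQUESTED, GRANTED_SAMPLE).items():
        print(f"{key} ({len(scopes)}):")
        for s in scopes:
            print("   ", s)
```
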

LukaszKrukowski commented 6 years ago

No worries mate, thank you for fixing it with the new build.

I've noticed possibly one more issue. I have no errors reading schema fixed types attribute values (i.e. phones_home or organizations_home_title) but when I'm trying to export values to these attributes I get:

An exception has occurred in PutCSEntryChange
Type: Google.GoogleApiException

Message: Google.Apis.Requests.RequestError Invalid value for: custom is not a valid value [400] Errors [ Message[Invalid value for: custom is not a valid value] Location[ - ] Reason[invalid] Domain[global] ]

Source: Google.Apis
TargetSite: Void MoveNext()
StackTrace:
   at Google.Apis.Requests.ClientServiceRequest1.<ParseResponse>d__34.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at Google.Apis.Requests.ClientServiceRequest1.Execute()
   at Lithnet.GoogleApps.ApiExtensions.ExecuteWithBackoff[T](ClientServiceRequest1 request, Int32 retryAttempts)
   at Lithnet.GoogleApps.ApiExtensions.ExecuteWithBackoff[T](ClientServiceRequest1 request)
   at Lithnet.GoogleApps.UserRequestFactory.Add(User item)
   at Lithnet.GoogleApps.MA.ApiInterfaceUser.ApplyChanges(CSEntryChange csentry, SchemaType type, IManagementAgentParameters config, Object& target, Boolean patch) in D:\github\lithnet\googleapps-managementagent\src\Lithnet.GoogleApps.MA\ApiInterfaces\ApiInterfaceUser.cs:line 99
   at Lithnet.GoogleApps.MA.ExportProcessor.PutCSEntryChangeAdd(CSEntryChange csentry, CSEntryChange deltaCSEntry, MASchemaType maType, SchemaType type, IManagementAgentParameters config) in D:\github\lithnet\googleapps-managementagent\src\Lithnet.GoogleApps.MA\ExportProcessor.cs:line 97
   at Lithnet.GoogleApps.MA.ExportProcessor.PutCSEntryChangeObject(CSEntryChange csentry, SchemaType type, IManagementAgentParameters config) in D:\github\lithnet\googleapps-managementagent\src\Lithnet.GoogleApps.MA\ExportProcessor.cs:line 58
   at Lithnet.GoogleApps.MA.ExportProcessor.PutCSEntryChange(CSEntryChange csentry, SchemaType type, IManagementAgentParameters config) in D:\github\lithnet\googleapps-managementagent\src\Lithnet.GoogleApps.MA\ExportProcessor.cs:line 16

Kind regards, Lukasz

ryannewington commented 6 years ago

@LukaszKrukowski can you export the MA and email me the xml file?

LukaszKrukowski commented 6 years ago

@ryannewington I've sent you the exported XML file via e-mail.

Thank you, Lukasz

ryannewington commented 6 years ago

Hi @LukaszKrukowski

It’s a Google limitation. The only supported types for ‘organization’ are as follows:

"domain_only" "school" "unknown" "work"

If you change the organization ‘home’ to ‘work’, you should be able to export without problems.

Ryan

ryannewington commented 6 years ago

Reference : https://developers.google.com/admin-sdk/directory/v1/reference/users

LukaszKrukowski commented 6 years ago

Hi @ryannewington

You're right, my bad. Thank you for your support once again, I really appreciate it!

Kind regards, Lukasz