simonrob / email-oauth2-proxy

An IMAP/POP/SMTP proxy that transparently adds OAuth 2.0 authentication for email clients that don't support this method.
Apache License 2.0

Office 365 CCG always ends in ERR Authentication failure: unknown user name or bad password #238

Closed emmpetit closed 5 months ago

emmpetit commented 5 months ago

Hi, I've spent long hours trying to configure the proxy using an Entra application with the POP.AccessAsApp permission. I've been following several articles like this one to correctly configure the app: https://www.limilabs.com/blog/oauth2-client-credential-flow-office365-exchange-imap-pop3-smtp

When I try to connect using Thunderbird as a test app, it always fails trying to authenticate.

Here is what I get:

```
2024-03-17 23:58:54: POP (127.0.0.1:57071-{127.0.0.1:1995}-outlook.office365.com:995) --> [ Client connected ]
2024-03-17 23:58:54: POP (127.0.0.1:57071-{127.0.0.1:1995}-outlook.office365.com:995) <-> [ Starting TLS handshake ]
2024-03-17 23:58:54: POP (127.0.0.1:57071-{127.0.0.1:1995}-outlook.office365.com:995) <-> [ TLSv1.2 handshake complete ]
2024-03-17 23:58:54: POP (127.0.0.1:57071-{127.0.0.1:1995}-outlook.office365.com:995) <-- b'+OK The Microsoft Exchange POP3 service is ready. [UABBADcAUAAyADYANABDAEEAMAAxADMANwAuAEYAUgBBAFAAMgA2ADQALgBQAFIATwBEAC4ATwBVAFQATABPAE8ASwAuAEMATwBNAA==]\r\n'
2024-03-17 23:58:54: POP (127.0.0.1:57071-{127.0.0.1:1995}-outlook.office365.com:995) <-- b'+OK The Microsoft Exchange POP3 service is ready. [UABBADcAUAAyADYANABDAEEAMAAxADMANwAuAEYAUgBBAFAAMgA2ADQALgBQAFIATwBEAC4ATwBVAFQATABPAE8ASwAuAEMATwBNAA==]\r\n'
2024-03-17 23:58:54: POP (127.0.0.1:57071-{127.0.0.1:1995}-outlook.office365.com:995) --> b'CAPA\r\n'
2024-03-17 23:58:54: POP (127.0.0.1:57071-{127.0.0.1:1995}-outlook.office365.com:995) --> b'CAPA\r\n'
2024-03-17 23:58:54: POP (127.0.0.1:57071-{127.0.0.1:1995}-outlook.office365.com:995) <-- b'+OK\r\n'
2024-03-17 23:58:54: POP (127.0.0.1:57071-{127.0.0.1:1995}-outlook.office365.com:995) <-- b'TOP\r\n'
2024-03-17 23:58:54: POP (127.0.0.1:57071-{127.0.0.1:1995}-outlook.office365.com:995) <-- b'UIDL\r\n'
2024-03-17 23:58:54: POP (127.0.0.1:57071-{127.0.0.1:1995}-outlook.office365.com:995) <-- b'SASL PLAIN XOAUTH2\r\n'
2024-03-17 23:58:54: POP (127.0.0.1:57071-{127.0.0.1:1995}-outlook.office365.com:995) <-- b'USER\r\n'
2024-03-17 23:58:54: POP (127.0.0.1:57071-{127.0.0.1:1995}-outlook.office365.com:995) <-- b'.\r\n'
2024-03-17 23:58:54: POP (127.0.0.1:57071-{127.0.0.1:1995}-outlook.office365.com:995) <-- b'+OK\r\n'
2024-03-17 23:58:54: POP (127.0.0.1:57071-{127.0.0.1:1995}-outlook.office365.com:995) <-- b'TOP\r\n'
2024-03-17 23:58:54: POP (127.0.0.1:57071-{127.0.0.1:1995}-outlook.office365.com:995) <-- b'UIDL\r\n'
2024-03-17 23:58:54: POP (127.0.0.1:57071-{127.0.0.1:1995}-outlook.office365.com:995) <-- b'SASL PLAIN\r\n'
2024-03-17 23:58:54: POP (127.0.0.1:57071-{127.0.0.1:1995}-outlook.office365.com:995) <-- b'USER\r\n'
2024-03-17 23:58:54: POP (127.0.0.1:57071-{127.0.0.1:1995}-outlook.office365.com:995) <-- b'.\r\n'
2024-03-17 23:58:54: POP (127.0.0.1:57071-{127.0.0.1:1995}-outlook.office365.com:995) --> b'USER confidential@toto.com\r\n'
2024-03-17 23:58:54: POP (127.0.0.1:57071-{127.0.0.1:1995}-outlook.office365.com:995) <-- b'+OK\r\n'
2024-03-17 23:58:54: POP (127.0.0.1:57071-{127.0.0.1:1995}-outlook.office365.com:995) --> b'PASS mypasswordreplaced\r\n'
2024-03-17 23:58:54: POP (127.0.0.1:57071-{127.0.0.1:1995}-outlook.office365.com:995) --> b'AUTH XOAUTH2\r\n'
2024-03-17 23:58:54: POP (127.0.0.1:57071-{127.0.0.1:1995}-outlook.office365.com:995) <-- b'+ \r\n'
2024-03-17 23:58:55: POP (127.0.0.1:57071-{127.0.0.1:1995}-outlook.office365.com:995) --> b'IremovedIt\r\n'
2024-03-17 23:58:56: POP (127.0.0.1:57071-{127.0.0.1:1995}-outlook.office365.com:995; confidential@toto.com) <-- b'-ERR Authentication failure: unknown user name or bad password.\r\n'
```

When I decode the token, it seems good:

```json
{
  "aud": "https://outlook.office365.com",
  "iss": "https://sts.windows.net/dbc404a9-9ea7-402c-bdf9-ebee4db8d6f8/",
  ...
  "roles": [
    "POP.AccessAsApp",
    "IMAP.AccessAsApp",
    "SMTP.SendAsApp"
  ],
  ...
}
```

Any idea? I've tried everything I could...
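As an added diagnostic, not code from the proxy or from this thread, the Python below decodes an access token's payload the way the poster did, checks the claims an Office 365 client-credentials token needs for POP, IMAP or SMTP (the `aud` and `roles` values shown above, plus expiry), and encodes and parses the XOAUTH2 response the proxy sends after the server's `+ ` prompt. The token it builds is a constructed, unsigned sample with a placeholder tenant id.

```python
import base64
import json
import time

AUD = "https://outlook.office365.com"  # resource the token must be issued for
# Application (app-only) role each protocol needs, as seen in the poster's token
REQUIRED_ROLE = {"POP": "POP.AccessAsApp", "IMAP": "IMAP.AccessAsApp", "SMTP": "SMTP.SendAsApp"}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sample_token(roles, exp_offset=3600):
    """Build a constructed, unsigned JWT carrying the claims from the thread (sample only)."""
    header = {"alg": "none", "typ": "JWT"}
    payload = {"aud": AUD, "iss": "https://sts.windows.net/<tenant-id-placeholder>/",
               "exp": int(time.time()) + exp_offset, "roles": list(roles)}
    return ".".join([_b64url(json.dumps(header).encode()), _b64url(json.dumps(payload).encode()), ""])

def decode_payload(token: str) -> dict:
    """Decode the JWT payload without checking the signature: a local look, not validation."""
    part = token.split(".")[1]
    part += "=" * (-len(part) % 4)  # restore the base64url padding the JWT format strips
    return json.loads(base64.urlsafe_b64decode(part))

def check_ccg_token(token: str, protocol: str) -> list:
    """Return the claim problems that would make Exchange reject this token for the protocol."""
    claims = decode_payload(token)
    problems = []
    if claims.get("aud") != AUD:
        problems.append(f"aud is {claims.get('aud')!r}, expected {AUD!r}")
    if claims.get("exp", 0) <= time.time():
        problems.append("token is expired")
    role = REQUIRED_ROLE[protocol.upper()]
    if role not in claims.get("roles", []):
        problems.append(f"roles lacks {role}; got {claims.get('roles')}")
    return problems

def xoauth2_initial_response(user: str, token: str) -> str:
    """Encode the SASL XOAUTH2 client response sent after the server's '+ ' continuation."""
    return base64.b64encode(f"user={user}\x01auth=Bearer {token}\x01\x01".encode()).decode()

def parse_xoauth2_initial_response(blob: str) -> tuple:
    """Inverse of the above, as the server side sees it: (user, bearer_token)."""
    fields = base64.b64decode(blob).decode().rstrip("\x01").split("\x01")
    kv = dict(f.split("=", 1) for f in fields)
    return kv["user"], kv["auth"].split(" ", 1)[1]
```

A token that passes these checks carries the right claims but can still draw the `-ERR Authentication failure` seen in the log when the Entra application itself is misconfigured, which is what the poster later found.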

rcaloMMT commented 4 months ago

Hi, could you tell me how you fixed it? I have the same issue. Best

emmpetit commented 3 months ago

> Hi, could you tell me how you fixed it? I have the same issue. Best

Hi, I made a mistake configuring my Entra ID application. I wrote an article (in French but easy to translate) to share how I made it work. You can find it here: https://www.epsight.fr/nos-expertises/articles-techniques/proxy-oauth2-ssl-tls-pop3-imap4/