Hi all,

I'd like to use the oauth2 in Sterling B2B Integrator to access the B2B Mail client to retrieve email using IMAP.

The oauth2.properties file doesn't seem to have anywhere to specify the trusted CA certificates to use when connecting to login.microsoftonline.com to obtain an access token. Is there some way to specify trusted CA certificates ?

Hi all,

I'd like to use the oauth2 in Sterling B2B Integrator to access the B2B Mail client to retrieve email using IMAP.

The oauth2.properties file doesn't seem to have anywhere to specify the trusted CA certificates to use when connecting to login.microsoftonline.com to obtain an access token. Is there some way to specify trusted CA certificates ?

Hi Andrew,

I have had the same problem and often is still there. To resolve i loaded the CA certificate on Sterling B2b Integrator, the name of the certificate is:

• DigiCert Global Root G2 (root)

and you can download it from this site:
https://www.digicert.com/kb/digicert-root-certificates.htm

I have had it from Microsoft support. I alert you that also after this operation the problem is not out completally, because some proceses keep an halted  during the night.

Hi all,

I'd like to use the oauth2 in Sterling B2B Integrator to access the B2B Mail client to retrieve email using IMAP.

The oauth2.properties file doesn't seem to have anywhere to specify the trusted CA certificates to use when connecting to login.microsoftonline.com to obtain an access token. Is there some way to specify trusted CA certificates ?

Hi Fabrizio,

for whatever reasons MS has sometimes 2 different certificate for the same endpoint, and with different CAs.

Even with SNI enabled your client receives both of them alternatively, which means you have to have both CAs certificates in the CA store.

Perhaps that is the reason you are getting the halted processes. I check then with openssl if the MS server responds with  different certs...

Best regards

Manuel

Hi Andrew,

I have had the same problem and often is still there. To resolve i loaded the CA certificate on Sterling B2b Integrator, the name of the certificate is:

• DigiCert Global Root G2 (root)

and you can download it from this site:
https://www.digicert.com/kb/digicert-root-certificates.htm

I have had it from Microsoft support. I alert you that also after this operation the problem is not out completally, because some proceses keep an halted  during the night.

Hi all,

I'd like to use the oauth2 in Sterling B2B Integrator to access the B2B Mail client to retrieve email using IMAP.

The oauth2.properties file doesn't seem to have anywhere to specify the trusted CA certificates to use when connecting to login.microsoftonline.com to obtain an access token. Is there some way to specify trusted CA certificates ?

Thanks for the input guys, that clears up regarding the CA certificates.

Another question regarding the IMAP for MS Exchange Online I have is regarding shared mailboxes.

It's not exactly clear to me if the "user" (identified by the username and password entered in the B2B Mail Client adapter, AND as I understand the URI settings within the B2B Mail Client Adapter) must have it's own separately licensed account in Exchange Online, or if it can access a shared mailbox. Apologies if that's not very clear, I'm not very azure/MS Exchange Online literate just yet, but am getting some questions from our email service administrators on this topic... 

If anyone has an insight of further details other than what is available on the IBM Sterling Integrator documentation pages, that would be appreciated.

Thanks.

------------------------------
Andrew

Original Message:
Sent: Mon March 17, 2025 04:46 AM
From: Manuel Frank
Subject: Oauth2.0 for B2B Mail Client in Sterling B2B Integrator

Hi Fabrizio,

for whatever reasons MS has sometimes 2 different certificate for the same endpoint, and with different CAs.

Even with SNI enabled your client receives both of them alternatively, which means you have to have both CAs certificates in the CA store.

Perhaps that is the reason you are getting the halted processes. I check then with openssl if the MS server responds with  different certs...

Best regards

Manuel

------------------------------
Manuel Frank
Integration Architect
Andreas STIHL AG & Co. KG
Waiblingen

Original Message:
Sent: Mon March 17, 2025 04:28 AM
From: Fabrizio Allegrini
Subject: Oauth2.0 for B2B Mail Client in Sterling B2B Integrator

Hi Andrew,

I have had the same problem and often is still there. To resolve i loaded the CA certificate on Sterling B2b Integrator, the name of the certificate is:

• DigiCert Global Root G2 (root)

and you can download it from this site:
https://www.digicert.com/kb/digicert-root-certificates.htm

I have had it from Microsoft support. I alert you that also after this operation the problem is not out completally, because some proceses keep an halted  during the night.

------------------------------
Fabrizio Allegrini

Original Message:
Sent: Wed March 12, 2025 06:28 AM
From: Andrew Plumb
Subject: Oauth2.0 for B2B Mail Client in Sterling B2B Integrator

Hi all,

I'd like to use the oauth2 in Sterling B2B Integrator to access the B2B Mail client to retrieve email using IMAP.

The oauth2.properties file doesn't seem to have anywhere to specify the trusted CA certificates to use when connecting to login.microsoftonline.com to obtain an access token. Is there some way to specify trusted CA certificates ?

------------------------------
Andrew
------------------------------

Hi Andrew,

In Microsoft Exchange; shared mailboxes don't have their own credentials.  Other users are granted access to a shared mailbox (either Send As or Full Access).  Those other users do need to be licensed users as only licensed users get username/passwords set.

I haven't used the B2B Mail Adapter in Sterling with Microsoft; so not sure if it can access Shared Mailboxes as reading the documentation; the username would represent that user's mailbox.  

Cheers, 

Vivek

------------------------------
Vivek Mittal

Original Message:
Sent: Thu May 29, 2025 08:01 PM
From: Andrew Plumb
Subject: Oauth2.0 for B2B Mail Client in Sterling B2B Integrator

Thanks for the input guys, that clears up regarding the CA certificates.

Another question regarding the IMAP for MS Exchange Online I have is regarding shared mailboxes.

It's not exactly clear to me if the "user" (identified by the username and password entered in the B2B Mail Client adapter, AND as I understand the URI settings within the B2B Mail Client Adapter) must have it's own separately licensed account in Exchange Online, or if it can access a shared mailbox. Apologies if that's not very clear, I'm not very azure/MS Exchange Online literate just yet, but am getting some questions from our email service administrators on this topic... 

If anyone has an insight of further details other than what is available on the IBM Sterling Integrator documentation pages, that would be appreciated.

Thanks.

------------------------------
Andrew

Original Message:
Sent: Mon March 17, 2025 04:46 AM
From: Manuel Frank
Subject: Oauth2.0 for B2B Mail Client in Sterling B2B Integrator

Hi Fabrizio,

for whatever reasons MS has sometimes 2 different certificate for the same endpoint, and with different CAs.

Even with SNI enabled your client receives both of them alternatively, which means you have to have both CAs certificates in the CA store.

Perhaps that is the reason you are getting the halted processes. I check then with openssl if the MS server responds with  different certs...

Best regards

Manuel

------------------------------
Manuel Frank
Integration Architect
Andreas STIHL AG & Co. KG
Waiblingen

Original Message:
Sent: Mon March 17, 2025 04:28 AM
From: Fabrizio Allegrini
Subject: Oauth2.0 for B2B Mail Client in Sterling B2B Integrator

Hi Andrew,

I have had the same problem and often is still there. To resolve i loaded the CA certificate on Sterling B2b Integrator, the name of the certificate is:

• DigiCert Global Root G2 (root)

and you can download it from this site:
https://www.digicert.com/kb/digicert-root-certificates.htm

I have had it from Microsoft support. I alert you that also after this operation the problem is not out completally, because some proceses keep an halted  during the night.

------------------------------
Fabrizio Allegrini

Original Message:
Sent: Wed March 12, 2025 06:28 AM
From: Andrew Plumb
Subject: Oauth2.0 for B2B Mail Client in Sterling B2B Integrator

Hi all,

I'd like to use the oauth2 in Sterling B2B Integrator to access the B2B Mail client to retrieve email using IMAP.

The oauth2.properties file doesn't seem to have anywhere to specify the trusted CA certificates to use when connecting to login.microsoftonline.com to obtain an access token. Is there some way to specify trusted CA certificates ?

------------------------------
Andrew
------------------------------

Thanks for the input guys, that clears up regarding the CA certificates.

Another question regarding the IMAP for MS Exchange Online I have is regarding shared mailboxes.

It's not exactly clear to me if the "user" (identified by the username and password entered in the B2B Mail Client adapter, AND as I understand the URI settings within the B2B Mail Client Adapter) must have it's own separately licensed account in Exchange Online, or if it can access a shared mailbox. Apologies if that's not very clear, I'm not very azure/MS Exchange Online literate just yet, but am getting some questions from our email service administrators on this topic... 

If anyone has an insight of further details other than what is available on the IBM Sterling Integrator documentation pages, that would be appreciated.

Thanks.

------------------------------
Andrew

Original Message:
Sent: Mon March 17, 2025 04:46 AM
From: Manuel Frank
Subject: Oauth2.0 for B2B Mail Client in Sterling B2B Integrator

Hi Fabrizio,

for whatever reasons MS has sometimes 2 different certificate for the same endpoint, and with different CAs.

Even with SNI enabled your client receives both of them alternatively, which means you have to have both CAs certificates in the CA store.

Perhaps that is the reason you are getting the halted processes. I check then with openssl if the MS server responds with  different certs...

Best regards

Manuel

------------------------------
Manuel Frank
Integration Architect
Andreas STIHL AG & Co. KG
Waiblingen

Original Message:
Sent: Mon March 17, 2025 04:28 AM
From: Fabrizio Allegrini
Subject: Oauth2.0 for B2B Mail Client in Sterling B2B Integrator

Hi Andrew,

I have had the same problem and often is still there. To resolve i loaded the CA certificate on Sterling B2b Integrator, the name of the certificate is:

• DigiCert Global Root G2 (root)

and you can download it from this site:
https://www.digicert.com/kb/digicert-root-certificates.htm

I have had it from Microsoft support. I alert you that also after this operation the problem is not out completally, because some proceses keep an halted  during the night.

------------------------------
Fabrizio Allegrini

Original Message:
Sent: Wed March 12, 2025 06:28 AM
From: Andrew Plumb
Subject: Oauth2.0 for B2B Mail Client in Sterling B2B Integrator

Hi all,

I'd like to use the oauth2 in Sterling B2B Integrator to access the B2B Mail client to retrieve email using IMAP.

The oauth2.properties file doesn't seem to have anywhere to specify the trusted CA certificates to use when connecting to login.microsoftonline.com to obtain an access token. Is there some way to specify trusted CA certificates ?

------------------------------
Andrew
------------------------------

Hi Andrew,

as Vivek wrote, you need an app registration first. Usually this is created by the Entra ID admin.

Here's one guide from MS on the needed steps:

https://learn.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps#step-1-register-the-application-in-microsoft-entra-id

The created client id and secret is then used in the property file. Attached a screenshot from our config.

Best regards

Manuel

------------------------------
Manuel Frank
Integration Architect
Andreas STIHL AG & Co. KG
Waiblingen

Original Message:
Sent: Thu May 29, 2025 08:01 PM
From: Andrew Plumb
Subject: Oauth2.0 for B2B Mail Client in Sterling B2B Integrator

Thanks for the input guys, that clears up regarding the CA certificates.

Another question regarding the IMAP for MS Exchange Online I have is regarding shared mailboxes.

It's not exactly clear to me if the "user" (identified by the username and password entered in the B2B Mail Client adapter, AND as I understand the URI settings within the B2B Mail Client Adapter) must have it's own separately licensed account in Exchange Online, or if it can access a shared mailbox. Apologies if that's not very clear, I'm not very azure/MS Exchange Online literate just yet, but am getting some questions from our email service administrators on this topic... 

If anyone has an insight of further details other than what is available on the IBM Sterling Integrator documentation pages, that would be appreciated.

Thanks.

------------------------------
Andrew

Original Message:
Sent: Mon March 17, 2025 04:46 AM
From: Manuel Frank
Subject: Oauth2.0 for B2B Mail Client in Sterling B2B Integrator

Hi Fabrizio,

for whatever reasons MS has sometimes 2 different certificate for the same endpoint, and with different CAs.

Even with SNI enabled your client receives both of them alternatively, which means you have to have both CAs certificates in the CA store.

Perhaps that is the reason you are getting the halted processes. I check then with openssl if the MS server responds with  different certs...

Best regards

Manuel

------------------------------
Manuel Frank
Integration Architect
Andreas STIHL AG & Co. KG
Waiblingen

Original Message:
Sent: Mon March 17, 2025 04:28 AM
From: Fabrizio Allegrini
Subject: Oauth2.0 for B2B Mail Client in Sterling B2B Integrator

Hi Andrew,

I have had the same problem and often is still there. To resolve i loaded the CA certificate on Sterling B2b Integrator, the name of the certificate is:

• DigiCert Global Root G2 (root)

and you can download it from this site:
https://www.digicert.com/kb/digicert-root-certificates.htm

I have had it from Microsoft support. I alert you that also after this operation the problem is not out completally, because some proceses keep an halted  during the night.

------------------------------
Fabrizio Allegrini

Original Message:
Sent: Wed March 12, 2025 06:28 AM
From: Andrew Plumb
Subject: Oauth2.0 for B2B Mail Client in Sterling B2B Integrator

Hi all,

I'd like to use the oauth2 in Sterling B2B Integrator to access the B2B Mail client to retrieve email using IMAP.

The oauth2.properties file doesn't seem to have anywhere to specify the trusted CA certificates to use when connecting to login.microsoftonline.com to obtain an access token. Is there some way to specify trusted CA certificates ?

------------------------------
Andrew
------------------------------

Thanks Manuel and Vivek. We have an application registered in Entra / Azure.

I was able to pass the request that the Sterling B2B Mail Client is making to obtain an access token through a proxy to see what is the content of the request, and can see that it makes the request to login.microsoftonline.com in the form  :

 Request Body (ASCII): grant_type=password&client_id=<client_id_value>&client_secret=<client_secret_value>&username=<myuser@domain_value>&password=<password_value>&scope=https://outlook.office365.com/.default

Which I believe is the equivalent of something like:

curl -v -X POST https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token \
     -H "Content-Type: application/x-www-form-urlencoded" \
     -d "client_id=<client_id_value>" \
     -d "client_secret=<client_secret_value>" \
     -d "grant_type=password" \
     -d "username=<myuser@domain_value>" \
     -d "password=<password_value>" \
     -d "scope=https://outlook.office365.com/.default"

(so I can test the token retrieval outside of Sterling using curl and get the output).

The response in the Sterling B2B Mail client logs indicates a HTTP 400 Bad Request.

The Response from MS includes a little more detail:

Response Body (ASCII): {"error":"invalid_grant","error_description":"AADSTS50126: Error validating credentials due to invalid username or password. Trace ID: d0ab*****a4e00 Correlation ID: 64db2*****8cc89a Timestamp: 2025-06-03 00:17:11Z","error_codes":[50126],"timestamp":"2025-06-03 00:17:11Z","trace_id":"d0abf4****6a4e00","correlation_id":"64db2****4e8cc89a","error_uri":"https://login.microsoftonline.com/error?code=50126"}

(I have masked the ID values in the output)

So it seems to indicate invalid user credentials, but I can login to the Outlook Web App using these credentials, So I believe the credentials are correct, and I have attempted this with passwords with and without special characters (https://www.ibm.com/support/pages/apar/IT41893), so that doesn't seem to be the problem.

From what I can gather, this type of token request where the grant_type=password is referred to as the "ROPC Flow" (Resource Owner Password Credentials Grant), and it appears it may not be compatible with some scenarios, like federated accounts.  (https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth-ropc)

I will reach out to IBM support to see if they can confirm this is the case. 

Hi Andrew,

as Vivek wrote, you need an app registration first. Usually this is created by the Entra ID admin.

Here's one guide from MS on the needed steps:

https://learn.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps#step-1-register-the-application-in-microsoft-entra-id

The created client id and secret is then used in the property file. Attached a screenshot from our config.

Best regards

Manuel

------------------------------
Manuel Frank
Integration Architect
Andreas STIHL AG & Co. KG
Waiblingen

Original Message:
Sent: Thu May 29, 2025 08:01 PM
From: Andrew Plumb
Subject: Oauth2.0 for B2B Mail Client in Sterling B2B Integrator

Thanks for the input guys, that clears up regarding the CA certificates.

Another question regarding the IMAP for MS Exchange Online I have is regarding shared mailboxes.

It's not exactly clear to me if the "user" (identified by the username and password entered in the B2B Mail Client adapter, AND as I understand the URI settings within the B2B Mail Client Adapter) must have it's own separately licensed account in Exchange Online, or if it can access a shared mailbox. Apologies if that's not very clear, I'm not very azure/MS Exchange Online literate just yet, but am getting some questions from our email service administrators on this topic... 

If anyone has an insight of further details other than what is available on the IBM Sterling Integrator documentation pages, that would be appreciated.

Thanks.

------------------------------
Andrew

Original Message:
Sent: Mon March 17, 2025 04:46 AM
From: Manuel Frank
Subject: Oauth2.0 for B2B Mail Client in Sterling B2B Integrator

Hi Fabrizio,

for whatever reasons MS has sometimes 2 different certificate for the same endpoint, and with different CAs.

Even with SNI enabled your client receives both of them alternatively, which means you have to have both CAs certificates in the CA store.

Perhaps that is the reason you are getting the halted processes. I check then with openssl if the MS server responds with  different certs...

Best regards

Manuel

------------------------------
Manuel Frank
Integration Architect
Andreas STIHL AG & Co. KG
Waiblingen

Original Message:
Sent: Mon March 17, 2025 04:28 AM
From: Fabrizio Allegrini
Subject: Oauth2.0 for B2B Mail Client in Sterling B2B Integrator

Hi Andrew,

I have had the same problem and often is still there. To resolve i loaded the CA certificate on Sterling B2b Integrator, the name of the certificate is:

• DigiCert Global Root G2 (root)

and you can download it from this site:
https://www.digicert.com/kb/digicert-root-certificates.htm

I have had it from Microsoft support. I alert you that also after this operation the problem is not out completally, because some proceses keep an halted  during the night.

------------------------------
Fabrizio Allegrini

Original Message:
Sent: Wed March 12, 2025 06:28 AM
From: Andrew Plumb
Subject: Oauth2.0 for B2B Mail Client in Sterling B2B Integrator

Hi all,

I'd like to use the oauth2 in Sterling B2B Integrator to access the B2B Mail client to retrieve email using IMAP.

The oauth2.properties file doesn't seem to have anywhere to specify the trusted CA certificates to use when connecting to login.microsoftonline.com to obtain an access token. Is there some way to specify trusted CA certificates ?

------------------------------
Andrew
------------------------------

Hi Andrew,

I am not sure about which type of mailboxes you can connect here.

But one thing which you could try is to change the scope, our auth is working with "https://outlook.office365.com/.default".

Postman:

Thanks Manuel and Vivek. We have an application registered in Entra / Azure.

I was able to pass the request that the Sterling B2B Mail Client is making to obtain an access token through a proxy to see what is the content of the request, and can see that it makes the request to login.microsoftonline.com in the form  :

 Request Body (ASCII): grant_type=password&client_id=<client_id_value>&client_secret=<client_secret_value>&username=<myuser@domain_value>&password=<password_value>&scope=https://outlook.office365.com/.default

Which I believe is the equivalent of something like:

curl -v -X POST https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token \
     -H "Content-Type: application/x-www-form-urlencoded" \
     -d "client_id=<client_id_value>" \
     -d "client_secret=<client_secret_value>" \
     -d "grant_type=password" \
     -d "username=<myuser@domain_value>" \
     -d "password=<password_value>" \
     -d "scope=https://outlook.office365.com/.default"

(so I can test the token retrieval outside of Sterling using curl and get the output).

The response in the Sterling B2B Mail client logs indicates a HTTP 400 Bad Request.

The Response from MS includes a little more detail:

Response Body (ASCII): {"error":"invalid_grant","error_description":"AADSTS50126: Error validating credentials due to invalid username or password. Trace ID: d0ab*****a4e00 Correlation ID: 64db2*****8cc89a Timestamp: 2025-06-03 00:17:11Z","error_codes":[50126],"timestamp":"2025-06-03 00:17:11Z","trace_id":"d0abf4****6a4e00","correlation_id":"64db2****4e8cc89a","error_uri":"https://login.microsoftonline.com/error?code=50126"}

(I have masked the ID values in the output)

So it seems to indicate invalid user credentials, but I can login to the Outlook Web App using these credentials, So I believe the credentials are correct, and I have attempted this with passwords with and without special characters (https://www.ibm.com/support/pages/apar/IT41893), so that doesn't seem to be the problem.

From what I can gather, this type of token request where the grant_type=password is referred to as the "ROPC Flow" (Resource Owner Password Credentials Grant), and it appears it may not be compatible with some scenarios, like federated accounts.  (https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth-ropc)

I will reach out to IBM support to see if they can confirm this is the case. 

Hi Andrew,

as Vivek wrote, you need an app registration first. Usually this is created by the Entra ID admin.

Here's one guide from MS on the needed steps:

https://learn.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps#step-1-register-the-application-in-microsoft-entra-id

The created client id and secret is then used in the property file. Attached a screenshot from our config.

Best regards

Manuel

------------------------------
Manuel Frank
Integration Architect
Andreas STIHL AG & Co. KG
Waiblingen

Original Message:
Sent: Thu May 29, 2025 08:01 PM
From: Andrew Plumb
Subject: Oauth2.0 for B2B Mail Client in Sterling B2B Integrator

Thanks for the input guys, that clears up regarding the CA certificates.

Another question regarding the IMAP for MS Exchange Online I have is regarding shared mailboxes.

It's not exactly clear to me if the "user" (identified by the username and password entered in the B2B Mail Client adapter, AND as I understand the URI settings within the B2B Mail Client Adapter) must have it's own separately licensed account in Exchange Online, or if it can access a shared mailbox. Apologies if that's not very clear, I'm not very azure/MS Exchange Online literate just yet, but am getting some questions from our email service administrators on this topic... 

If anyone has an insight of further details other than what is available on the IBM Sterling Integrator documentation pages, that would be appreciated.

Thanks.

------------------------------
Andrew

Original Message:
Sent: Mon March 17, 2025 04:46 AM
From: Manuel Frank
Subject: Oauth2.0 for B2B Mail Client in Sterling B2B Integrator

Hi Fabrizio,

for whatever reasons MS has sometimes 2 different certificate for the same endpoint, and with different CAs.

Even with SNI enabled your client receives both of them alternatively, which means you have to have both CAs certificates in the CA store.

Perhaps that is the reason you are getting the halted processes. I check then with openssl if the MS server responds with  different certs...

Best regards

Manuel

------------------------------
Manuel Frank
Integration Architect
Andreas STIHL AG & Co. KG
Waiblingen

Original Message:
Sent: Mon March 17, 2025 04:28 AM
From: Fabrizio Allegrini
Subject: Oauth2.0 for B2B Mail Client in Sterling B2B Integrator

Hi Andrew,

I have had the same problem and often is still there. To resolve i loaded the CA certificate on Sterling B2b Integrator, the name of the certificate is:

• DigiCert Global Root G2 (root)

and you can download it from this site:
https://www.digicert.com/kb/digicert-root-certificates.htm

I have had it from Microsoft support. I alert you that also after this operation the problem is not out completally, because some proceses keep an halted  during the night.

------------------------------
Fabrizio Allegrini

Original Message:
Sent: Wed March 12, 2025 06:28 AM
From: Andrew Plumb
Subject: Oauth2.0 for B2B Mail Client in Sterling B2B Integrator

Hi all,

I'd like to use the oauth2 in Sterling B2B Integrator to access the B2B Mail client to retrieve email using IMAP.

The oauth2.properties file doesn't seem to have anywhere to specify the trusted CA certificates to use when connecting to login.microsoftonline.com to obtain an access token. Is there some way to specify trusted CA certificates ?

------------------------------
Andrew
------------------------------

Hi Andrew,

I am not sure about which type of mailboxes you can connect here.

But one thing which you could try is to change the scope, our auth is working with "https://outlook.office365.com/.default".

Postman:

Thanks Manuel and Vivek. We have an application registered in Entra / Azure.

I was able to pass the request that the Sterling B2B Mail Client is making to obtain an access token through a proxy to see what is the content of the request, and can see that it makes the request to login.microsoftonline.com in the form  :

 Request Body (ASCII): grant_type=password&client_id=<client_id_value>&client_secret=<client_secret_value>&username=<myuser@domain_value>&password=<password_value>&scope=https://outlook.office365.com/.default

Which I believe is the equivalent of something like:

curl -v -X POST https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token \
     -H "Content-Type: application/x-www-form-urlencoded" \
     -d "client_id=<client_id_value>" \
     -d "client_secret=<client_secret_value>" \
     -d "grant_type=password" \
     -d "username=<myuser@domain_value>" \
     -d "password=<password_value>" \
     -d "scope=https://outlook.office365.com/.default"

(so I can test the token retrieval outside of Sterling using curl and get the output).

The response in the Sterling B2B Mail client logs indicates a HTTP 400 Bad Request.

The Response from MS includes a little more detail:

Response Body (ASCII): {"error":"invalid_grant","error_description":"AADSTS50126: Error validating credentials due to invalid username or password. Trace ID: d0ab*****a4e00 Correlation ID: 64db2*****8cc89a Timestamp: 2025-06-03 00:17:11Z","error_codes":[50126],"timestamp":"2025-06-03 00:17:11Z","trace_id":"d0abf4****6a4e00","correlation_id":"64db2****4e8cc89a","error_uri":"https://login.microsoftonline.com/error?code=50126"}

(I have masked the ID values in the output)

So it seems to indicate invalid user credentials, but I can login to the Outlook Web App using these credentials, So I believe the credentials are correct, and I have attempted this with passwords with and without special characters (https://www.ibm.com/support/pages/apar/IT41893), so that doesn't seem to be the problem.

From what I can gather, this type of token request where the grant_type=password is referred to as the "ROPC Flow" (Resource Owner Password Credentials Grant), and it appears it may not be compatible with some scenarios, like federated accounts.  (https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth-ropc)

I will reach out to IBM support to see if they can confirm this is the case. 

Hi Andrew,

as Vivek wrote, you need an app registration first. Usually this is created by the Entra ID admin.

Here's one guide from MS on the needed steps:

https://learn.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps#step-1-register-the-application-in-microsoft-entra-id

The created client id and secret is then used in the property file. Attached a screenshot from our config.

Best regards

Manuel

------------------------------
Manuel Frank
Integration Architect
Andreas STIHL AG & Co. KG
Waiblingen

Original Message:
Sent: Thu May 29, 2025 08:01 PM
From: Andrew Plumb
Subject: Oauth2.0 for B2B Mail Client in Sterling B2B Integrator

Thanks for the input guys, that clears up regarding the CA certificates.

Another question regarding the IMAP for MS Exchange Online I have is regarding shared mailboxes.

It's not exactly clear to me if the "user" (identified by the username and password entered in the B2B Mail Client adapter, AND as I understand the URI settings within the B2B Mail Client Adapter) must have it's own separately licensed account in Exchange Online, or if it can access a shared mailbox. Apologies if that's not very clear, I'm not very azure/MS Exchange Online literate just yet, but am getting some questions from our email service administrators on this topic... 

If anyone has an insight of further details other than what is available on the IBM Sterling Integrator documentation pages, that would be appreciated.

Thanks.

------------------------------
Andrew

Original Message:
Sent: Mon March 17, 2025 04:46 AM
From: Manuel Frank
Subject: Oauth2.0 for B2B Mail Client in Sterling B2B Integrator

Hi Fabrizio,

for whatever reasons MS has sometimes 2 different certificate for the same endpoint, and with different CAs.

Even with SNI enabled your client receives both of them alternatively, which means you have to have both CAs certificates in the CA store.

Perhaps that is the reason you are getting the halted processes. I check then with openssl if the MS server responds with  different certs...

Best regards

Manuel

------------------------------
Manuel Frank
Integration Architect
Andreas STIHL AG & Co. KG
Waiblingen

Original Message:
Sent: Mon March 17, 2025 04:28 AM
From: Fabrizio Allegrini
Subject: Oauth2.0 for B2B Mail Client in Sterling B2B Integrator

Hi Andrew,

I have had the same problem and often is still there. To resolve i loaded the CA certificate on Sterling B2b Integrator, the name of the certificate is:

• DigiCert Global Root G2 (root)

and you can download it from this site:
https://www.digicert.com/kb/digicert-root-certificates.htm

I have had it from Microsoft support. I alert you that also after this operation the problem is not out completally, because some proceses keep an halted  during the night.

------------------------------
Fabrizio Allegrini

Original Message:
Sent: Wed March 12, 2025 06:28 AM
From: Andrew Plumb
Subject: Oauth2.0 for B2B Mail Client in Sterling B2B Integrator

Hi all,

I'd like to use the oauth2 in Sterling B2B Integrator to access the B2B Mail client to retrieve email using IMAP.

The oauth2.properties file doesn't seem to have anywhere to specify the trusted CA certificates to use when connecting to login.microsoftonline.com to obtain an access token. Is there some way to specify trusted CA certificates ?

------------------------------
Andrew
------------------------------

Hi Ram,

please try it with:

<assign to="URI" from="concat('/v1.0/drives/', graph/drive_id, '/root:/NewDocuments/Test/testD.txt:/content')"/>

Best regards

Manuel

Hi Andrew,

I am not sure about which type of mailboxes you can connect here.

But one thing which you could try is to change the scope, our auth is working with "https://outlook.office365.com/.default".

Postman:

Thanks Manuel and Vivek. We have an application registered in Entra / Azure.

I was able to pass the request that the Sterling B2B Mail Client is making to obtain an access token through a proxy to see what is the content of the request, and can see that it makes the request to login.microsoftonline.com in the form  :

 Request Body (ASCII): grant_type=password&client_id=<client_id_value>&client_secret=<client_secret_value>&username=<myuser@domain_value>&password=<password_value>&scope=https://outlook.office365.com/.default

Which I believe is the equivalent of something like:

curl -v -X POST https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token \
     -H "Content-Type: application/x-www-form-urlencoded" \
     -d "client_id=<client_id_value>" \
     -d "client_secret=<client_secret_value>" \
     -d "grant_type=password" \
     -d "username=<myuser@domain_value>" \
     -d "password=<password_value>" \
     -d "scope=https://outlook.office365.com/.default"

(so I can test the token retrieval outside of Sterling using curl and get the output).

The response in the Sterling B2B Mail client logs indicates a HTTP 400 Bad Request.

The Response from MS includes a little more detail:

Response Body (ASCII): {"error":"invalid_grant","error_description":"AADSTS50126: Error validating credentials due to invalid username or password. Trace ID: d0ab*****a4e00 Correlation ID: 64db2*****8cc89a Timestamp: 2025-06-03 00:17:11Z","error_codes":[50126],"timestamp":"2025-06-03 00:17:11Z","trace_id":"d0abf4****6a4e00","correlation_id":"64db2****4e8cc89a","error_uri":"https://login.microsoftonline.com/error?code=50126"}

(I have masked the ID values in the output)

So it seems to indicate invalid user credentials, but I can login to the Outlook Web App using these credentials, So I believe the credentials are correct, and I have attempted this with passwords with and without special characters (https://www.ibm.com/support/pages/apar/IT41893), so that doesn't seem to be the problem.

From what I can gather, this type of token request where the grant_type=password is referred to as the "ROPC Flow" (Resource Owner Password Credentials Grant), and it appears it may not be compatible with some scenarios, like federated accounts.  (https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth-ropc)

I will reach out to IBM support to see if they can confirm this is the case. 

Hi Andrew,

as Vivek wrote, you need an app registration first. Usually this is created by the Entra ID admin.

Here's one guide from MS on the needed steps:

https://learn.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps#step-1-register-the-application-in-microsoft-entra-id

The created client id and secret is then used in the property file. Attached a screenshot from our config.

Best regards

Manuel

------------------------------
Manuel Frank
Integration Architect
Andreas STIHL AG & Co. KG
Waiblingen

Original Message:
Sent: Thu May 29, 2025 08:01 PM
From: Andrew Plumb
Subject: Oauth2.0 for B2B Mail Client in Sterling B2B Integrator

Thanks for the input guys, that clears up regarding the CA certificates.

Another question regarding the IMAP for MS Exchange Online I have is regarding shared mailboxes.

It's not exactly clear to me if the "user" (identified by the username and password entered in the B2B Mail Client adapter, AND as I understand the URI settings within the B2B Mail Client Adapter) must have it's own separately licensed account in Exchange Online, or if it can access a shared mailbox. Apologies if that's not very clear, I'm not very azure/MS Exchange Online literate just yet, but am getting some questions from our email service administrators on this topic... 

If anyone has an insight of further details other than what is available on the IBM Sterling Integrator documentation pages, that would be appreciated.

Thanks.

------------------------------
Andrew

Original Message:
Sent: Mon March 17, 2025 04:46 AM
From: Manuel Frank
Subject: Oauth2.0 for B2B Mail Client in Sterling B2B Integrator

Hi Fabrizio,

for whatever reasons MS has sometimes 2 different certificate for the same endpoint, and with different CAs.

Even with SNI enabled your client receives both of them alternatively, which means you have to have both CAs certificates in the CA store.

Perhaps that is the reason you are getting the halted processes. I check then with openssl if the MS server responds with  different certs...

Best regards

Manuel

------------------------------
Manuel Frank
Integration Architect
Andreas STIHL AG & Co. KG
Waiblingen

Original Message:
Sent: Mon March 17, 2025 04:28 AM
From: Fabrizio Allegrini
Subject: Oauth2.0 for B2B Mail Client in Sterling B2B Integrator

Hi Andrew,

I have had the same problem and often is still there. To resolve i loaded the CA certificate on Sterling B2b Integrator, the name of the certificate is:

• DigiCert Global Root G2 (root)

and you can download it from this site:
https://www.digicert.com/kb/digicert-root-certificates.htm

I have had it from Microsoft support. I alert you that also after this operation the problem is not out completally, because some proceses keep an halted  during the night.

------------------------------
Fabrizio Allegrini

Original Message:
Sent: Wed March 12, 2025 06:28 AM
From: Andrew Plumb
Subject: Oauth2.0 for B2B Mail Client in Sterling B2B Integrator

Hi all,

I'd like to use the oauth2 in Sterling B2B Integrator to access the B2B Mail client to retrieve email using IMAP.

The oauth2.properties file doesn't seem to have anywhere to specify the trusted CA certificates to use when connecting to login.microsoftonline.com to obtain an access token. Is there some way to specify trusted CA certificates ?

------------------------------
Andrew
------------------------------

Hi Ram,

please try it with:

<assign to="URI" from="concat('/v1.0/drives/', graph/drive_id, '/root:/NewDocuments/Test/testD.txt:/content')"/>

Best regards

Manuel

Hi Andrew,

I am not sure about which type of mailboxes you can connect here.

But one thing which you could try is to change the scope, our auth is working with "https://outlook.office365.com/.default".

Postman:

Thanks Manuel and Vivek. We have an application registered in Entra / Azure.

I was able to pass the request that the Sterling B2B Mail Client is making to obtain an access token through a proxy to see what is the content of the request, and can see that it makes the request to login.microsoftonline.com in the form  :

 Request Body (ASCII): grant_type=password&client_id=<client_id_value>&client_secret=<client_secret_value>&username=<myuser@domain_value>&password=<password_value>&scope=https://outlook.office365.com/.default

Which I believe is the equivalent of something like:

curl -v -X POST https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token \
     -H "Content-Type: application/x-www-form-urlencoded" \
     -d "client_id=<client_id_value>" \
     -d "client_secret=<client_secret_value>" \
     -d "grant_type=password" \
     -d "username=<myuser@domain_value>" \
     -d "password=<password_value>" \
     -d "scope=https://outlook.office365.com/.default"

(so I can test the token retrieval outside of Sterling using curl and get the output).

The response in the Sterling B2B Mail client logs indicates a HTTP 400 Bad Request.

The Response from MS includes a little more detail:

Response Body (ASCII): {"error":"invalid_grant","error_description":"AADSTS50126: Error validating credentials due to invalid username or password. Trace ID: d0ab*****a4e00 Correlation ID: 64db2*****8cc89a Timestamp: 2025-06-03 00:17:11Z","error_codes":[50126],"timestamp":"2025-06-03 00:17:11Z","trace_id":"d0abf4****6a4e00","correlation_id":"64db2****4e8cc89a","error_uri":"https://login.microsoftonline.com/error?code=50126"}

(I have masked the ID values in the output)

So it seems to indicate invalid user credentials, but I can login to the Outlook Web App using these credentials, So I believe the credentials are correct, and I have attempted this with passwords with and without special characters (https://www.ibm.com/support/pages/apar/IT41893), so that doesn't seem to be the problem.

From what I can gather, this type of token request where the grant_type=password is referred to as the "ROPC Flow" (Resource Owner Password Credentials Grant), and it appears it may not be compatible with some scenarios, like federated accounts.  (https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth-ropc)

I will reach out to IBM support to see if they can confirm this is the case. 

Hi Andrew,

as Vivek wrote, you need an app registration first. Usually this is created by the Entra ID admin.

Here's one guide from MS on the needed steps:

https://learn.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps#step-1-register-the-application-in-microsoft-entra-id

The created client id and secret is then used in the property file. Attached a screenshot from our config.

Best regards

Manuel

------------------------------
Manuel Frank
Integration Architect
Andreas STIHL AG & Co. KG
Waiblingen

Original Message:
Sent: Thu May 29, 2025 08:01 PM
From: Andrew Plumb
Subject: Oauth2.0 for B2B Mail Client in Sterling B2B Integrator

Thanks for the input guys, that clears up regarding the CA certificates.

Another question regarding the IMAP for MS Exchange Online I have is regarding shared mailboxes.

It's not exactly clear to me if the "user" (identified by the username and password entered in the B2B Mail Client adapter, AND as I understand the URI settings within the B2B Mail Client Adapter) must have it's own separately licensed account in Exchange Online, or if it can access a shared mailbox. Apologies if that's not very clear, I'm not very azure/MS Exchange Online literate just yet, but am getting some questions from our email service administrators on this topic... 

If anyone has an insight of further details other than what is available on the IBM Sterling Integrator documentation pages, that would be appreciated.

Thanks.

------------------------------
Andrew

Original Message:
Sent: Mon March 17, 2025 04:46 AM
From: Manuel Frank
Subject: Oauth2.0 for B2B Mail Client in Sterling B2B Integrator

Hi Fabrizio,

for whatever reasons MS has sometimes 2 different certificate for the same endpoint, and with different CAs.

Even with SNI enabled your client receives both of them alternatively, which means you have to have both CAs certificates in the CA store.

Perhaps that is the reason you are getting the halted processes. I check then with openssl if the MS server responds with  different certs...

Best regards

Manuel

------------------------------
Manuel Frank
Integration Architect
Andreas STIHL AG & Co. KG
Waiblingen

Original Message:
Sent: Mon March 17, 2025 04:28 AM
From: Fabrizio Allegrini
Subject: Oauth2.0 for B2B Mail Client in Sterling B2B Integrator

Hi Andrew,

I have had the same problem and often is still there. To resolve i loaded the CA certificate on Sterling B2b Integrator, the name of the certificate is:

• DigiCert Global Root G2 (root)

and you can download it from this site:
https://www.digicert.com/kb/digicert-root-certificates.htm

I have had it from Microsoft support. I alert you that also after this operation the problem is not out completally, because some proceses keep an halted  during the night.

------------------------------
Fabrizio Allegrini

Original Message:
Sent: Wed March 12, 2025 06:28 AM
From: Andrew Plumb
Subject: Oauth2.0 for B2B Mail Client in Sterling B2B Integrator

Hi all,

I'd like to use the oauth2 in Sterling B2B Integrator to access the B2B Mail client to retrieve email using IMAP.

The oauth2.properties file doesn't seem to have anywhere to specify the trusted CA certificates to use when connecting to login.microsoftonline.com to obtain an access token. Is there some way to specify trusted CA certificates ?

------------------------------
Andrew
------------------------------

Hi Ram,

please try it with:

<assign to="URI" from="concat('/v1.0/drives/', graph/drive_id, '/root:/NewDocuments/Test/testD.txt:/content')"/>

Best regards

Manuel

Hi Andrew,

I am not sure about which type of mailboxes you can connect here.

But one thing which you could try is to change the scope, our auth is working with "https://outlook.office365.com/.default".

Postman:

Thanks Manuel and Vivek. We have an application registered in Entra / Azure.

I was able to pass the request that the Sterling B2B Mail Client is making to obtain an access token through a proxy to see what is the content of the request, and can see that it makes the request to login.microsoftonline.com in the form  :

 Request Body (ASCII): grant_type=password&client_id=<client_id_value>&client_secret=<client_secret_value>&username=<myuser@domain_value>&password=<password_value>&scope=https://outlook.office365.com/.default

Which I believe is the equivalent of something like:

curl -v -X POST https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token \
     -H "Content-Type: application/x-www-form-urlencoded" \
     -d "client_id=<client_id_value>" \
     -d "client_secret=<client_secret_value>" \
     -d "grant_type=password" \
     -d "username=<myuser@domain_value>" \
     -d "password=<password_value>" \
     -d "scope=https://outlook.office365.com/.default"

(so I can test the token retrieval outside of Sterling using curl and get the output).

The response in the Sterling B2B Mail client logs indicates a HTTP 400 Bad Request.

The Response from MS includes a little more detail:

Response Body (ASCII): {"error":"invalid_grant","error_description":"AADSTS50126: Error validating credentials due to invalid username or password. Trace ID: d0ab*****a4e00 Correlation ID: 64db2*****8cc89a Timestamp: 2025-06-03 00:17:11Z","error_codes":[50126],"timestamp":"2025-06-03 00:17:11Z","trace_id":"d0abf4****6a4e00","correlation_id":"64db2****4e8cc89a","error_uri":"https://login.microsoftonline.com/error?code=50126"}

(I have masked the ID values in the output)

So it seems to indicate invalid user credentials, but I can login to the Outlook Web App using these credentials, So I believe the credentials are correct, and I have attempted this with passwords with and without special characters (https://www.ibm.com/support/pages/apar/IT41893), so that doesn't seem to be the problem.

From what I can gather, this type of token request where the grant_type=password is referred to as the "ROPC Flow" (Resource Owner Password Credentials Grant), and it appears it may not be compatible with some scenarios, like federated accounts.  (https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth-ropc)

I will reach out to IBM support to see if they can confirm this is the case. 

Hi Andrew,

as Vivek wrote, you need an app registration first. Usually this is created by the Entra ID admin.

Here's one guide from MS on the needed steps:

https://learn.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps#step-1-register-the-application-in-microsoft-entra-id

The created client id and secret is then used in the property file. Attached a screenshot from our config.

Best regards

Manuel

------------------------------
Manuel Frank
Integration Architect
Andreas STIHL AG & Co. KG
Waiblingen

Original Message:
Sent: Thu May 29, 2025 08:01 PM
From: Andrew Plumb
Subject: Oauth2.0 for B2B Mail Client in Sterling B2B Integrator

Thanks for the input guys, that clears up regarding the CA certificates.

Another question regarding the IMAP for MS Exchange Online I have is regarding shared mailboxes.

It's not exactly clear to me if the "user" (identified by the username and password entered in the B2B Mail Client adapter, AND as I understand the URI settings within the B2B Mail Client Adapter) must have it's own separately licensed account in Exchange Online, or if it can access a shared mailbox. Apologies if that's not very clear, I'm not very azure/MS Exchange Online literate just yet, but am getting some questions from our email service administrators on this topic... 

If anyone has an insight of further details other than what is available on the IBM Sterling Integrator documentation pages, that would be appreciated.

Thanks.

------------------------------
Andrew

Original Message:
Sent: Mon March 17, 2025 04:46 AM
From: Manuel Frank
Subject: Oauth2.0 for B2B Mail Client in Sterling B2B Integrator

Hi Fabrizio,

for whatever reasons MS has sometimes 2 different certificate for the same endpoint, and with different CAs.

Even with SNI enabled your client receives both of them alternatively, which means you have to have both CAs certificates in the CA store.

Perhaps that is the reason you are getting the halted processes. I check then with openssl if the MS server responds with  different certs...

Best regards

Manuel

------------------------------
Manuel Frank
Integration Architect
Andreas STIHL AG & Co. KG
Waiblingen

Original Message:
Sent: Mon March 17, 2025 04:28 AM
From: Fabrizio Allegrini
Subject: Oauth2.0 for B2B Mail Client in Sterling B2B Integrator

Hi Andrew,

I have had the same problem and often is still there. To resolve i loaded the CA certificate on Sterling B2b Integrator, the name of the certificate is:

• DigiCert Global Root G2 (root)

and you can download it from this site:
https://www.digicert.com/kb/digicert-root-certificates.htm

I have had it from Microsoft support. I alert you that also after this operation the problem is not out completally, because some proceses keep an halted  during the night.

------------------------------
Fabrizio Allegrini

Original Message:
Sent: Wed March 12, 2025 06:28 AM
From: Andrew Plumb
Subject: Oauth2.0 for B2B Mail Client in Sterling B2B Integrator

Hi all,

I'd like to use the oauth2 in Sterling B2B Integrator to access the B2B Mail client to retrieve email using IMAP.

The oauth2.properties file doesn't seem to have anywhere to specify the trusted CA certificates to use when connecting to login.microsoftonline.com to obtain an access token. Is there some way to specify trusted CA certificates ?

------------------------------
Andrew
------------------------------

Hi Ram,

please try it with:

<assign to="URI" from="concat('/v1.0/drives/', graph/drive_id, '/root:/NewDocuments/Test/testD.txt:/content')"/>

Best regards

Manuel

Hi Andrew,

I am not sure about which type of mailboxes you can connect here.

But one thing which you could try is to change the scope, our auth is working with "https://outlook.office365.com/.default".

Postman:

Thanks Manuel and Vivek. We have an application registered in Entra / Azure.

I was able to pass the request that the Sterling B2B Mail Client is making to obtain an access token through a proxy to see what is the content of the request, and can see that it makes the request to login.microsoftonline.com in the form  :

 Request Body (ASCII): grant_type=password&client_id=<client_id_value>&client_secret=<client_secret_value>&username=<myuser@domain_value>&password=<password_value>&scope=https://outlook.office365.com/.default

Which I believe is the equivalent of something like:

curl -v -X POST https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token \
     -H "Content-Type: application/x-www-form-urlencoded" \
     -d "client_id=<client_id_value>" \
     -d "client_secret=<client_secret_value>" \
     -d "grant_type=password" \
     -d "username=<myuser@domain_value>" \
     -d "password=<password_value>" \
     -d "scope=https://outlook.office365.com/.default"

(so I can test the token retrieval outside of Sterling using curl and get the output).

The response in the Sterling B2B Mail client logs indicates a HTTP 400 Bad Request.

The Response from MS includes a little more detail:

Response Body (ASCII): {"error":"invalid_grant","error_description":"AADSTS50126: Error validating credentials due to invalid username or password. Trace ID: d0ab*****a4e00 Correlation ID: 64db2*****8cc89a Timestamp: 2025-06-03 00:17:11Z","error_codes":[50126],"timestamp":"2025-06-03 00:17:11Z","trace_id":"d0abf4****6a4e00","correlation_id":"64db2****4e8cc89a","error_uri":"https://login.microsoftonline.com/error?code=50126"}

(I have masked the ID values in the output)

So it seems to indicate invalid user credentials, but I can login to the Outlook Web App using these credentials, So I believe the credentials are correct, and I have attempted this with passwords with and without special characters (https://www.ibm.com/support/pages/apar/IT41893), so that doesn't seem to be the problem.

From what I can gather, this type of token request where the grant_type=password is referred to as the "ROPC Flow" (Resource Owner Password Credentials Grant), and it appears it may not be compatible with some scenarios, like federated accounts.  (https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth-ropc)

I will reach out to IBM support to see if they can confirm this is the case. 

Hi Andrew,

as Vivek wrote, you need an app registration first. Usually this is created by the Entra ID admin.

Here's one guide from MS on the needed steps:

https://learn.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps#step-1-register-the-application-in-microsoft-entra-id

The created client id and secret is then used in the property file. Attached a screenshot from our config.

Best regards

Manuel

------------------------------
Manuel Frank
Integration Architect
Andreas STIHL AG & Co. KG
Waiblingen

Original Message:
Sent: Thu May 29, 2025 08:01 PM
From: Andrew Plumb
Subject: Oauth2.0 for B2B Mail Client in Sterling B2B Integrator

Thanks for the input guys, that clears up regarding the CA certificates.

Another question regarding the IMAP for MS Exchange Online I have is regarding shared mailboxes.

It's not exactly clear to me if the "user" (identified by the username and password entered in the B2B Mail Client adapter, AND as I understand the URI settings within the B2B Mail Client Adapter) must have it's own separately licensed account in Exchange Online, or if it can access a shared mailbox. Apologies if that's not very clear, I'm not very azure/MS Exchange Online literate just yet, but am getting some questions from our email service administrators on this topic... 

If anyone has an insight of further details other than what is available on the IBM Sterling Integrator documentation pages, that would be appreciated.

Thanks.

------------------------------
Andrew

Original Message:
Sent: Mon March 17, 2025 04:46 AM
From: Manuel Frank
Subject: Oauth2.0 for B2B Mail Client in Sterling B2B Integrator

Hi Fabrizio,

for whatever reasons MS has sometimes 2 different certificate for the same endpoint, and with different CAs.

Even with SNI enabled your client receives both of them alternatively, which means you have to have both CAs certificates in the CA store.

Perhaps that is the reason you are getting the halted processes. I check then with openssl if the MS server responds with  different certs...

Best regards

Manuel

------------------------------
Manuel Frank
Integration Architect
Andreas STIHL AG & Co. KG
Waiblingen

Original Message:
Sent: Mon March 17, 2025 04:28 AM
From: Fabrizio Allegrini
Subject: Oauth2.0 for B2B Mail Client in Sterling B2B Integrator

Hi Andrew,

I have had the same problem and often is still there. To resolve i loaded the CA certificate on Sterling B2b Integrator, the name of the certificate is:

• DigiCert Global Root G2 (root)

and you can download it from this site:
https://www.digicert.com/kb/digicert-root-certificates.htm

I have had it from Microsoft support. I alert you that also after this operation the problem is not out completally, because some proceses keep an halted  during the night.

------------------------------
Fabrizio Allegrini

Original Message:
Sent: Wed March 12, 2025 06:28 AM
From: Andrew Plumb
Subject: Oauth2.0 for B2B Mail Client in Sterling B2B Integrator

Hi all,

I'd like to use the oauth2 in Sterling B2B Integrator to access the B2B Mail client to retrieve email using IMAP.

The oauth2.properties file doesn't seem to have anywhere to specify the trusted CA certificates to use when connecting to login.microsoftonline.com to obtain an access token. Is there some way to specify trusted CA certificates ?

------------------------------
Andrew
------------------------------

Hi Ram,

glad that it works now. The drive id is the unique identifier of the document library.

Best regards

Manuel

Hi Ram,

please try it with:

<assign to="URI" from="concat('/v1.0/drives/', graph/drive_id, '/root:/NewDocuments/Test/testD.txt:/content')"/>

Best regards

Manuel

Hi Andrew,

I am not sure about which type of mailboxes you can connect here.

But one thing which you could try is to change the scope, our auth is working with "https://outlook.office365.com/.default".

Postman:

Thanks Manuel and Vivek. We have an application registered in Entra / Azure.

I was able to pass the request that the Sterling B2B Mail Client is making to obtain an access token through a proxy to see what is the content of the request, and can see that it makes the request to login.microsoftonline.com in the form  :

 Request Body (ASCII): grant_type=password&client_id=<client_id_value>&client_secret=<client_secret_value>&username=<myuser@domain_value>&password=<password_value>&scope=https://outlook.office365.com/.default

Which I believe is the equivalent of something like:

curl -v -X POST https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token \
     -H "Content-Type: application/x-www-form-urlencoded" \
     -d "client_id=<client_id_value>" \
     -d "client_secret=<client_secret_value>" \
     -d "grant_type=password" \
     -d "username=<myuser@domain_value>" \
     -d "password=<password_value>" \
     -d "scope=https://outlook.office365.com/.default"

(so I can test the token retrieval outside of Sterling using curl and get the output).

The response in the Sterling B2B Mail client logs indicates a HTTP 400 Bad Request.

The Response from MS includes a little more detail:

Response Body (ASCII): {"error":"invalid_grant","error_description":"AADSTS50126: Error validating credentials due to invalid username or password. Trace ID: d0ab*****a4e00 Correlation ID: 64db2*****8cc89a Timestamp: 2025-06-03 00:17:11Z","error_codes":[50126],"timestamp":"2025-06-03 00:17:11Z","trace_id":"d0abf4****6a4e00","correlation_id":"64db2****4e8cc89a","error_uri":"https://login.microsoftonline.com/error?code=50126"}

(I have masked the ID values in the output)

So it seems to indicate invalid user credentials, but I can login to the Outlook Web App using these credentials, So I believe the credentials are correct, and I have attempted this with passwords with and without special characters (https://www.ibm.com/support/pages/apar/IT41893), so that doesn't seem to be the problem.

From what I can gather, this type of token request where the grant_type=password is referred to as the "ROPC Flow" (Resource Owner Password Credentials Grant), and it appears it may not be compatible with some scenarios, like federated accounts.  (https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth-ropc)

I will reach out to IBM support to see if they can confirm this is the case. 

Hi Andrew,

as Vivek wrote, you need an app registration first. Usually this is created by the Entra ID admin.

Here's one guide from MS on the needed steps:

https://learn.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps#step-1-register-the-application-in-microsoft-entra-id

The created client id and secret is then used in the property file. Attached a screenshot from our config.

Best regards

Manuel

------------------------------
Manuel Frank
Integration Architect
Andreas STIHL AG & Co. KG
Waiblingen

Original Message:
Sent: Thu May 29, 2025 08:01 PM
From: Andrew Plumb
Subject: Oauth2.0 for B2B Mail Client in Sterling B2B Integrator

Thanks for the input guys, that clears up regarding the CA certificates.

Another question regarding the IMAP for MS Exchange Online I have is regarding shared mailboxes.

It's not exactly clear to me if the "user" (identified by the username and password entered in the B2B Mail Client adapter, AND as I understand the URI settings within the B2B Mail Client Adapter) must have it's own separately licensed account in Exchange Online, or if it can access a shared mailbox. Apologies if that's not very clear, I'm not very azure/MS Exchange Online literate just yet, but am getting some questions from our email service administrators on this topic... 

If anyone has an insight of further details other than what is available on the IBM Sterling Integrator documentation pages, that would be appreciated.

Thanks.

------------------------------
Andrew

Original Message:
Sent: Mon March 17, 2025 04:46 AM
From: Manuel Frank
Subject: Oauth2.0 for B2B Mail Client in Sterling B2B Integrator

Hi Fabrizio,

for whatever reasons MS has sometimes 2 different certificate for the same endpoint, and with different CAs.

Even with SNI enabled your client receives both of them alternatively, which means you have to have both CAs certificates in the CA store.

Perhaps that is the reason you are getting the halted processes. I check then with openssl if the MS server responds with  different certs...

Best regards

Manuel

------------------------------
Manuel Frank
Integration Architect
Andreas STIHL AG & Co. KG
Waiblingen

Original Message:
Sent: Mon March 17, 2025 04:28 AM
From: Fabrizio Allegrini
Subject: Oauth2.0 for B2B Mail Client in Sterling B2B Integrator

Hi Andrew,

I have had the same problem and often is still there. To resolve i loaded the CA certificate on Sterling B2b Integrator, the name of the certificate is:

• DigiCert Global Root G2 (root)

and you can download it from this site:
https://www.digicert.com/kb/digicert-root-certificates.htm

I have had it from Microsoft support. I alert you that also after this operation the problem is not out completally, because some proceses keep an halted  during the night.

------------------------------
Fabrizio Allegrini

Original Message:
Sent: Wed March 12, 2025 06:28 AM
From: Andrew Plumb
Subject: Oauth2.0 for B2B Mail Client in Sterling B2B Integrator

Hi all,

I'd like to use the oauth2 in Sterling B2B Integrator to access the B2B Mail client to retrieve email using IMAP.

The oauth2.properties file doesn't seem to have anywhere to specify the trusted CA certificates to use when connecting to login.microsoftonline.com to obtain an access token. Is there some way to specify trusted CA certificates ?

------------------------------
Andrew
------------------------------

Hi Ram,

glad that it works now. The drive id is the unique identifier of the document library.

Best regards

Manuel

Hi Ram,

please try it with:

<assign to="URI" from="concat('/v1.0/drives/', graph/drive_id, '/root:/NewDocuments/Test/testD.txt:/content')"/>

Best regards

Manuel

Hi Andrew,

I am not sure about which type of mailboxes you can connect here.

But one thing which you could try is to change the scope, our auth is working with "https://outlook.office365.com/.default".

Postman:

Thanks Manuel and Vivek. We have an application registered in Entra / Azure.

I was able to pass the request that the Sterling B2B Mail Client is making to obtain an access token through a proxy to see what is the content of the request, and can see that it makes the request to login.microsoftonline.com in the form  :

 Request Body (ASCII): grant_type=password&client_id=<client_id_value>&client_secret=<client_secret_value>&username=<myuser@domain_value>&password=<password_value>&scope=https://outlook.office365.com/.default

Which I believe is the equivalent of something like:

curl -v -X POST https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token \
     -H "Content-Type: application/x-www-form-urlencoded" \
     -d "client_id=<client_id_value>" \
     -d "client_secret=<client_secret_value>" \
     -d "grant_type=password" \
     -d "username=<myuser@domain_value>" \
     -d "password=<password_value>" \
     -d "scope=https://outlook.office365.com/.default"

(so I can test the token retrieval outside of Sterling using curl and get the output).

The response in the Sterling B2B Mail client logs indicates a HTTP 400 Bad Request.

The Response from MS includes a little more detail:

Response Body (ASCII): {"error":"invalid_grant","error_description":"AADSTS50126: Error validating credentials due to invalid username or password. Trace ID: d0ab*****a4e00 Correlation ID: 64db2*****8cc89a Timestamp: 2025-06-03 00:17:11Z","error_codes":[50126],"timestamp":"2025-06-03 00:17:11Z","trace_id":"d0abf4****6a4e00","correlation_id":"64db2****4e8cc89a","error_uri":"https://login.microsoftonline.com/error?code=50126"}

(I have masked the ID values in the output)

So it seems to indicate invalid user credentials, but I can login to the Outlook Web App using these credentials, So I believe the credentials are correct, and I have attempted this with passwords with and without special characters (https://www.ibm.com/support/pages/apar/IT41893), so that doesn't seem to be the problem.

From what I can gather, this type of token request where the grant_type=password is referred to as the "ROPC Flow" (Resource Owner Password Credentials Grant), and it appears it may not be compatible with some scenarios, like federated accounts.  (https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth-ropc)

I will reach out to IBM support to see if they can confirm this is the case. 

Hi Andrew,

as Vivek wrote, you need an app registration first. Usually this is created by the Entra ID admin.

Here's one guide from MS on the needed steps:

https://learn.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps#step-1-register-the-application-in-microsoft-entra-id

The created client id and secret is then used in the property file. Attached a screenshot from our config.

Best regards

Manuel

------------------------------
Manuel Frank
Integration Architect
Andreas STIHL AG & Co. KG
Waiblingen

Original Message:
Sent: Thu May 29, 2025 08:01 PM
From: Andrew Plumb
Subject: Oauth2.0 for B2B Mail Client in Sterling B2B Integrator

Thanks for the input guys, that clears up regarding the CA certificates.

Another question regarding the IMAP for MS Exchange Online I have is regarding shared mailboxes.

It's not exactly clear to me if the "user" (identified by the username and password entered in the B2B Mail Client adapter, AND as I understand the URI settings within the B2B Mail Client Adapter) must have it's own separately licensed account in Exchange Online, or if it can access a shared mailbox. Apologies if that's not very clear, I'm not very azure/MS Exchange Online literate just yet, but am getting some questions from our email service administrators on this topic... 

If anyone has an insight of further details other than what is available on the IBM Sterling Integrator documentation pages, that would be appreciated.

Thanks.

------------------------------
Andrew

Original Message:
Sent: Mon March 17, 2025 04:46 AM
From: Manuel Frank
Subject: Oauth2.0 for B2B Mail Client in Sterling B2B Integrator

Hi Fabrizio,

for whatever reasons MS has sometimes 2 different certificate for the same endpoint, and with different CAs.

Even with SNI enabled your client receives both of them alternatively, which means you have to have both CAs certificates in the CA store.

Perhaps that is the reason you are getting the halted processes. I check then with openssl if the MS server responds with  different certs...

Best regards

Manuel

------------------------------
Manuel Frank
Integration Architect
Andreas STIHL AG & Co. KG
Waiblingen

Original Message:
Sent: Mon March 17, 2025 04:28 AM
From: Fabrizio Allegrini
Subject: Oauth2.0 for B2B Mail Client in Sterling B2B Integrator

Hi Andrew,

I have had the same problem and often is still there. To resolve i loaded the CA certificate on Sterling B2b Integrator, the name of the certificate is:

• DigiCert Global Root G2 (root)

and you can download it from this site:
https://www.digicert.com/kb/digicert-root-certificates.htm

I have had it from Microsoft support. I alert you that also after this operation the problem is not out completally, because some proceses keep an halted  during the night.

------------------------------
Fabrizio Allegrini

Original Message:
Sent: Wed March 12, 2025 06:28 AM
From: Andrew Plumb
Subject: Oauth2.0 for B2B Mail Client in Sterling B2B Integrator

Hi all,

I'd like to use the oauth2 in Sterling B2B Integrator to access the B2B Mail client to retrieve email using IMAP.

The oauth2.properties file doesn't seem to have anywhere to specify the trusted CA certificates to use when connecting to login.microsoftonline.com to obtain an access token. Is there some way to specify trusted CA certificates ?

------------------------------
Andrew
------------------------------

Hi Ram,

did you copy the URI from the message to service to Postman and there it works? Very odd.

And there is no new primary docment?

Best regards

Manuel

Hi Ram,

glad that it works now. The drive id is the unique identifier of the document library.

Best regards

Manuel

Hi Ram,

please try it with:

<assign to="URI" from="concat('/v1.0/drives/', graph/drive_id, '/root:/NewDocuments/Test/testD.txt:/content')"/>

Best regards

Manuel

Hi Andrew,

I am not sure about which type of mailboxes you can connect here.

But one thing which you could try is to change the scope, our auth is working with "https://outlook.office365.com/.default".

Postman:

Thanks Manuel and Vivek. We have an application registered in Entra / Azure.

I was able to pass the request that the Sterling B2B Mail Client is making to obtain an access token through a proxy to see what is the content of the request, and can see that it makes the request to login.microsoftonline.com in the form  :

 Request Body (ASCII): grant_type=password&client_id=<client_id_value>&client_secret=<client_secret_value>&username=<myuser@domain_value>&password=<password_value>&scope=https://outlook.office365.com/.default

Which I believe is the equivalent of something like:

curl -v -X POST https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token \
     -H "Content-Type: application/x-www-form-urlencoded" \
     -d "client_id=<client_id_value>" \
     -d "client_secret=<client_secret_value>" \
     -d "grant_type=password" \
     -d "username=<myuser@domain_value>" \
     -d "password=<password_value>" \
     -d "scope=https://outlook.office365.com/.default"

(so I can test the token retrieval outside of Sterling using curl and get the output).

The response in the Sterling B2B Mail client logs indicates a HTTP 400 Bad Request.

The Response from MS includes a little more detail:

Response Body (ASCII): {"error":"invalid_grant","error_description":"AADSTS50126: Error validating credentials due to invalid username or password. Trace ID: d0ab*****a4e00 Correlation ID: 64db2*****8cc89a Timestamp: 2025-06-03 00:17:11Z","error_codes":[50126],"timestamp":"2025-06-03 00:17:11Z","trace_id":"d0abf4****6a4e00","correlation_id":"64db2****4e8cc89a","error_uri":"https://login.microsoftonline.com/error?code=50126"}

(I have masked the ID values in the output)

So it seems to indicate invalid user credentials, but I can login to the Outlook Web App using these credentials, So I believe the credentials are correct, and I have attempted this with passwords with and without special characters (https://www.ibm.com/support/pages/apar/IT41893), so that doesn't seem to be the problem.

From what I can gather, this type of token request where the grant_type=password is referred to as the "ROPC Flow" (Resource Owner Password Credentials Grant), and it appears it may not be compatible with some scenarios, like federated accounts.  (https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth-ropc)

I will reach out to IBM support to see if they can confirm this is the case. 

Hi Andrew,

as Vivek wrote, you need an app registration first. Usually this is created by the Entra ID admin.

Here's one guide from MS on the needed steps:

https://learn.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps#step-1-register-the-application-in-microsoft-entra-id

The created client id and secret is then used in the property file. Attached a screenshot from our config.

Best regards

Manuel

------------------------------
Manuel Frank
Integration Architect
Andreas STIHL AG & Co. KG
Waiblingen

Original Message:
Sent: Thu May 29, 2025 08:01 PM
From: Andrew Plumb
Subject: Oauth2.0 for B2B Mail Client in Sterling B2B Integrator

Thanks for the input guys, that clears up regarding the CA certificates.

Another question regarding the IMAP for MS Exchange Online I have is regarding shared mailboxes.

It's not exactly clear to me if the "user" (identified by the username and password entered in the B2B Mail Client adapter, AND as I understand the URI settings within the B2B Mail Client Adapter) must have it's own separately licensed account in Exchange Online, or if it can access a shared mailbox. Apologies if that's not very clear, I'm not very azure/MS Exchange Online literate just yet, but am getting some questions from our email service administrators on this topic... 

If anyone has an insight of further details other than what is available on the IBM Sterling Integrator documentation pages, that would be appreciated.

Thanks.

------------------------------
Andrew

Original Message:
Sent: Mon March 17, 2025 04:46 AM
From: Manuel Frank
Subject: Oauth2.0 for B2B Mail Client in Sterling B2B Integrator

Hi Fabrizio,

for whatever reasons MS has sometimes 2 different certificate for the same endpoint, and with different CAs.

Even with SNI enabled your client receives both of them alternatively, which means you have to have both CAs certificates in the CA store.

Perhaps that is the reason you are getting the halted processes. I check then with openssl if the MS server responds with  different certs...

Best regards

Manuel

------------------------------
Manuel Frank
Integration Architect
Andreas STIHL AG & Co. KG
Waiblingen

Original Message:
Sent: Mon March 17, 2025 04:28 AM
From: Fabrizio Allegrini
Subject: Oauth2.0 for B2B Mail Client in Sterling B2B Integrator

Hi Andrew,

I have had the same problem and often is still there. To resolve i loaded the CA certificate on Sterling B2b Integrator, the name of the certificate is:

• DigiCert Global Root G2 (root)

and you can download it from this site:
https://www.digicert.com/kb/digicert-root-certificates.htm

I have had it from Microsoft support. I alert you that also after this operation the problem is not out completally, because some proceses keep an halted  during the night.

------------------------------
Fabrizio Allegrini

Original Message:
Sent: Wed March 12, 2025 06:28 AM
From: Andrew Plumb
Subject: Oauth2.0 for B2B Mail Client in Sterling B2B Integrator

Hi all,

I'd like to use the oauth2 in Sterling B2B Integrator to access the B2B Mail client to retrieve email using IMAP.

The oauth2.properties file doesn't seem to have anywhere to specify the trusted CA certificates to use when connecting to login.microsoftonline.com to obtain an access token. Is there some way to specify trusted CA certificates ?

------------------------------
Andrew
------------------------------

Hi Manuel,

Yes, you're right - for the GET request, I'm not using the primary document in Postman. I'm just sending the message to the service URI, and it's working nicely. In Postman, I'm receiving the response as document content, but the same is not happening with the GET method in the actual implementation.

Thanks

Ram.

Hi Ram,

did you copy the URI from the message to service to Postman and there it works? Very odd.

And there is no new primary docment?

Best regards

Manuel

Hi Ram,

glad that it works now. The drive id is the unique identifier of the document library.

Best regards

Manuel

Hi Ram,

please try it with:

<assign to="URI" from="concat('/v1.0/drives/', graph/drive_id, '/root:/NewDocuments/Test/testD.txt:/content')"/>

Best regards

Manuel

Hi Andrew,

I am not sure about which type of mailboxes you can connect here.

But one thing which you could try is to change the scope, our auth is working with "https://outlook.office365.com/.default".

Postman:

Thanks Manuel and Vivek. We have an application registered in Entra / Azure.

I was able to pass the request that the Sterling B2B Mail Client is making to obtain an access token through a proxy to see what is the content of the request, and can see that it makes the request to login.microsoftonline.com in the form  :

 Request Body (ASCII): grant_type=password&client_id=<client_id_value>&client_secret=<client_secret_value>&username=<myuser@domain_value>&password=<password_value>&scope=https://outlook.office365.com/.default

Which I believe is the equivalent of something like:

curl -v -X POST https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token \
     -H "Content-Type: application/x-www-form-urlencoded" \
     -d "client_id=<client_id_value>" \
     -d "client_secret=<client_secret_value>" \
     -d "grant_type=password" \
     -d "username=<myuser@domain_value>" \
     -d "password=<password_value>" \
     -d "scope=https://outlook.office365.com/.default"

(so I can test the token retrieval outside of Sterling using curl and get the output).

The response in the Sterling B2B Mail client logs indicates a HTTP 400 Bad Request.

The Response from MS includes a little more detail:

Response Body (ASCII): {"error":"invalid_grant","error_description":"AADSTS50126: Error validating credentials due to invalid username or password. Trace ID: d0ab*****a4e00 Correlation ID: 64db2*****8cc89a Timestamp: 2025-06-03 00:17:11Z","error_codes":[50126],"timestamp":"2025-06-03 00:17:11Z","trace_id":"d0abf4****6a4e00","correlation_id":"64db2****4e8cc89a","error_uri":"https://login.microsoftonline.com/error?code=50126"}

(I have masked the ID values in the output)

So it seems to indicate invalid user credentials, but I can login to the Outlook Web App using these credentials, So I believe the credentials are correct, and I have attempted this with passwords with and without special characters (https://www.ibm.com/support/pages/apar/IT41893), so that doesn't seem to be the problem.

From what I can gather, this type of token request where the grant_type=password is referred to as the "ROPC Flow" (Resource Owner Password Credentials Grant), and it appears it may not be compatible with some scenarios, like federated accounts.  (https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth-ropc)

I will reach out to IBM support to see if they can confirm this is the case. 

Hi Andrew,

as Vivek wrote, you need an app registration first. Usually this is created by the Entra ID admin.

Here's one guide from MS on the needed steps:

https://learn.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps#step-1-register-the-application-in-microsoft-entra-id

The created client id and secret is then used in the property file. Attached a screenshot from our config.

Best regards

Manuel

------------------------------
Manuel Frank
Integration Architect
Andreas STIHL AG & Co. KG
Waiblingen

Original Message:
Sent: Thu May 29, 2025 08:01 PM
From: Andrew Plumb
Subject: Oauth2.0 for B2B Mail Client in Sterling B2B Integrator

Thanks for the input guys, that clears up regarding the CA certificates.

Another question regarding the IMAP for MS Exchange Online I have is regarding shared mailboxes.

It's not exactly clear to me if the "user" (identified by the username and password entered in the B2B Mail Client adapter, AND as I understand the URI settings within the B2B Mail Client Adapter) must have it's own separately licensed account in Exchange Online, or if it can access a shared mailbox. Apologies if that's not very clear, I'm not very azure/MS Exchange Online literate just yet, but am getting some questions from our email service administrators on this topic... 

If anyone has an insight of further details other than what is available on the IBM Sterling Integrator documentation pages, that would be appreciated.

Thanks.

------------------------------
Andrew

Original Message:
Sent: Mon March 17, 2025 04:46 AM
From: Manuel Frank
Subject: Oauth2.0 for B2B Mail Client in Sterling B2B Integrator

Hi Fabrizio,

for whatever reasons MS has sometimes 2 different certificate for the same endpoint, and with different CAs.

Even with SNI enabled your client receives both of them alternatively, which means you have to have both CAs certificates in the CA store.

Perhaps that is the reason you are getting the halted processes. I check then with openssl if the MS server responds with  different certs...

Best regards

Manuel

------------------------------
Manuel Frank
Integration Architect
Andreas STIHL AG & Co. KG
Waiblingen

Original Message:
Sent: Mon March 17, 2025 04:28 AM
From: Fabrizio Allegrini
Subject: Oauth2.0 for B2B Mail Client in Sterling B2B Integrator

Hi Andrew,

I have had the same problem and often is still there. To resolve i loaded the CA certificate on Sterling B2b Integrator, the name of the certificate is:

• DigiCert Global Root G2 (root)

and you can download it from this site:
https://www.digicert.com/kb/digicert-root-certificates.htm

I have had it from Microsoft support. I alert you that also after this operation the problem is not out completally, because some proceses keep an halted  during the night.

------------------------------
Fabrizio Allegrini

Original Message:
Sent: Wed March 12, 2025 06:28 AM
From: Andrew Plumb
Subject: Oauth2.0 for B2B Mail Client in Sterling B2B Integrator

Hi all,

I'd like to use the oauth2 in Sterling B2B Integrator to access the B2B Mail client to retrieve email using IMAP.

The oauth2.properties file doesn't seem to have anywhere to specify the trusted CA certificates to use when connecting to login.microsoftonline.com to obtain an access token. Is there some way to specify trusted CA certificates ?

------------------------------
Andrew
------------------------------

Hi Ram,

what is the status report saying?

And do you see a primary document (MessageFromService) in the GET step?

Best regards

Manuel

Best regards

Manuel

Hi Manuel,

Yes, you're right - for the GET request, I'm not using the primary document in Postman. I'm just sending the message to the service URI, and it's working nicely. In Postman, I'm receiving the response as document content, but the same is not happening with the GET method in the actual implementation.

Thanks

Ram.

Hi Ram,

did you copy the URI from the message to service to Postman and there it works? Very odd.

And there is no new primary docment?

Best regards

Manuel

Hi Ram,

glad that it works now. The drive id is the unique identifier of the document library.

Best regards

Manuel

Hi Ram,

please try it with:

<assign to="URI" from="concat('/v1.0/drives/', graph/drive_id, '/root:/NewDocuments/Test/testD.txt:/content')"/>

Best regards

Manuel

Hi Andrew,

I am not sure about which type of mailboxes you can connect here.

But one thing which you could try is to change the scope, our auth is working with "https://outlook.office365.com/.default".

Postman:

Thanks Manuel and Vivek. We have an application registered in Entra / Azure.

I was able to pass the request that the Sterling B2B Mail Client is making to obtain an access token through a proxy to see what is the content of the request, and can see that it makes the request to login.microsoftonline.com in the form  :

 Request Body (ASCII): grant_type=password&client_id=<client_id_value>&client_secret=<client_secret_value>&username=<myuser@domain_value>&password=<password_value>&scope=https://outlook.office365.com/.default

Which I believe is the equivalent of something like:

curl -v -X POST https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token \
     -H "Content-Type: application/x-www-form-urlencoded" \
     -d "client_id=<client_id_value>" \
     -d "client_secret=<client_secret_value>" \
     -d "grant_type=password" \
     -d "username=<myuser@domain_value>" \
     -d "password=<password_value>" \
     -d "scope=https://outlook.office365.com/.default"

(so I can test the token retrieval outside of Sterling using curl and get the output).

The response in the Sterling B2B Mail client logs indicates a HTTP 400 Bad Request.

The Response from MS includes a little more detail:

Response Body (ASCII): {"error":"invalid_grant","error_description":"AADSTS50126: Error validating credentials due to invalid username or password. Trace ID: d0ab*****a4e00 Correlation ID: 64db2*****8cc89a Timestamp: 2025-06-03 00:17:11Z","error_codes":[50126],"timestamp":"2025-06-03 00:17:11Z","trace_id":"d0abf4****6a4e00","correlation_id":"64db2****4e8cc89a","error_uri":"https://login.microsoftonline.com/error?code=50126"}

(I have masked the ID values in the output)

So it seems to indicate invalid user credentials, but I can login to the Outlook Web App using these credentials, So I believe the credentials are correct, and I have attempted this with passwords with and without special characters (https://www.ibm.com/support/pages/apar/IT41893), so that doesn't seem to be the problem.

From what I can gather, this type of token request where the grant_type=password is referred to as the "ROPC Flow" (Resource Owner Password Credentials Grant), and it appears it may not be compatible with some scenarios, like federated accounts.  (https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth-ropc)

I will reach out to IBM support to see if they can confirm this is the case. 

Hi Andrew,

as Vivek wrote, you need an app registration first. Usually this is created by the Entra ID admin.

Here's one guide from MS on the needed steps:

https://learn.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps#step-1-register-the-application-in-microsoft-entra-id

The created client id and secret is then used in the property file. Attached a screenshot from our config.

Best regards

Manuel

------------------------------
Manuel Frank
Integration Architect
Andreas STIHL AG & Co. KG
Waiblingen

Original Message:
Sent: Thu May 29, 2025 08:01 PM
From: Andrew Plumb
Subject: Oauth2.0 for B2B Mail Client in Sterling B2B Integrator

Thanks for the input guys, that clears up regarding the CA certificates.

Another question regarding the IMAP for MS Exchange Online I have is regarding shared mailboxes.

It's not exactly clear to me if the "user" (identified by the username and password entered in the B2B Mail Client adapter, AND as I understand the URI settings within the B2B Mail Client Adapter) must have it's own separately licensed account in Exchange Online, or if it can access a shared mailbox. Apologies if that's not very clear, I'm not very azure/MS Exchange Online literate just yet, but am getting some questions from our email service administrators on this topic... 

If anyone has an insight of further details other than what is available on the IBM Sterling Integrator documentation pages, that would be appreciated.

Thanks.

------------------------------
Andrew

Original Message:
Sent: Mon March 17, 2025 04:46 AM
From: Manuel Frank
Subject: Oauth2.0 for B2B Mail Client in Sterling B2B Integrator

Hi Fabrizio,

for whatever reasons MS has sometimes 2 different certificate for the same endpoint, and with different CAs.

Even with SNI enabled your client receives both of them alternatively, which means you have to have both CAs certificates in the CA store.

Perhaps that is the reason you are getting the halted processes. I check then with openssl if the MS server responds with  different certs...

Best regards

Manuel

------------------------------
Manuel Frank
Integration Architect
Andreas STIHL AG & Co. KG
Waiblingen

Original Message:
Sent: Mon March 17, 2025 04:28 AM
From: Fabrizio Allegrini
Subject: Oauth2.0 for B2B Mail Client in Sterling B2B Integrator

Hi Andrew,

I have had the same problem and often is still there. To resolve i loaded the CA certificate on Sterling B2b Integrator, the name of the certificate is:

• DigiCert Global Root G2 (root)

and you can download it from this site:
https://www.digicert.com/kb/digicert-root-certificates.htm

I have had it from Microsoft support. I alert you that also after this operation the problem is not out completally, because some proceses keep an halted  during the night.

------------------------------
Fabrizio Allegrini

Original Message:
Sent: Wed March 12, 2025 06:28 AM
From: Andrew Plumb
Subject: Oauth2.0 for B2B Mail Client in Sterling B2B Integrator

Hi all,

I'd like to use the oauth2 in Sterling B2B Integrator to access the B2B Mail client to retrieve email using IMAP.

The oauth2.properties file doesn't seem to have anywhere to specify the trusted CA certificates to use when connecting to login.microsoftonline.com to obtain an access token. Is there some way to specify trusted CA certificates ?

------------------------------
Andrew
------------------------------

Hi Manual,

Report 302 found, empty primary document.

Thanks

Ram.

Hi Ram,

what is the status report saying?

And do you see a primary document (MessageFromService) in the GET step?

Best regards

Manuel

Best regards

Manuel

Hi Manuel,

Yes, you're right - for the GET request, I'm not using the primary document in Postman. I'm just sending the message to the service URI, and it's working nicely. In Postman, I'm receiving the response as document content, but the same is not happening with the GET method in the actual implementation.

Thanks

Ram.

Hi Ram,

did you copy the URI from the message to service to Postman and there it works? Very odd.

And there is no new primary docment?

Best regards

Manuel

Hi Ram,

glad that it works now. The drive id is the unique identifier of the document library.

Best regards

Manuel

Hi Ram,

please try it with:

<assign to="URI" from="concat('/v1.0/drives/', graph/drive_id, '/root:/NewDocuments/Test/testD.txt:/content')"/>

Best regards

Manuel

Hi Andrew,

I am not sure about which type of mailboxes you can connect here.

But one thing which you could try is to change the scope, our auth is working with "https://outlook.office365.com/.default".

Postman:

Thanks Manuel and Vivek. We have an application registered in Entra / Azure.

I was able to pass the request that the Sterling B2B Mail Client is making to obtain an access token through a proxy to see what is the content of the request, and can see that it makes the request to login.microsoftonline.com in the form  :

 Request Body (ASCII): grant_type=password&client_id=<client_id_value>&client_secret=<client_secret_value>&username=<myuser@domain_value>&password=<password_value>&scope=https://outlook.office365.com/.default

Which I believe is the equivalent of something like:

curl -v -X POST https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token \
     -H "Content-Type: application/x-www-form-urlencoded" \
     -d "client_id=<client_id_value>" \
     -d "client_secret=<client_secret_value>" \
     -d "grant_type=password" \
     -d "username=<myuser@domain_value>" \
     -d "password=<password_value>" \
     -d "scope=https://outlook.office365.com/.default"

(so I can test the token retrieval outside of Sterling using curl and get the output).

The response in the Sterling B2B Mail client logs indicates a HTTP 400 Bad Request.

The Response from MS includes a little more detail:

Response Body (ASCII): {"error":"invalid_grant","error_description":"AADSTS50126: Error validating credentials due to invalid username or password. Trace ID: d0ab*****a4e00 Correlation ID: 64db2*****8cc89a Timestamp: 2025-06-03 00:17:11Z","error_codes":[50126],"timestamp":"2025-06-03 00:17:11Z","trace_id":"d0abf4****6a4e00","correlation_id":"64db2****4e8cc89a","error_uri":"https://login.microsoftonline.com/error?code=50126"}

(I have masked the ID values in the output)

So it seems to indicate invalid user credentials, but I can login to the Outlook Web App using these credentials, So I believe the credentials are correct, and I have attempted this with passwords with and without special characters (https://www.ibm.com/support/pages/apar/IT41893), so that doesn't seem to be the problem.

From what I can gather, this type of token request where the grant_type=password is referred to as the "ROPC Flow" (Resource Owner Password Credentials Grant), and it appears it may not be compatible with some scenarios, like federated accounts.  (https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth-ropc)

I will reach out to IBM support to see if they can confirm this is the case. 

Hi Andrew,

as Vivek wrote, you need an app registration first. Usually this is created by the Entra ID admin.

Here's one guide from MS on the needed steps:

https://learn.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps#step-1-register-the-application-in-microsoft-entra-id

The created client id and secret is then used in the property file. Attached a screenshot from our config.

Best regards

Manuel

------------------------------
Manuel Frank
Integration Architect
Andreas STIHL AG & Co. KG
Waiblingen

Original Message:
Sent: Thu May 29, 2025 08:01 PM
From: Andrew Plumb
Subject: Oauth2.0 for B2B Mail Client in Sterling B2B Integrator

Thanks for the input guys, that clears up regarding the CA certificates.

Another question regarding the IMAP for MS Exchange Online I have is regarding shared mailboxes.

It's not exactly clear to me if the "user" (identified by the username and password entered in the B2B Mail Client adapter, AND as I understand the URI settings within the B2B Mail Client Adapter) must have it's own separately licensed account in Exchange Online, or if it can access a shared mailbox. Apologies if that's not very clear, I'm not very azure/MS Exchange Online literate just yet, but am getting some questions from our email service administrators on this topic... 

If anyone has an insight of further details other than what is available on the IBM Sterling Integrator documentation pages, that would be appreciated.

Thanks.

------------------------------
Andrew

Original Message:
Sent: Mon March 17, 2025 04:46 AM
From: Manuel Frank
Subject: Oauth2.0 for B2B Mail Client in Sterling B2B Integrator

Hi Fabrizio,

for whatever reasons MS has sometimes 2 different certificate for the same endpoint, and with different CAs.

Even with SNI enabled your client receives both of them alternatively, which means you have to have both CAs certificates in the CA store.

Perhaps that is the reason you are getting the halted processes. I check then with openssl if the MS server responds with  different certs...

Best regards

Manuel

------------------------------
Manuel Frank
Integration Architect
Andreas STIHL AG & Co. KG
Waiblingen

Original Message:
Sent: Mon March 17, 2025 04:28 AM
From: Fabrizio Allegrini
Subject: Oauth2.0 for B2B Mail Client in Sterling B2B Integrator

Hi Andrew,

I have had the same problem and often is still there. To resolve i loaded the CA certificate on Sterling B2b Integrator, the name of the certificate is:

• DigiCert Global Root G2 (root)

and you can download it from this site:
https://www.digicert.com/kb/digicert-root-certificates.htm

I have had it from Microsoft support. I alert you that also after this operation the problem is not out completally, because some proceses keep an halted  during the night.

------------------------------
Fabrizio Allegrini

Original Message:
Sent: Wed March 12, 2025 06:28 AM
From: Andrew Plumb
Subject: Oauth2.0 for B2B Mail Client in Sterling B2B Integrator

Hi all,

I'd like to use the oauth2 in Sterling B2B Integrator to access the B2B Mail client to retrieve email using IMAP.

The oauth2.properties file doesn't seem to have anywhere to specify the trusted CA certificates to use when connecting to login.microsoftonline.com to obtain an access token. Is there some way to specify trusted CA certificates ?

------------------------------
Andrew
------------------------------