Office 365 : Read: 4 BAD User is authenticated but not connected. #411

Open
gbulfon opened this issue Aug 18, 2023 · 10 comments
@gbulfon

gbulfon commented Aug 18, 2023

We have accounts that can be accessed through Thunderbird using imap and oauth2 correctly.
We tried using your solution with oauth2_office365 to create the tokens, uploaded to the imapsync server, but running imapsync with oauth always breaks with the error:

Read: 4 BAD User is authenticated but not connected.

Any way to solve this?

Gabriele

@gilleslamiral gilleslamiral self-assigned this Aug 20, 2023
@gilleslamiral gilleslamiral added Authentication Authentication issues, credentials, special characters... Office365 OAUTH2 labels Aug 20, 2023
@gilleslamiral
Member

Read: 4 BAD User is authenticated but not connected.

A user reported the same issue to me recently.
I have no clue.

There is this old FAQ item but it seems unrelated:

https://imapsync.lamiral.info/FAQ.d/FAQ.Office365.txt
...

======================================================================
Q. Office365 fails with "User is authenticated but not connected".

R1. "The message User is authenticated but not connected is due to a 
   bug in the Office365 server's IMAP implementation. If the client 
   presents a valid user name but an invalid password, the server 
   accepts the login, but subsequent commands fail with the 
   aforementioned error message." Source:
https://unix.stackexchange.com/questions/164823/user-is-authenticated-but-not-connected-after-changing-my-exchange-password
Thanks to James Abbottsmith for this link and explanation at
https://github.com/imapsync/imapsync/issues/32#issuecomment-153561647

R2. Miguel Alameda reported understanding and solving this issue 
    like this, the context was admin/authuser:
    "The admin user had not permission in the target mailbox."

======================================================================

@gbulfon
Author

gbulfon commented Aug 20, 2023

R2. Miguel Alameda reported understanding and solving this issue

Is it possible to use "--authuser1 admin-user" and oauth creating the token for admin?

@gilleslamiral
Member

Is it possible to use "--authuser1 admin-user" and oauth creating the token for admin?

I don't know

@DoubiTe

DoubiTe commented Aug 23, 2023

Hi,

We got the same issue there.

Token process is OK :
Host1: success login on [outlook.office.com] with user [x@x.com] auth [XOAUTH2 accesstoken] or [LOGIN]
Host2: success login on [outlook.office.com] with user [x@x.com] auth [XOAUTH2 accesstoken] or [LOGIN]

And after :
Host1: state Authenticated
Host2: state Authenticated
Host1 capability once authenticated: IMAP4 IMAP4rev1 AUTH=PLAIN AUTH=XOAUTH2 SASL-IR UIDPLUS MOVE ID UNSELECT CLIENTACCESSRULES CLIENTNETWORKPRESENCELOCATION BACKENDAUTHENTICATE CHILDREN IDLE NAMESPACE LITERAL+ AUTH
Host2 capability once authenticated: IMAP4 IMAP4rev1 AUTH=PLAIN AUTH=XOAUTH2 SASL-IR UIDPLUS MOVE ID UNSELECT CLIENTACCESSRULES CLIENTNETWORKPRESENCELOCATION BACKENDAUTHENTICATE CHILDREN IDLE NAMESPACE LITERAL+ AUTH

Host1: found ID capability. Sending/receiving ID, presented in raw IMAP for now.
In order to avoid sending/receiving ID, use option --noid
Sending: 4 ID ("name" "imapsync" "version" "2.229" "os" "linux" "vendor" "Gilles LAMIRAL" "support-url" "https://imapsync.lamiral.info/" "date" "14-Sep-2022 18:08:24 +0000" "side" "host1")
Sent 181 bytes

Read: 4 BAD User is authenticated but not connected.
ERROR: 4 BAD User is authenticated but not connected. at /usr/share/perl5/Mail/IMAPClient.pm line 1388.
    Mail::IMAPClient::__ANON__("4 BAD User is authenticated but not connected.\x{d}\x{a}") called at /usr/share/perl5/Mail/IMAPClient.pm line 1424
    Mail::IMAPClient::_get_response(Mail::IMAPClient=HASH(0x557e905ff7d0), 4, undef) called at /usr/share/perl5/Mail/IMAPClient.pm line 1350
    Mail::IMAPClient::_imap_command_do(Mail::IMAPClient=HASH(0x557e905ff7d0), "ID (\"name\" \"imapsync\" \"version\" \"2.229\" \"os\" \"linux\" \"vendor\""...) called at /usr/share/perl5/Mail/IMAPClient.pm line 1248
    Mail::IMAPClient::_imap_command(Mail::IMAPClient=HASH(0x557e905ff7d0), "ID (\"name\" \"imapsync\" \"version\" \"2.229\" \"os\" \"linux\" \"vendor\""...) called at /usr/share/perl5/Mail/IMAPClient.pm line 1195
    Mail::IMAPClient::tag_and_run(Mail::IMAPClient=HASH(0x557e905ff7d0), "ID (\"name\" \"imapsync\" \"version\" \"2.229\" \"os\" \"linux\" \"vendor\""...) called at ./imapsync line 5817
    main::imap_id(HASH(0x557e8f78dff8), Mail::IMAPClient=HASH(0x557e905ff7d0), "Host1") called at ./imapsync line 5791
    main::imap_id_stuff(HASH(0x557e8f78dff8)) called at ./imapsync line 2079
    main::single_sync(HASH(0x557e8f78dff8), HASH(0x557e8d8904b8), HASH(0x557e8f79cef8)) called at ./imapsync line 1367

ERROR: 4 BAD User is authenticated but not connected. at /usr/share/perl5/Mail/IMAPClient.pm line 1298.
    Mail::IMAPClient::_imap_command(Mail::IMAPClient=HASH(0x557e905ff7d0), "ID (\"name\" \"imapsync\" \"version\" \"2.229\" \"os\" \"linux\" \"vendor\""...) called at /usr/share/perl5/Mail/IMAPClient.pm line 1195
    Mail::IMAPClient::tag_and_run(Mail::IMAPClient=HASH(0x557e905ff7d0), "ID (\"name\" \"imapsync\" \"version\" \"2.229\" \"os\" \"linux\" \"vendor\""...) called at ./imapsync line 5817
    main::imap_id(HASH(0x557e8f78dff8), Mail::IMAPClient=HASH(0x557e905ff7d0), "Host1") called at ./imapsync line 5791
    main::imap_id_stuff(HASH(0x557e8f78dff8)) called at ./imapsync line 2079
    main::single_sync(HASH(0x557e8f78dff8), HASH(0x557e8d8904b8), HASH(0x557e8f79cef8)) called at ./imapsync line 1367

Host2: found ID capability. Sending/receiving ID, presented in raw IMAP for now.
In order to avoid sending/receiving ID, use option --noid
Sending: 4 ID ("name" "imapsync" "version" "2.229" "os" "linux" "vendor" "Gilles LAMIRAL" "support-url" "https://imapsync.lamiral.info/" "date" "14-Sep-2022 18:08:24 +0000" "side" "host2")
Sent 181 bytes
Read: 4 BAD User is authenticated but not connected.

Note :

It's a pro email with an admin account that should authorize the component validation to get the token.
The admin account has no email boxes. Just admin rights.

Maybe it can help @gilleslamiral ?

Hope this issue will be fixed soon !

Best,

@gbulfon
Author

gbulfon commented Aug 23, 2023

It should work also with a normal account.
I can make it work on Thunderbird with OAuth2, should work the same with imapsync.

@DoubiTe

DoubiTe commented Aug 29, 2023

So, I've found the solution:

On Office 365 pro account
If the user has no "ADMIN" rights, you can't get the token generated by @gilleslamiral apps.
You need to connect with the ADMIN tenant account and get the app on this account.
After that, you need to go to https://portal.azure.com > then "Azure Active Directory" > then "Entreprise App" > click on "imapsync" app freshly accepted > then select "Authorization" > Then click on Blue button "Author right by admin from company"
After that, reconnect with the account with no rights and you can now accept the imapsync app from this account and get the good token for this account and list folders.

@gilleslamiral, I'm thinking that on line 510 of the file "oauth2_office365_with_imap" you should test listing folders and raise an error if the listing is empty (or catch the error "User is authenticated but not connected" and redirect to the FAQ or help about this rights issue).
It's typically a good token, but not for the good user called. I'm not a Perl dev BTW... :(

On public account
Globally, I think the issue is due to the app not being verified/signed by Microsoft and so not directly accepted by a "Normal account" like the one you tried, @gbulfon

PS @gilleslamiral: more generally, why don't you publish your releases on GitHub anymore? We are now on 2.253.

Hope this addon, mandatory for 365 now, will be added to imapsync one day ;)

Best,
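
The check suggested in the comment above (catch "User is authenticated but not connected" and point to the likely causes), as an added example that is not part of the thread and not imapsync's own code. It scans a saved imapsync log; the function name `diagnose`, the hint text and the sample log are assumptions constructed here, modeled on the log lines quoted in this issue.

```python
import re

# Patterns modeled on the imapsync log lines quoted in this thread.
LOGIN_OK = re.compile(r"^(Host[12]): success login on \[(.+?)\] with user \[(.+?)\] auth \[(.+?)\]")
HOST_CTX = re.compile(r"^(Host[12]):")
SENDING = re.compile(r"^Sending: (\d+) (\S+)")
READ_BAD = re.compile(r"^Read: (\d+) BAD User is authenticated but not connected\.")

# Causes reported in this thread and in the quoted FAQ item.
HINT = ("login accepted, mailbox access refused: check that the password or token "
        "is valid for this user, that an admin/authuser has permission on the "
        "mailbox, and that a tenant admin granted consent to the OAuth2 app")

def diagnose(log_text):
    """Return one finding per host whose post-login command got the BAD reply."""
    logins, sent, findings, host = {}, {}, [], None
    for line in map(str.strip, log_text.splitlines()):
        if m := LOGIN_OK.match(line):
            logins[m[1]] = {"server": m[2], "user": m[3], "auth": m[4]}
        if m := HOST_CTX.match(line):
            host = m[1]                      # later Sending/Read lines belong to it
        elif m := SENDING.match(line):
            sent[(host, m[1])] = m[2]        # remember command name by IMAP tag
        elif (m := READ_BAD.match(line)) and host in logins:
            findings.append({"host": host, **logins[host],
                             "command": sent.get((host, m[1]), "unknown"),
                             "hint": HINT})
    return findings

# Constructed sample log (not captured from a real run).
SAMPLE_LOG = """\
Host1: success login on [outlook.office.com] with user [a@example.com] auth [XOAUTH2 accesstoken] or [LOGIN]
Host2: success login on [imap.example.org] with user [a@example.org] auth [LOGIN]
Host1: found ID capability. Sending/receiving ID, presented in raw IMAP for now.
Sending: 4 ID ("name" "imapsync" "side" "host1")
Sent 50 bytes
Read: 4 BAD User is authenticated but not connected.
Host2: found ID capability. Sending/receiving ID, presented in raw IMAP for now.
Sending: 4 ID ("name" "imapsync" "side" "host2")
Read: 4 OK ID completed
"""

if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG):
        print(f"{f['host']} {f['user']}: {f['command']} refused; {f['hint']}")
```

A finding means the server accepted the login and then refused the first command on that side, so the credential exchange alone does not prove mailbox access.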

@gbulfon
Author

gbulfon commented Aug 30, 2023

On Office 365 pro account If the user has no "ADMIN" rights, you can't get the token generated by @gilleslamiral apps. You need to connect with the ADMIN tenant account and get the app on this account. After that, you need to go to https://portal.azure.com > then "Azure Active Directory" > then "Entreprise App" > click on "imapsync" app freshly accepted > then select "Authorization" > Then click on Blue button "Author right by admin from company" After that, reconnect with the account with no rights and you can now accept the imapsync app from this account and get the good token for this account and list folders.

The admin user had 2FA, so I could not use it to get the token with oauth2_office365_with_imap.

On public account Globally, I think the issue is due to the app not being verified/signed by Microsoft and so not directly accepted by a "Normal account" like the one you tried, @gbulfon

I could correctly register the application and get the token using a normal account with oauth2_office365_with_imap.
Though that token could not list folders when used with imapsync.
That same normal account worked fine with Thunderbird imap/oauth2, in fact I could solve my migration using Thunderbird manually.
Also, Thunderbird could manage token refresh automatically with no intervention.
On large accounts, with imapsync, I should have done token refresh using some kind of script, which is not very easy: oauth2_office365_with_imap works instantly on Windows, tried on Linux and illumos systems and it's a pain for the dependencies not always available on distros. So if you run the exe on Windows and have imapsync running on Linux or illumos, you also have to sync the resulting token from Windows to the server.

@yly-git

yly-git commented Nov 17, 2023

So, is this question already solved?

@gbulfon
Author

gbulfon commented Nov 17, 2023

So, is this question already solved?

No, it does not. We abandoned the oauth2_office365_with_imap road and just solved our issue using Thunderbird and OAuth2.

@gilleslamiral
Member

#411 (comment)

That same normal account worked fine with Thunderbird imap/oauth2, in fact I could solve my migration using Thunderbird manually.

You can use the refresh token found in Thunderbird and use it with oauth2_office365_with_imap to refresh the access token and use imapsync with it.
