
Unable to Validate the Client Identity Token Error when Starting Add-In

[ This article is work-in-progress ]

Symptoms

  1. When starting the SSI Add-In, one of the following error messages is shown:
     • "Unable to validate the client identity token. Please restart the e-mail client", or
     • "Unable to load the identity token. Please restart Microsoft Outlook"

  2. The customer reports that the Add-In cannot be loaded. It says "Looks like your login session has expired. We will refresh it", and the Add-In then keeps trying to load until it stops.

Restarting the e-mail client (MS Outlook) and resetting the MS Exchange password does not help.

Causes

This issue is caused by a misconfiguration of the customer's MS Exchange server or firewall. The identity token used to authenticate a user in the Add-In contains an encoded Exchange MetaData URL, from which the Exchange meta-information needed for the validation process is downloaded. Server-Side Integration tries to connect to the Exchange MetaData URL https://somehost.com:443/autodiscover/metadata/json/1, which is an internal resource in the customer's network and cannot be reached from the internet.

Resolution

To resolve the issue, the Identity Token URL must be properly configured on the MS Exchange server so that it is reachable from external networks.

 

Please note the items below to run SAP Cloud for Customer Server-Side Integration properly:

  • Make sure the MetaData URL https://somehost.com:443/autodiscover/metadata/json/1 (where somehost.com is the external URL of the Exchange server) is reachable from external networks, or that the firewall allows connections from the IP addresses listed below. If any authentication is enabled for this URL, it must be disabled as well.
    For comparison, open the equivalent Office 365 URL (https://outlook.office365.com/autodiscover/metadata/json/1); the customer's Exchange server is expected to return a similar response.

  • The Exchange server must accept incoming EWS (Exchange Web Services) calls from SAP Cloud for Customer Server-Side Integration. AutoDiscover may have to be set up. More details on AutoDiscover are available here.
    The SAP Cloud for Customer Server-Side Integration IP addresses to authorize on the Exchange server side are documented below. Incoming EWS calls can be assessed for legitimacy by checking that they originate from this IP range and carry a valid JWT (JSON Web Token). Details about JWT are available here.

  • The Exchange server must be configured to generate JWTs properly, so that they indicate the URL SAP Cloud for Customer Server-Side Integration used to connect to the Exchange server. That URL may be the same as the AutoDiscover URL and is referred to as the MetaData URL in the JWT. If SAP Cloud for Customer Server-Side Integration still does not work, a standard check is to review the certificates on the Exchange server and ensure they are valid.

  • Make sure that EWS is properly configured to be available inside and outside of the organization by executing the following command in the Exchange Management Shell:

        C:\windows\system32>Get-WebServicesVirtualDirectory | Select Name, *Url* | fl

  • The Exchange MetaData URL must be reachable from external networks, so if any proxy or firewall is in the path, make sure it allows access from the internet.
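A diagnostic for the cause described above and the first resolution item, added here as an example (not code from the original article or from the SSI product): it reads the MetaData URL out of an Exchange identity token's appctx.amurl claim without verifying the token, then checks whether that URL answers from the network the script runs on, distinguishing "internal-only host", "authentication enabled" and "not a metadata document". The sample token, the example.invalid audience and the assumption that the metadata document carries a `keys` list are constructed for this example.

```python
import base64
import json
import urllib.error
import urllib.request

def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed sample token (not a real Exchange token) whose appctx claim
# points at the internal-only MetaData URL from the article.
SAMPLE_PAYLOAD = {"aud": "https://ssi.example.invalid/addin", "appctx": json.dumps(
    {"msexchuid": "constructed-uid", "version": "ExIdTok.V1",
     "amurl": "https://somehost.com:443/autodiscover/metadata/json/1"})}
SAMPLE_TOKEN = ".".join([_b64url({"typ": "JWT", "alg": "RS256"}), _b64url(SAMPLE_PAYLOAD),
                         "c2lnbmF0dXJl"])  # placeholder signature, never verified here

def _decode_segment(segment):
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def metadata_url_from_token(token):
    """Read appctx.amurl unverified: it only says where the signing metadata lives."""
    _header, payload, _sig = token.split(".")
    return json.loads(_decode_segment(payload)["appctx"])["amurl"]

def _fetch_https(url, timeout=10):
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 401/403/500 still carry a status code
        return err.code, ""

def check_metadata_url(url, fetch=_fetch_https):
    """Return (ok, reason): ok means the URL is https, answers 200 without auth
    and returns JSON with a non-empty 'keys' list (assumed metadata shape)."""
    if not url.startswith("https://"):
        return False, "MetaData URL must use https"
    try:
        status, body = fetch(url)
    except OSError as exc:  # DNS failure, refused, timeout: host is internal-only
        return False, "unreachable from this network: %s" % exc
    if status != 200:
        return False, "HTTP %d (401/403 means authentication is enabled on the URL)" % status
    try:
        doc = json.loads(body)
    except ValueError:
        return False, "response is not JSON (proxy or login page?)"
    if not isinstance(doc.get("keys"), list) or not doc["keys"]:
        return False, "metadata document has no 'keys' list"
    return True, "ok: %d signing key(s) published" % len(doc["keys"])
```

Run `check_metadata_url(metadata_url_from_token(token))` from outside the customer's network with a real token to reproduce what the validator sees; a passing result against the Office 365 URL and a failing one against the customer's URL points at the firewall or proxy.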

 

Productive landscape (IP Addresses)

IP addresses of SAP Cloud for Customer Server-Side Integration
