
Unable to Validate the Client Identity Token Error when Starting Add-In

Symptoms

  1. When starting the SSI Add-In, one of the following error messages may be shown:

    • Unable to validate the client identity token. Please restart the e-mail client

    • Unable to load the identity token. Please restart Microsoft Outlook

  2. The customer reports that they cannot load the Add-In. It says "Looks like your login session has expired. We will refresh it", and the Add-In then keeps trying to load until it stops.

Restarting the e-mail client (MS Outlook) and resetting the MS Exchange password does not help.


Causes

This issue is caused by a misconfiguration of the customer's MS Exchange server or firewall. The identity token, which is used to authenticate a user in the Add-In, contains an encoded Exchange MetaData URL; this URL is used to download the Exchange meta-information and perform the validation. Server-Side Integration tries to connect to the Exchange MetaData URL https://somehost.com:443/autodiscover/metadata/json/1, which is an internal resource in the customer's network and cannot be accessed from the internet.


Resolution

To resolve the issue, the Identity Token URL must be properly configured on the MS Exchange server so that it is reachable from external networks.

Please note the items below to run SAP Cloud for Customer Server-Side Integration properly:

  • Make sure the MetaData URL https://somehost.com:443/autodiscover/metadata/json/1 (where somehost.com is the external URL of the Exchange server) is reachable from external networks, or that the firewall allows connections from the IP addresses listed below. If any authentication is enabled for this URL, it must be disabled as well.
    For example, try accessing the corresponding URL in Office 365 (<https://outlook.office365.com/autodiscover/metadata/json/1>); a similar response is expected.

  • The Exchange server must accept incoming EWS (Exchange Web Services) calls from SAP Cloud for Customer Server-Side Integration. AutoDiscover may need to be set up. More details on AutoDiscover are available here.

  • The SAP Cloud for Customer Server-Side Integration IP addresses to authorize on the Exchange server side are documented below. Incoming EWS calls can be checked for legitimacy by verifying that they originate from these IP ranges and carry a valid JWT (JSON Web Token). Details about JWT are available here.

  • The Exchange server must be configured to generate JWTs properly, so that they indicate the URL that SAP Cloud for Customer Server-Side Integration used to connect to the Exchange server. That URL may be the same as the AutoDiscover URL and is referred to as the MetaData URL in the JWT. If SAP Cloud for Customer Server-Side Integration still does not work, a standard check is to review the certificates on the Exchange server and ensure they are valid.

  • Make sure that EWS is properly configured to be available both inside and outside the organization by executing the following command in the Exchange Management Shell:

    Get-WebServicesVirtualDirectory | Select Name, *Url* | fl

  • The Exchange MetaData URL must be reachable from external networks, so if any proxy or firewall is in use, make sure it allows access to the URL from the internet.

Productive landscape (IP Addresses)

IP addresses of SAP Cloud for Customer Server-Side Integration

Scale Unit(s) name | Production Landscape IP ranges

WDC (WDCPROD01, WDCPROD21, WDCTEST01)
  • 40.89.246.90/31
  • 20.88.108.220/31

FRA (FRAPROD01, FRAPROD02, FRAPROD03, FRAPROD04, FRAPROD05, FRAPROD21, FRATEST01, FRATEST21)
  • 20.79.101.104/30
  • 20.113.192.54/31

PER (PERPROD01, PERPROD21, PERTEST01)
  • 40.115.90.12/31
  • 20.53.187.192/31
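As an added example (not from the article and not SAP's own code), a Python check that covers two of the items in the resolution list above: whether the source IP of an incoming EWS call falls inside the ranges in this table, and whether the MetaData URL carried in the identity token is one an external service could actually reach. The 'appctx'/'amurl' claim layout and the demo token are assumptions; the token payload is decoded without signature verification, so this is a diagnostic aid, not a replacement for validating the JWT.

```python
import base64
import ipaddress
import json
import urllib.parse

# Production landscape ranges copied from the table above (WDC, FRA, PER).
SSI_SOURCE_RANGES = {
    "WDC": ["40.89.246.90/31", "20.88.108.220/31"],
    "FRA": ["20.79.101.104/30", "20.113.192.54/31"],
    "PER": ["40.115.90.12/31", "20.53.187.192/31"],
}


def ssi_scale_unit_for(ip):
    """Scale unit whose published range contains the EWS caller's IP, else None."""
    addr = ipaddress.ip_address(ip)
    for unit, ranges in SSI_SOURCE_RANGES.items():
        if any(addr in ipaddress.ip_network(r, strict=False) for r in ranges):
            return unit
    return None


def _b64url_decode(part):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def metadata_url_from_token(token):
    """Read the MetaData URL from the token payload WITHOUT verifying the signature.
    Assumption (not from the article): 'appctx' is a JSON string with key 'amurl'."""
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    return json.loads(payload["appctx"])["amurl"]


def metadata_url_problems(url):
    """Reasons why SSI could not fetch this MetaData URL from the internet."""
    parts = urllib.parse.urlsplit(url)
    host = parts.hostname or ""
    problems = []
    if parts.scheme != "https":
        problems.append("scheme is not https")
    if "." not in host or host.endswith(".local"):
        problems.append("host looks internal, not an external Exchange URL")
    if parts.path != "/autodiscover/metadata/json/1":
        problems.append("path is not /autodiscover/metadata/json/1")
    return problems


def make_demo_token(amurl):
    """Constructed, unsigned demo token (dummy signature segment); not a real Exchange token."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    payload = {"appctx": json.dumps({"amurl": amurl})}
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(payload), "dummysig"])
```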
