IMAP fails with A3 BAD User is authenticated but not connected error in Jira server integrated with Office365
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Problem
The following appears in the atlassian-jira.log:
2014-09-12 07:40:48,051 ERROR [365 IMAP] QuartzScheduler_Worker-3 ServiceRunner Help Desk Handler[10100]: Messaging Exception in service 'com.atlassian.jira.service.services.mail.MailFetcherService$MessageProviderImpl' when getting mail: A3 BAD User is authenticated but not connected.
javax.mail.MessagingException: A3 BAD User is authenticated but not connected.;
nested exception is:
com.sun.mail.iap.BadCommandException: A3 BAD User is authenticated but not connected.
at com.sun.mail.imap.IMAPFolder.open(IMAPFolder.java:961)
at com.atlassian.jira.service.services.mail.MailFetcherService$MessageProviderImpl.getAndProcessMail(MailFetcherService.java:254)
at com.atlassian.jira.service.services.mail.MailFetcherService.runImpl(MailFetcherService.java:401)
at com.atlassian.jira.service.services.file.AbstractMessageHandlingService.run(AbstractMessageHandlingService.java:257)
at com.atlassian.jira.service.JiraServiceContainerImpl.run(JiraServiceContainerImpl.java:61)
at com.atlassian.jira.service.ServiceRunner.execute(ServiceRunner.java:48)
at org.quartz.core.JobRunShell.run(JobRunShell.java:195)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:520)
Caused by: com.sun.mail.iap.BadCommandException: A3 BAD User is authenticated but not connected.
Cause
Cause 1
O365 configuration to allow IMAP over OAuth2.0 is incomplete as Client Access Rules is missing "IMAP4" rule. See Microsoft Documentation.
Cause 2
When following the steps to configure your Jira incoming mail server to use OAuth 2.0, the request to "Authorize" was not completed by the mailbox owner or delegated user.
For example:
- A user is attempting to configure Jira's incoming mail server to use OAuth 2.0 for the account support@atlassian.com
- A user authenticated to Jira with the username charlie@altassian.com and re-directed to Google or Microsoft Office365 when they click "Authorize"
- A user enters their charlie@atlassian.com username and password to authorize the OAuth 2.0 connection between Jira and the email service provider.
The problem is caused because charlie@atlassian.com cannot allow the OAuth connection between Jira and support@atlassian.com.
Cause 3
When following the steps to configure your Jira incoming mail server to use OAuth 2.0, the OAuth client secret was not set correctly. In this case, the error may appear as the following in the logs:
- QBK3 BAD User is authenticated but not connected
- CSA3 BAD User is authenticated but not connected
Resolution
Resolution 1
Make sure "IMAP4" is added to Client Access Rules in O365 for both the mailbox and the OAuth account, and when testing the input in O365 using Jira context, the test is completed successfully.
Resolution 2
Complete the "Authorize" request using OAuth2.0 with username and password for the required email account
For example, when the user support@atlassian.com is re-directed to Google or Microsoft Office365, and allows the OAuth connection between Jira and the mail box for support@atlassian.com the connection will succeed.
Resolution 3
Use the steps from Generate an OAuth 2.0 key and secret in Azure to set the OAuth client secret in Jira.