IMAP fails with A3 BAD User is authenticated but not connected error in Jira server integrated with Office365
Platform Notice: Server and Data Center Only - This article only applies to Atlassian products on the server and data center platforms.
Problem
The following appears in the atlassian-jira.log:
2014-09-12 07:40:48,051 ERROR [365 IMAP] QuartzScheduler_Worker-3 ServiceRunner Help Desk Handler[10100]: Messaging Exception in service 'com.atlassian.jira.service.services.mail.MailFetcherService$MessageProviderImpl' when getting mail: A3 BAD User is authenticated but not connected.
javax.mail.MessagingException: A3 BAD User is authenticated but not connected.;
nested exception is:
com.sun.mail.iap.BadCommandException: A3 BAD User is authenticated but not connected.
at com.sun.mail.imap.IMAPFolder.open(IMAPFolder.java:961)
at com.atlassian.jira.service.services.mail.MailFetcherService$MessageProviderImpl.getAndProcessMail(MailFetcherService.java:254)
at com.atlassian.jira.service.services.mail.MailFetcherService.runImpl(MailFetcherService.java:401)
at com.atlassian.jira.service.services.file.AbstractMessageHandlingService.run(AbstractMessageHandlingService.java:257)
at com.atlassian.jira.service.JiraServiceContainerImpl.run(JiraServiceContainerImpl.java:61)
at com.atlassian.jira.service.ServiceRunner.execute(ServiceRunner.java:48)
at org.quartz.core.JobRunShell.run(JobRunShell.java:195)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:520)
Caused by: com.sun.mail.iap.BadCommandException: A3 BAD User is authenticated but not connected.
Cause
Cause 1
O365 configuration to allow IMAP over OAuth2.0 is incomplete as Client Access Rules is missing "IMAP4" rule. See Microsoft Documentation.
Cause 2
When following the steps to configure your Jira incoming mail server to use OAuth 2.0, the request to "Authorize" was not completed by the user account for the mailbox.
For example:
- A user is attempting to configure Jira's incoming mail server to use OAuth 2.0 for the account support@atlassian.com
- A user authenticated to Jira with the username charlie@altassian.com and re-directed to Google or Microsoft Office365 when they click "Authorize"
- A user enters their charlie@atlassian.com username and password to authorize the OAuth 2.0 connection between Jira and the email service provider.
The problem is caused because charlie@atlassian.com cannot allow the OAuth connection between Jira and support@atlassian.com.
Resolution
Resolution 1
Make sure "IMAP4" is added to Client Access Rules in O365, and when testing the input in O365 using Jira context, the test is completed successfully.
Resolution 2
You can solve this problem by using OAuth 2.0, which is supported in Jira 8.10 and later. For more info on how to integrate your Shared Mailbox, see Integrating with OAuth 2.0. A note on creating your integration: If you’re using a shared email address, set the username (or email field in Jira Service Management) to this address and then authorize as the delegated user during the OAuth 2.0 authorization flow.
Alternatively, if you are not using a version of Jira that supports OAuth 2.0 you can use POP3 instead:
Protocol: SECURE_POP
Host: outlook.office365.com
Port: 995
Username: licenseduser@mydomain.com\sharedmailboxalias
Password: (licensed user password)Resolution 3
Complete the "Authorize" request using OAuth2.0 with username and password for the required email account
For example, when the user support@atlassian.com is re-directed to Google or Microsoft Office365, and allows the OAuth connection between Jira and the mail box for support@atlassian.com the connection will succeed.