IMAP fails with A3 BAD User is authenticated but not connected error in Jira server integrated with Office365
Platform Notice: Server and Data Center Only - This article only applies to Atlassian products on the server and data center platforms.
The following appears in the
2014-09-12 07:40:48,051 ERROR [365 IMAP] QuartzScheduler_Worker-3 ServiceRunner Help Desk Handler: Messaging Exception in service 'com.atlassian.jira.service.services.mail.MailFetcherService$MessageProviderImpl' when getting mail: A3 BAD User is authenticated but not connected. javax.mail.MessagingException: A3 BAD User is authenticated but not connected.; nested exception is: com.sun.mail.iap.BadCommandException: A3 BAD User is authenticated but not connected. at com.sun.mail.imap.IMAPFolder.open(IMAPFolder.java:961) at com.atlassian.jira.service.services.mail.MailFetcherService$MessageProviderImpl.getAndProcessMail(MailFetcherService.java:254) at com.atlassian.jira.service.services.mail.MailFetcherService.runImpl(MailFetcherService.java:401) at com.atlassian.jira.service.services.file.AbstractMessageHandlingService.run(AbstractMessageHandlingService.java:257) at com.atlassian.jira.service.JiraServiceContainerImpl.run(JiraServiceContainerImpl.java:61) at com.atlassian.jira.service.ServiceRunner.execute(ServiceRunner.java:48) at org.quartz.core.JobRunShell.run(JobRunShell.java:195) at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:520) Caused by: com.sun.mail.iap.BadCommandException: A3 BAD User is authenticated but not connected.
O365 configuration to allow IMAP over OAuth2.0 is incomplete as Client Access Rules is missing "IMAP4" rule. See Microsoft Documentation.
When following the steps to configure your Jira incoming mail server to use OAuth 2.0, the request to "Authorize" was not completed by the user account for the mailbox.
- A user is attempting to configure Jira's incoming mail server to use OAuth 2.0 for the account email@example.com
- A user authenticated to Jira with the username firstname.lastname@example.org and re-directed to Google or Microsoft Office365 when they click "Authorize"
- A user enters their email@example.com username and password to authorize the OAuth 2.0 connection between Jira and the email service provider.
Make sure "IMAP4" is added to Client Access Rules in O365, and when testing the input in O365 using Jira context, the test is completed successfully.
You can solve this problem by using OAuth 2.0, which is supported in Jira 8.10 and later. For more info on how to integrate your Shared Mailbox, see Integrating with OAuth 2.0. A note on creating your integration: If you’re using a shared email address, set the username (or email field in Jira Service Management) to this address and then authorize as the delegated user during the OAuth 2.0 authorization flow.
Alternatively, if you are not using a version of Jira that supports OAuth 2.0 you can use POP3 instead:
Protocol: SECURE_POP Host: outlook.office365.com Port: 995 Username: firstname.lastname@example.org\sharedmailboxalias Password: (licensed user password)
Complete the "Authorize" request using OAuth2.0 with username and password for the required email account
For example, when the user email@example.com is re-directed to Google or Microsoft Office365, and allows the OAuth connection between Jira and the mail box for firstname.lastname@example.org the connection will succeed.