FME Flow Troubleshooting: Azure Active Directory

Richard Mosley
Full Guide: FME Flow Troubleshooting Guide

Are you encountering issues integrating FME Flow (formerly FME Server) with Azure Active Directory? Please read below for some common troubleshooting tips, questions, and resources.


Initial Troubleshooting

  • Check the following log files, located in Resources/Logs/service/current/, for errors:
    • restV4.log (holds information about the initial connection and import of users)
    • SSO.log (holds errors on the login process)
 

Common Issues

“After creating an Azure AD Connection I am getting an Access Denied error trying to import a User or Group”

In FME Flow you see a toast error message: 

Access denied. Ensure that your client ID and secret are correct, and an administrator has granted permissions.

This error typically occurs when FME Flow can reach the Azure AD tenant but lacks the permissions needed to import users or groups.

To resolve this error, first check the ‘Type’ of each permission granted to the app registration. The User.Read permission should be ‘Delegated’, while the others are ‘Application’:

Second, make sure that in the FME Flow Web UI you are using the secret value, not the secret ID.
 

“After creating an Azure AD Connection I am getting an unauthorized_client error when trying to search for a user or group to import”


Check the Azure AD Connection under FME Flow authentication services. Confirm that the value of the "Client ID" matches the "Application (client) ID" from the Azure App Registration's overview page (do not use the Client Secret ID from the Azure App Registration).
 

“After creating an Azure AD Connection I am encountering an issue while accessing the Azure AD tenant. The error was: Error executing the request”

When trying to import a user or group from the Azure AD connection the following error is returned in the browser: 


In the restAPIV4.log you see the following error:

Caused by: java.lang.RuntimeException: Max retries 3 times exceeded. Error Details: http, none, qc-proxyBasic.base.safe.com/10.212.101.48:8080 => login.microsoftonline.com/20.190.154.139:443, timeout

This indicates that FME Flow cannot reach https://login.microsoftonline.com or https://graph.microsoft.com. These URLs should be allowed through your firewall. If that is not an option, you can specify a proxy in the Web UI and Azure AD authentication will pass through it.
 

“When I try to log in there is a redirect URI error” 

In the Web Browser a Microsoft error ‘Sorry but we’re having trouble signing you in’ is returned: 


In the SSO.log you'll also see the error: 

Caused by: com.microsoft.aad.msal4j.MsalServiceException: AADSTS50011: The redirect URI 'https://myfmeflow.mydomain.com/fmesso/azuread/redirect' specified in the request does not match the redirect URIs configured for the application

To resolve this issue make sure the URL in the browser is the same as that specified in the Azure AD Redirect URI. This should be the FQDN, not just the hostname.  
 

“I am unable to log in using my Azure Active Directory guest account”

We currently do not support guest accounts through the Azure Active Directory Connection; however, you can configure FME Flow to use Azure AD guest accounts through SAML Authentication.
 

“After creating an Azure AD Connection I cannot see Microsoft 365 Users or Groups”

Microsoft 365 accounts are required to be Security Enabled to allow them to receive security tokens for authentication to access apps or resources. Please see this Microsoft article for details on how to set this parameter.


“How can I connect to Azure Active Directory when my FME Flow HTTPS configuration is through a Reverse Proxy/Load Balancer?”

FME Flow must be configured with HTTPS to allow Azure AD communication. If you are using an SSL-terminating Reverse Proxy or Load Balancer, you don’t have to configure the FME Flow backend for SSL. Instead, make the following changes:
 
1. On the FME Flow Web Application machine, run a text editor as an administrator and open server.xml, located in <FMEFlowDir>\Utilities\tomcat\conf.
2. Update the proxyPort attribute to 443:
proxyPort="443"
3. Update the scheme attribute to https:
scheme="https"
4. Repeat on any remaining FME Flow Web Application machines if you have them.
5. Restart the services.
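For reference, this is what the edited Connector element in Tomcat's server.xml looks like before and after steps 2 and 3. It is an added illustration, not the file shipped with FME Flow: the port, protocol and timeout values are assumed, and only proxyPort and scheme are the attributes the steps above change.

```xml
<!-- Before: Tomcat believes it is reached over plain http on port 8080, so the
     redirect URI FME Flow sends to Azure AD is built from that scheme and port.
     (Assumed values; only proxyPort and scheme matter for this procedure.) -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />

<!-- After: Tomcat reports the scheme and port the reverse proxy presents to
     users, so the redirect URI matches the https://<public FQDN>/... that is
     registered in the Azure App Registration. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443"
           proxyPort="443"
           scheme="https" />
```

TLS still terminates at the proxy; these attributes only change what Tomcat reports about itself, which is why the backend port can stay on plain HTTP behind the proxy.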

“When Microsoft IIS is used as a remote proxy for FME Flow, an Azure AD-imported user is unable to log in”

When attempting “Sign in with Microsoft”, the error “404 - File or directory not found. The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable” is returned.

The browser is directed to a link such as:

"https://<<RemoteProxyHostname>>/organizations/oauth2/v2.0/authorize?scope=openid+profile+offline_access+&response_type=code&redirect_uri=http%3A%2F%2Fmge-8763%2Ffmesso%2Fazuread%2Fredirect&......"

Here the redirect URI in the link points to the FME Flow core hostname rather than the IIS proxy hostname, which should be the intended endpoint. Please follow the documentation Failure to Connect to Azure AD Through IIS Proxy for resolution steps.
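As an added example (not code from Safe Software or FME Flow), the following Python script pulls the facts a support engineer needs out of the two log lines quoted earlier in this article (the restV4.log "Max retries ... timeout" connectivity failure and the SSO.log AADSTS50011 redirect mismatch), and decodes the redirect_uri from a "Sign in with Microsoft" authorize URL like the one above, flagging when it points at a bare core hostname over http instead of the public proxy FQDN over https. All host names, IP addresses, log lines and URLs in it are constructed placeholders.

```python
"""Triage helper for the FME Flow / Azure AD errors discussed in this article.

Added example, not Safe Software code. It classifies the restV4.log
connectivity failure and the SSO.log AADSTS50011 redirect mismatch, and checks
the redirect_uri inside a Microsoft authorize URL against the public FQDN that
users actually browse to. Sample data below is constructed for the example.
"""
import re
from urllib.parse import parse_qs, urlparse

# restV4.log: "... Max retries N times exceeded. Error Details: http, none, <via> => <target>, <reason>"
RETRY_RE = re.compile(
    r"Max retries (\d+) times exceeded\. Error Details: (.*?), (\S+) => (\S+), (\w+)"
)
# SSO.log: MSAL quotes the redirect URI that Azure AD rejected.
AADSTS_RE = re.compile(r"AADSTS50011: The redirect URI '([^']+)'")


def classify_log_line(line, registered_redirect_uri=None):
    """Map one log line to an issue category plus the facts needed to fix it.

    Returns None for lines that are neither of the two known failures.
    """
    m = RETRY_RE.search(line)
    if m:
        retries, _proto, via, target, reason = m.groups()
        return {
            "issue": "connectivity",
            "retries": int(retries),
            "via": via.split("/")[0],        # proxy (or FME Flow host) the request left through
            "target": target.split("/")[0],  # Microsoft endpoint that never answered
            "reason": reason,                # e.g. "timeout": firewall or missing proxy setting
        }
    m = AADSTS_RE.search(line)
    if m:
        sent = m.group(1)
        host = (urlparse(sent).hostname or "").lower()
        result = {
            "issue": "redirect_uri_mismatch",
            "sent_redirect_uri": sent,
            "host": host,
            # A bare hostname (no dot) is the usual cause: the user browsed to
            # https://fmeflow01/ while Azure AD has the FQDN registered.
            "is_fqdn": "." in host,
        }
        if registered_redirect_uri is not None:
            result["matches_registered"] = sent.lower() == registered_redirect_uri.lower()
        return result
    return None


def check_authorize_url(url, public_host):
    """Decode redirect_uri from a Microsoft authorize URL and compare it with the
    host users reach (the reverse proxy FQDN), not the FME Flow core hostname."""
    redirect = parse_qs(urlparse(url).query).get("redirect_uri", [None])[0]
    if redirect is None:
        return {"ok": False, "problems": ["authorize URL has no redirect_uri parameter"]}
    parsed = urlparse(redirect)
    host = (parsed.hostname or "").lower()
    problems = []
    if host != public_host.lower():
        problems.append(f"redirect_uri host {host!r} differs from public host {public_host!r}")
    if parsed.scheme != "https":
        problems.append(f"redirect_uri scheme is {parsed.scheme!r}; Azure AD requires https")
    if "." not in host:
        problems.append("redirect_uri host is a bare hostname, not an FQDN")
    return {"ok": not problems, "redirect_uri": redirect, "host": host, "problems": problems}


# Constructed samples: placeholder hosts and documentation-range IPs, not a real deployment.
SAMPLE_REST_LINE = (
    "Caused by: java.lang.RuntimeException: Max retries 3 times exceeded. Error Details: "
    "http, none, proxy.example.internal/192.0.2.5:8080 => "
    "login.microsoftonline.com/203.0.113.10:443, timeout"
)
SAMPLE_SSO_LINE = (
    "Caused by: com.microsoft.aad.msal4j.MsalServiceException: AADSTS50011: The redirect URI "
    "'https://fmeflow01/fmesso/azuread/redirect' specified in the request does not match "
    "the redirect URIs configured for the application"
)
REGISTERED_REDIRECT_URI = "https://fmeflow01.example.com/fmesso/azuread/redirect"
SAMPLE_AUTHORIZE_URL = (
    "https://iisproxy.example.com/organizations/oauth2/v2.0/authorize?"
    "scope=openid+profile+offline_access+&response_type=code"
    "&redirect_uri=http%3A%2F%2Ffmecore-01%2Ffmesso%2Fazuread%2Fredirect"
)

if __name__ == "__main__":
    print(classify_log_line(SAMPLE_REST_LINE))
    print(classify_log_line(SAMPLE_SSO_LINE, REGISTERED_REDIRECT_URI))
    print(check_authorize_url(SAMPLE_AUTHORIZE_URL, "iisproxy.example.com"))
```

Pointing the script at a real SSO.log or restV4.log is a matter of looping over its lines and calling classify_log_line on each; the authorize URL can be copied straight out of the browser address bar when the 404 appears.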

Are you still experiencing issues? 

Please consider posting to the FME Community Q&A if you are still experiencing issues that are not addressed in this article. There are also different support channels available.

Have ideas on how to improve this? 

You can add ideas or product suggestions to our Ideas Exchange.


 
