AAD Sync fails with Authentication_MissingOrMalformed Access Token missing or malformed.

If you’ve recently performed a K2 migration to Microsoft Graph or installed a cumulative update, you might have noticed your Azure Active Directory (AAD) Sync suddenly failing.

The error log usually looks something like this:

Error - {"odata.error":{"code":"Authentication_MissingOrMalformed", "message":{"lang":"en","value":"Access Token missing or malformed."}}}

This occurs because the Sync Service's AAD provider is still configured with the legacy provider type rather than the Microsoft Graph provider type that is now required, so its token is rejected by Graph. To fix this, you need to manually transition the Sync Engine's provider type to MSGraph and register the OAuth Resource ID from your Security Label as a runtime config value.

The Fix: Transitioning AAD to Microsoft Graph

The following SQL script automates the transition by updating the SyncEngine tables to use the MSGraph provider type and mapping the correct oAuthResourceId from your Security Label configuration.

⚠️ Prerequisite: It is highly recommended to create a full backup of your K2 database before executing any scripts directly against the tables.

/* Nintex Automation (K2) AAD to Graph Sync Fix
   Note: This script assumes your Provider and Security Label names are 'AAD'.
   If your environment uses different names, update the 'WHERE Name = ...' and
   'WHERE SecurityLabelName = ...' clauses accordingly.
*/

-- Look up the ID of the MSGraph provider type
DECLARE @ProviderTypeID AS int;
SELECT @ProviderTypeID = ID
FROM [SyncEngine].[ProviderType]
WHERE Type = 'MSGraph';

-- Stop if the MSGraph provider type is not present (the update that introduces it
-- has not been applied yet) instead of silently setting the provider type to NULL
IF @ProviderTypeID IS NULL
BEGIN
    RAISERROR('MSGraph provider type not found in SyncEngine.ProviderType', 16, 1);
    RETURN;
END;

-- Update the Provider to use the new Graph Type
UPDATE [SyncEngine].[Provider]
SET ProviderTypeID = @ProviderTypeID
WHERE Name = 'AAD';

-- Find the provider instance that belongs to the AAD provider
DECLARE @ProviderInstanceID AS int;
SELECT @ProviderInstanceID = ID
FROM [SyncEngine].[ProviderInstance]
WHERE ProviderID = (SELECT ID FROM [SyncEngine].[Provider] WHERE Name = 'AAD');

DECLARE @ProviderInstanceIDGuid AS nvarchar(max);

-- Extract the OAuth Resource ID from the Security Label AuthInit XML
SELECT @ProviderInstanceIDGuid = AuthInit.value('(/AuthInit/OAuthResourceID/node())[1]','nvarchar(max)')
FROM [HostServer].[SecurityLabel]
WHERE SecurityLabelName = 'AAD';

-- Register the Graph Resource ID in the SyncEngine Runtime Config
-- (guarded so that re-running the script does not insert a duplicate key)
IF NOT EXISTS (SELECT 1 FROM [SyncEngine].[ProviderInstanceRuntimeConfig]
               WHERE ProviderInstanceID = @ProviderInstanceID
                 AND ConfigKey = 'msgraph.oAuthResourceId')
BEGIN
    INSERT INTO [SyncEngine].[ProviderInstanceRuntimeConfig]([ProviderInstanceID],[ConfigKey],[ConfigValue])
    VALUES (@ProviderInstanceID, 'msgraph.oAuthResourceId', @ProviderInstanceIDGuid);
END;
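To confirm the result, or to inspect the current state before running the fix, the following read-only query is an added example and not part of the original post; it assumes the same SyncEngine and HostServer table and column names the fix script uses and that both the Provider and the Security Label are named 'AAD'.

```sql
-- Added verification query (not from the original post). Assumes the table and
-- column names used by the fix script and that Provider/Security Label are 'AAD'.
SELECT
    p.Name                                                   AS ProviderName,
    pt.[Type]                                                AS ProviderType,        -- expect 'MSGraph' after the fix
    inst.ID                                                  AS ProviderInstanceID,
    rc.ConfigValue                                           AS RegisteredResourceId, -- msgraph.oAuthResourceId
    sl.AuthInit.value('(/AuthInit/OAuthResourceID/node())[1]', 'nvarchar(max)')
                                                             AS LabelResourceId,     -- value the script copies from
    CASE
        WHEN pt.[Type] <> 'MSGraph'   THEN 'Provider still on legacy type'
        WHEN inst.ID IS NULL          THEN 'No ProviderInstance for this provider'
        WHEN rc.ConfigValue IS NULL   THEN 'msgraph.oAuthResourceId not registered'
        WHEN rc.ConfigValue <> sl.AuthInit.value('(/AuthInit/OAuthResourceID/node())[1]', 'nvarchar(max)')
                                      THEN 'Registered value differs from Security Label'
        ELSE 'OK'
    END                                                      AS [Status]
FROM [SyncEngine].[Provider] p
JOIN [SyncEngine].[ProviderType] pt
    ON pt.ID = p.ProviderTypeID
LEFT JOIN [SyncEngine].[ProviderInstance] inst
    ON inst.ProviderID = p.ID
LEFT JOIN [SyncEngine].[ProviderInstanceRuntimeConfig] rc
    ON rc.ProviderInstanceID = inst.ID
   AND rc.ConfigKey = 'msgraph.oAuthResourceId'
LEFT JOIN [HostServer].[SecurityLabel] sl
    ON sl.SecurityLabelName = p.Name
WHERE p.Name = 'AAD';
```

A row with Status 'OK' means the provider is on the MSGraph type and the registered resource ID matches the Security Label; any other Status names the part of the fix that is still missing.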
