Additional Root CAs for Office365 mailboxes
Answer ID 13002 | Last Review Date 05/28/2025
Are there any additional root certificates needed to support Office365 mailboxes?
Environment:
Oracle B2C Service, All versions
Office365 mailboxes on outlook.office365.com mail servers
Issue:
Intermittent error notifications with Message:
<interface>: Mailbox <pop_account>: Unable to generate new access token:-ERR Authentication failure: unknown user name or bad password.
Resolution:
The Root Certificate Authorities that Microsoft requires for the SSL/TLS connections involved in exchanging a Microsoft Refresh Token for a new Access Token are listed on its website: https://learn.microsoft.com/en-us/azure/security/fundamentals/azure-ca-details
To ensure proper SSL connectivity in this process, Oracle B2C Service requires certificate authorities in Base-64 encoded X.509 (.pem) format. Most of the root CAs listed at the link above are published as DER encoded binary X.509 (.cer or .crt) files, which is why the attached zip provides them already converted to PEM.
- Download the file AdditionalRootCerts-PEMformat.zip attached below and unzip its contents.
- Then follow Managing SSL Certificates for External Integrations: go to Configuration > Site Configuration > File Manager, switch the dropdown to "Additional root certificates", and for each of the six certificates choose Upload and Go (adding a Comment if desired).
For additional information, refer to the 'Add or Remove Certification Authorities' section in the Online Help User Guide documentation.
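As an added example that is not part of this article or of Oracle's tooling, the Python below shows how to check a folder of downloaded root CA files, classify each as DER or PEM from its leading bytes, and write a PEM copy of every DER file (the same transformation as openssl x509 -inform DER -in root.crt -out root.pem), using only the standard library. The sample bytes and file names are constructed placeholders, not real certificates.

```python
import ssl
import tempfile
from pathlib import Path

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"
CERT_SUFFIXES = {".cer", ".crt", ".der", ".pem"}
# Constructed placeholder for the demo: it has the leading ASN.1 SEQUENCE tag
# (0x30) that every DER X.509 certificate starts with, but is NOT a real cert.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))

def detect_format(data: bytes) -> str:
    """Classify a certificate file as 'pem' or 'der' from its leading bytes."""
    if data.lstrip().startswith(PEM_HEADER):
        return "pem"
    if data[:1] == b"\x30":  # DER: outermost ASN.1 SEQUENCE tag
        return "der"
    raise ValueError("not a recognisable X.509 certificate encoding")

def to_pem(data: bytes) -> str:
    """Return PEM text; DER is Base64-wrapped like `openssl x509 -inform DER`."""
    if detect_format(data) == "pem":
        return data.decode("ascii")
    pem = ssl.DER_cert_to_PEM_cert(data)
    if ssl.PEM_cert_to_DER_cert(pem) != data:  # round-trip guard
        raise ValueError("PEM round-trip mismatch")
    return pem

def convert_directory(src: Path, dst: Path) -> dict:
    """Write a .pem copy of each certificate in src to dst; return {name: format}."""
    dst.mkdir(parents=True, exist_ok=True)
    found = {}
    for path in sorted(src.iterdir()):
        if path.suffix.lower() not in CERT_SUFFIXES:
            continue  # skip README, licence text, etc.
        raw = path.read_bytes()
        found[path.name] = detect_format(raw)
        (dst / (path.stem + ".pem")).write_text(to_pem(raw))
    return found

def demo() -> dict:
    """Convert a scratch folder holding one DER file, one PEM file and a stray text file."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "downloaded", Path(tmp) / "pem"
        src.mkdir()
        (src / "RootA.crt").write_bytes(SAMPLE_DER)
        (src / "RootB.pem").write_text(ssl.DER_cert_to_PEM_cert(SAMPLE_DER))
        (src / "README.txt").write_text("ignored")
        found = convert_directory(src, dst)
        return {"found": found, "outputs": sorted(p.name for p in dst.iterdir())}
```

The resulting .pem files are what the File Manager upload expects; a file that raises the ValueError was not a certificate and should not be uploaded.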
Cause:
The error message can have various causes, one of which is intermittent SSL protocol failures. The steps above address that cause.
Notes:
Other possible causes exist and require different actions to resolve. If techmail receives either of the following responses, B2C Service will also record error notifications carrying the "Unable to generate new access token" message:
- Microsoft response: [{"error":"invalid_grant","error_description":"AADSTS50173: The provided grant has expired due to it being revoked, a fresh auth token is needed. The user might have changed or reset their password.
- Microsoft response: [{"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app '<AppID / Client ID>'.
If you have uploaded the root CAs provided here and a particular mailbox still errors consistently, click Authenticate on that mailbox. If the issue persists, raise a service request via Ask Technical Support and we will run a trace to locate the cause.