Configuring Microsoft Modern Authentication (OAuth 2.0) for FogBugz On Premise



Overview

OAuth support for accessing O365/outlook.com (EWS) mailboxes using modern authentication is now available in FogBugz (version 8.22.635 and above).


Information

Microsoft is deprecating basic authentication in Exchange Online. For more information, see: https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online

To address this, FogBugz has adopted modern authentication (OAuth 2.0 token-based authorization). This guide helps FogBugz On Premise customers make the changes required to support modern authentication.

Download the latest version of FogBugz On Premise and perform an upgrade, then go through the following steps to complete the setup.

1. Register your FogBugz application using the Azure app registration portal. You can use either a Microsoft account or a work or school account to register.

2. In the App registrations portal, click on New registration.


3. Enter a display Name for your FogBugz application. This name will be seen by FogBugz users when signing in using modern authentication.

4. Specify who can use the FogBugz application, sometimes called its sign-in audience.

| Supported account types | Description |
| --- | --- |
| Accounts in this organizational directory only | For use only by users (or guests) in your Azure tenant. |
| Accounts in any organizational directory | For use by any Azure Active Directory (Azure AD) tenant (multitenant). |
| Accounts in any organizational directory and personal Microsoft accounts | For use by any Azure Active Directory (Azure AD) tenant (multitenant) + users who have personal Microsoft accounts. |
| Personal Microsoft accounts | For use only by users who have personal Microsoft accounts. |

5. For the Redirect URI, select Web then provide the URI value based on your FogBugz URL. The URI should be provided in this format: https://<your FogBugz URL>/oauthresult.aspx


Take note of the redirect URI, as it is needed when updating the registry later on.

6. Once the registration is completed, take note of the client ID and tenant ID. Both values are needed when updating the registry later on.

7. Go to “Certificates & secrets”, then click on “New client secret”.


8. Enter the description and the expiry based on your preferences, then click on Add.


9. Take note of the client secret value. It is needed when updating the registry later on.

10. Go to “API permissions” and remove the existing User.Read permission, as it is not needed.

11. Now click on “Add a permission” => “APIs my organization uses” => find and select “Microsoft Graph”.


12. For the type of permissions, select “Delegated permissions”, then select “offline_access”. Click on Add permissions.


13. Click on “Add a permission” again => “APIs my organization uses” => find and select “Office 365 Exchange Online”.


14. For the type of permissions, select “Delegated permissions”, then select “EWS.AccessAsUser.All”. Click on Add permissions.


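15. The list of configured permissions should now show two delegated permissions: offline_access under Microsoft Graph and EWS.AccessAsUser.All under Office 365 Exchange Online.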

16. Go to the server where your FogBugz On Premise application is installed, and launch the registry editor.

17. Go to the FogBugz registry key. It should be located under the following registry path:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Fog Creek Software\FogBugz\<your FogBugz installation path>

18. Add the following 4 registry values to the FogBugz registry key. Each value must be of type string.

"sOAuthExchangeOnlineClientId"="your_fogbugz_app_client_id"

"sOAuthExchangeOnlineTenantId"="your_azure_tenant_id"

"sOAuthExchangeOnlineRedirectUrl"="https://<your FogBugz URL>/oauthresult.aspx"

"sOAuthExchangeOnlineClientSecret"="your_fogbugz_app_client_secret"

19. Once added, the four string values should appear under the FogBugz registry key.

20. Restart IIS or the FogBugz application pool, and you are all set to use modern authentication in FogBugz.
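
Steps 17 to 19 can also be scripted. The PowerShell below is an added example, not part of FogBugz or of the original article: it validates the four values, writes them as strings, and lists the access rules on the key, since the client secret is stored there. Test-FogBugzOAuthSettings is a hypothetical helper, and the GUID check assumes both IDs were copied from the app registration overview page.

```powershell
# Added example, not FogBugz tooling. Run elevated on the FogBugz server.
# All values below are the article's placeholders; replace every one of them.
$KeyPath  = 'HKLM:\SOFTWARE\Fog Creek Software\FogBugz\<your FogBugz installation path>'
$Settings = [ordered]@{
    sOAuthExchangeOnlineClientId     = 'your_fogbugz_app_client_id'
    sOAuthExchangeOnlineTenantId     = 'your_azure_tenant_id'
    sOAuthExchangeOnlineRedirectUrl  = 'https://<your FogBugz URL>/oauthresult.aspx'
    sOAuthExchangeOnlineClientSecret = 'your_fogbugz_app_client_secret'
}

# Hypothetical helper: returns a list of problems, empty when the values look sane.
function Test-FogBugzOAuthSettings {
    param([System.Collections.IDictionary]$Values)
    $problems = @()
    $guid = [guid]::Empty
    # Assumption: both IDs are the GUIDs shown on the app registration overview.
    foreach ($name in 'sOAuthExchangeOnlineClientId', 'sOAuthExchangeOnlineTenantId') {
        if (-not [guid]::TryParse([string]$Values[$name], [ref]$guid)) {
            $problems += "$name is not a GUID"
        }
    }
    # The redirect URL must be the https URI registered in step 5.
    $uri = $null
    $url = [string]$Values['sOAuthExchangeOnlineRedirectUrl']
    if (-not ([uri]::TryCreate($url, [System.UriKind]::Absolute, [ref]$uri)) -or
        $uri.Scheme -ne 'https' -or
        -not $uri.AbsolutePath.EndsWith('/oauthresult.aspx', [System.StringComparison]::OrdinalIgnoreCase)) {
        $problems += 'sOAuthExchangeOnlineRedirectUrl must be https://.../oauthresult.aspx'
    }
    $secret = [string]$Values['sOAuthExchangeOnlineClientSecret']
    if ([string]::IsNullOrWhiteSpace($secret) -or $secret -eq 'your_fogbugz_app_client_secret') {
        $problems += 'sOAuthExchangeOnlineClientSecret is empty or still the placeholder'
    }
    return $problems
}

$problems = @(Test-FogBugzOAuthSettings $Settings)
if ($problems.Count -gt 0) { throw ($problems -join '; ') }
if (-not (Test-Path -LiteralPath $KeyPath)) { throw "Registry key not found: $KeyPath" }

# Step 18: create (or overwrite) each value as a string (REG_SZ).
foreach ($name in $Settings.Keys) {
    New-ItemProperty -LiteralPath $KeyPath -Name $name -Value $Settings[$name] -PropertyType String -Force | Out-Null
}

# Read back the non-secret values, then list who can access the key, because
# the client secret is stored in it as a plain string.
Get-ItemProperty -LiteralPath $KeyPath -Name @($Settings.Keys | Where-Object { $_ -notlike '*Secret' })
(Get-Acl -LiteralPath $KeyPath).Access | Select-Object IdentityReference, RegistryRights, AccessControlType
```

With the placeholders left in place the script stops at the validation step and writes nothing. The restart in step 20 is still required after the values are written.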

 

TLS setting:

To use FogBugz OAuth successfully, you must enforce TLS 1.2 on the FogBugz server (website and heartbeat). To enforce TLS 1.2 on the server, run the PowerShell script titled "PowerShell script to enable TLS 1.2", which can be found in this Microsoft article: https://learn.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-tls-enforcement

Please note that TLS 1.0 and 1.1 don't have to be disabled to enforce TLS 1.2.