How to resolve access denied to cryptographic module error for certificate-based OAuth authentication

Issue

Resolve access denied errors when using certificate-based OAuth authentication with Microsoft Graph email accounts.

After configuring an email account of type Graph (Receive) to use certificates for OAuth access tokens, a manual token fetch works as expected. However, when the token expires, the base system Refresh Email Access Token scheduled job fails to renew it.

Note: This issue may also occur when a JWT is generated within a user-created script on the instance. This article focuses on the email account scenario, but the resolution may apply to other cases.

Before proceeding, review the related knowledge article to confirm that a Module Access Policy was not generated automatically.

Symptoms

The following error appears in System Logs with each Email Reader run:

    Unable to process messages: com.glide.notification.inbound.GraphEmailReaderException: Access Token is not available:

The logs for the Refresh Email Access Token transaction show the cryptographic module denial first, followed by a 401 from the token endpoint:

    Started to generate JWT
    Getting JWTProvider for jwtProviderSysId = <JWT Provider sys ID configured in the script include>
    SEVERE *** ERROR *** Access Denied to cryptographic module 'global.com_snc_platform_security_oauth_glideencrypter'
    For guidance on this issue, please have your Security Admin refer to KB: https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1112530
    WARNING *** WARNING *** Access denied to crypto module
    WARNING *** WARNING *** string may not be encrypted: Input length must be multiple of 8 when decrypting with padded cipher
    SEVERE *** ERROR *** Error while generating JWT token.Cannot recover key
    SEVERE *** ERROR *** *** Script: JWT Token is not valid. Please make sure standard claims are valid.
    OUTBOUND_HTTP: protocol=HTTP/1.1 response_status=401 response_time=335 request_length=142 response_length=623 app_scope=global session_id=glide.scheduler.worker.6 transaction_name="Refresh Email Access Token - system" transaction_id=<transaction_id> user_name=<the run as user> mid_server= source_table=sysauto_script source_record=<sysauto_script sys ID> system_id=<FQDN of the app node> method=POST log_level=All scheme=https hostname=login.microsoftonline.com path=/<tenant ID>/oauth2/v2.0/token
    OAuthProblemException{error='invalid_client', description='AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app '<app ID>'. ...
    WARNING *** WARNING *** failed to get access token from remote oauth server.
    *** Script: OAuth authentication failed for <JWT Provider sys ID configured in the script include>

Release

All supported releases

Cause

The script is denied access to the Key Management Framework (KMF) module. Script includes and applications typically install with a preconfigured Module Access Policy (MAP), or a MAP is generated automatically the first time encryption or decryption is attempted. In this scenario, no MAP was generated automatically, so you must manually create a granular MAP for the caller, which is the Refresh Email Access Token scheduled script execution [sysauto_script] record.

Resolution

Important: Creating this Module Access Policy is a security decision. Understand the implications and how they affect your security before implementing it.

To create the MAP:

1. Go to the sys_kmf_crypto_caller_policy table.
2. Select New to create a new MAP.
3. Set Type to Script.
4. Set Script Table to Scheduled Script Execution [sysauto_script].
5. Select the lookup icon next to Target Script and select the Refresh Email Access Token record.
6. Set Active to true and Result to Track.
7. Select Save.

Subsequent runs of the Refresh Email Access Token job should now generate the JWT successfully and return a 200 response with a token from the Graph API.

Note: Creating a more specific MAP for the script include created by duplicating GraphCertificateOAuthTemplate is not sufficient. Access continues to be denied until a MAP is created for the calling script.

Related Links

- Configure an OAuth profile to use certificates for authentication with Microsoft Azure
- How to resolve Key Management Framework access denied errors for Password2 decryption
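As an added triage aid, not part of this article or of the ServiceNow platform, the following Python script scans a Refresh Email Access Token transaction log for the KMF denial signature described above and separates it from a run where the identity provider genuinely rejected the credential; the log samples are constructed from the excerpt in the Symptoms section, with placeholder sys IDs.

```python
import re

# Constructed sample modelled on this article's log excerpt (sys IDs are placeholders)
DENIED_RUN = """\
Started to generate JWT
Getting JWTProvider for jwtProviderSysId = <jwt_provider_sys_id>
SEVERE *** ERROR *** Access Denied to cryptographic module 'global.com_snc_platform_security_oauth_glideencrypter'
WARNING *** WARNING *** Access denied to crypto module
SEVERE *** ERROR *** Error while generating JWT token.Cannot recover key
OUTBOUND_HTTP: protocol=HTTP/1.1 response_status=401 source_table=sysauto_script source_record=<sys_id> method=POST hostname=login.microsoftonline.com
OAuthProblemException{error='invalid_client', description='AADSTS7000215: Invalid client secret provided.'}
"""

# Constructed sample with no KMF problem: the identity provider simply rejected the credential
BAD_CREDENTIAL_RUN = """\
OUTBOUND_HTTP: protocol=HTTP/1.1 response_status=401 source_table=sysauto_script method=POST hostname=login.microsoftonline.com
OAuthProblemException{error='invalid_client', description='AADSTS7000215: Invalid client secret provided.'}
"""

KMF_DENIED = re.compile(r"Access Denied to cryptographic module '([^']+)'")
HTTP_STATUS = re.compile(r"OUTBOUND_HTTP:.*?\bresponse_status=(\d{3})")
CALLER_TABLE = re.compile(r"\bsource_table=(\S+)")
OAUTH_ERROR = re.compile(r"OAuthProblemException\{error='([^']+)'")


def triage(log_text: str) -> dict:
    """Classify one Refresh Email Access Token run from its transaction log text."""
    denied = KMF_DENIED.search(log_text)
    status = HTTP_STATUS.search(log_text)
    caller = CALLER_TABLE.search(log_text)
    oauth = OAUTH_ERROR.search(log_text)
    result = {
        "kmf_module": denied.group(1) if denied else None,
        "http_status": int(status.group(1)) if status else None,
        "caller_table": caller.group(1) if caller else None,
        "oauth_error": oauth.group(1) if oauth else None,
    }
    if denied:
        # The KMF denial precedes the 401: the JWT was never signed, so invalid_client is downstream
        result["diagnosis"] = "kmf_map_missing"
        result["action"] = f"Create a MAP for the calling script in {result['caller_table'] or '<unknown table>'}, not only for the script include"
    elif result["oauth_error"] == "invalid_client":
        result["diagnosis"] = "credential_rejected_by_idp"
        result["action"] = "Check the certificate or secret on the Entra ID app registration"
    elif result["http_status"] == 200:
        result["diagnosis"] = "ok"
        result["action"] = "No action required"
    else:
        result["diagnosis"] = "unknown"
        result["action"] = "Inspect the full transaction log"
    return result
```

Run it over the log of a single scheduled job execution; a `kmf_map_missing` result means the 401 from login.microsoftonline.com should be ignored until the MAP for the caller exists.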