PRODUCTION: Invalid Credentials

Question

I'm getting an 'invalid credentials' error. I verified the customer id is correct, the developer token is correct, and I can get a new access token + refresh token using curl. I can't figure out what is wrong.

$ YII_ENV=prod yii kw/bing-list-accounts
The operation failed with the following faults:
TrackingId: 5692baa7-28ad-4ac9-916b-4b05b94252aa
AdApiError
Code: 105
Error Code: InvalidCredentials
Message: Authentication failed. Either supplied credentials are invalid or the account is inactive

2016-10-21 11:41:46 [-][-][-][error][application] Last SOAP request/response:
https://clientcenter.api.bingads.microsoft.com/Api/CustomerManagement/v9/CustomerManagementService.svc?singleWsdl
<?xml version="1.0" encoding="utf-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:ns1="https://bingads.microsoft.com/Customer/v9">
  <SOAP-ENV:Header>
    <ns1:CustomerAccountId />
    <ns1:CustomerId>999999999</ns1:CustomerId>
    <ns1:DeveloperToken>xxxxxxxxxxx</ns1:DeveloperToken>
    <ns1:UserName />
    <ns1:Password />
    <ns1:AuthenticationToken>xxxxxxxxxxxxxxxxxx</ns1:AuthenticationToken>
  </SOAP-ENV:Header>
  <SOAP-ENV:Body>
    <ns1:GetUserRequest>
      <ns1:UserId xsi:nil="true" />
    </ns1:GetUserRequest>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Body>
    <s:Fault>
      <faultcode>s:Server</faultcode>
      <faultstring xml:lang="en-US">Invalid client data. Check the SOAP fault details for more information</faultstring>
      <detail>
        <AdApiFaultDetail xmlns="https://adapi.microsoft.com" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
          <TrackingId>5692baa7-28ad-4ac9-916b-4b05b94252aa</TrackingId>
          <Errors>
            <AdApiError>
              <Code>105</Code>
              <Detail i:nil="true" />
              <ErrorCode>InvalidCredentials</ErrorCode>
              <Message>Authentication failed. Either supplied credentials are invalid or the account is inactive</Message>
            </AdApiError>
          </Errors>
        </AdApiFaultDetail>
      </detail>
    </s:Fault>
  </s:Body>
</s:Envelope>

Answer 1

I see this error box in the account page. But the credit card IS added, and we are going to create campaigns via the API, never manually. The account is aged a few months already.

Pending: New customer.
As a new customer, please make sure that you have completed account set up, including creating a campaign and adding a payment method. Note: After you complete set up, it can take up to 72 hours before your ads can run.
Learn more

Pending: New customer.

As a new customer, please make sure that you have completed account set up, including creating a campaign and adding a payment method. Note: After you complete set up, it can take up to 72 hours before your ads can run.

Learn more

Answer 2

I copied your exact SOAP request and substituted with my AuthenticationToken (access token), and it worked. (I removed CustomerId since it isn't required for this operation.) Are you also able to login to the Bing Ads web application with the Microsoft account (email) that you used to get the access token? It is possible to get an access token for a Microsoft account that might not even have access to any Bing Ads accounts. The 105 error can be returned if the credentials are not valid for a Bing Ads account. For example you might have a Microsoft account that you used to register the application and get the ClientId for OAuth, but those credentials don't necessarily have access to any Bing Ads account.

Answer 3

Yes I can log in with the email and password to get into the Bing Ads web app. That is how I found the customer id.

The CustomerId says it's not always required, but says it is good practice to always include it. I also commented it out as a test but it didn't help.
https://msdn.microsoft.com/en-us/library/bing-ads-getting-started.aspx

• Required for service operations related to targeting and editorial. As a best practice you should always specify this element.

What do you mean by "I might have a client id that doesn't have access to Bing Ads"? According to the documentation on this page, it doesn't matter which client id you use.
https://msdn.microsoft.com/en-us/library/bing-ads-user-authentication-oauth-guide.aspx?f=255&MSPPError=-2147217396

<token>Note</token>
You may use any of your Microsoft accounts to manage authentication for your application. Using a Microsoft Account which is linked to your Bing Ads user credentials is optional for managing your application.

I'm using my developer client id, which worked for the sandbox, and which worked for a separate test account in production (test.bestsales@gmail.com). My developer account also has access to Bing Ads for personal use. Not only that, but I was able to get a refresh token using that client id, and to refresh the access token whenever I make a request. 

Should I mail you my credentials so you can investigate?

Answer 4

I found it. I must have refactored at some point while working with sandbox and I was encrypting the access token before using it when saving to the DB.