#713 Multi-factor authentication doesn't work for me

[Marco Brandizi]

I need something to use Thunderbird against recent changes for the corporate Office 365 server, where the damn multi-factor authentication was introduced.

I've read DavMail/Desktop supports this, but it doesn't work for me. I've tried DavMail 5.2.0 with MacOS and JDK "12.0.1" 2019-04-16.

TB hangs while waiting for a reply, DavMail's log (attached) shows that it forwards client requests to the server, without doing anything, no pop-up is ever shown to provide the 2nd factor auth code (as I understand it should work). At some point, there is a "BAD missing command" message in the log (which should be coming from the server), but I don't get what the hell it wants (sorry, I've been thrown this MS MFA rubbish out of the blue and, after days of struggling with my laptop and IT people, I'm furious).

I've tried all the authentication methods available from the GUI, including "Auto".

Thanks in advance for any help.

[Mickael Guessant]

According to your log file the first issue is that you are trying to connect with IMAPS (encrypted) to a cleartext DavMail IMAP listener
=> please first switch your client to IMAP (non SSL)

[Marco Brandizi]

Hi @mguessan,

thank you for your reply. I've downloaded the latest stable version again (5.2.0), tried with java 12 and plain authentication set on TB. Now the problem is I don't have the O365Interactive as an option in "Exchange Protocol". I've tried all other options and also davmail.authenticator=davmail.exchange.auth.O365InteractiveAuthenticator in the .properties file.

It seems this feature isn't included in 5.2.0. I cannot find nightly builds anymore, so I've tried to rebuild DavMail from the sources, but the POM has:
<exclude>*/O365Interactive.java</exclude>. I tried removing it and raising 1.6<target>1.6</target> to 9, but then I get many compilation errors for O365Interactive (the first ones are "package javafx.application does not exist").

[Mickael Guessant]

OpenJFX (JavaFX) is not included in Java 12 => your best bet would be to compile with Oracle JDK 8 which includes JavaFX or use latest trunk build from https://github.com/mguessan/davmail#trunk-builds

[Marco Brandizi]

Thanks, I've tried the last in the trunk-builds, with Java 12. Now I get a couple of errors about 'Info.plist' not found, and then I get: 'HttpAuthenticator - NEGOTIATE authentication error: Invalid name provided (Mechanism level: KrbException: Cannot locate default realm)' (log file attached).

I think this comes from my organisation authenticator, to which O365 redirects everything, damn it.

[Joseph Reagle]

My organization is now using Duo 2FA. When I connect to DavMail I often see a prompt (small web window) for me to log in and then send a confirmation to the Duo app on my phone. Ultimately, it works for a bit, but eventually will have to repeat the process even though I have the "remember for 30 days" checked on the Duo screen. I don't know if this is because of DavMail crashes (#715) or something else.

[Mickael Guessant]

For the record, check https://sourceforge.net/p/davmail/bugs/717/ for updates on token persistence.