Not sure if this could be called a bug, so I request a feature.
Situation:
Microsoft Exchange server; the previous settings that worked up till noon today were:
EWS protocol with OWA URL https://post.intility.no/owa
This has worked for years until IT figured they'd add two factor authentication (SMS) to the web mail "client" today at 12:00 sharp.
Now, when going to https://post.intility.no/owa in a web browser, I'm redirected to another login page, and upon success I'm back to https://post.intility.no/owa again. Can't really tell, but I suspect the EWS endpoint would be available after authenticating...
In logs I see 10 redirects before davmail gives up.
Attaching full davmail logs. It seems the problem is:
1) davmail unable to process the new login page or
2) NEW FEATURE: catch a two-factor login page (something like the Lightning for Thunderbird's Google auth page) and then move on to contact EWS on the (original) OWA URL?
I might be barking up the wrong tree here, but it seems like not-a-bug but new-feature(?)
Just found out that the organization also has an Android endpoint WITHOUT two-factor authentication... (well, could be the endpoint works for other OSes as well.) Tried that as the OWA URL in DavMail and it worked. Until they add additional security to it, it works with https://eas.intility.no/owa
Perhaps this finding could be of help for others whose organizations do something like this and do support Android clients: try and look in the Android email settings and copy that to the OWA URL ;)
My company has also started using two-factor authentication. In our case they're using Office365 MFA. I believe in both cases that OAuth2 support would resolve this issue. If the email client attempts OAuth2 authentication then DavMail should be able to work through an OAuth2 authentication process.
OAuth2 may definitely help in your case; however, to use OAuth the application (DavMail in this case) must be registered on Azure AD, see:
https://msdn.microsoft.com/en-us/library/office/dn903761(v=exchg.150).aspx
and
https://github.com/Azure-Samples/active-directory-java-native-headless
Update on this: DavMail works perfectly with Office 365 and MFA enabled accounts: you just have to use the application password instead of your normal password, see:
https://docs.microsoft.com/en-US/azure/multi-factor-authentication/end-user/multi-factor-authentication-end-user-app-passwords
DavMail does not work with Office 365 and MFA if the organization has disabled the application password feature. So, having OAuth2 support is still needed.
Also not working with my organization's email on office365.com. Looks like the application password is disabled.
Not sure there is a way to authenticate with EWS without an application password and without an OAuth application client ID :-(
I created an Application ID for my user account (not Administrator!) using the instructions at https://wiki.gnome.org/Apps/Evolution/EWS/OAuth2.
Reopening, MFA support is indeed required when application passwords are disabled on tenant.
Ok, first working prototype of an interactive OAuth2 authentication with EWS, see EWSAuthenticationFrame.java
=> this application should open an authentication frame and, on success, retrieve an OAuth2 token to authenticate against the Office 365 EWS endpoint
Note that Java >= 9 is a prerequisite.
Do you have a nightly build? I installed four different versions of the JDK, but only java-1.8.0-openjdk-devel-1.8.0.181.b15-0.fc28.x86_64 had the tools.jar ant requires, and DavMail would not compile. I'm guessing because it is Java < 9.
Sorry, forgot to commit the jettison lib, only added it to Maven POM.
You can compile with Java 8 or later; Java 9 is only mandatory for the Microsoft logon page.
Thank you Mickael for working on this feature. A quick question, do you anticipate that this will work only when davmail is installed on local computer? Or will it somehow work when it is installed on a server, and is used from various devices?
Currently only desktop will work, as we have an interactive authentication and consent.
In the future we may be able to automatically authenticate, after the initial consent that must be manual.
Just to be clear: we do not have a working DavMail with OAuth support, just a standalone app (EWSAuthenticationFrame) that demonstrates interactive authentication.
Update: add davmail.enableOauth2=true with the latest trunk commit to test interactive OAuth2 authentication
I tried on macOS High Sierra with:
brew install ant
brew cask install java10
and built DavMail-MacOSX-4.9.0-2664-trunk.app.zip. Yay!
I added to .davmail.properties:
davmail.enableOauth2=true
then launched DavMail.app and Thunderbird.app. I get a new DavMail window labeled https://or.company.com/IWA/ with:
Unauthorized: Access is denied due to invalid credentials.
IWA means Integrated Windows Authentication => this is not a form-based authentication, and I did not implement the username/password callback.
We now have two authenticators, please remove the enableOauth2 parameter and set:
davmail.authenticator=davmail.exchange.auth.O365Authenticator
=> for the headless authenticator, you may have to open the consent page first; please check the logs
davmail.authenticator=davmail.exchange.auth.O365InteractiveAuthenticator
=> for interactive authentication; will automatically send username/password if requested by the target server
Additional note: tested only with standard Office 365 authentication (with Azure AD); may need some adjustments for other use cases (ADFS, ...)
Last edit: Mickael Guessant 2018-09-29
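To show where the settings from the post above sit in a complete configuration, here is an added example `.davmail.properties` (constructed for this thread, not posted by the author or taken from the DavMail project). The authenticator and enableOauth2 keys are the ones named in the thread; davmail.url and davmail.enableEws are standard DavMail settings, and the EWS URL is the usual Office 365 endpoint.

```properties
# Constructed example .davmail.properties (not from the thread); adjust for your tenant.
# Office 365 EWS endpoint (standard URL) and force EWS mode
davmail.url=https://outlook.office365.com/EWS/Exchange.asmx
davmail.enableEws=true

# Obsolete switch from the earlier trunk build: remove it once an authenticator is set.
#davmail.enableOauth2=true

# Interactive authenticator: opens the Microsoft logon window for the MFA prompt.
# Needs Java 9 or later for the logon page; username/password are sent automatically if requested.
davmail.authenticator=davmail.exchange.auth.O365InteractiveAuthenticator

# Headless alternative (desktop not required): the consent page may have to be opened once first,
# check the DavMail logs if authentication fails.
#davmail.authenticator=davmail.exchange.auth.O365Authenticator
```

Only one davmail.authenticator line should be active at a time; the other stays commented out.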
Yes, it does work and I am very grateful for that.
Is it possible to make the interactive MFA window come to the front? My experience is that while Thunderbird repeatedly requests your password, nothing good happens. It wasn't until I pulled up the DavMail logs window that I realized there was this other, completely obscured window asking for MFA.
Great, thanks for your feedback, tried to fix the focus issue in trunk.
I also refactored code to implement token refresh => you should no longer get the MFA prompt every hour, DavMail will try to refresh token transparently.
Nice, pops to the top; unfortunately, it locks up when I use it:
* press checkbox
* press pull-down
* pressing the button to interact with my phone does cause the phone to pop up an approval, but once that is acknowledged DavMail locks up
In all cases I have to Force Quit.
Ok, this is probably the progress bar getting in the way => use it only on initial page load.
Fix available in trunk