Overview
This article describes the recommended way to configure Exchange Web Services (EWS) OAuth support in GFI Archiver. Microsoft 365 (formerly Office 365) has discontinued Basic Authentication for EWS and requires OAuth 2.0 for authentication and authorization.
EWS OAuth support for Microsoft 365 was introduced in GFI Archiver v15.1. The steps in this article assume that you are running GFI Archiver v15.1 or later; upgrade your installation if you are using an earlier version.
Customers have reported the following errors when EWS OAuth and GFI Archiver are misconfigured. Completing the configuration described in this article should resolve them.
Failed during: Testing connection
Details: Could not perform test of connection. Details: The request failed with HTTP status 401: Unauthorized.

"MailServerWizard","ERROR:MSCreate_ERR: Requested finishing of steps (with error). Stopping on step: TestConnection. With error: Could not perform test of connection. Details: Type 'Microsoft.Identity.Client.MsalUiRequiredException' in Assembly 'Microsoft.Identity.Client, Version=4.18.0.0, Culture=neutral, PublicKeyToken=0a729f4ee981c7ae' is not marked as serializable."
The MsalUiRequiredException in the second message means that the Microsoft Authentication Library could not obtain a token without user interaction. For an unattended service such as Archiver, that usually points to an app registration that is missing admin consent for the EWS permission or is not configured as a public client (Steps 2 and 3 below).
Solution
- Step 1: Register GFI Archiver as an OAuth client app
- Step 2: Configure API permissions
- Step 3: Set the OAuth client to public
- Step 4: Configure TLS on Archiver Server
- Step 5: Configure the Journaling Mailbox in Archiver
Step 1: Register GFI Archiver as an OAuth client app
To use OAuth, an application must have an application (client) ID issued by Azure Active Directory. GFI Archiver authenticates as a public client (it holds no client secret), so register it as a public client with Azure Active Directory.
- Open a browser, navigate to the Azure Active Directory admin center and sign in with a work or school account for your Microsoft 365 tenant that is allowed to create app registrations.
- Select Azure Active Directory in the left-hand navigation, then select App registrations under Manage.
- Select New registration. On the Register an application page, set the values as follows.
- Set Name to a friendly name for your app such as GFI Archiver.
- Set Supported account types to the choice that fits your use case. For a journaling mailbox in a single tenant, Accounts in this organizational directory only is the narrowest choice.
- For Redirect URI, change the dropdown to Public client (mobile & desktop) and set the value to urn:ietf:wg:oauth:2.0:oob.
- Choose Register. On the next page, copy the value of the Application (client) ID and save it; you will need it in Step 5 when configuring EWS passwords.
Step 2: Configure API permissions
- Go to Azure Active Directory > App registrations and select the app registration created in Step 1, then open API permissions under Manage.
- Select Add a permission. On the Request API permissions page, select Microsoft Graph (listed under Microsoft APIs).
- Select Delegated permissions, expand EWS, tick EWS.AccessAsUser.All and click Add permissions.
- Back on the API permissions tab, confirm that EWS.AccessAsUser.All is listed under Microsoft Graph and click Grant admin consent for <your tenant> at the top of the list (the button carries your directory name; in a new tenant this is Default Directory). Because this is a delegated permission, a token issued to Archiver can do no more than the signed-in mailbox user can, so use a dedicated account for the journaling mailbox rather than a shared administrative one.
Step 3: Set the OAuth client to public
- Open Manifest under Manage for the application registered in Step 1.
- Ensure that allowPublicClient is set to true in the manifest. If it is set to anything else, change it to true and save. This is the same setting as Allow public client flows on the Authentication page; manifests in the newer Microsoft Graph format expose it as isFallbackPublicClient.
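To confirm that Steps 1 to 3 took effect before touching the Archiver server, the following Microsoft Graph PowerShell check is added here as an example; it is not part of the GFI article or product. It assumes the Microsoft.Graph PowerShell module is installed and that the signed-in administrator can consent to the Application.Read.All and Directory.Read.All scopes. The function name Test-ArchiverOAuthApp and the placeholder GUID at the bottom are the author's own.

```powershell
# Added example, not from the GFI article: verify an app registration against
# Steps 1-3 using the Microsoft Graph PowerShell SDK (read-only scopes).
function Test-ArchiverOAuthApp {
    param([Parameter(Mandatory)][string]$ClientId)  # Application (client) ID from Step 1

    # Application.Read.All covers app registrations and service principals;
    # Directory.Read.All is needed to list OAuth2 permission grants (admin consent).
    Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All' | Out-Null

    $app = Get-MgApplication -Filter "appId eq '$ClientId'"
    if (-not $app) { throw "No app registration found with Application (client) ID $ClientId" }

    $findings = @()

    # Step 3: public client. The Graph object exposes the manifest's
    # allowPublicClient / isFallbackPublicClient setting as IsFallbackPublicClient.
    if ($app.IsFallbackPublicClient -ne $true) {
        $findings += 'Public client flag is not true (allowPublicClient / isFallbackPublicClient)'
    }

    # Step 1: the OOB URI must be registered as a public client (mobile & desktop) redirect URI.
    if ($app.PublicClient.RedirectUris -notcontains 'urn:ietf:wg:oauth:2.0:oob') {
        $findings += 'Redirect URI urn:ietf:wg:oauth:2.0:oob is missing from the public client redirect URIs'
    }

    # Step 2: resolve requested delegated permission IDs to their names through each
    # resource's service principal, so no permission GUIDs are hard-coded here.
    $requested = foreach ($rra in $app.RequiredResourceAccess) {
        $resourceSp = Get-MgServicePrincipal -Filter "appId eq '$($rra.ResourceAppId)'"
        foreach ($access in $rra.ResourceAccess) {
            if ($access.Type -eq 'Scope') {
                ($resourceSp.Oauth2PermissionScopes | Where-Object Id -eq $access.Id).Value
            }
        }
    }
    if ($requested -notcontains 'EWS.AccessAsUser.All') {
        $findings += 'Delegated permission EWS.AccessAsUser.All is not requested'
    }

    # Admin consent is recorded as a tenant-wide (AllPrincipals) OAuth2 permission grant
    # whose clientId is the object ID of the app's own service principal.
    $appSp = Get-MgServicePrincipal -Filter "appId eq '$ClientId'"
    $grants = if ($appSp) { Get-MgOauth2PermissionGrant -Filter "clientId eq '$($appSp.Id)'" } else { @() }
    $consented = ($grants | Where-Object ConsentType -eq 'AllPrincipals').Scope -split ' '
    if ($consented -notcontains 'EWS.AccessAsUser.All') {
        $findings += 'Tenant-wide admin consent for EWS.AccessAsUser.All was not found'
    }

    if ($findings.Count -eq 0) { Write-Output "OK: '$($app.DisplayName)' is configured for EWS OAuth" }
    else { $findings | ForEach-Object { Write-Output "FAIL: $_" } }
    return ($findings.Count -eq 0)
}

# Placeholder Client ID (constructed, not a real registration):
Test-ArchiverOAuthApp -ClientId '11111111-2222-3333-4444-555555555555'
```

Each FAIL line maps to one of Steps 1 to 3; a missing admin-consent grant with the permission still requested is the case that produces the MsalUiRequiredException quoted at the top of this article, because MSAL would need an interactive consent prompt that a service cannot show.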
Step 4: Configure TLS on Archiver Server
On the Archiver server, run the following commands from an elevated PowerShell prompt. They make .NET Framework 4.x applications, including the Archiver services, use the operating system's default TLS versions (TLS 1.2 on supported Windows releases) and strong cipher suites instead of the legacy .NET defaults, which Microsoft 365 no longer accepts. The values are written to both the 64-bit hive and the WOW6432Node (32-bit) hive; .NET processes read them at start-up, so restart the GFI Archiver services afterwards.
# Prefer strong cryptography (64-bit and 32-bit .NET Framework 4.x)
New-ItemProperty -path 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319' -name 'SchUseStrongCrypto' -value '1' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NetFramework\v4.0.30319' -name 'SchUseStrongCrypto' -value '1' -PropertyType 'DWord' -Force | Out-Null
# Defer to the OS (Schannel) default TLS versions instead of the .NET defaults
New-ItemProperty -path 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319' -name 'SystemDefaultTlsVersions' -value '1' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NetFramework\v4.0.30319' -name 'SystemDefaultTlsVersions' -value '1' -PropertyType 'DWord' -Force | Out-Null
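The following PowerShell check is added here as an example and is not part of the GFI article or product. It reads back the four registry values set above and performs an explicit TLS 1.2 handshake against the EWS endpoint, reporting the negotiated protocol and server certificate. The endpoint name outlook.office365.com and the function name Test-ArchiverTlsConfig are assumptions.

```powershell
# Added example, not from the GFI article: verify the Step 4 registry values and
# confirm the server can complete a TLS 1.2 handshake to the EWS endpoint.
function Test-ArchiverTlsConfig {
    param([string]$EwsHost = 'outlook.office365.com')  # assumed EWS endpoint

    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NetFramework\v4.0.30319'
    )
    $names = 'SchUseStrongCrypto', 'SystemDefaultTlsVersions'
    $ok = $true

    # Both hives must carry both DWORDs set to 1; a missing value reads as $null here.
    foreach ($key in $keys) {
        foreach ($name in $names) {
            $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            if ($value -ne 1) {
                Write-Output "FAIL: $key\$name = '$value' (expected 1)"
                $ok = $false
            } else {
                Write-Output "OK:   $key\$name = 1"
            }
        }
    }

    # Explicit TLS 1.2 handshake with certificate revocation checking enabled.
    # This exercises Schannel and the network path; the registry values above are
    # what make .NET Framework 4.x processes choose TLS 1.2 on their own.
    $client = [System.Net.Sockets.TcpClient]::new($EwsHost, 443)
    try {
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($EwsHost, $null, [System.Security.Authentication.SslProtocols]::Tls12, $true)
        Write-Output ("OK:   {0} negotiated {1}; certificate subject: {2}" -f $EwsHost, $ssl.SslProtocol, $ssl.RemoteCertificate.Subject)
        $ssl.Dispose()
    } catch {
        Write-Output "FAIL: TLS 1.2 handshake to $EwsHost failed: $($_.Exception.Message)"
        $ok = $false
    } finally {
        $client.Dispose()
    }
    return $ok
}

Test-ArchiverTlsConfig
```

A failed handshake with the registry values correct points at the network (proxy or firewall inspection, outbound filtering) rather than at .NET; a passing handshake with a FAIL on any registry value means the Archiver services will still negotiate with the legacy .NET defaults until the values are set and the services restarted.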
Step 5: Configure the Journaling Mailbox in Archiver
Follow the steps listed in Configuring a Journaling Mailbox while keeping the following note about passwords in mind.
EWS passwords in GFI Archiver (for DataSources, Import/Export and Folder Sync) must use the following format when authenticating to EWS with OAuth:
[password]_@oAuthCoxn_[ClientID]
where [password] is the mailbox user's password, as before, and [ClientID] is the Application (client) ID copied when registering GFI Archiver as an OAuth client app in Step 1. Enter both values without the brackets "[ ]"; the underscores and the _@oAuthCoxn_ marker between them are part of the string.
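Because a wrong Client ID or brackets left in the password field produce the same 401 shown at the top of this article, the following PowerShell helper is added here as an example; it is not part of the GFI article or product. It assembles the password string in the required format and rejects the two common mistakes before the value is pasted into Archiver. The function name New-ArchiverEwsOAuthPassword and the sample values are constructed.

```powershell
# Added example, not from the GFI article: build the Step 5 EWS password string
# and catch bracketed input or a Client ID that is not a GUID.
function New-ArchiverEwsOAuthPassword {
    param(
        [Parameter(Mandatory)][string]$Password,   # the mailbox user's password
        [Parameter(Mandatory)][string]$ClientId    # Application (client) ID from Step 1
    )

    # The article's placeholders are written as [password] and [ClientID]; the
    # brackets must not be typed into Archiver.
    foreach ($value in $Password, $ClientId) {
        if ($value -match '^\[.*\]$') {
            throw "Enter the value without the surrounding brackets: $value"
        }
    }

    # The Client ID is always a GUID; anything else (tenant name, object ID typo) fails here.
    $guid = [guid]::Empty
    if (-not [guid]::TryParse($ClientId, [ref]$guid)) {
        throw "ClientID must be the Application (client) ID GUID from Step 1, got '$ClientId'"
    }

    # Fixed marker from the article, underscores included; the Client ID is passed
    # through exactly as entered.
    return '{0}_@oAuthCoxn_{1}' -f $Password, $ClientId
}

# Constructed sample values, not real credentials:
New-ArchiverEwsOAuthPassword -Password 'S3cret!' -ClientId '11111111-2222-3333-4444-555555555555'
# Produces: S3cret!_@oAuthCoxn_11111111-2222-3333-4444-555555555555
```

Paste the returned string into the EWS password field of the DataSource, Import/Export or Folder Sync configuration; the password portion is still the mailbox user's real password, so treat the combined string with the same care.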