Re: [Evolution] Failing to connect to Office365 account with MFA



Hi Milan,

On Wed, 1 Sept 2021 at 09:08, Milan Crha via evolution-list
<evolution-list gnome org> wrote:

> On Tue, 2021-08-31 at 18:32 +0200, Vincent Hennebert via evolution-list
> wrote:
> > None of those worked :( Every time the OAuth window shows up, I enter
> > my credentials, confirm the login from my phone’s app, and then get the
> > same error.

> Hi,
> I know those keys work fine, not only for me, thus the problem is
> somewhere else.

> Your second message in this thread contains a snippet of the OAuth2
> debug log, but not enough of it. I'd need to see what had been sent to
> the server, which resulted in the Bad Request response. The base64
> encoded things and the application and other IDs should be replaced,
> as you did before.

Here is the full log:
  (process:140669): libsoup-WARNING **: 17:38:32.604: gssapi step
failed: No credentials were supplied, or the credentials were
unavailable or inaccessible: SPNEGO cannot find mechanisms to
negotiate

  (process:140669): libsoup-WARNING **: 17:38:32.833: gssapi step
failed: No credentials were supplied, or the credentials were
unavailable or inaccessible: SPNEGO cannot find mechanisms to
negotiate
  [OAuth2] 2021-09-01 17:38:37.339 - Loaded URI: '<Org SSO URL>'
  [OAuth2] 2021-09-01 17:38:53.665 - Loaded URI: '<MFA URL>'
  [OAuth2] 2021-09-01 17:38:58.832 - Loaded URI: '<Another MFA URL>'
  [OAuth2] 2021-09-01 17:39:11.090 - Loaded URI: '<Back to different org SSO URL>'
  [OAuth2] 2021-09-01 17:39:11.111 - Loaded URI: 'none-local://'
  > POST /<the_tenant_id>/oauth2/token HTTP/1.1
  > Soup-Debug-Timestamp: 1630510751
  > Soup-Debug: SoupSession 1 (0x561d22db7c40), SoupMessage 1
(0x561d239b0e60), SoupSocket 1 (0x561d2423d3f0)
  > Host: login.microsoftonline.com
  > Content-Type: application/x-www-form-urlencoded
  > Connection: close
  > Accept-Encoding: gzip, deflate
  > Accept-Language: en-gb, en;q=0.9
  >
  > grant_type=authorization_code&code=<the_code>&redirect_uri=https%3A%2F%2Flogin.microsoftonline.com%2Fcommon%2Foauth2%2Fnativeclient&client_id=<the_client_id>

  < HTTP/1.1 400 Bad Request
  < Soup-Debug-Timestamp: 1630510752
  < Soup-Debug: SoupMessage 1 (0x561d239b0e60)
  < Cache-Control: no-store, no-cache
  < Pragma: no-cache
  < Content-Length: 485
  < Content-Type: application/json; charset=utf-8
  < Expires: -1
  < Strict-Transport-Security: max-age=31536000; includeSubDomains
  < X-Content-Type-Options: nosniff
  < P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
  < x-ms-request-id: 2a59b83a-6019-45a9-b190-5bda25ba4300
  < x-ms-ests-server: 2.1.11984.12 - SCUS ProdSlices
  < Set-Cookie: fpc=<cookie>; expires=Fri, 01-Oct-2021 15:39:12 GMT;
path=/; secure; HttpOnly; SameSite=None
  < Set-Cookie: x-ms-gateway-slice=estsfd; path=/; secure; httponly
  < Set-Cookie: stsservicecookie=estsfd; path=/; secure; httponly
  < Date: Wed, 01 Sep 2021 15:39:12 GMT
  < Connection: close
  <
  < {"error":"invalid_grant","error_description":"AADSTS9002313:
Invalid request. Request is malformed or invalid.\r\nTrace ID:
2a59b83a-6019-45a9-b190-5bda25ba4300\r\nCorrelation ID:
c9bef423-5107-4b78-9c31-0c1d445ded9c\r\nTimestamp: 2021-09-01
15:39:12Z","error_codes":[9002313],"timestamp":"2021-09-01
15:39:12Z","trace_id":"2a59b83a-6019-45a9-b190-5bda25ba4300","correlation_id":"c9bef423-5107-4b78-9c31-0c1d445ded9c","error_uri":"https://login.microsoftonline.com/error?code=9002313"}

  [OAuth2] 2021-09-01 17:39:12.436 - Loaded URI: 'none-local://'

I thought the first 2 warnings might have been associated with my
other email accounts, but actually not: I temporarily disabled them.

DavMail shows more intermediate connections, but otherwise seemingly
the same steps.

> What values do you change in the OAuth2 settings of the Office 365
> account? Most of the values should be left empty; it's usually enough
> to change/set the Application ID and leave the rest empty.

I’m only changing the Tenant and Application IDs. I obtain the OAB URL
by clicking the ‘Fetch URL’ button, but I suppose it has nothing to do
with this issue.


> I think I saw a similar error when I changed the Tenant ID to something
> else, when I did not leave it at its default value, which is "common". I
> do not know how that works for your company though, due to the
> multi-factor login.

I’ve just tried again leaving the Tenant ID empty and I get the same error.


> I'd guess the settings you use for DAVMail are not exactly the same
> as for Evolution-EWS. The only other thing might be the resource
> URI. It's currently derived from the Host Name, while it used to be
> "https://outlook.office.com" in the past. I understood from your
> messages that you did not update evolution-ews; it's still the same
> version, and you only changed the password on the server.

Well, I switched from the Flatpak version (3.40.3) to the distro
version (3.40.4) to have better GNOME integration (and also with the
vague hope that the issue might have been caused by some cached data),
but I get the exact same error in both cases. I know that several of
my colleagues are having the same issue.

I found ‘https://outlook.office365.com’ somewhere in the DavMail log,
so I tried to set the Resource URI to that in the Advanced Settings,
but again same issue.


> I cannot think of anything else right now, I'm sorry.

Sure, hopefully the above will give you some hints. Thanks for your
efforts anyway!

Vincent
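Milan's request above (post the OAuth2 debug log with the base64 blobs and the application/tenant IDs replaced) is worth doing carefully before anything goes to a public list: the `code=` value in that POST body is an authorization code, which is a bearer credential until the token endpoint consumes it, and the `fpc` cookie is a session identifier. As an added example that is not part of this thread and not code from Evolution, evolution-ews or libsoup, the script below scrubs a libsoup-style `>`/`<` debug log the way Milan asked, keeps Microsoft's trace and correlation IDs (support needs them and they grant nothing), and pulls the decoded request fields and the AADSTS error out of the JSON body. The sample log is constructed with a fake tenant ID, client ID, code and cookie; the helper names are my own. A redirect_uri mismatch against the authorize request cannot be verified from this log alone, because the authorize URL is not in it, so the check takes an optional expected value instead of guessing.

```python
"""Scrub a libsoup/Evolution OAuth2 debug log before posting it, and pull
the request fields and the AADSTS error details out of it.

Added example for this thread; not code from Evolution, evolution-ews or
libsoup. The log below is constructed: every ID, code and cookie is fake.
"""
import json
import re
from urllib.parse import parse_qs

GUID = r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}"
# Form fields whose values are bearer secrets: an authorization code that
# has not been redeemed yet, or any token, lets the reader use the account.
SECRET_PARAMS = r"code|client_secret|refresh_token|access_token|id_token|assertion"

# Constructed sample modelled on the log in the thread; every ID is fake.
SAMPLE_LOG = """\
> POST /11111111-2222-3333-4444-555555555555/oauth2/token HTTP/1.1
> Host: login.microsoftonline.com
> Content-Type: application/x-www-form-urlencoded
>
> grant_type=authorization_code&code=0.AXYAq9Zs3fakeCODEvalueHere&redirect_uri=https%3A%2F%2Flogin.microsoftonline.com%2Fcommon%2Foauth2%2Fnativeclient&client_id=66666666-7777-8888-9999-000000000000

< HTTP/1.1 400 Bad Request
< Set-Cookie: fpc=AbCdEfGhIjKlMnOpQrStUvWxYz123456; expires=Fri, 01-Oct-2021 15:39:12 GMT; path=/; secure; HttpOnly; SameSite=None
< Set-Cookie: x-ms-gateway-slice=estsfd; path=/; secure; httponly
< x-ms-request-id: 2a59b83a-6019-45a9-b190-5bda25ba4300
<
< {"error":"invalid_grant","error_description":"AADSTS9002313: Invalid request. Request is malformed or invalid.\\r\\nTrace ID: 2a59b83a-6019-45a9-b190-5bda25ba4300\\r\\nCorrelation ID: c9bef423-5107-4b78-9c31-0c1d445ded9c\\r\\nTimestamp: 2021-09-01 15:39:12Z","error_codes":[9002313],"trace_id":"2a59b83a-6019-45a9-b190-5bda25ba4300","correlation_id":"c9bef423-5107-4b78-9c31-0c1d445ded9c","error_uri":"https://login.microsoftonline.com/error?code=9002313"}
"""


def redact_line(line: str) -> str:
    """Apply the redactions to one line of libsoup's '>' / '<' debug output."""
    if line.lstrip().startswith(">"):
        # Request side: the tenant in the POST path and client_id are yours.
        # Response-side GUIDs are Microsoft's trace/correlation IDs; support
        # asks for those and they grant nothing, so they stay.
        line = re.sub(GUID, "<guid>", line)
    # The lookbehind skips error_uri's "?code=9002313", which is a number.
    line = re.sub(r"(?<![\w?/])(" + SECRET_PARAMS + r")=[^&\s\"]+",
                  r"\1=<redacted>", line)
    line = re.sub(r"(Authorization:\s*\S+\s+)\S+", r"\1<redacted>", line,
                  flags=re.I)
    # Set-Cookie: keep the name and attributes, drop the value (fpc etc.).
    line = re.sub(r"^(\s*[<>]?\s*Set-Cookie:\s*[^=;]+=)[^;]*",
                  r"\1<redacted>", line, flags=re.I)
    # Cookie: a request header that replays every stored cookie.
    m = re.match(r"^(\s*[<>]?\s*Cookie:\s*)(.*)$", line, re.I)
    if m:
        line = m.group(1) + re.sub(r"([^=;\s]+)=[^;]*", r"\1=<redacted>",
                                   m.group(2))
    # Anything left that looks like a long base64/base64url blob.
    return re.sub(r"(?<![\w/+=-])[A-Za-z0-9_\-+/]{40,}={0,2}", "<base64>", line)


def redact_log(log: str) -> str:
    return "\n".join(redact_line(l) for l in log.splitlines())


def parse_token_request(log: str) -> dict:
    """Tenant from the POST path plus the decoded form fields of the body."""
    path_m = re.search(r"^\s*>\s*POST\s+(/\S+)", log, re.M)
    body_m = re.search(r"^\s*>\s*(grant_type=[^\n]+)", log, re.M)
    if not path_m or not body_m:
        raise ValueError("no token request found in log")
    form = {k: v[0] for k, v in parse_qs(body_m.group(1)).items()}
    form["tenant"] = path_m.group(1).split("/")[1]
    return form


def check_token_request(form: dict, expected_redirect_uri=None) -> list:
    """Sanity checks a reader can run on the (redacted) request fields."""
    problems = []
    if form.get("grant_type") != "authorization_code":
        problems.append("grant_type is not authorization_code")
    for k in ("code", "redirect_uri", "client_id"):
        if not form.get(k):
            problems.append("missing " + k)
    ru = form.get("redirect_uri", "")
    if not ru.startswith("https://"):
        problems.append("redirect_uri is not an absolute https URL")
    # Only checkable when you still have the authorize URL that was opened.
    if expected_redirect_uri is not None and ru != expected_redirect_uri:
        problems.append("redirect_uri differs from the authorize request")
    return problems


def parse_aadsts_error(log: str) -> dict:
    """Split the JSON error body into the fields worth quoting to support."""
    m = re.search(r"^\s*<\s*(\{.*\})\s*$", log, re.M)
    if not m:
        raise ValueError("no JSON error body found in log")
    data = json.loads(m.group(1))
    desc = data.get("error_description", "")
    code_m = re.match(r"(AADSTS\d+):\s*(.*?)(?:\r?\n|$)", desc)
    return {
        "error": data.get("error"),
        "aadsts": code_m.group(1) if code_m else None,
        "message": code_m.group(2).strip() if code_m else desc,
        "trace_id": data.get("trace_id"),
        "correlation_id": data.get("correlation_id"),
    }


if __name__ == "__main__":
    print(redact_log(SAMPLE_LOG))
    print(check_token_request(parse_token_request(SAMPLE_LOG)))
    print(parse_aadsts_error(SAMPLE_LOG))
```

Run it on your own log with `redact_log(open("oauth2.log").read())` and check the output by eye before posting; the base64 rule is a catch-all for anything the named rules missed, not a guarantee, and it deliberately leaves the `redirect_uri` value visible because that is exactly the field someone debugging the exchange needs to see.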

