Re: [Evolution] Failing to connect to Office365 account with MFA



On Wed, 2021-09-01 at 19:06 +0200, Milan Crha via evolution-list wrote:
> On Wed, 2021-09-01 at 18:46 +0200, Vincent Hennebert via evolution-list
> wrote:
> > I thought the first 2 warnings might have been associated with my
> > other email accounts but actually not, I temporarily disabled them.
>
>         Hi,
>
> if I'm not mistaken then the Single-Sign-On (SSO) page your company
> provides supports also the Kerberos (GSSAPI) login, which could not be
> used here (the error says), even it had been tried. In other words,
> having configured Kerberos on the machine and the tickets granted with
> the `kinit` you may not need to enter the credentials into the SSO
> page. If I'm not wrong. There are surely companies, where the SSO
> works this way.

Hmmm. I installed the krb5-workstation package to see if things would
magically work but I get the same gssapi warning. I had not installed
any kerberos-specific package before, beyond what the distribution
installs by default. Not sure if I need to configure anything else?

Also, when I click ‘Check for Supported Types’ in the account
configuration, Kerberos ends up being stricken out. But IIUC, that
doesn’t mean that I can’t use it for the SSO part?


> > I’ve just tried again leaving the Tenant ID empty and I get the same
> > error.
>
> Does the log confirm the 'common' tenant is used in this case? The
> `evolution --force-shutdown` may make sure the things will work as
> expected in all the processes (though it should not be needed to call).

Yes, in that POST request it uses the tenant ID when I specify it and
‘common’ otherwise. Are you saying that I should try specifying the
tenant ID but override it with ‘common’ in that POST request? How would
I do that?

Although as indicated in my other message, that’s where DavMail seems
to be diverging in the authentication process,
using https://login.microsoftonline.com/login.srf instead.


> You mentioned Flatpak. Things work differently there, especially the
> --force-shutdown. The accounts are defined separately as well, they are
> not shared with the host system. Thus if you change anything in the
> account settings in the Flatpak Evolution, it's not propagated into the
> host system settings and vice versa. As long as you can get the latest
> code in the distribution, I suggest to use that. The Flatpak is good
> for distros where it's not possible, for its price.

That confirms the conclusion I had reached, thanks for that. I removed
the Flatpak version a while ago and all the logs and errors I’m showing
in this email thread come from the distro-provided version.



Vincent


