New sharedmailbox with keysafe > Bad user is auth...

[Martijn]

Setting up a shared mailbox

- Created new user / shared mailbox in ExO
- Removed MFA requiredment for this user.
- Password is long but does not contain special chars 
- Created keysafe for that user.
- Setup new shared mailbox in hornbill using created keysafe. (when testing all green )

- Does not import email but can send email 
- EspMailImporter log > Error Bad user is authenticated but not connected. 

Classic auth seem to work fine, but want to move a way from that for obvious reasons.

Looking at the email importer log, seems to suggest something is wrong. 

 

How to setup a sharedmailbox with Keysafe ? 

 

[James Ainsworth]

Hi @Martijn

I wanted to see if you have had any luck with setting this up yet.  Have you managed to read through this wiki document on configuring OAuth with Outlook?

[Martijn]

HI @James Ainsworth

I followed the wiki there, setup of keysafe is straightforward. 
Setup the shared mailbox in hornbill and testing the connections works, with IMAP.

But still end up with the error mentioned above (and no email in hornbill mail client) 

i can send email from that box to external / interternal email adresses. 

 

 

 

 

 

[Martijn]

That last sentence maybe a bit confusing reading this back. 
I can sent email for internal domain and extranal domains from the hornbill email client. but not receive any (in the hornbill client) 
Looking in outlook webmail i see the new email landing in there.

 

[Martyn Houghton]

@Martijn

In your screenshot the the credential states xxxxxx Shared Mailboxes, so is the account you have used to create the KeySafe entry the owner of the mailbox or are using permissions to give it access the mailbox in question?

I believe there is some additional steps/permissions to the Hornbill Connector account created in Exchange when you create the Keysafe entry if using a single account to access other mailboxes. 

I try to see if I can get some more information from our IT team.

Cheers

Martyn

[Martijn]

@Martyn Houghton

The account used in the keysave was given Full mailbox rights on the shared mailbox.

Shared mailbox = Infosec@domain 
Keysafe user= gensemail (we call this a service account)

I did the login thereafter with the same account gensemail then it prompet for admin consent for the app, im able to do that for my business. 

Cheers.
Martijn

 

 

[Martijn]

@James Ainsworth@Martyn Houghton

Comming back to this after having a chat with support, they point to azure /office being an issue. 
i disagree with that for reasons below.  

- Have no logs from a azure / o365 point of view that there is a account issue. 
- i can connect to shared mailbox user powershell with chillkat (trial)
- i can access mailbox via Postman.
- i can connect to mailbox using EAGetMail with .net (also trial) / other acount details
   both console app / desktop app. 

So did some more digging, turns out its a BUG (imho) 
When you get the first login for the "email" user you want to save in the keysafe, it prompts you thereafter to consent.. this where it goes wrong. 

The process saves the "Consenting" user details instead of the "email user"  (managed to intercept the JWT token during the callback after Azure login) 

Further you cant save credetials when not consenting directly in that flow. which is also broken (imo), why can't i just save credentials without consenting. what if i want to consent in another browser session i have open to azure ? 

The only way for me to get it working is to disable the consent, and allow the "email " user to consent during the creation of the keysafe. 

 

 

[Martyn Houghton]

@Martijn

I will leave @James Ainsworth to respond from a product point of view and detail how we have got this working for us using the current capability.

• Each Shared Mailbox as a KeySafe Microsoft365 Mail connector entry for the mailbox owner, i.e. a one to one relationship logging in as the mailbox user. They are an actual mailbox not a shared mailbox.
• For each email domain, we use one of the above KeySafe credentials to login via SMTP and add the 'SendAs' permission to all the email addresses associated with Shared Mailbox.

 

Cheers

Martyn

[Martijn]

@Martyn Houghton

Once the keysafe was saved i can connect / interact with the mailbox as intended.

For some reason it would not save with consent setting set to Admin Only in azure.

[James Ainsworth]

Hi @Martijn

Thanks. I'll feed back your findings to the development team.  

[Martijn]

Thanks @James Ainsworth

if they need evidence on the subject, i can provide that. 

I do wonder if its only our tenant / hornbill instance which are not playing nice for some reason. 
Did other customers face the same issue i had ?

[Martijn]

Hi @James Ainsworth

Any feedback from the dev team ?