New error "Exchange login exception: Unauthorized" after update of Exchange Server ?

[ldoub]

Hi,

I used DavMail with success for many years but there must have been an update to our corporate Exchange Server because DavMail now cannot login to it. I was using DavMail version 5.4.0-3135 when the error appeared for the first time. I tried an updated 5.5.1-3299 version (that I had downloaded but apparently didn't use) and I had the same error. I also downloaded and tried the last version 6.2.2-3546 with no success. I tried accessing our "Outlook on the Web" URL (that has the form of https://email.corp.company/owa/) with Firefox to see if there was a problem with my user/password pair but it worked, I could access my emails. The same URL in DavMail and the same user/password in Thunderbird yield an "Unauthorized" error...

In the log file I can see the NTLM handshake and it looks like it's just a user/pass problem yielding an invalid challenge response (but again, user/pass are valid):

2024-04-29 14:59:46,951 DEBUG [ImapConnection-64677] davmail.http.DavGatewaySSLSocketFactory  - createSocket email.corp.company 443
2024-04-29 14:59:46,986 DEBUG [ImapConnection-64677] davmail.http.HttpClientAdapter  - Creating NTCredentials for user USERIDXX workstation WKSNAME domain WORK
2024-04-29 14:59:46,986 DEBUG [ImapConnection-64677] davmail.http.HttpClientAdapter  - GET https://email.corp.company/owa/
2024-04-29 14:59:47,001 DEBUG [ImapConnection-64677] davmail.http.JCIFSEngine  - Generate Type1Msg Type1Message[suppliedDomain=WORK,suppliedWorkstation=WKSNAME,flags=0xA008B207]
2024-04-29 14:59:47,016 DEBUG [ImapConnection-64677] davmail.http.JCIFSEngine  - Received Type2Msg Type2Message[target=WORK,challenge=<8 bytes>,context=null,targetInformation=<208 bytes>,flags=0xA2898205]
2024-04-29 14:59:47,016 DEBUG [ImapConnection-64677] davmail.http.JCIFSEngine  - Generate Type3Msg Type3Message[domain=WORK,user=USERIDXX,workstation=WKSNAME,lmResponse=<24 bytes>,ntResponse=<256 bytes>,sessionKey=null,flags=0x00088201]
2024-04-29 14:59:47,035 ERROR [ImapConnection-64677] davmail.exchange.ExchangeSession  - Exchange login exception: Unauthorized

(User ID, Workstation name, Domain and URL have been changed to not give away company info)

Using the DEBUG log level, I was able to capture the NTLM authentication tokens, and with Firefox I also captured the NTLM tokens of a successful Auth and tried a comparison:

• Type1Msg are different. Firefox used blank Domain and Workstation fields whereas DavMail used the correct values WORK and WKSNAME.
• Type2Msg are very similar (so I guess the different Type1 didn't matter that much) except of course for the challenge value and the server timestamp.
• Type3Msg are quite different, and from my point of view, these differences may explain the login failure. I cannot share the tokens here, but I can share their anonymized decoding by ntlmdecoder.py:

DavMail Type3Msg:

Msg Type: 3 (Response)
LM Resp: '????a??z?5?v?Pe???lxqp?' [<anonymized non null hex values>] (24b @64)
NTLM Resp: '<string containing, among other things, values from Type2Msg: server timestamp?, AD domain name, Server Name, DNS domain name, FQDN, Parent DNS domain, timestamp again?>' [<corresponding hex values>] (256b @88)
Target Name: u'WORK' [<corresponding hex values>] (8b @344)
User Name: u'USERIDXX' [<corresponding hex values>] (16b @352)
Host Name: u'WKSNAME' [<corresponding hex values>] (14b @368)
Session Key: '' [] (0b @0)
OS Ver: '????????'
Flags: 0x88201 ["Negotiate Unicode", "Negotiate NTLM", "Negotiate Always Sign", "Negotiate NTLM2 Key"]

Firefox Type3Msg:

Msg Type: 3 (Response)
LM Resp: u'????????????' [000000000000000000000000000000000000000000000000] (24b @118)
NTLM Resp: '<string containing, among other things, values from Type2Msg: server timestamp?, AD domain name, Server Name, DNS domain name, FQDN, Parent DNS domain + unidentified data but containing HTTP/email.corp.company in unicode near the end>' [<corresponding hex values>] (396b @142)
Target Name: '' [] (0b @88)
User Name: u'USERIDXX' [<corresponding hex values>] (16b @88)
Host Name: u'WKSNAME' [<corresponding hex values>] (14b @104)
Session Key: '' [] (0b @538)
OS Ver: '????????'
Flags: 0x-5d777dfb ["Negotiate Unicode", "Request Target", "Negotiate NTLM", "Negotiate Always Sign", "Negotiate NTLM2 Key", "Negotiate Target Info", "unknown", "Negotiate 128", "Negotiate 56"]

The differences that caught my attention are:

• Firefox doesn't set the LM response. Can this weak algorithm be refused by the Exchange Server?
• Firefox gives a larger NTLM response (396b vs 256b) with more information. Maybe my work Exchange Server now requires this additional information?
• Firefox doesn't set Target Name, maybe because I didn't use WORK\USERIDXX as my login but only USERIDXX ?
• Firefox sets more flags, that are maybe related to the additional data it gives in the NTLM token?

What is your opinion on this? Are there other tests I can do to pinpoint more precisely the problem? Is there a way to fix this problem?

Thanks!

[mguessan]

First step is to set default domain in DavMail settings:

# Default windows domain for NTLM and basic authentication
davmail.defaultDomain=

Then we can have a close look at flags

[ldoub]

Ok, I have put: davmail.defaultDomain=WORK into the davmail64.ini file in the program directory. I still have the problem and the flags didn't change (0x88201)... Any other idea ? How can I make DavMail provide the same info as Firefox does when logging in ? Thanks!

[ldoub]

My issue may be the same as this one Maybe the NTLM payload differences were a red herring ?

[ldoub]

@mguessan This was indeed a duplicate of #352 , the latest trunk version with the fix for #352 also fixes my problem. Thanks!