Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Can I avoid storing MS Exchange credentials while still being able to authenticate (against EWS)?

I'm building an application that syncs data between users' Exchange Server accounts (version 2007-2013 supported) and the application.

The application can't use impersonation (at least not in the typical case) as users could be on any number of domains and exchange servers.

I know I'm going to have to ask for their username/email-address and password initially. However, I really don't want to be responsible for storing these credentials if I don't have to (even if they are encrypted, I'd rather not).

I'm not sure what questions to ask, so I'm going with these:

How does Exchange Server authenticate? Do the user's credentials get sent directly to the server as they are, or are the hashed together before being sent across the wire? If they are hashed, how can I get/generate this hash for re-use on successive authentications?

Does Exchange Server send some sort of authentication token that can be re-used later (and forever, until password change or invalidation)?

If you know of a solution to the problem, that the answers to these questions won't address, please do provide it instead.

like image 993
David Murdoch Avatar asked Jan 31 '13 17:01

David Murdoch


People also ask

Does EWS use modern authentication?

Once Modern Authentication is configured in EWS, the AirMedia receiver uses this access method to provide heightened user authentication.

What is basic authentication for EWS?

Basic authentication is no longer supported for EWS to connect to Exchange Online. Use OAuth authentication in all your new or existing EWS applications to connect to Exchange Online. OAuth authentication for EWS is only available in Exchange Online as part of Microsoft 365.

What is EWS in exchange?

Exchange Web Services (EWS) is a cross-platform API that enables applications to access mailbox items such as email messages, meetings, and contacts from Exchange Online, Exchange Online as part of Office 365, or on-premises versions of Exchange starting with Exchange Server 2007.

How do I authenticate an EWS application by OAuth?

To use OAuth with your application you will need to: Register your application with Azure Active Directory. Add code to get an authentication token to get an authentication token from a token server. Add an authentication token to EWS requests that you send.


2 Answers

Active directory federation services is exactly for such tasks. You can read about it there.

like image 92
Kirill Bestemyanov Avatar answered Oct 23 '22 11:10

Kirill Bestemyanov


As mentioned by Kirill, ADFS 2.0 is one of the best solution for your task. You can also look into other SSO implementations as well. Though the main goal of SSO implementation is to maintain single Login state for multiple application (thereby reducing multiple Login prompt for each application), some of your application goals seems relevant. Please do a thorough research on all the tradeoffs before heading to the sso implementation since there is a small degree of complexity involved during implementation. SSO suits best if you are considering integration of multiple application in the future with the exchange server.

To answer some of your questions (in the same order - considering an SSO scenario with ADFS 2.0):

  1. The authentication to exchange server will be done via ADFS 2.0 (Which provides security tokens (STS service) - to your application after authenticating with AD/ main Directory service). All the communication is encrypted and token signing certificates are used for Integrity and confidentiality.
  2. The lifetime of Security tokens sent by ADFS 2.0 can be configured and reused as required. Please see this blog post for more details.

Also you can configure the ADFS 2.0 (Federation Service) to send only the relevant claim values (like username and email address) to the application, thereby improving the data security.

like image 43
Karthik Avatar answered Oct 23 '22 11:10

Karthik