 

Use DefaultNetworkCredential under TLS encryption?

Tags: c#, .net, email, smtp

Our company is switching the SMTP mail server to Office 365. The key issue is the new SMTP server "smtp.office365.com" only supports TLS encryption. Thus I cannot use CredentialCache.DefaultNetworkCredentials to encode my Windows log-in password automatically.

        var smtpClient = new SmtpClient("smtp.oldserver.com")
        {
            Credentials = CredentialCache.DefaultNetworkCredentials
        };

        const string from = "[email protected]";
        const string recipients = "[email protected]";
        smtpClient.Send(from, recipients, "Test Subject", "Test Body");

Previously this worked without any issue. But if I now change the above snippet to:

        var smtpClient = new SmtpClient("smtp.office365.com");
        smtpClient.EnableSsl = true;
        smtpClient.Port = 587;
        smtpClient.Credentials = CredentialCache.DefaultNetworkCredentials;

I'm now getting:

Unhandled Exception: System.Net.Mail.SmtpException: The SMTP server requires a secure connection or the client was not authenticated. The server response was: 5.7.57 SMTP; Client was not authenticated to send anonymous mail during MAIL FROM

But if I specify my Windows login username and password in the code it works fine:

        smtpClient.Credentials = new NetworkCredential("[email protected]", "mypassword");

So:

  1. Is it possible to encode the password using DefaultNetworkCredentials but make it workable under TLS encryption?
  2. If 1. is not possible, is there a better way to encode my Windows password somewhere else without directly revealing it as plaintext in the code?

asked Dec 01 '15 19:12 by derekhh


2 Answers

The two topics - credentials and encryption - are unrelated. DefaultNetworkCredentials only works when the mail server and your computer belong to the same "network" or to be more accurate, the same or connected Active Directory server. I'm guessing that the old SMTP server was on premise and was part of your office network. The O365 server is in the cloud and doesn't share the AD.

When you provide your credentials explicitly, it works because O365 is able to authenticate you.

There is a possibility to use Azure Active Directory and somehow connect it to your on premise Active Directory. I'm not familiar with the details but I know it can be done. I believe that if you set this up correctly, DefaultNetworkCredentials will start working again.

Details about O365 authentication: https://blogs.office.com/2014/05/13/choosing-a-sign-in-model-for-office-365/

If you need to store the password, you need to store it encrypted. See this answer: Best way to store encryption keys in .NET C#

answered Oct 20 '22 08:10 by Alon Catz
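
One way to follow the advice in the answer above and keep the password out of the source, as an added example that is not part of the original answers: the password is encrypted with Windows DPAPI (`ProtectedData`) so only the same Windows account can decrypt it. The file path, entropy string, class and method names and the example.com address are assumptions; on .NET Framework this needs a reference to System.Security, and on .NET Core and later the System.Security.Cryptography.ProtectedData package (Windows only).

```csharp
using System;
using System.IO;
using System.Net;
using System.Net.Mail;
using System.Security.Cryptography;
using System.Text;

static class Mailer
{
    // Assumed per-user location for the protected blob (hypothetical path).
    static readonly string BlobPath = Path.Combine(Environment.GetFolderPath(
        Environment.SpecialFolder.LocalApplicationData), "MyMailer", "smtp-password.bin");
    // Optional entropy binds the blob to this app; it is not itself a secret.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("MyMailer.smtp.v1");

    // Run once, interactively, under the Windows account that will send the mail.
    static void SavePassword(string password)
    {
        byte[] plain = Encoding.UTF8.GetBytes(password);
        byte[] blob = ProtectedData.Protect(plain, Entropy, DataProtectionScope.CurrentUser);
        Array.Clear(plain, 0, plain.Length);
        Directory.CreateDirectory(Path.GetDirectoryName(BlobPath));
        File.WriteAllBytes(BlobPath, blob);
    }

    // Unprotect throws CryptographicException for another user or machine, or a tampered blob.
    static NetworkCredential LoadCredential(string userName)
    {
        byte[] plain = ProtectedData.Unprotect(
            File.ReadAllBytes(BlobPath), Entropy, DataProtectionScope.CurrentUser);
        try { return new NetworkCredential(userName, Encoding.UTF8.GetString(plain)); }
        finally { Array.Clear(plain, 0, plain.Length); }
    }

    static void Main(string[] args)
    {
        const string mailbox = "user@example.com"; // constructed placeholder address
        if (args.Length == 1 && args[0] == "save")
        {
            Console.Write("SMTP password: ");
            SavePassword(Console.ReadLine() ?? ""); // input is echoed; mask it in a real tool
            return;
        }
        using (var smtp = new SmtpClient("smtp.office365.com", 587) { EnableSsl = true })
        {
            smtp.Credentials = LoadCredential(mailbox);
            smtp.Send(mailbox, mailbox, "Test Subject", "Test Body");
        }
    }
}
```

Run it once with the `save` argument under the account that will send mail; later runs decrypt the blob and authenticate to smtp.office365.com on port 587 as in the question.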


In my situation I encrypt the section of the web.config that I store these credentials in. I have similarly stored an encrypted version of the credentials in my DB and had a routine to decrypt them in the application.

answered Oct 20 '22 08:10 by Falanor