AquaMail Forum
Topic started by: tbessie on March 13, 2018, 04:42:30 am
-
I'm trying to set up a connection with my work email account; we use Outlook 365.
When I give my email address and password, I get the above message ("The login (OAUTH2) server returned something strange...").
What does this mean? How can I find out what this "strange" something is, and how I can fix it?
- Tim
-
The account is at Office 365?
Most likely a bug on our side.
We could investigate if you captured the issue in the app's debug log.
Please see the link below in my signature, then look under "Creating a log if something doesn’t work right". You will need to enable "raw session data".
With the log enabled like this please try to add the account again repeating all the steps up to and including the error message.
Then send the log to support / at / aqua-mail / dot com.
Thanks.
-
Hello,
I decided to join this topic, as I have the same problem with my company's Office365 account and MFA.
Kostya, in a minute I will send you the log from AquaMail made this evening when I was trying to set up this account. Hope this will help, and soon I will be able to use Aqua Mail again ;)
Thank you for your great job and best regards,
ArekG
-
I just sent in the debug log.
It appears this is due to my company requiring I be using a managed device:
{"error":"interaction_required","error_description":"AADSTS53000: Your device is required to be managed to access this resource.\r\nTrace ID: a163a5d4-4049-47a9-87dc-c7ff017d4e00\r\nCorrelation ID: e63e108b-3335-4ef0-9e5d-9fce531ece91\r\nTimestamp: 2018-03-13 22:36:25Z","error_codes":[53000],"timestamp":"2018-03-13 22:36:25Z","trace_id":"a163a5d4-4049-47a9-87dc-c7ff017d4e00","correlation_id":"e63e108b-3335-4ef0-9e5d-9fce531ece91","suberror":"additional_action"}
- Tim
-
I saw that entry in the log as well. My device seems to be managed by the company (now I use Outlook for emails), but afaik my company didn't implement the 'app password' policy, so maybe this is the reason why AquaMail is unable to connect to my account.
Best regards,
Arek
-
We'll make sure that this error (or any other "OAUTH2 approval" error) is shown in the error window.
As for what this actually means - sorry no idea. As far as I know, EWS doesn't have the concept of server managed "device security" ("app password" etc.) policies.
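
An added example, not part of the post above and not Aqua Mail's code: one way a mail client could turn a failed OAuth2 token response like the one quoted earlier in the thread into a message for its error window. The function names, the `TokenError` type and the sample body (with a placeholder correlation ID) are assumptions made for illustration.

```python
import json
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the response quoted in the thread;
# the trace and correlation IDs are placeholders.
SAMPLE_BODY = json.dumps({
    "error": "interaction_required",
    "error_description": ("AADSTS53000: Your device is required to be managed "
                          "to access this resource.\r\nTrace ID: <placeholder>"),
    "error_codes": [53000],
    "correlation_id": "00000000-0000-0000-0000-000000000000",
    "suberror": "additional_action",
})

AADSTS_RE = re.compile(r"AADSTS(\d+)")
# OpenID Connect error codes meaning the user must act in a browser.
INTERACTIVE = {"interaction_required", "login_required", "consent_required"}

@dataclass
class TokenError:
    error: str
    summary: str
    aadsts_codes: List[int]
    correlation_id: Optional[str]
    needs_interaction: bool

def parse_token_error(status: int, body: str) -> Optional[TokenError]:
    """Return None for a 2xx response, otherwise a displayable TokenError."""
    if 200 <= status < 300:
        return None
    try:
        doc = json.loads(body)
    except ValueError:
        doc = None
    if not isinstance(doc, dict) or "error" not in doc:
        # Not an OAuth2 error document (proxy page, truncated body, ...).
        return TokenError("unparseable_response", f"HTTP {status}: {body[:80]}", [], None, False)
    error = str(doc["error"])
    desc = str(doc.get("error_description") or "")
    # The first line is the readable message; later lines are trace metadata.
    summary = desc.strip().splitlines()[0] if desc.strip() else error
    raw = doc.get("error_codes")
    codes = [c for c in raw if isinstance(c, int)] if isinstance(raw, list) else []
    if not codes:  # fall back to codes embedded in the description text
        codes = [int(n) for n in AADSTS_RE.findall(desc)]
    return TokenError(error, summary, codes, doc.get("correlation_id"), error in INTERACTIVE)

def user_message(err: TokenError) -> str:
    """Text for the error window, instead of a generic 'something strange'."""
    hint = " Additional sign-in steps are required." if err.needs_interaction else ""
    ref = f" (correlation ID {err.correlation_id})" if err.correlation_id else ""
    return f"Login server refused the request: {err.summary}{hint}{ref}"
```
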
-
Hi! Any updates in this issue?
I have the same problem and my device is fully managed by my company and enrolled in Intune using Company Portal. I can use the built-in mail app in my device and I have full access to all other company resources.
I really would prefer to use AquaMail. Is it possible to investigate further? The MFA works fine during the account set up but then you get an additional dialog box informing me that "Aqua Mail will need to access my mailbox and login as me and read my profile" and when you click "Accept", that is when you get the error message in AquaMail.
I'll be happy to send you my Aqua Mail log and screenshots.
-Torbjorn
-
Yes please send a log with "raw session data" enabled (and the "something strange" error) to support / at / aqua-mail / dot com - then I'll be able to investigate.
-
I have the same issue and sent you the log file. Hope it helps. If you need additional information just let me know.
/GS
-
Hi!
The log file is in your mailbox. :)
Thanks!
-
I am getting exactly the same issue. Any progress to resolve it?
-
lijunle - is your server also InTune managed?
No we don't have a solution or fix yet.
Still investigating and considering our options.
InTune requires additional cooperation from our side.
Microsoft has a library that is supposed to make this easy for us - but I wrote a test app using that library, and it's not able to log in either.
-
@lijunle
I made a couple of small changes which might help (I hope).
Could you please try this build?
https://www.aqua-mail.com/download/AquaMail-market-1.15.0-912-fix_o365_login-028fd510c496.apk
You can update the app in-place (uninstall / reinstall is not needed).
-
@Kostya Thank you for the help! Yes, my company needs inline policy. I am sorry to tell you that the fix apk does not work.
In the fix, after passing the MFA step, it prompts in a web view that the current app is not registered and there is a REGISTER button below it. After clicking the REGISTER button, it jumps to the "open in intune app" page. However, the process stops here. Opening the online app manually, I don't see the register request.
Here are the steps when I add my account to Gmail (which is working with intune). After passing the MFA, it jumps to a screen to add Gmail as this Android's administrator (not a web view), then it finishes the settings and goes to the email list. However, the first sync will fail and only one email will be downloaded - the email prompting to register the app into intune. There is a link in that email; clicking on it will also jump to the "open in intune app" page. Clicking on the link WILL jump to the intune app. Intune will show a warning that Gmail has not finished registering. Click fix and wait a while, and intune shows done. Now, syncing again in Gmail will sync the full list.
-
I'm getting the same issue. Has there been any headway in resolution ? Currently I'm having to switch to Edison mail as that works without issue. But I prefer Aquamail..
Sent from my MI 5 using Tapatalk
-
In the fix, after passing the MFA step, it prompts in a web view that the current app is not registered and there is a REGISTER button below it.
OK, thanks - so there is a change in the "fix" version, it now has the "complete the process in InTune" button which it didn't have before. Right?
We've just become aware of InTune a few days ago - basically we'll have to handle this button and redirect you into InTune app and then it will complete the process and redirect back to our setup window.
This isn't something I can just do from the docs - and have asked for a test environment (an Office 365 domain with InTune enabled). Will take some time, sorry.
@screwfox67
Also InTune?
Can you try the custom build above and let us know if you got same exact behavior - a button to "continue in InTune" which does nothing?
-
Hi,
My phone is not managed by intune. Tried your custom build and switched to MFA. Works like a charm. Thanks.
/GS
-
I get this message now: looks looks like you're trying to open this resource with an app that hasn't been approved by your IT department. Ask them for a list of approved applications.
The following information might be useful to your administrator:
Access rules set by DXC Production restrict which applications can be used to open this resource
App name: Aqua Mail
App ID: 906be9aa-2843-47e6-a01d-ab9361ca7009
IP address: 86.13.20.234
Device identifier: not available
Device platform: Android
Device state: Unregistered
Signed in as jfox25@csc.com
Correlation ID: 80028645-7d97-48ba-987e-15bca85bcb38
Timestamp: 2018-04-21 15:39:52Z
Sent from my MI 5 using Tapatalk
-
I get to MFA and then receive the above. So I'm wondering if my employer (DXC) have changed something and are restricting web access. (But it works for Edison mail!).
Sent from my MI 5 using Tapatalk
-
@screwfox67
Re: wondering if my employer (DXC) have changed something and are restricting web access
Well it's not "web access", but this from the error message looks ominous:
Access rules set by DXC Production restrict which applications can be used to open this resource
App name: Aqua Mail
Would it be possible to ask your company's IT Department if they've in fact deliberately blocked Aqua Mail?
Maybe they have a black list (which includes Aqua Mail) or a white list (which does not)?
-
Hi, @Kostya Vasilyev
May I ask for any update on this issue? I really want to have AquaMail instead of another mail app.
-
Re: May I ask for any update on this issue? I really want to have AquaMail instead of another mail app.
I'm thinking that your case may be different (i.e. not related to InTune) - and that your IT department may have deliberately blocked Aqua Mail specifically. Guess you never asked them about it?
-
@Kostya Vasilyev, Aqua Mail
I think you are replying to a wrong person. I don't think my company is blocking any specific app.
Today, I checked the WPS email app. It does not prompt for the app encryption/registration. Instead, it directly goes to the login success page and starts receiving the email. The first email is about intune registration. Clicking on it redirects to the intune app to complete registration. After registering, go back to the email app, refresh and it starts to download the real mails.
Till now, the email is not the administrator of the phone. It seems like the administrator part that I mentioned before is not really enforced.
-
I know that the login procedure when using InTune is different.
I know that InTune takes care of "remote erase" etc. so it's not necessary for each email app to provide that.
We do not support "login through InTune" at this time, no changes yet.
I have asked our Project Manager to provide me with a test environment (purchase an Office 365 subscription, register a couple of accounts, enable InTune requirement) --
-- and *then* I'll be able to work on this. So far it hasn't happened.