EWS Setup with double Authentication Layer

[berdesz]

Dear Aquamail

I'm having a problem with your app atm. When I'm in the office and connected to corporate wifi, it works beaatifully. When outside in the office I'm required to put in my special account, which lets me login to the actual server.

Is there a way to do this or could you please implement this feature ?

Now I'm getting the HTTP1./4.0.1 Authentication error because of it.

Regards

A FAN

[Kostya Vasilyev]

Sorry, I don't know what "double Authentication Layer" is, can you provide the technical details?

Oh, and if your IT people are soooo seeeerious about "security", do they not mind your using a "non-certified" (whatever it means) mail app?

[berdesz]

Double Authentication Layer means that you are prompted with a Login and Password before getting to the actual site. Its like a two step verification. And regarding the IT ppl, they don't mind, normally the process is you have to go VIA browser, login there with this 2 step verification method, then you can read your emails in the browser.

Or you can get an Iphone and you will get a specific software which gives you access directly to the server. (I'm not really an Apple FAN)

[Kostya Vasilyev]

What I'm saying is -- I understand what it looks like to a user, but I have no idea about the technical bits.

Is it a third party "Corporate Security Shield" from Symantec, McAfee, etc. which works as an add-on to Exchange?

Something built into Exchange?

To the point: how is a mail app supposed to interact with it?

[berdesz]

Its before I loging into the OWA.

I think easier to write down the process.

So I'm typing in the Outlook Web Access address into my browser.
Before I can access the site, a seperate authentication layer comes up, to type in a username and password.
When I typed that in, and the authentication is successful, then I will get into the OWA site, where I can put in my actual corporate login and password.

(I've attached a screenshot what kind of pop I get before I can login into the OWA site)

[Kostya Vasilyev]

Looks like regular (not special in any way) authentication to me.

And I can't develop anything from screenshots, sorry.

If you can find and provide the technical details, I would be able to take a look.

But a screenshot is not much use, sorry.

[berdesz]

Sorry, I didn't wanted to "promote" any other programs on this site, but for example OWA for Android has this functionality. There it is called : Owa server protected by an extra layer of HTTP Authentication.

[Kostya Vasilyev]

Knowing that "app A" or "app B" or "app Z" supports this feature does nothing to help me understand the underlying technology, which I'd need to implement in Aqua.

And, sorry, I just don't understand what "extra layer of HTTP authentication" means.

EWS (Exchange Web Services) is HTTP based already, and it uses authentication already (or else you'd not be getting *you* mailbox).

https://msdn.microsoft.com/en-us/library/office/dn626019(v=exchg.150).aspx

has three types of authentication: OAUTH, NTLM, and Basic.

AquaMail supports NTLM and Basic, but not OAUTH.

Does your corporate system require OAUTH?

Or maybe it requires the use of client certificates? This is another "security hardening" method, and is entirely different and unrelated to OAUTH.

[berdesz]

Judging by reading your link this should be Oauth. And it uses GeoTrust Global CA certificate.

[Kostya Vasilyev]

The link describes all the available options.

So which one?

OAUTH has nothing to do with certificates. If it's OAUTH, that's one thing.

If it's "client side certificates", that's a different thing.

And one more thing -- can you or your IT people provide a test account for me? The only thing I have access to is Office 365.