Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Lars_de_Mooy
Participant

Capsule Workspace Oauth

Hi all,

We used Capsule Workspace for business mail for many years, the best advantage is that you only have to allow a connection from the public IP to exchange online and you can block all the rest. Capsule is making a connection to the remote access gateway and the remote access gateway makes a session to ExO.

Now last week Microsoft finaly depricated basic auth in ExO that Capsule needs to connect.

The only way to make the connection again is to upgrade to R81.20 that had the Oauth for Capsule Workspace option.

We upgraded our environment and configured the enterprise app in Azure and made all the configs on the mobile asscess GW on the checkpioint side. The problem is that the authentication to the Mobile access GW is all fine but the authentication to Azure Oauth ends up with a 401 error. I spended last week to troubleshoot and created all the relevant logging.

Is there anyone that have this setup working that may faced the same issues and was able to fix them ?

I am at the end of my knowlage and need this to work asap.

Hope someone has some good tips to get us in the right track.

Best rgrds Lrs

0 Kudos
39 Replies
PhoneBoy
Admin
Admin

I presume you’ve opened a TAC case in parallel?
In any case, sharing whatever debug you’ve collected might be helpful.

0 Kudos
Lars_de_Mooy
Participant

Hi PhoneBoy,

Yes i have a TAC case

Right after i login i get a new prompt "Enter your Mail credentials" if i fill in this credentials i see this logging 

 

How to debug Mobile Access Web Applications (checkpoint.com)

tail -f $CVPNDIR/log/httpd.log

[4606][22 Jan 10:58:28][SERIALIZE] [CVPN_INFO] getDecoder: Using fwobj-based RPC decoder
[4606][22 Jan 10:58:28][SERIALIZATION] [CVPN_INFO] CvpnIS::FwobjDeserializer::createObject: deserializing object of class: PortalCustomizationResponse
[4606][22 Jan 10:58:28][SERIALIZATION] IDeserializable::createObject: found CreateFunc (0xf1c5c110) for className: PortalCustomizationResponse
[4606][22 Jan 10:58:28][APACHE] [CVPN_INFO] Mod_input_filter: Handling HTTP (not SOCKS) traffic
[Sun Jan 22 10:58:28.454160 2023] [wi:debug] [pid 4606] WIConnection.cpp(220): parsing: (body printout skipped)
[4606][22 Jan 10:58:28][WEBINT] [CVPN_INFO] Cvpn::WIConnection::getRequestNumber: WIConnection::getRequestNumber m_requestNumber=1
[4606][22 Jan 10:58:28][WEBINT] [CVPN_INFO] Cvpn::WIConnection::isCriticalError: WIConnection::IsCriticalError isCriticalError=false
[4606][22 Jan 10:58:28][WEBINT] [CVPN_INFO] Cvpn::WIInputFilter::shouldHandleInFilter: handleInFilter = true
[4606][22 Jan 10:58:28][WEBINT] [CVPN_INFO] Cvpn::WIInputFilter::checkParseResult: handleInFilter
[4606][22 Jan 10:58:28][WEBINT] [CVPN_INFO] Cvpn::WIConnection::getRequestNumber: WIConnection::getRequestNumber m_requestNumber=1
[4606][22 Jan 10:58:28][WEBINT] [CVPN_INFO] Cvpn::WIConnection::isCriticalError: WIConnection::IsCriticalError isCriticalError=false
[4606][22 Jan 10:58:28][WEBINT] [CVPN_INFO] Cvpn::WIInputFilter::checkParseResult: no errors or no relevant errors
[Sun Jan 22 10:58:28.455897 2023] [deflate:debug] [pid 4606] mod_deflate.c(873): [client x.x.x.x:52824] AH01384: Zlib: Compressed 171 to 156 : URL /Errors/ErrorDocument, referer: https://capsule.xxxxxxx/sslvpn/MobileApp/
[4606][22 Jan 10:58:28][APACHE] [CVPN_INFO] Mod_input_filter: Handling HTTP (not SOCKS) traffic
[4606][22 Jan 10:58:28][APACHE] [CVPN_INFO] Cvpn::ApacheRequest::~ApacheRequest: (/Errors/ErrorDocument)
[4606][22 Jan 10:58:28][BusinessMail] [CVPN_INFO] Cvpn::BusinessMailHandler::~BusinessMailHandler: Dtor
[4606][22 Jan 10:58:28][CURL_BASED] [CVPN_INFO] Cvpn::CurlBasedHandler::~CurlBasedHandler: Dtor
[Sun Jan 22 10:58:28.456891 2023] [:debug] [pid 4606] trace_logger_filters.c(321): [client x.x.x.x:52824] in clean request , referer: https://capsule.xxxxxxx/sslvpn/MobileApp/
[4606][22 Jan 10:58:28][WEBINT] [CVPN_INFO] Cvpn::WICreateRequestHook::doExecute: WICreateRequestHook::execute setting current request and body flag
[4606][22 Jan 10:58:28][WEBINT] [CVPN_INFO] Cvpn::WIConnection::setIsBody: WIConnection::setIsBody m_isBody=false
[4606][22 Jan 10:58:28][WEBINT] [CVPN_INFO] Cvpn::WIConnection::incrementRequestNumber: WIConnection::incrementRequestNumber incremented m_requestNumber=2
[Sun Jan 22 10:58:28.457456 2023] [:debug] [pid 4606] trace_logger_filters.c(207): [client x.x.x.x:52824] creating request_buffer_handle<<<<<
[4606][22 Jan 10:58:28][APACHE] [CVPN_INFO] Mod_input_filter: Handling HTTP (not SOCKS) traffic
[4606][22 Jan 10:58:30][WEBINT] [CVPN_INFO] Cvpn::WIInputFilter::parseLoop: ap_get_brigade failed - return false
[Sun Jan 22 10:58:30.459714 2023] [:debug] [pid 4606] trace_logger_filters.c(244): [client x.x.x.x:52824] get brigade failed
[Sun Jan 22 10:58:30.459724 2023] [:debug] [pid 4606] trace_logger_filters.c(321): [client x.x.x.x:52824] in clean request

0 Kudos
PhoneBoy
Admin
Admin

That appears to be the logs from the front end web server.
I suspect you’ll need to look at a different log file which will contain the actual backend authentication that is occurring with O365.

0 Kudos
Spectrumtech_MS
Explorer

Hello

Has Checkpoint released a new guide on how to onboard capsule workspace as an Azure enterprise app ?

Capsule tries to authenticate using basic auth and given its deprecated status, users can no longer log in. 

0 Kudos
Lars_de_Mooy
Participant

Hi spectumtech

This is the guide that you need please share your findings and report back.

If its not working use EWSEDITOR from github to test the azure part.

On my config the EWSeditor is connecting fine on the azure app, the gateways are not.

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_MobileAccess_AdminGuide/Cont...

0 Kudos
Lars_de_Mooy
Participant

Hi spectumtech did you manage to get this working i just spend 2 hours with TAC and no solution yet...

I hope you to hear back and hear how your capsult oauth is doing ?

Regards Lars

 

0 Kudos
Lars_de_Mooy
Participant

Hi PhoneBoy,

Spend hours and days and hours fixing this the azure app is fine i can connect with EWSeditor using the exact same input as i have on the gateways. I have sent all related logs to checkpoint and i keep waiting on a solution.

0 Kudos
PhoneBoy
Admin
Admin

I can see that you have an active case with TAC and they are working with you to get the necessary information to troubleshoot.

0 Kudos
Lars_de_Mooy
Participant

Yes thats what ik wrote before and TAC is doing all they can to help me solve this, like they always do.

After working on this for a while i am very curious to know if someone else was able to connect Capsule with Oauth.

Tnxs for the reply and keep you posted.

 

0 Kudos
Spectrumtech_MS
Explorer

PhoneBoy

indeed, we have an open case with TAC

No real help at this stage and very slack in responding .

It is most likely due to the deprecation of basic auth in m365. We are able to successfully connect and authenticate to the mobile portal and SNX which used the local AD but when capsule is trying to authenticate to Azure AD (ie m365 - exchange online) authentication fails 

we simply need a solid (and working) guide on how to correctly configure the enterprise app in Azure to get capsule workspace to authenticate correctly using modern auth.

not sure why this is taking so long. I am safe to assume that there are quite a few frustrated capsule users out there that can’t use this po until it is resolved ..

0 Kudos
Spectrumtech_MS
Explorer

The following confirms the above:

https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/authentication-and...

 

There is NO guide (tested and validated !) from Checkpoint on how to configure capsule workspace to authenticate as an Azure enterprise app using OAth2.0. Checkpoint  - why not ??? 

0 Kudos
Lars_de_Mooy
Participant

Hi Spectrumtech_MS,

Microsoft deprecated basic auth after a long time of communicating and warning and end 2022 and switched off basic in the tenants one at the time.

This is the moment we started to get the 401 unauthenticated error on EWS in smartvier tracker. 

Capsule workspace stopped working because of this.
There was a possibility to turn back on basic on EWS in office 365 to give you some more time and after we did that it started to work again. So it was not a surprise for us that this was about to happen beginning 2023 and we needed a solution for this.

We created a checkpoint case and the only way to get the possibility to use Oauth on mobile access connecting to ews was to upgrade to R81.20 we did. The mobile access guide i posted here gives you the basics on what you need to configure in Azure to make this work. Dont take me wrong but the configuration of the enterprise app in azure ad is no complex configuration and the R81.20 mobile access admin guide i posted here gives all the relevant information to create it and it can be tested easaly with the EWSeditor tool from github. 

The fact that the R81.20 release, in which the possibility to use oauth with caspule, was released after Microsoft switched off  basic auth is strange.  Checkpoint is investigating my config and i believe this will be solved soon. 

 

0 Kudos
Spectrumtech_MS
Explorer

Hi there,

We have upgraded to R81.20 and the issue persists.

Capsule workspace is NOT using modern auth but rather reverts to basic which, in turn, is rejected by m365.

Regarding the configuration of Azure Enterprise App - Are you able to post the detailed configuration steps to allow the use of OATH2.0 for capsule workspace authentication to Exchange Online as the guide is somewhat vague.

Thanks in advance

0 Kudos
Spectrumtech_MS
Explorer

see attached log extract from the gateway 

0 Kudos
Lars_de_Mooy
Participant

hi please read carefully

-login azure AD
-click azure active directory
-click app registrations (not enterprise applications)
-click new registration leave all default and give name
-click Client credentials Add a certificate or secret
-new client secret + give name
-copy value to txt
-click api permissions chose APIs my organization uses search offcie 365 exchange online
-click delegated poermissions seacrh ews open ews chose EWS.AccessAsUser.All click ok
-chose Office 365 Exchange Online (1) again click application permissions chose full_access_as_app

dont forget to add the redirect url for iOS / Android)

0 Kudos
Spectrumtech_MS
Explorer

Thank you Lars.

All configured but unfortunately Capsule still fails to authenticate with a 401 error in the log

We have an open, escalated ticket with Checkpoint ( which failed to provide any meaningful input to date) so will continue to follow up and update if/when a resolution is found 

0 Kudos
Lars_de_Mooy
Participant

Hi please try this;

- Open your Mobile Mail application in smart dashboard

-go to exchange access

-tick use specific domain

-fill in yourdomain.onmicrosoft.com and save -> policy install

In the basic auth configuration this field had you public domain name that is after the @

In Oauth this needs to be your onmicrosoft domain

 

1.PNG

0 Kudos
Spectrumtech_MS
Explorer

Thanks Lars.

I think that did the trick  (changing the domain to the *.microsoftonline.com)

Is this a prerequisite for OATH2 authentication to AAD/M365 ?

0 Kudos
Lars_de_Mooy
Participant

This may be necessary for the GW to find the tenant, the authentication itself uses the primary smtp address.

You can see this address in the top of your screen in the settings on the capsult client.

Is all working in your environment now ?

0 Kudos
Spectrumtech_MS
Explorer

Strange as the tenant has always been identified with the public DNS domain and not the microsoft one.

Further, the domain showing on the settings of the client is the public DNS one..

All is now seem to work as it should. Thank you VERY much for your support and assistance. 

I'll document the steps followed (and your advice) and publish here for future reference .

Again, your assistance is appreciated !

0 Kudos
Lars_de_Mooy
Participant

Oke now your config works, its time for checkpoint to help me fix mine ..... 😞

0 Kudos
dt18685
Explorer
Explorer

Hello,

we noticed the same issue couple of weeks ago. Today we managed to establish modern authentication via Capsule Workspace on a test environment running R81.20 (it was upgraded from R81.10). I am not comfortable with upgrading production environment to a version that is not "widely recommended" just yet.

I have followed the steps in provided documentation. Be careful on the following 2 settings:
- "use specific domain" setting must be in form "yourdomain.onmicrosoft.com" as already stated in this thread
- Office365ClientSecret must be entered in obfuscated form by using "obfuscate_password" command

But in my case it started to work after when I removed the Capsule Workspace Site ID from my phone and recreate a new one with identical parameters. Only sign-out/sign-in was not enough.

After entering initial credentials to login into Capsule Workspace, I immediately received a form to connect to "Exchange Online":

91251880-9A9D-418A-B24E-1A0FF24FAB08.jpeg

After clicking "Sign in with Microsoft" button, it redirects me to O365 web portal to enter credentials. After that the login is successful and I can normally receive and send emails. Works perfectly on both IOS and Android.

Another thing I noticed is that in Log Server I do not see any logged attempt of this access (not even Accept) - that is because Workspace app is communicating directly with O365, not via gateway. 

Hope that helps. If it does not work in your production environment, try setting up the test environment - there you have a bit more flexibility on changing settings.

0 Kudos
Lars_de_Mooy
Participant

Hi thnks for the post.

The strange this is we have all we need to authenticate, i see the "sign in with Microsoft" on my capsule and i can login, get mfa and all is fine.

After i login i even get push notifications on a new e-mail !

if i open the capsule app i don't see any e-mails and if i refresh i get "application is offline check your internet connection"

This is so frustrating its driving me crazy ...

0 Kudos
Lars_de_Mooy
Participant

Does anyone know the rar password that needs to be filled in to unrar the capsule client logs ?

0 Kudos
Lars_de_Mooy
Participant

Hi all i am not 100% sure what i need to do here...

My email address is not endig on @onmicrosoft.com but its a custom domain.

Could this be my problem ?

End-User Directory Configuration

Mobile Access learns end-user email addresses from their directory records. The directory can either be the internal user database, a local Active Directory, Azure AD or another LDAP-based directory.

Capsule Workspace receives the email address of each Mobile Access end-user right after the end-user authenticates to the gateway. Such mail addresses are later used for authenticating to the Office 365 mail service, and also obtaining each end-user’s mail identity. Therefore, it is essential to configure end-user records with the correct email address.

The email address should be in this format:

username@mailaccountdomain.onmicrosoft.com

 

0 Kudos
PhoneBoy
Admin
Admin

Based on everything else in this thread, I suspect this is part of your issue.
You need to use your "onmicrosoft" domain, not your custom domain.

0 Kudos
Lars_de_Mooy
Participant

There is no way businesses are changing their UPN to onmicrososoft.com because of oauth to work...

Beside that this would be noticed by TAC after me sending the logs for over three weeks.

I will ask TAC

 
Spectrumtech_MS is also using a custom domain so thats why i dont understand why this is so strange in the manual.
 
 
0 Kudos
Lars_de_Mooy
Participant

I get to the point the frustration is taking the overhand.

After 3 weeks non stop troubleshooting and this manual that is a crap as it can be and no normal support.

Ho hard is it to create a decent manual for people that are using this product for years and years.

All was woking fine with my custom domain for many years and after changing only the authentication method it takes me 3 weeks with no solution and with two brand new firewalls R81.20. I am lost what is happening here and why i dont get the support after sending al my logs for all those weeks.

0 Kudos
Lars_de_Mooy
Participant

Hi

 
 
 
Can you please confirm that your primary SMTP address and your login to capsule is using your normal SMTP custom domain and not the domain.onmicrosoft.com ? You only changed the Mail application in smart dashboard to use the specific domain domain.onmicrosoft.com ?
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events