Capsule Workspace Oauth
Hi all,
We have used Capsule Workspace for business mail for many years; the best advantage is that you only have to allow a connection from the public IP to Exchange Online and you can block all the rest. Capsule makes a connection to the remote access gateway, and the remote access gateway makes a session to ExO.
Now, last week, Microsoft finally deprecated basic auth in ExO, which Capsule needs to connect.
The only way to make the connection work again is to upgrade to R81.20, which has the OAuth for Capsule Workspace option.
We upgraded our environment, configured the enterprise app in Azure and made all the configs on the Mobile Access GW on the Check Point side. The problem is that the authentication to the Mobile Access GW is all fine, but the authentication to Azure OAuth ends up with a 401 error. I spent last week troubleshooting and created all the relevant logging.
Is there anyone who has this setup working, who may have faced the same issues and was able to fix them?
I am at the end of my knowledge and need this to work ASAP.
Hope someone has some good tips to get us on the right track.
Best regards, Lars
I presume you’ve opened a TAC case in parallel?
In any case, sharing whatever debug you’ve collected might be helpful.
Hi PhoneBoy,
Yes, I have a TAC case.
Right after I log in I get a new prompt "Enter your Mail credentials"; if I fill in these credentials I see this logging:
How to debug Mobile Access Web Applications (checkpoint.com)
tail -f $CVPNDIR/log/httpd.log
[4606][22 Jan 10:58:28][SERIALIZE] [CVPN_INFO] getDecoder: Using fwobj-based RPC decoder
[4606][22 Jan 10:58:28][SERIALIZATION] [CVPN_INFO] CvpnIS::FwobjDeserializer::createObject: deserializing object of class: PortalCustomizationResponse
[4606][22 Jan 10:58:28][SERIALIZATION] IDeserializable::createObject: found CreateFunc (0xf1c5c110) for className: PortalCustomizationResponse
[4606][22 Jan 10:58:28][APACHE] [CVPN_INFO] Mod_input_filter: Handling HTTP (not SOCKS) traffic
[Sun Jan 22 10:58:28.454160 2023] [wi:debug] [pid 4606] WIConnection.cpp(220): parsing: (body printout skipped)
[4606][22 Jan 10:58:28][WEBINT] [CVPN_INFO] Cvpn::WIConnection::getRequestNumber: WIConnection::getRequestNumber m_requestNumber=1
[4606][22 Jan 10:58:28][WEBINT] [CVPN_INFO] Cvpn::WIConnection::isCriticalError: WIConnection::IsCriticalError isCriticalError=false
[4606][22 Jan 10:58:28][WEBINT] [CVPN_INFO] Cvpn::WIInputFilter::shouldHandleInFilter: handleInFilter = true
[4606][22 Jan 10:58:28][WEBINT] [CVPN_INFO] Cvpn::WIInputFilter::checkParseResult: handleInFilter
[4606][22 Jan 10:58:28][WEBINT] [CVPN_INFO] Cvpn::WIConnection::getRequestNumber: WIConnection::getRequestNumber m_requestNumber=1
[4606][22 Jan 10:58:28][WEBINT] [CVPN_INFO] Cvpn::WIConnection::isCriticalError: WIConnection::IsCriticalError isCriticalError=false
[4606][22 Jan 10:58:28][WEBINT] [CVPN_INFO] Cvpn::WIInputFilter::checkParseResult: no errors or no relevant errors
[Sun Jan 22 10:58:28.455897 2023] [deflate:debug] [pid 4606] mod_deflate.c(873): [client x.x.x.x:52824] AH01384: Zlib: Compressed 171 to 156 : URL /Errors/ErrorDocument, referer: https://capsule.xxxxxxx/sslvpn/MobileApp/
[4606][22 Jan 10:58:28][APACHE] [CVPN_INFO] Mod_input_filter: Handling HTTP (not SOCKS) traffic
[4606][22 Jan 10:58:28][APACHE] [CVPN_INFO] Cvpn::ApacheRequest::~ApacheRequest: (/Errors/ErrorDocument)
[4606][22 Jan 10:58:28][BusinessMail] [CVPN_INFO] Cvpn::BusinessMailHandler::~BusinessMailHandler: Dtor
[4606][22 Jan 10:58:28][CURL_BASED] [CVPN_INFO] Cvpn::CurlBasedHandler::~CurlBasedHandler: Dtor
[Sun Jan 22 10:58:28.456891 2023] [:debug] [pid 4606] trace_logger_filters.c(321): [client x.x.x.x:52824] in clean request , referer: https://capsule.xxxxxxx/sslvpn/MobileApp/
[4606][22 Jan 10:58:28][WEBINT] [CVPN_INFO] Cvpn::WICreateRequestHook::doExecute: WICreateRequestHook::execute setting current request and body flag
[4606][22 Jan 10:58:28][WEBINT] [CVPN_INFO] Cvpn::WIConnection::setIsBody: WIConnection::setIsBody m_isBody=false
[4606][22 Jan 10:58:28][WEBINT] [CVPN_INFO] Cvpn::WIConnection::incrementRequestNumber: WIConnection::incrementRequestNumber incremented m_requestNumber=2
[Sun Jan 22 10:58:28.457456 2023] [:debug] [pid 4606] trace_logger_filters.c(207): [client x.x.x.x:52824] creating request_buffer_handle<<<<<
[4606][22 Jan 10:58:28][APACHE] [CVPN_INFO] Mod_input_filter: Handling HTTP (not SOCKS) traffic
[4606][22 Jan 10:58:30][WEBINT] [CVPN_INFO] Cvpn::WIInputFilter::parseLoop: ap_get_brigade failed - return false
[Sun Jan 22 10:58:30.459714 2023] [:debug] [pid 4606] trace_logger_filters.c(244): [client x.x.x.x:52824] get brigade failed
[Sun Jan 22 10:58:30.459724 2023] [:debug] [pid 4606] trace_logger_filters.c(321): [client x.x.x.x:52824] in clean request
That appears to be the logs from the front end web server.
I suspect you’ll need to look at a different log file which will contain the actual backend authentication that is occurring with O365.
Hello,
Has Check Point released a new guide on how to onboard Capsule Workspace as an Azure enterprise app?
Capsule tries to authenticate using basic auth and, given its deprecated status, users can no longer log in.
Hi spectumtech,
This is the guide that you need; please share your findings and report back.
If it's not working, use EWSEditor from GitHub to test the Azure part.
In my config, EWSEditor is connecting fine to the Azure app; the gateways are not.
Hi spectumtech, did you manage to get this working? I just spent 2 hours with TAC and no solution yet...
I hope to hear back from you and hear how your Capsule OAuth is doing.
Regards, Lars
Hi PhoneBoy,
Spent hours and days and hours fixing this. The Azure app is fine; I can connect with EWSEditor using the exact same input as I have on the gateways. I have sent all related logs to Check Point and I keep waiting on a solution.
I can see that you have an active case with TAC and they are working with you to get the necessary information to troubleshoot.
Yes, that's what I wrote before, and TAC is doing all they can to help me solve this, like they always do.
After working on this for a while I am very curious to know if someone else was able to connect Capsule with OAuth.
Thanks for the reply; I'll keep you posted.
PhoneBoy,
Indeed, we have an open case with TAC.
No real help at this stage and very slack in responding.
It is most likely due to the deprecation of basic auth in M365. We are able to successfully connect and authenticate to the mobile portal and SNX, which use the local AD, but when Capsule is trying to authenticate to Azure AD (i.e. M365 / Exchange Online) authentication fails.
We simply need a solid (and working) guide on how to correctly configure the enterprise app in Azure to get Capsule Workspace to authenticate correctly using modern auth.
Not sure why this is taking so long. I am safe to assume that there are quite a few frustrated Capsule users out there that can't use this po until it is resolved...
The following confirms the above:
There is NO guide (tested and validated!) from Check Point on how to configure Capsule Workspace to authenticate as an Azure enterprise app using OAuth 2.0. Check Point, why not???
Hi Spectrumtech_MS,
Microsoft deprecated basic auth after a long time of communicating and warning, and at the end of 2022 switched off basic auth in the tenants one at a time.
This is the moment we started to get the 401 unauthenticated error on EWS in SmartView Tracker.
Capsule Workspace stopped working because of this.
There was a possibility to turn basic auth back on for EWS in Office 365 to give you some more time, and after we did that it started to work again. So it was not a surprise for us that this was about to happen at the beginning of 2023, and we needed a solution for this.
We created a Check Point case, and the only way to get the possibility to use OAuth on Mobile Access connecting to EWS was to upgrade to R81.20, which we did. The Mobile Access guide I posted here gives you the basics on what you need to configure in Azure to make this work. Don't take me wrong, but the configuration of the enterprise app in Azure AD is not a complex configuration; the R81.20 Mobile Access admin guide I posted here gives all the relevant information to create it, and it can be tested easily with the EWSEditor tool from GitHub.
The fact that the R81.20 release, which brought the possibility to use OAuth with Capsule, came out after Microsoft switched off basic auth is strange. Check Point is investigating my config and I believe this will be solved soon.
Hi there,
We have upgraded to R81.20 and the issue persists.
Capsule Workspace is NOT using modern auth but rather reverts to basic, which, in turn, is rejected by M365.
Regarding the configuration of the Azure Enterprise App: are you able to post the detailed configuration steps to allow the use of OAuth 2.0 for Capsule Workspace authentication to Exchange Online, as the guide is somewhat vague?
Thanks in advance.
See attached log extract from the gateway.
Hi, please read carefully:
- Log in to Azure AD
- Click Azure Active Directory
- Click App registrations (not Enterprise applications)
- Click New registration, leave all defaults and give it a name
- Click Client credentials: Add a certificate or secret
- New client secret, give it a name
- Copy the value to a txt file
- Click API permissions, choose APIs my organization uses, search Office 365 Exchange Online
- Click Delegated permissions, search EWS, open EWS, choose EWS.AccessAsUser.All, click OK
- Choose Office 365 Exchange Online (1) again, click Application permissions, choose full_access_as_app
Don't forget to add the redirect URL for iOS / Android.
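A way to verify the registration above independently of the gateway, much as EWSEditor does, as an added example (this is not Check Point's, EWSEditor's or the original poster's code): it builds the client-credentials token request for the app registration, decodes the claims of the access token that comes back and flags the ones Exchange Online answers with HTTP 401 (wrong audience, wrong tenant, the full_access_as_app role or EWS.AccessAsUser.All scope not granted), builds the app-only EWS call that names the mailbox by its primary SMTP address, and parses the x-ms-diagnostics header Exchange Online attaches to a 401. The tenant id, client id, secret, mailbox, sample tokens and sample 401 header are constructed placeholders; no network access is needed to run it.

```python
# Added example, not Check Point's or EWSEditor's code. Offline diagnostic for
# "401 from Exchange Online" after an OAuth app registration for EWS.
# All ids, secrets, tokens and header values below are constructed.
import base64
import json
import re
from urllib.parse import urlencode

EWS_RESOURCE = "https://outlook.office365.com"
# Application id of the "Office 365 Exchange Online" resource; the aud claim of a
# token for EWS carries either this GUID or the URL above.
EXO_APP_ID = "00000002-0000-0ff1-ce00-000000000000"
APP_ONLY_ROLE = "full_access_as_app"      # application permission from the steps above
DELEGATED_SCOPE = "EWS.AccessAsUser.All"  # delegated permission from the steps above


def client_credentials_request(tenant, client_id, client_secret):
    """v2.0 token request for app-only access. `tenant` is the tenant GUID or a
    verified domain of the tenant, e.g. contoso.onmicrosoft.com (assumed name)."""
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        # ".default" on the EWS resource asks for every app role admin-consented to the app
        "scope": f"{EWS_RESOURCE}/.default",
    })
    return url, body


def token_claims(access_token):
    """Decode the JWT payload WITHOUT verifying the signature: diagnostic use only,
    Exchange Online does the real verification."""
    _header, payload, _signature = access_token.split(".")
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def ews_token_problems(access_token, expected_tid, app_only=True):
    """List the claim problems for which Exchange Online answers an EWS call with 401."""
    claims = token_claims(access_token)
    problems = []
    if claims.get("aud") not in (EWS_RESOURCE, EWS_RESOURCE + "/", EXO_APP_ID):
        problems.append(f"aud {claims.get('aud')!r} is not Exchange Online")
    if claims.get("tid") != expected_tid:
        problems.append(f"tid {claims.get('tid')!r} is not the expected tenant")
    if app_only and APP_ONLY_ROLE not in claims.get("roles", []):
        problems.append(f"roles lacks {APP_ONLY_ROLE} (admin consent not granted?)")
    if not app_only and DELEGATED_SCOPE not in claims.get("scp", "").split():
        problems.append(f"scp lacks {DELEGATED_SCOPE}")
    return problems


def ews_request(access_token, primary_smtp):
    """URL, headers and SOAP body of an app-only GetFolder call. An app-only token
    carries no user, so the mailbox is selected with ExchangeImpersonation and
    X-AnchorMailbox, both set to the user's primary SMTP address."""
    headers = {
        "Authorization": f"Bearer {access_token}",
        "Content-Type": "text/xml; charset=utf-8",
        "X-AnchorMailbox": primary_smtp,
    }
    body = (
        '<?xml version="1.0" encoding="utf-8"?>'
        '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"'
        ' xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types"'
        ' xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages">'
        '<soap:Header><t:RequestServerVersion Version="Exchange2013_SP1"/>'
        "<t:ExchangeImpersonation><t:ConnectingSID>"
        f"<t:PrimarySmtpAddress>{primary_smtp}</t:PrimarySmtpAddress>"
        "</t:ConnectingSID></t:ExchangeImpersonation></soap:Header>"
        "<soap:Body><m:GetFolder><m:FolderShape><t:BaseShape>IdOnly</t:BaseShape>"
        '</m:FolderShape><m:FolderIds><t:DistinguishedFolderId Id="inbox"/></m:FolderIds>'
        "</m:GetFolder></soap:Body></soap:Envelope>"
    )
    return f"{EWS_RESOURCE}/EWS/Exchange.asmx", headers, body


def parse_ms_diagnostics(header_value):
    """Split the x-ms-diagnostics header of a 401 into code, reason and category."""
    m = re.match(r'(\d+);reason="([^"]*)";error_category="([^"]*)"', header_value)
    return {"code": m.group(1), "reason": m.group(2), "category": m.group(3)} if m else None


def _unsigned_jwt(claims):
    """Constructed, unsigned token so the demo runs offline (never accept such a token)."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


TENANT_ID = "11111111-2222-3333-4444-555555555555"  # constructed
GOOD_TOKEN = _unsigned_jwt({"aud": EWS_RESOURCE, "tid": TENANT_ID, "roles": [APP_ONLY_ROLE]})
# A common mistake: permissions granted on Microsoft Graph instead of Exchange Online,
# so the token is issued for the Graph audience and EWS rejects it.
GRAPH_TOKEN = _unsigned_jwt({"aud": "https://graph.microsoft.com", "tid": TENANT_ID})
SAMPLE_401 = ('2000003;reason="The audience claim value is invalid.";'
              'error_category="invalid_resource"')  # constructed header value
```

Usage: call `client_credentials_request("contoso.onmicrosoft.com", client_id, secret)` and POST the returned body to the returned URL; feed the `access_token` from the JSON reply to `ews_token_problems(token, tenant_guid)`. An empty list means the token itself is acceptable to EWS, and a 401 on the subsequent `ews_request(...)` call then points at the mailbox side (impersonation, the primary SMTP address, or the mailbox not existing in that tenant) rather than at the app registration; `parse_ms_diagnostics(response.headers["x-ms-diagnostics"])` tells you which.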
Thank you, Lars.
All configured, but unfortunately Capsule still fails to authenticate, with a 401 error in the log.
We have an open, escalated ticket with Check Point (which has failed to provide any meaningful input to date), so we will continue to follow up and update if/when a resolution is found.
Hi, please try this:
- Open your Mobile Mail application in SmartDashboard
- Go to Exchange access
- Tick Use specific domain
- Fill in yourdomain.onmicrosoft.com and save -> policy install
In the basic auth configuration this field had your public domain name, the one after the @.
In OAuth this needs to be your onmicrosoft domain.
Thanks, Lars.
I think that did the trick (changing the domain to the *.microsoftonline.com one).
Is this a prerequisite for OAuth 2 authentication to AAD/M365?
This may be necessary for the GW to find the tenant; the authentication itself uses the primary SMTP address.
You can see this address at the top of your screen in the settings of the Capsule client.
Is all working in your environment now?
Strange, as the tenant has always been identified with the public DNS domain and not the Microsoft one.
Further, the domain showing in the settings of the client is the public DNS one.
All now seems to work as it should. Thank you VERY much for your support and assistance.
I'll document the steps followed (and your advice) and publish them here for future reference.
Again, your assistance is appreciated!
OK, now your config works; it's time for Check Point to help me fix mine..... 😞
Hello,
We noticed the same issue a couple of weeks ago. Today we managed to establish modern authentication via Capsule Workspace on a test environment running R81.20 (it was upgraded from R81.10). I am not comfortable with upgrading the production environment to a version that is not "widely recommended" just yet.
I have followed the steps in the provided documentation. Be careful with the following 2 settings:
- the "use specific domain" setting must be in the form "yourdomain.onmicrosoft.com", as already stated in this thread
- Office365ClientSecret must be entered in obfuscated form, by using the "obfuscate_password" command
But in my case it started to work after I removed the Capsule Workspace site ID from my phone and recreated a new one with identical parameters. Only sign-out/sign-in was not enough.
After entering initial credentials to log in to Capsule Workspace, I immediately received a form to connect to "Exchange Online":
After clicking the "Sign in with Microsoft" button, it redirects me to the O365 web portal to enter credentials. After that the login is successful and I can normally receive and send emails. Works perfectly on both iOS and Android.
Another thing I noticed is that in the Log Server I do not see any logged attempt of this access (not even Accept); that is because the Workspace app is communicating directly with O365, not via the gateway.
Hope that helps. If it does not work in your production environment, try setting up the test environment; there you have a bit more flexibility in changing settings.
Hi, thanks for the post.
The strange thing is we have all we need to authenticate; I see the "Sign in with Microsoft" on my Capsule and I can log in, get MFA and all is fine.
After I log in I even get push notifications on a new e-mail!
If I open the Capsule app I don't see any e-mails, and if I refresh I get "application is offline, check your internet connection".
This is so frustrating; it's driving me crazy...
Does anyone know the RAR password that needs to be filled in to unrar the Capsule client logs?
Hi all, I am not 100% sure what I need to do here...
My email address does not end in @onmicrosoft.com but is a custom domain.
Could this be my problem?
End-User Directory Configuration
Mobile Access learns end-user email addresses from their directory records. The directory can either be the internal user database, a local Active Directory, Azure AD or another LDAP-based directory.
Capsule Workspace receives the email address of each Mobile Access end-user right after the end-user authenticates to the gateway. Such mail addresses are later used for authenticating to the Office 365 mail service, and also obtaining each end-user’s mail identity. Therefore, it is essential to configure end-user records with the correct email address.
The email address should be in this format:
username@mailaccountdomain.onmicrosoft.com
Based on everything else in this thread, I suspect this is part of your issue.
You need to use your "onmicrosoft" domain, not your custom domain.
There is no way businesses are changing their UPN to onmicrosoft.com for OAuth to work...
Besides that, this would have been noticed by TAC after my sending the logs for over three weeks.
I will ask TAC.
I have got to the point where the frustration is taking the upper hand.
After 3 weeks of non-stop troubleshooting, a manual that is as crap as it can be, and no normal support.
How hard is it to create a decent manual for people that have been using this product for years and years?
All was working fine with my custom domain for many years, and after changing only the authentication method it takes me 3 weeks with no solution, and that with two brand new firewalls on R81.20. I am lost as to what is happening here and why I don't get support after sending all my logs for all those weeks.
Hi
