Whitelist Service Account in new Servers

Question

Whitelist Service Account in new Servers

RS0312 1

We are receiving following error when our application connects with a service account to Office365.

Local EWS error: The request failed. The remote server returned an error: (401) Unauthorized.

Found following link where the issue as resolved by Whitelisting a service account however, no detailed information is giving about how to whitelist a service account.

https://learn.microsoft.com/en-us/answers/questions/565600/local-ews-error-the-request-failed-the-remote-serv.html

How to whitelist service account in new servers?

A. Do we have to add service account to local administrators group in new servers?
Or
B. Do we have to registerd SPN for new servers in AD?

1 answer

Your answer

Answer 1

Glen Scales 4,446

Are you using Basic Authentication if so it may have already been disabled or will be in a few days https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online . The post you referenced talked about an OnPrem exchange which is different there is no whitelisting you would need to do in Exchange Online however if you where using impersonation there are application access policies that can take affect https://practical365.com/application-access-policies-in-exchange-online/#:~:text=The%20feature%20is%20called%20Application,of%20course%20being%20Exchange%20Online.

The place to start would be try the remote connectivity analyser https://testconnectivity.microsoft.com/tests/o365

RS0312 1 Reputation point

2022-10-03T22:11:52.993+00:00

Glen,

Thanks for the answer, we are be moving off Basic Authentication however, can you help in the following point as per the link hence, trying to figure out how to add servers to service account whitelist in AD.

"had our AD admin add the 3 new servers to the service account whitelist"
Glen Scales 4,446 Reputation points

2022-10-04T22:47:03.333+00:00

There can be a number of different types of service accounts can you details a little more about what your using https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/service-accounts-on-premises . I think the term whitelist isn't the correct terminology to use so it might be confusing it a little, for kerberos authentication OnPrem you need SPN etc https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/kerberos-authentication-problems-8211-service-principal-name-spn/ba-p/395455 . Do you have an IIS app that is trying to impersonate the logged on user ?

If all your mailboxes are on Exchange Online and your moving the oAuth this isn't really relevant as basically your authenticating against AzureAd getting an Access token and then using that against Exchange Online. If your doing it via WIA (Windows Integrated Authentication) to get the Azure Access Token then it's a little bit different. Generally when moving to oAuth from Service Accounts the path people take is to use the Client Credentials flow https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow. So now instead of storing credentials (which have expiring passwords and lateral permissions etc) you store a SSL certificate for Authentication and you can lock down the access to which mailboxes you app needs to access via Application Access polices https://practical365.com/application-access-policies-in-exchange-online/#:~:text=The%20feature%20is%20called%20Application,of%20course%20being%20Exchange%20Online.

Share via

Whitelist Service Account in new Servers

1 answer

Your answer