none
Connecting to Exchange Online via Powershell remote using Kerberos authentication RRS feed

  • Question

  • Hi,

    I do administration for a lot of Office365 tenants using Powershell delegated remote access to the customers exchange server. I used a method described here: https://docs.microsoft.com/en-us/office365/enterprise/powershell/manage-office-365-tenants-with-windows-powershell-for-delegated-access-permissio

    However, this no longer works since our IT does no longer allow Basic authentication for WinRM, only Kerberos.

    Is there a way to change the connection script to use Kerberos? If I just change the method in the script, it fails as expected with an authentication error.

    Thanks a lot,

    Romulus

    Wednesday, June 5, 2019 11:58 AM

All replies

  • No. The only way you can connect is via Basic authentication. Even the MFA-enabled module uses basic auth, it simply obtains the token via Modern authentication and passes in on the basic endpoint.
    Wednesday, June 5, 2019 6:10 PM
  • Hi.

    Vasil will be not happy from my answer. I know. :)

    If you have Office 365 SSO with ADFS on prem AD, sync AD on prem with AD Azure device both way and domain-joined computer with Azure AD Domain.

    How To: Plan your hybrid Azure Active Directory join implementation

    On "Theory" you can run this, but again on "Theory". I can't confirm this.

    [PS] C:\> $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Authentication Kerberos -AllowRedirection


    MCITP, MCSE. Regards, Oleg

    Wednesday, June 5, 2019 8:10 PM
  • Nope, it's always Basic auth for ExO :) Even when connecting with MFA, they "convert" it by using the same basic auth endpoint:

    (Get-PSSession).Runspace.ConnectionInfo.ConnectionUri
    
    AbsoluteUri
    -----------
    https://outlook.office365.com/PowerShell-LiveId?BasicAuthToOAuthConversion=true

    So PowerShell needs to be able to connect via the basic auth endpoint. As for actually getting the token, you can use Kerberos or any other method. But passing it to ExO - that's good old basic auth.

    Thursday, June 6, 2019 7:59 PM
  • Just checking in to see if above information was helpful. Please let us know if you would like further assistance.

    Regards, 

    Manu Meng


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Click here to learn more. Visit the dedicated forum to shareexplore and talk to experts about Microsoft Teams.

    Tuesday, June 11, 2019 10:09 AM
    Moderator
  • Just checking in to see if above information was helpful. Please let us know if you would like further assistance.

    Regards, 

    Manu Meng


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Click here to learn more. Visit the dedicated forum to shareexplore and talk to experts about Microsoft Teams.

    Hi, thanks for your help.

    It seems indeed impossible to use Remote Exchange-Online without Basic-Auth. Buggers, but I was able to convince our IT to create an exception rule in the GPO, so I can use Basic-Auth again.

    Does not really solve the issue but I take what I get.

    Greetings,

    Romulus

    Thursday, June 27, 2019 9:49 AM
  • Just checking in to see if above information was helpful. Please let us know if you would like further assistance.

    Regards, 

    Manu Meng


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Click here to learn more. Visit the dedicated forum to shareexplore and talk to experts about Microsoft Teams.

    Hi, thanks for your help.

    It seems indeed impossible to use Remote Exchange-Online without Basic-Auth. Buggers, but I was able to convince our IT to create an exception rule in the GPO, so I can use Basic-Auth again.

    Does not really solve the issue but I take what I get.

    Greetings,

    Romulus

    Thanks for your update! It is a good idea and can help others in this forum. I proposed it as an answer for this question.

    Regards,

    Manu Meng


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Click here to learn more. Visit the dedicated forum to share, explore and talk to experts about Microsoft Teams.

    Thursday, June 27, 2019 9:56 AM
    Moderator