NamithaKamaraju

Introduction

This post captures the steps needed to prepare an existing MID Server host for integrations that require a modern (certificate-based) authentication approach to connect to third-party applications. Exchange Online is used as the worked example throughout.

For many years, applications have used Basic authentication to connect to servers, services, and API endpoints.

Basic authentication means the application sends a username and password with every request, and those credentials are usually also stored on the device or host that runs the application.
Traditionally, Basic authentication is enabled by default on most servers and services and is simple to set up.

But Basic authentication makes it easier for attackers to capture credentials (they travel with every request and sit in configuration on the host), which increases the risk of stolen credentials being replayed against other endpoints or services. It also makes enforcing multi-factor authentication (MFA) difficult, and in some cases impossible, while Basic authentication remains enabled.

This document defines a modern-authentication approach for connecting ServiceNow to Exchange Online so that Exchange activities can be performed without Basic authentication.

O365 use cases (not limited to the below)

  • Provision O365 licenses
  • Provision licenses via laptop requests
  • Manage meeting rooms (create, modify, delegate)
  • Manage shared mailboxes
  • Delegate user and shared mailboxes
  • Modify contact visibility in the GAL
  • Modify shared mailbox visibility in the GAL
  • Modify user mailbox visibility in the GAL

Process Flow

The existing workflows use custom activities that call the MID Server host and execute PowerShell scripts; those scripts connect to the Exchange servers and perform the required activities for each use case.
The PowerShell scripts that connect to Exchange Online currently use Basic authentication, as shown below: the MID Server passes a stored username and password ($cred) to the remote PowerShell endpoint on every connection. Note also that -SkipRevocationCheck disables revocation checking of the server certificate for the session; that weakening should not be carried over into the new scripts.

$session = New-PSSession -ConfigurationName Microsoft.Exchange -SessionOption (New-PSSessionOption -SkipRevocationCheck) -ConnectionUri $connectionUri -AllowRedirection -Authentication Basic -Credential $cred;

 

Now as part of migration to Modern authentication thumbprint +  appid combo can be leveraged after installing the certificates in the host machines of the mid servers and executing the powershell commands for successful exchangeonline setup.

 

1. How to Implement Modern Authentication?

The approach pairs a certificate thumbprint with an Azure app ID (app-only, certificate-based authentication). No username or password is stored in the platform or on the MID Server host; the certificate's private key takes the place of the credential, so it must be protected accordingly.

  1. How to get an app ID
    • The Messaging team registers an application (for ServiceNow) in Azure and grants the required Exchange permissions to that registration. The unique identifier of the registration is the Application (client) ID, or app ID, which is handed to the ServiceNow team.
    • One app ID is sufficient for all ServiceNow instances.
  2. How to get a thumbprint
    • The Messaging team helps generate a self-signed certificate for the registered app ID. Every certificate has a thumbprint, which identifies it wherever it is installed, so the same certificate can be installed on any MID Server host that needs modern authentication.
    • In this case, one certificate is used for all instances.

1.1 Certificate generation steps

  • Open a PowerShell terminal as an administrator.
  • Run the certificate generation script (not reproduced in this post). It prompts for a password that protects the exported certificate file; the password is generated by the ServiceNow team and stored in the password vault.

1.2 Certificate Installation on the Host:

  • The script generates two files: a .cer (public key only) and a .pfx (public key plus private key, protected by the password above).
  • The .cer is the part that is registered against the app ID in Azure. It can also be imported into the host's certificate store via the MMC console (right-click Certificates, All Tasks, Import), but on its own it is not sufficient for authentication because it carries no private key.
  • The .pfx installs the certificate together with its private key on the host: right-click the file and select Install PFX.
  • The wizard starts the installation and asks for the generated password.
  • Follow the wizard, choose Local Machine as the store location (the MID Server runs as a Windows service under its own account, so a certificate in the installing admin's Current User store would not be visible to it), and leave the remaining settings at their defaults.
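The following is an added example, not code from the original post or the script it refers to. It performs sections 1.1 and 1.2 end to end: it generates a self-signed certificate, exports the .cer for the Azure app registration and the .pfx for the MID Server hosts, and imports the .pfx into the Local Machine store. The subject name, output folder, validity period and the optional clean-up at the end are assumptions.

```powershell
# Added example (not from the original post): generate the app-only certificate, export the
# .cer and .pfx described above, then install the .pfx on a MID Server host.
# Subject name, output folder, validity and the optional hardening step are assumptions.
#Requires -RunAsAdministrator

$certName   = 'ServiceNow-MID-ExchangeOnline'   # assumed subject / friendly name
$exportDir  = 'C:\Certs'                        # assumed output folder
$validYears = 1                                 # assumed validity; shorter certificates are easier to rotate

# The .pfx password is typed once here and then kept in the password vault, never in a script.
$pfxPassword = Read-Host -Prompt 'Password to protect the exported .pfx' -AsSecureString
New-Item -ItemType Directory -Path $exportDir -Force | Out-Null

# Self-signed certificate with an exportable RSA-2048 / SHA-256 key.
$cert = New-SelfSignedCertificate `
    -Subject           "CN=$certName" `
    -FriendlyName      $certName `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyExportPolicy   Exportable `
    -KeySpec           KeyExchange `
    -KeyAlgorithm      RSA `
    -KeyLength         2048 `
    -HashAlgorithm     SHA256 `
    -NotAfter          (Get-Date).AddYears($validYears)

$cerPath = Join-Path $exportDir "$certName.cer"
$pfxPath = Join-Path $exportDir "$certName.pfx"

# .cer = public key only: this is what is uploaded to the Azure app registration (the app ID side).
Export-Certificate    -Cert $cert -FilePath $cerPath | Out-Null
# .pfx = public key + private key, protected by the password: this is what goes onto the MID Server host(s).
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

"Thumbprint for Connect-ExchangeOnline: $($cert.Thumbprint)"
"Public cert for the app registration:  $cerPath"
"PFX for the MID Server hosts:          $pfxPath"

# --- On each MID Server host (elevated PowerShell) ---
# LocalMachine\My, not CurrentUser\My: the MID Server runs as a Windows service under its own
# account, so a certificate in the installing admin's user store is invisible to it.
$installed = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPassword

# Confirm the private key came along; without it Connect-ExchangeOnline cannot sign its client assertion.
if (-not $installed.HasPrivateKey) { throw "Import of $pfxPath succeeded but no private key is present" }
"Installed $($installed.Thumbprint) in LocalMachine\My, valid until $($installed.NotAfter)"

# Optional hardening (assumed step): once the .pfx is in the vault, remove the exportable copy
# from the generating user's store so the private key exists only where it is needed.
# Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)"
```

The thumbprint printed after generation is the value used later in Connect-ExchangeOnline; the .pfx and its password should travel to the hosts through the vault, not by e-mail or chat.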

Installing the Module

  • First check that TLS 1.2 is enabled. The PowerShell Gallery rejects older protocols, so Install-Module fails without it.
  • Execute the following commands:
    • Set-ExecutionPolicy RemoteSigned
    • Install-Module -Name ExchangeOnlineManagement
      • If no error is returned, the installation is complete.

Update the MID Server PowerShell scripts that connect to Exchange Online to use the command below, substituting your own thumbprint and app ID.

The thumbprint and app ID shown are sample values, not the real ones, for security reasons.

Connect-ExchangeOnline -CertificateThumbPrint "ECC1E22F442D6266150939432365658C8E6D3A80" -AppID "f892db44-4822-42f1-9af7-dbb1f0de3afb" -Organization "***.onmicrosoft.com"

 

Connectivity Verification

Log in to the MID Server host and run the above command to verify that a connection to Exchange Online is established. The command returns without an authentication error and the Exchange Online cmdlets become available in the session.

Then run a read-only Get command as a test, for example to retrieve mailbox permissions as below. Once that returns data, the host is ready to use modern authentication for all Exchange-specific transactions.

Get-MailboxPermission -Identity '<insert mail ID>'
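As an added example (not code from the original post), the script below is a MID Server skeleton that combines the steps above: it enables TLS 1.2, installs the module if it is missing, checks before connecting that the certificate and its private key are actually readable from the host, connects with the app ID and thumbprint, runs the verification query, and always disconnects. The app ID and thumbprint defaults are the sample values from the post; the organization name and mailbox are assumptions.

```powershell
# Added example (not from the original post): MID Server script skeleton for app-only
# Exchange Online access. Organization and mailbox are placeholders; the app ID and
# thumbprint defaults are the sample values from the post, not a real registration.
param(
    [string]$AppId        = 'f892db44-4822-42f1-9af7-dbb1f0de3afb',
    [string]$Thumbprint   = 'ECC1E22F442D6266150939432365658C8E6D3A80',
    [string]$Organization = 'contoso.onmicrosoft.com',      # assumed tenant
    [string]$Mailbox      = 'shared.mailbox@contoso.com'    # assumed mailbox to query
)

$ErrorActionPreference = 'Stop'

# Strip stray whitespace so a copy/paste artefact does not surface as a confusing auth failure.
$Thumbprint = ($Thumbprint -replace '\s', '').ToUpper()
$AppId      = $AppId.Trim()

# Pre-flight: fail with a clear message if the certificate (with private key) is not in a store
# this account can read. Connect-ExchangeOnline looks in both stores, so check both.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My, Cert:\CurrentUser\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint } |
        Select-Object -First 1
if (-not $cert)                     { throw "Certificate $Thumbprint not found in LocalMachine\My or CurrentUser\My" }
if (-not $cert.HasPrivateKey)       { throw "Certificate $Thumbprint has no private key; re-import the .pfx" }
if ($cert.NotAfter -lt (Get-Date))  { throw "Certificate $Thumbprint expired on $($cert.NotAfter)" }

# Windows PowerShell 5.1 may not offer TLS 1.2 by default; the PowerShell Gallery and EXO require it.
[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12

if (-not (Get-Module -ListAvailable -Name ExchangeOnlineManagement)) {
    Install-Module -Name ExchangeOnlineManagement -Scope AllUsers -Force
}
Import-Module ExchangeOnlineManagement

try {
    # App-only (certificate) authentication: no username or password anywhere on the host.
    Connect-ExchangeOnline -CertificateThumbprint $Thumbprint -AppId $AppId -Organization $Organization -ShowBanner:$false

    # The connectivity check from the post, with an explicit -Identity and the implicit
    # NT AUTHORITY\SELF entry filtered out so only delegated permissions are listed.
    Get-MailboxPermission -Identity $Mailbox |
        Where-Object { $_.User -notlike 'NT AUTHORITY\*' } |
        Select-Object Identity, User, AccessRights
}
finally {
    # Always tear the session down; leaked sessions count against the tenant's connection limits.
    Disconnect-ExchangeOnline -Confirm:$false
}
```

The pre-flight checks exist because the three most common failures after migration (certificate on the wrong host, private key missing, certificate expired) all surface from Connect-ExchangeOnline as a generic token error; checking the store first turns them into a one-line diagnosis.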

Lessons Learnt:

  • The certificate must be installed on every MID Server host, and the ExchangeOnlineManagement module must be kept at a current version; otherwise the connection to Exchange Online will not be established.
  • Make sure the app ID and thumbprint are placed in the command without any spaces (a thumbprint copied from the Windows certificate dialog includes spaces between the byte pairs), otherwise the connection fails.
  • Disable Basic authentication at the host level while testing, so that any script still relying on it fails visibly instead of silently succeeding over the old path.
  • Put a certificate renewal process in place well before expiry; when the certificate expires, every integration that uses it stops at the same time.
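An added example, not from the original post, that turns the first and last lessons into a routine check: it asks every MID Server host for the certificate, whether its private key is present, how many days remain before expiry, and which module version is installed, then exits non-zero if anything needs attention so a scheduled task or monitoring job can pick it up. The host names, thumbprint and warning threshold are assumptions, and it requires PowerShell remoting (WinRM) to the hosts.

```powershell
# Added example (not from the original post): fleet check for the app-only certificate and the
# ExchangeOnlineManagement module across MID Server hosts. Hosts, thumbprint and threshold are
# assumptions; requires PowerShell remoting (WinRM) to each host.
$midHosts   = @('MID-SERVER-01', 'MID-SERVER-02')          # assumed host names
$thumbprint = 'ECC1E22F442D6266150939432365658C8E6D3A80'  # sample value from the post
$warnDays   = 30                                          # assumed renewal lead time

$report = Invoke-Command -ComputerName $midHosts -ArgumentList $thumbprint, $warnDays -ScriptBlock {
    param($Thumbprint, $WarnDays)

    # The MID Server runs as a service, so only the LocalMachine store matters here.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    $mod  = Get-Module -ListAvailable -Name ExchangeOnlineManagement |
            Sort-Object Version -Descending | Select-Object -First 1

    $daysLeft = if ($cert) { [int]($cert.NotAfter - (Get-Date)).TotalDays } else { $null }

    [pscustomobject]@{
        Host          = $env:COMPUTERNAME
        CertPresent   = [bool]$cert
        HasPrivateKey = if ($cert) { $cert.HasPrivateKey } else { $false }
        NotAfter      = if ($cert) { $cert.NotAfter } else { $null }
        DaysLeft      = $daysLeft
        ModuleVersion = if ($mod) { $mod.Version.ToString() } else { 'missing' }
        Status        = if (-not $cert -or -not $cert.HasPrivateKey) { 'FIX: certificate missing or no private key' }
                        elseif ($daysLeft -lt 0)                     { 'FIX: certificate expired' }
                        elseif ($daysLeft -le $WarnDays)             { "WARN: renew within $daysLeft days" }
                        elseif (-not $mod)                           { 'FIX: ExchangeOnlineManagement module missing' }
                        else                                         { 'OK' }
    }
}

$report | Select-Object Host, CertPresent, HasPrivateKey, NotAfter, DaysLeft, ModuleVersion, Status |
    Format-Table -AutoSize

# Non-zero exit so a scheduled task or monitoring job can alert on any host that is not OK.
if ($report | Where-Object { $_.Status -ne 'OK' }) { exit 1 }
```

Run it from the same place the certificate rotation is planned; the DaysLeft column gives the renewal date, and a host showing CertPresent without HasPrivateKey is one where only the .cer was imported.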

 
