Kace 1000 emailing broken after move to 365 online Exchange
Recently moved to 365 online Exchange (hybrid configuration). Now the email through Kace no longer works. Default security is enabled in the online Exchange. This means that mail using SMTP cannot authenticate with the server. The options laid out in this document https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/how-to-set-up-a-multifunction-device-or-application-to-send-email-using-microsoft-365-or-office-365 do not work. Has anyone else run into this issue and been able to resolve it?
Answers (9)
What version of the SMA?
What is defined in Settings › Control Panel › Network Settings > Email Configuration?
What is defined in Service Desk › Configuration › Service Desk Queue Email Settings | "Name of your Service Desk" under Inbound and Outbound?
Settings › Support › Diagnostic Utilities
KevinG,
I am now at version 14.1.95
Settings › Control Panel › Network Settings > Enable SMTP Server: smtp.office365.com, Port 587, Login: kaceinternal@xxxx.ca and the account password
Service Desk › Configuration › Service Desk Queue Email Settings | "Name of your Service Desk" under Inbound and Outbound
General|email address: helpdesk@xxx-kace1000.xxx.local, Alternate: helpdesk@xxxx.ca
Both inbound and outbound are configured using the Office365 button with a certificate created in the entra admin center and the MS 365 API Service: Microsoft 365 GCC - This configuration is now working for inbound emails from users to create tickets
Outbound email from Kace is not currently working. Now getting this error when testing the SMTP server settings. I have successfully logged into the kaceinternal account by going to smtp.office365.com. I believe this issue is a result of the default security setting in the 365 tenant.
Comments:
-
use the Email Sending test to troubleshoot your email configuration issue, not the Service Desk Queue SMTP connection test
Settings › Support › Diagnostic Utilities - KevinG 4 months ago -
according to the error message the used user is blocked through the security settings. You may need to unblock it or use another one. - Nico_K 4 months ago
-
Nico_K, the security settings are the default security settings that are enabled for all mailboxes on newly created tenants. It is not an option to disable this as the sysadmin is determined to leave it on and I understand that decision. This default security system will not allow for legacy SMTP and there is no way to disable this on an individual basis. - Rigger718 4 months ago
-
well, if Security Setting _LOCK_ a user who is trying to authenticate, you cannot use _THIS_ user. Maybe the security settings are ... MICROSOFT like not smart or another user should be used _OR_ the user should be reenabled.
If you try to use a locked out user this will never work. That's why you lock out users, so that they cannot log in.
Therefore it is not a KACE issue but an OSI8 issue with configuring O365 correctly and using the right user and password. - Nico_K 4 months ago
Thank you,
Ran the diagnostic as you recommended. It took some time but eventually I started receiving test emails from all my service desk queues. There was also a substantial log created that indicated the same errors as posted earlier. I have attached this log to the Quest trouble ticket for further analysis. Hopefully a solution is forthcoming.
Pam, the following works for incoming email, allowing Kace to create tickets from user email:
Create an application for the mailbox using the “Microsoft Entra Admin Center”
Log in to the Entra Admin Center
Select Applications > App registrations
Add a new registration, provide a descriptive name, select “accounts in any organizational directory”
Under “Redirect URI", select Web platform and provide the redirect Kace URL, i.e. https://your kace FQDN/common/authorize.php
Select Register
The next window is the App registration that was just created
Copy and note the “Application (client) ID”; you will require this when creating the credential on Kace
Locate Client Credentials and select “Add a certificate or secret”
In the next window create a “New Client Secret”, provide a descriptive name and an expiry time, then select Add
Very important step: copy and record the Value and Secret ID. The Value is only available at this step and you will need it when creating the credential on the Kace server
Select the “Overview” and confirm everything is correct
Log in to your Microsoft 365 admin center
Select the mailbox you are configuring in Kace
Go to the mail and select Manage email apps
Ensure all apps are checked, including “Authenticated SMTP”
Create the credential in Kace
Sign into Kace admin using the https:// URL. Note: you must use the secure https; this will not work if using just http
Go to Settings > Credentials
In “Choose Action” select New
Provide the required information in this form:
Name: descriptive name,
Type: pull down and select “Office365 OAuth”
Client ID: insert the client ID you recorded earlier
Client Secret: This is the “Value” you recorded earlier
Azure AD Tenant Type: Make sure this is the same as what is configured in Entra
Scroll down and “Authorize Credential”
Authenticate using the account for the mailbox. You will require the login name and password for the mailbox
Carry out the MFA
Once the MFA is complete, the “Add Credential” Status on Kace will indicate Authorized
Save to continue
Your new credential is now available
Go to “Service Desk” > Configuration > Email Configuration > Configure department email settings
Pull down the Help desk you are configuring
In "General", confirm all settings are correct
Select the “Inbound” tab and highlight the Office365 radio button
Select the credential you just created and leave the Microsoft 365 API Service as default
Select the “Outbound” tab, highlight “Queue specific settings” > “Office365”, select the credential you just created and leave the Microsoft 365 API Service as default
Save your work
Send a test email to the service desk to confirm the settings work
As a side note, I ended up having to use the Kace self-signed certificate, as the server UI would stop responding if I used a cert from my CA and would not accept a cert from GoDaddy. Quest engineers are working on this issue.
Pam,
The reason I used a self-signed cert is because my internal CA cert caused the Kace web application to hang. It was doing this while Quest was online with me, and their short-term suggestion was to use a self-signed cert until they reviewed the logs as to the cause of the hanging. There is no reason I can see that a CA-signed cert would cause any problems with mail configuration. Complication comes part and parcel when using MS documentation; it is often incomplete and inconsistent, as they are always updating the software/process and not the documentation.
Based on the screenshots above of the service desk queue settings, Incoming is using the Microsoft API to pull down an email from Office365 (Not SMTP)
All outgoing email from the SMA uses SMTP regardless of the incoming protocol.
The error message reported is from the external Office365 SMTP server (not SMA) that authentication failed.
Did you verify that an Office365 client can log in to that mailbox using the same credentials in the Outbound Email Settings?
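
Added example (not part of any post in this thread, and not Quest or Microsoft code): a read-only PowerShell check of the two Exchange Online settings that decide whether the mailbox used for outbound mail may use SMTP AUTH at all, the tenant-wide switch and the per-mailbox switch that corresponds to the “Authenticated SMTP” checkbox mentioned above. It assumes the ExchangeOnlineManagement module and a session already opened with `Connect-ExchangeOnline`; the mailbox address and the helper function name are placeholders.

```powershell
# Read-only check: is SMTP AUTH permitted for the mailbox the SMA sends as?
# Assumes an existing Exchange Online session (Connect-ExchangeOnline).
param(
    # Placeholder address; replace with the mailbox configured for outbound mail.
    [string]$Mailbox = 'sending-mailbox@example.com'
)

# Hypothetical helper: combines the tenant and mailbox values.
function Get-EffectiveSmtpAuth {
    param(
        [bool]$TenantDisabled,             # (Get-TransportConfig).SmtpClientAuthenticationDisabled
        [Nullable[bool]]$MailboxDisabled   # Get-CASMailbox value; $null means "inherit tenant"
    )
    # A per-mailbox value, when set, overrides the tenant-wide value.
    if ($null -ne $MailboxDisabled) {
        return [pscustomobject]@{ Enabled = -not $MailboxDisabled; Source = 'mailbox' }
    }
    return [pscustomobject]@{ Enabled = -not $TenantDisabled; Source = 'tenant' }
}

$tenantDisabled = (Get-TransportConfig).SmtpClientAuthenticationDisabled
$cas            = Get-CASMailbox -Identity $Mailbox
$effective      = Get-EffectiveSmtpAuth -TenantDisabled $tenantDisabled `
                                        -MailboxDisabled $cas.SmtpClientAuthenticationDisabled

[pscustomobject]@{
    Mailbox                 = $Mailbox
    TenantSmtpAuthDisabled  = $tenantDisabled
    MailboxSmtpAuthDisabled = $cas.SmtpClientAuthenticationDisabled   # blank = inherit
    EffectiveSmtpAuth       = $(if ($effective.Enabled) { 'Enabled' } else { 'Disabled' })
    DecidedBy               = $effective.Source
} | Format-List
```

These two switches are separate from the tenant's security defaults: a result of `Enabled` here does not mean a username-and-password SMTP login will be accepted if security defaults block legacy authentication, which is the situation described earlier in the thread.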