Problem getting auth type from Exchange server about exchangelib HOT 15 CLOSED

Just realized that the Exchange server is using Kerberos for authentication so I tried to add 'auth_type=GSSAPI' to the Configuration object but I get an error stating:

'auth_type' 'gssapi' must be one of ['CBA', 'NTLM', 'OAuth 2.0', 'basic', 'digest', 'no authentication']

from exchangelib.

You need to install exchangelib with Kerberos support for that to work. See https://ecederstrand.github.io/exchangelib/#installation and https://ecederstrand.github.io/exchangelib/#kerberos-and-sspi-authentication

from exchangelib.

I installed the exchangelib[sspi] package and that got me further but now the response is 'Error server busy' even after restarting the Exchange server and there are no throttling policies in place:

Waiting for _protocol_cache_lock
Protocol call cache miss. Adding key '('https:///EWS/Exchange.asmx', Credentials('company.com\john', '********'))'
Waiting for _version_lock
Asking server for version info using API version Exchange2016
Processing chunk 1 containing 1 items
Calling service ConvertId
Trying API version Exchange2016
Server : Increasing session pool size from 0 to 1
Server : Created session 93035
Server : Waiting for session
Server : Got session 93035
Session 93035 thread 7100 timeout 120: POST'ing to https:///EWS/Exchange.asmx after 0s sleep
Timeout: 120
Session: 93035
Thread: 7100
Auth type: <requests_negotiate_sspi.requests_negotiate_sspi.HttpNegotiateAuth object at 0x09AE4C28>
URL: https:///EWS/Exchange.asmx
HTTP adapter: <exchangelib.protocol.NoVerifyHTTPAdapter object at 0x09AE4BB0>
Streaming: False
Response time: 0.030999999999039574
Status code: 413
Request headers: {'User-Agent': 'exchangelib/5.4.0 (python-requests/2.31.0)', 'Accept-Encoding': 'gzip, deflate', 'Accept': '/', 'Connection': 'Keep-Alive', 'Content-Type': 'text/xml; charset=utf-8', 'Content-Length': '481'}
Response headers: {'Server': 'Microsoft-IIS/10.0', 'X-Powered-By': 'ASP.NET', 'X-FEServer': 'exVM', 'Date': 'Wed, 15 May 2024 18:33:18 GMT', 'Connection': 'close', 'Content-Length': '0'}
Request XML: b'\n<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types"><s:Header><t:RequestServerVersion Version="Exchange2016"/></s:Header><s:Body><m:ConvertId DestinationFormat="EntryId"><m:SourceIds><t:AlternateId Id="DUMMY" Format="EwsId" Mailbox="DUMMY"/></m:SourceIds></m:ConvertId></s:Body></s:Envelope>'
Response XML: b''
Server : Retiring session 93035
Server : Created session 49045
Server : Releasing session 49045
Got ErrorServerBusy (back off 10 seconds)

from exchangelib.

If you want GSSAPI auth, you need to install exchangelib as pip install exchangelib[kerberos]

from exchangelib.

I believe we want to use SSPI since the Exchange 2019 CU14 server has SChannel and Extended Protection enabled (as I'm told from the Exchange admin)

from exchangelib.

Ok. There's not a lot to work with here. The server just returns an empty HTTP 413 response and closes the connection.

I would suggest working with your Exchange admin to find out why the connection fails. There may be hints in the Exchange server logs.

from exchangelib.

Any idea what logs to look in for inbound connections? I noticed the error was 413 (Content Too Large)

from exchangelib.

No idea, sorry. I'm not an Exchange admin myself.

from exchangelib.

Closing because I don't think this is an issue with exchangelib itself. But please post the solution here if you find one, so others can benefit if they are having the same problem.

from exchangelib.

@ecederstrand if I'm correct exchangelib uses the requests module to issue requests to the Exchange server correct? If so do you know if that uses the CURL library under the covers? We had to recompile the CURL library with the option to support the implementation of Secure Channel and Extended Protection in Exchange 2019 CU14 in one of our other products. We were getting the same 413 errors before doing this with the standard CURL library.

https://support.microsoft.com/en-us/topic/cumulative-update-14-for-exchange-server-2019-kb5035606-5d08ad6d-3527-41c9-82b6-e19d3ddf94db

https://learn.microsoft.com/en-us/exchange/plan-and-deploy/post-installation-tasks/security-best-practices/exchange-extended-protection?view=exchserver-2019

from exchangelib.

requests does not use curl under the hood.

Installing exchangelib[sspi] will install the https://pypi.org/project/requests-negotiate-sspi/ package which adds SSPI auth for requests.

from exchangelib.

@ecederstrand yes I have that installed but does that handle the Secure Channel changes in CU14?

from exchangelib.

I don't know. You'll have to check with the authors of the requests-negotiate-sspi package.

from exchangelib.

@ecederstrand just trying to understand the flow. The initial request looks like it uses the python-requests package and not the requests-negotiate-sspi package - just wanted to make sure that was expected?

Request headers: {'User-Agent': 'exchangelib/5.4.0 (python-requests/2.31.0)', 'Accept-Encoding': 'gzip, deflate', 'Accept': '/', 'Connection': 'Keep-Alive', 'Content-Type': 'text/xml; charset=utf-8', 'Content-Length': '481'}

from exchangelib.

I don't know how those two packages cooperate internally. exchangelib doesn't do anything special except creating an instance of an HttpNegotiateAuth object when you specify SSPI aith:

from exchangelib.