Using Microsoft Exchange Online with OAuth authentication

As of the 9.5 release, NexJ Systems provides OAuth 2.0 token-based authentication with Microsoft Exchange Online for increased security, and as an alternative to Basic Authentication, which Microsoft will disable in the near future.

NexJ CRM acquires OAuth access tokens from the Azure Active Directory (AAD), which in turn, are submitted along with Exchange Web Services (EWS) requests for the authentication. The credentials of an AAD registered application, and a dedicated Exchange Online user, or service account, are embedded in the access token, and they are used by EWS and Exchange Online for authorization. Optionally, you can use Exchange Online permissions linked to the service account to control access to specific mailboxes.

The following environment is required for OAuth authentication:

• A dedicated Exchange Online user or service account
• A service account assigned the ApplicationImpersonation Exchange management role
• A registered application in AAD
• An application configured with the EWS.AccessAsUser.All delegated permission and client secret
• Modern Authentication enabled with Exchange Online

Setting up the NexJ CRM environment

To set up the NexJ CRM environment:

1. Add or configure the sender channel to be used for Exchange Online. An example is shown below and reference details are available at Channel settings for a NexJ CRM deployment with Exchange Online.

   CODE

   <HTTPConnection authComponent="rpc:System.Authentication.EXO" authentication="custom" channel="ExchangeEWSSender5" password="text:<client_secret>:<service_account_password>" secure="true" url="https://outlook.office365.com/ews/Exchange.asmx" user="<application_ID>:<service.account@domain.com>"/>

2. Add the exo.tokenURL property to the root element of the environment file. The tokenURL can be found in the AAD registered application. Only the object ID in the URL varies (121473f8-249c-4cd7-928f-7c4886979ca4). It is the tenant ID.

   CODE

   <Environment ... exo.tokenURL="https://login.microsoftonline.com/<application_ID>/oauth2/v2.0/token" ... >

3. Add Exchange Online as a synchronization target in accordance with the steps described at Adding synchronization targets for Exchange Server.

   Property	Value
   Host	outlook.office365.com
   Version	Exchange Online
   Method	Impersonation
   Subscription Type	Streaming
   EWS Sender	ExchangeEWSSender5 (should correspond with the sender channel created for Exchange Online)

4. Create links for users being set up for Exchange synchronization by following the steps described at Creating links to folders on the Exchange server.

5. If you are using an IBM WebSphere server, you must perform the following steps to import two certificates into the WebSphere container:

   

    WebSphere must have internet access to fetch the certificates.

   1. Log in to the IBM WebSphere administrative console.

   2. Expand Security and click SSL certificate and key management. Under Configuration settings, click Manage endpoint security configurations.

   3. Select the Outbound cell corresponding to "...(CellDefaultSSLSettings)" in your installation.

   4. Under Related Items, click Key stores and certificates and click the CellDefaultTrustStore key store.

   5. Import the certificate to WebSphere’s CellDefaultTrustStore for requests to Microsoft’s OAuth token URL (login.microsoftonline.com) by performing the following steps:

      1. Under Additional Properties, click Signer certificates and Retrieve From Port. 
      2. In the Host field, enter login.microsoftonline.com in the host name field. In the Port field, enter 443, and in the Alias field, enter login.microsoftonline.com_cert.
      3. Click Retrieve Signer Information. 
      4. Verify that the certificate information is for a certificate that you can trust.
      5. Click Apply and Save.

   6. Import the certificate to WebSphere’s CellDefaultTrustStore for interacting with Microsoft’s Exchange EWS service (outlook.office365.com) by performing the following steps:

      1. Under Additional Properties, click Signer certificates and Retrieve From Port. 
      2. In the Host field, enter outlook.office365.com in the host name field. In the Port field, enter 443, and in the Alias field, enter outlook.office365.com_cert.
      3. Click Retrieve Signer Information. 
      4. Verify that the certificate information is for a certificate that you can trust.
      5. Click Apply and Save.
   7. Restart all JVMs after the certificates import.

Related link

Channel settings for a NexJ CRM deployment with Exchange Online