- Exquilla License
- Exquilla Addon For Mozilla Thunderbird
- Exquilla Alternative
- Thunderbird Exchange Addon
- Exquilla License Free
Thunderbird is a free email application that’s easy to set up and customize - and it’s loaded with great features! To help minimize the disadvantages, you can use the Microsoft Azure AD Authentication Library (ADAL) to authenticate users to Active Directory Domain Services (AD DS) in the cloud or on-premises and then obtain access tokens for securing calls to an Exchange server.
-->Find information to help you choose the right authentication standard for your EWS application that targets Exchange.
Authentication is a key part of your Exchange Web Services (EWS) application. Exchange Online, Exchange Online as part of Office 365, and on-premises versions of Exchange starting with Exchange Server 2013 support standard web authentication protocols to help secure the communication between your application and the Exchange server.
If you're targeting Exchange Online, the authentication method that you choose must use HTTPS to encrypt the requests and responses that your application sends. Although you can use HTTP with Exchange on-premises servers, we recommend that you use HTTPS for any request that your application sends to an EWS endpoint to help secure communication between your application and an Exchange server.
Exchange provides the following authentication options for you to choose from:
OAuth 2.0 (Exchange Online only)
NTLM (Exchange on-premises only)
Basic (no longer recommended)
The authentication method that you choose depends on the security requirements of your organization, whether you are using Exchange Online or Exchange on-premises, and whether you have access to a third-party provider that can issue OAuth tokens. This article provides information that will help you select the authentication standard that's right for your application.
OAuth authentication
We recommend that all new applications use the OAuth standard to connect to Exchange Online services. The advantage in security over basic authentication is worth the additional work required to implement OAuth in your application. For the record, however, there are also some disadvantages that you should be aware of.
Table 1. Advantages and disadvantages of using OAuth
| Advantages | Disadvantages |
|---|---|
| OAuth is an industry-standard authentication protocol. Authentication is managed by a third-party provider. Your application does not have to collect and store the Exchange credentials. Fewer worries for you, because your application only receives an opaque token from the authentication provider; therefore, a security breach in your application can only expose the token, not the user's Exchange credentials. | OAuth relies on a third-party authentication provider. This can impose additional costs on your organization or your customers. The OAuth standard is more difficult to implement than basic authentication. To implement OAuth, you need to integrate your application with both the authentication provider and the Exchange server. |
To help minimize the disadvantages, you can use the Microsoft Azure AD Authentication Library (ADAL) to authenticate users to Active Directory Domain Services (AD DS) in the cloud or on-premises and then obtain access tokens for securing calls to an Exchange server. Exchange Online requires tokens issued by the Azure Active Directory service, which is supported by the ADAL; however, you can use any third-party library.
To learn more about using OAuth authentication in your EWS application, see the following resources:
Office 365 trial, to set up an Exchange server to use to test your client application.
Configure Azure Active Directory, to enable your application to use OAuth tokens for authentication.
Review the sample code in Authenticate an EWS application by using OAuth for example code that you can study.
NTLM authentication
NTLM authentication is only available for Exchange on-premises servers. For applications that run inside the corporate firewall, integration between NTLM authentication and the .NET Framework provides a built-in means to authenticate your application.
Table 2. Advantages and disadvantages of using NTLM authentication
| Advantages | Disadvantages |
|---|---|
| Works 'out of the box' with your Exchange server. You can configure access to Exchange services by using an Exchange Management Shell cmdlet. Uses the .NET Framework CredentialCache object to automatically get the user's credentials. Code samples are available that use the logged on user's credentials for authentication to an on-premises Exchange server. | Users must be logged on to a domain to use NTLM authentication. It can be difficult to access email accounts that are not associated with the user's domain account. Service applications must have a domain account to take advantage of NTLM authentication. |
Basic authentication
Basic authentication provides a, well, basic level of security for your client application. We do recommend that all new applications use either NTLM or the OAuth protocol for authentication; however, basic authentication can be the correct choice for your application in some circumstances.
Table 3. Advantages and disadvantages of using basic authentication
| Advantages | Disadvantages |
|---|---|
| Works 'out of the box' with your Exchange server. You can configure access to Exchange services by using an Exchange Management Shell cmdlet. Windows applications can use the logged on user's default credentials. Many code samples are available that show you how to call EWS using basic authentication. | Requires your application to collect and store the user's credentials. You have to turn off NTLM authentication if you want to force all users to use basic authentication. If a security breach occurs in your application, it can expose the user's email address and password to the attacker. |
You need to decide if basic authentication meets the security requirements of your organization and customers. Basic authentication can be the right choice if you want to avoid extensive setup tasks, for example for simple test or demonstration applications.
Note
Basic authentication is no longer supported for EWS to connect to Exchange Online. Use OAuth authentication in all your new or existing EWS applications to connect to Exchange Online. OAuth authentication for EWS is only available in Exchange Online as part of Microsoft 365. EWS applications that use OAuth must be registered with Azure Active Directory first.
See also
-->The Autodiscover service minimizes user configuration and deployment steps by providing clients access to Exchange features. For Exchange Web Services (EWS) clients, Autodiscover is typically used to find the EWS endpoint URL. However, Autodiscover can also provide information to configure clients that use other protocols. Autodiscover works for client applications that are inside or outside firewalls and in resource forest and multiple forest scenarios.
Exchange 2016 introduced changes to services that were previously handled by the multiple servers. The Mailbox server now provides Client Access services, so you can't configure a standalone Client Access server like you could in previous versions of Exchange. Autodiscover service in Exchange 2016 and Exchange 2019 is possible because:
Exchange creates a virtual directory named
autodiscoverunder the default web site in Internet Information Services (IIS).Active Directory stores and provides authoritative URLs for domain-joined computers.
Client Access services on Mailbox servers provide authentication and proxy services for internal and external client connections.
Outlook configures services with only the username and password.
Note
If you are a user looking for help with connecting your Outlook client to your Exchange server, see Outlook email setup.
Autodiscover services and Active Directory
Exchange stores in Active Directory the configuration of Exchange servers in the organization as well as information about your users' mailboxes. Before you install Exchange Server, you need to prepare your Active Directory forest and its domains. If you aren't familiar with Exchange forests or domains, see Step 3: Prepare Active Directory domains.
Exchange automatically creates at installation the virtual directory autodiscover in IIS, the frontend Client Access services web site that clients connect to. This allows Outlook to discover the Exchange mailbox settings so that users don't have to deal with manually configuring advanced settings.
The SCP object is also created in Active Directory at the same time as the Autodiscover service virtual directory. The SCP stores and provides authoritative URLs of the Autodiscover service for domain-joined computers.
You need to update the SCP object to point to the Exchange server. This is necessary because Exchange servers provide additional Autodiscover information to clients to improve the discovery process. You can use the Set-ClientAccessService cmdlet to update the SCP object. For more information, see Set-ClientAccessService.
Important
You need to be assigned permissions before you can run the Set-ClientAccessService cmdlet. To find the permissions required to run any cmdlet or parameter in your organization, see Find the permissions required to run any Exchange cmdlet.
Autodiscover makes it easy to retrieve the information that you need to connect to mailboxes on Exchange servers. SCP objects locate those Autodiscover servers or endpoints appropriate for the user you're retrieving settings for. And SCP objects in AD DS provide an easy way for domain-joined clients to look up Autodiscover servers.
Exchange publishes two types of SCP objects for the Autodiscover service:
SCP pointers: Contains information that points to specific LDAP servers that should be used to locate Autodiscover SCP objects for the user's domain. SCP pointers are stamped with the following GUID: 67661d7F-8FC4-4fa7-BFAC-E1D7794C1F68.
SCP URLs: Contains URLs for Autodiscover endpoints. SCP URLs are stamped with the following GUID: 77378F46-2C66-4aa9-A6A6-3E7A48B19596
The SCP object contains the authoritative list of Autodiscover service URLs for the forest. To learn more about locating Autodiscover service endpoints, see Generate a list of Autodiscover endpoints.
Client connectivity in Exchange 2016 and Exchange 2019 is like Exchange 2013 and differs from Exchange 2010. In Exchange 2016 and 2019, MAPI over HTTP is enabled by default, when previously Outlook clients used Outlook Anywhere (RPC over HTTP). Exchange 2016 and 2019 require fewer name spaces for site-resilient solutions than Exchange 2010, reducing to two from the previously required seven namespaces. To read more about namespace and Exchange Server, see the blog Namespace Planning in Exchange 2016.
Depending on whether you configured the Autodiscover service on a separate site, the Autodiscover service URL will be either of the following values, where //<SMTP-address-domain> is the primary SMTP domain address:
https://<SMTP-address-domain>/autodiscover/autodiscover.xmlhttps://autodiscover.<smtp-address-domain>/autodiscover/autodiscover.xml
For example, if the user's email address is tony@contoso.com, the primary SMTP domain address is contoso.com.
Client applications use the Autodiscover service when the application starts for the first time. For example when an Exchange Web Services (EWS) application starts for the first time, the application configures itself using the Autodiscover service. For a user's computer joined to the contoso.com domain and in the Longview regional Active Directory site, the application generates the list of these Autodiscover service endpoints:
| Endpoint | Generated by |
|---|---|
| https://longview.contoso.com/autodiscover/autodiscover.xml | SCP results |
| https://email.contoso.com/autodiscover/autodiscover.xml | SCP results |
| https://newark.contoso.com/autodiscover/autodiscover.xml | SCP results |
| https://contoso.com/autodiscover/autodiscover.exc | Derived from email address |
| https://autodiscover.contoso.com/autodiscover/autodiscover | Derived from email address |
Exquilla License
For more information about SCP objects, see Publishing with Service Connection Points.
Autodiscover in DNS
Exchange introduced namespace requirements for Autodiscover in Exchange 2010 and certificates required several of them. In a server resilience scenario, all of these elements were required:
Primary datacenter IP namespace
Secondary datacenter IP namespace
Primary Outlook Web App failback namespace
Secondary Outlook Web App failback namespace
Transport namespace (for SMTP)
Primary datacenter RPC Client Access namespace
Secondary datacenter RPC Client Access namespace
Exquilla Addon For Mozilla Thunderbird
Server resiliency scenarios have been improved, reducing the five namespaces to two. This is because Exchange no longer needs the RPC Client Access namespaces and Client Access services proxy requests to the Mailbox server that is hosting the active Mailbox database. A Mailbox server in one Active Directory site can proxy a session to a another Active Directory site's Mailbox server.
What this means is that unique namespaces are no longer required for each datacenter. For example, instead of mail.contoso.com and mail2.contoso.com, you only need a single namespace, mail.contoso.com, for the datacenter pair. Additionally, failback namespaces are no longer needed in Database Availability Groups (DAG) activation scenarios.
Autodiscover is simple to set up for your domain because it only requires that you create a CNAME resource record in your external (public) DNS. CNAME records let you hide the implementation details of your network from the clients that connect to it. Used internally in your network, CNAME records allow users to use the simpler URI mail.domain.com instead of host.examplemachinename.domain.com.
A CNAME or canonical name record is the DNS equivalent to a Windows shortcut or an Apple Mac alias. A CNAME record is an alias for an Address (A) record that maps an IP address to the target server. If, for example, your domain is contoso.com, you create a CNAME record for autodiscover.contoso.com. The name in the CNAME record must match a name in a certificate. CNAME records work only for hostnames. CNAMEs work externally, but they don't replace the URL in the browser bar. When the certificate is checked against the URL, you get a failure with a warning, but you can still access the service.
A typical CNAME record looks like this:
Name: autodiscover
TTL: 3600
RR Type: CNAME
Target: The externally accessible FQDN of the Mailbox server (for example, mail.contoso.com)
In this example, autodiscover.contoso.com resolves to mail.contoso.com. For more information, see Step 4: Configure external URLs in Configure mail flow and client access on Exchange servers.
We recommend that you create an Autodiscover CNAME record for every domain on your account, including domain aliases and accepted domains. You need to create either a CNAME or SRV record where your domain is hosted. Only then you can synchronize your offline address book, show free/busy information and enable the Out of office feature in Outlook.
Service (SRV) resource records let you specify the location of the servers for a specific service, protocol, and DNS domain. For example, if you have two Web servers in your domain, you can create SRV resource records indicating which hosts serve as Web servers. Resolvers can then retrieve all the SRV resource records for the Web servers.
A typical SRV record looks like this:
Service: _autodiscover
Protocol: ._tcp
Port Number: 443
Host: mail.contoso.com
Priority: 0
Weight: 0
In this example, the Outlook server namespace is mail.contoso.com.
Read more about CNAME and SRV records in the Exchange team blog, Namespace planning in Exchange 2016.
Exquilla Alternative
Autodiscover services in Outlook
With only the user credentials, the Outlook client can authenticate to Active Directory and search for the Autodiscover SCP objects. After the client obtains and enumerates the instances of the Autodiscover service, the client connects to the Client Access (frontend) services on the first Mailbox server in the enumerated list. The client then collects the profile information in the form of XML data that's needed to connect to the user's mailbox and available Exchange features.
Note
Depending on your DNS provider's requirements, you may need to add the fully qualified domain name (FQDN) as your hostname. In that case, if your domain is contoso.com, then your hostname would be autodiscover.contoso.com, not autodiscover.com.
You need to set up a special DNS record for your domain name that points to the server providing Autodiscover services so that Exchange accounts function correctly in Outlook. For external access, or using DNS, the client locates the Autodiscover service on the Internet by using the primary SMTP domain address from the user's email address.
The Autodiscover service uses one of these four methods to configure the email client. The first two work for small, single SMTP namespace organizations. The last two serve multiple-SMTP namespaces.
Connect to: https://contoso.com/AutoDiscover/AutoDiscover.xml
Connect to: https://autodiscover.contoso.com/AutoDiscover/AutoDiscover.xml
Autodiscover redirect URL for redirection: http://autodiscover.contoso.com/autodiscover/autodiscover.xml
Search for DNS SRV record
Some of the hostnames and URLs can be configured by using the Exchange admin center (EAC) and the Exchange Management Shell, while others require that you use PowerShell. You can learn more about that in Configure mail flow and client access.
Through the Autodiscover service, Outlook finds a new connection point made up of the user's mailbox. That is, Autodiscover uses the identification made up of a GUID, plus @, and the domain portion of the user's primary SMTP address. The Autodiscover service returns the following information to the client:
User's display name
Separate connection settings for internal and external connectivity
Location of the user's mailbox (the Mailbox server that currently holds the active copy of the mailbox)
URLs for various Outlook features that govern functionality such as free/busy information, Unified Messaging (UM) in Exchange 2016 (but not in Exchange 2019), and the offline address book (OAB)
Outlook Anywhere server settings
You'll need to make sure that you have configured the correct external URLs for the virtual directories of the following services. The examples in the table that follows show values required for the contoso.com email domain.
| Service | Exchange Management Shell | Modifies |
|---|---|---|
| Offline Address Book | Get-OabVirtualDirectory | Set-OabVirtualDirectory -ExternalURL https://mail.companycontoso.com/oab | OAB virtual directories used in IIS |
| Exchange Web Sevices | Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -ExternalURL https://mail.companycontoso.com/ews/exchange.asmx | Exchange Web Services virtual directories in IIS |
| Outlook Anywhere (RPC over HTTP) | Get-OutlookAnywhere | Set-OutlookAnywhere -ExternalHostname mail.contoso.com -ExternalClientsRequireSsl $true | Outlook Anywhere virtual directories in IIS |
| Messaging Application Programming Interface (MAPI) over HTTP (Exchange 2013 SP1 or later) | Get-MapiVirtualDirectory | Set-MapiVirtualDirectory -ExternalURL https://mail.companycontoso.com/mapi
| MAPI virtual directories in IIS |
Click the Service name in the preceding table for more information about how to obtain or reconfigure these URLs.
When a user's Exchange information changes, Outlook uses the Autodiscover service to automatically reconfigure the user's profile. For example, if a user's mailbox is moved. or the client can't connect to the user's mailbox or to available Exchange features, Outlook will contact the Autodiscover service and automatically update the user's profile to include the information that's required to connect to the mailbox and Exchange features.
Other clients
Autodiscover service the preferred method to locate all services in Skype for Business Server 2015 . When a connection is successful, the Autodiscover service returns all the Web Services URLs for the user's home pool, including the Mobility Service (known as Mcx by the virtual directory created for the service in IIS), Lync Web App and Web scheduler URLs. However, both the internal Mobility Service URL and the external Mobility Service URL is associated with the external Web Services FQDN. Therefore, regardless of whether a mobile device is internal or external to the network, the device always connects to the Mobility Service externally through reverse proxy. The Autodiscover service also returns references to Internal/UCWA, External/UCWA and UCWA. These entries refer to the Unified Communications Web API (UCWA) web component.
Thunderbird Exchange Addon
Configure Autodiscover services
Autodiscover works for client applications inside and outside firewalls and in resource forest and multiple forest scenarios. For EWS clients, Autodiscover is typically used to find the EWS endpoint URL, but Autodiscover can also provide information to configure clients that use other protocols.
When you install Exchange Server, a self-signed certificate that's created and signed by the Exchange server is automatically installed on the server. However, you can also create additional self-signed certificates that you can use for other services.
Creating a certificate request is the first step in installing a new certificate on an Exchange server to configure Transport Layer Security (TLS) encryption for one or more Exchange services. You use a certificate request (also known as a certificate signing request or CSR) to obtain a certificate from a certification authority (CA). For more information, see the following topics:
Exquilla License Free
Note
You can confirm your Autodiscover service by using the Microsoft Remote Connectivity Analyzer. When the connectivity is successful, also select and run the Outlook Connectivity test. If that fails, you may need to configure the external URLs in Exchange. The results from the Microsoft Remote Connectivity Analyzer should explain why connectivity failed. Generally, a connectivity failure means that you don't have the correct external URLs configured for the virtual directories of the various Outlook services.
Manage Autodiscover services
In deployments where clients connect to multiple Exchange servers, the Autodiscover SCP object is created for the (frontend) Client Access services on each Mailbox server. The SCP object contains the ServiceBindingInfo attribute with the FQDN of the Exchange server that the client connects to in the form of https://<ExchangeServer>/autodiscover/autodiscover.xml (for example, https://cas01/autodiscover/autodiscover.xml).
You can run the Exchange ActiveSync Autodiscover and Outlook Autodiscover tests in the Microsoft Remote Connectivity Analyzer. If the user is using a local wireless network to connect to Exchange Online, the user should run both tests to make sure that the local network allows for connections to the ActiveSync endpoints.
You can get help for planning and deploying Autodiscover services as part of your Exchange deployment in Planning and deployment for Exchange Server.