This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

EAS Proxy PowerShell mode - Authentication

Our SMC EAS PowerShell mode proxy appears to have stopped working.

We performed an upgrade to v9.7.3 to resolve Log4j vulnerabilities and performed tests to ensure it was working after the upgrade. (Made a device non compliant, which disabled mail sync as expected, we then made the device compliant again, and mail sync was re-enabled)

Lately new devices enrolled are not able to sync mail.

We have investigated and found that the server seems unable to connect to the Microsoft platform to execute the PowerShell commands to change the settings for user devices.

Reports suggest that Microsoft have disabled basic authentication for Exchange Online PowerShell access.

We are unable to find any documentation from Sophos that refers to using Modern Authentication, which we understand is now required to make EO PowerShell connections.

We have upgraded to the current release 9.7.5 to see if this improves the situation but there is no change.

2022-02-16 15:48:46.338 [Timer-2] INFO PowershellEASProxyInstance_EAS01 - Starting Office 365 Task
2022-02-16 15:48:46.338 [Timer-0] INFO com.sophos.mobilecontrol.easproxy.server.EASProxyService - Memory statistics: free: 59.43 MB, max: 946.00 MB, total: 77.00 MB
2022-02-16 15:48:46.354 [Timer-0] INFO com.sophos.mobilecontrol.easproxy.server.EASProxyService - Running EAS Proxy - version 9.7.5 (rev 47474731e0cf2da644c2a7532002b41d8ff8cb46)
2022-02-16 15:49:00.449 [Timer-2] ERROR PowerShell_EAS01 - Error executing Login command: New-PSSession : [] Connecting to remote server failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.At line:1 char:12+ $session = New-PSSession -ConfigurationName Microsoft.Exchange -Conne ...+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : OpenError: (System.Manageme....RemoteRunspace:Re moteRunspace) [New-PSSession], PSRemotingTransportException + FullyQualifiedErrorId : AccessDenied,PSSessionOpenFailedImport-PSSession : Cannot validate argument on parameter 'Session'. The argument is null. Provide a valid value for the argument, and then try running the command again.At line:1 char:18+ Import-PSSession $session+ ~~~~~~~~ + CategoryInfo : InvalidData: (:) [Import-PSSession], ParameterBi ndingValidationException + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.Power Shell.Commands.ImportPSSessionCommand
2022-02-16 15:49:00.449 [Timer-2] ERROR PowershellEASProxyInstance_EAS01 - The login via Powershell failed. Please ensure the following: This machine is able to connect to the specified host. The proxy settings are setup correctly. The host certificate is trusted. The credentials of the service user are correct.
2022-02-16 15:49:00.449 [Timer-2] ERROR PowershellEASProxyInstance_EAS01 - Office 365 Task failed Error executing command

This thread was automatically locked due to age.
  • Microsoft sign in logs report that the login fails because of invalid username or password.

    We have successfully managed to establish a remote PS Session from PowerShell running on the EAS server. This rules out any changes made by Microsoft to disable basic authentication (although this change is coming).

    This has been performed with credentials temporarily held in a text document in Notepad, and the credentials have been copied and pasted from here to the Get-Credential dialog presented. 

    We have run the EAS Proxy configuration wizard, entering the credentials in the same way, which should eliminate any issues with typing the username or password as being the issue.

    We have also changed the password for the user account to make the password less complex, to ensure that it is not an issue with the length or complexity of the password. The current password only contains alphanumeric values.

    It seems that the issue is with the way that the EAS proxy is storing or sending these when attempting to establish the connection.