How to use MFCMAPI to create a MAPI profile to connect to Office 365
I helped in a case recently where the customer needed to use Exchange’s MAPI to connect to Office 365. Now that Exchange’s MAPI supports RPC over HTTP (ROH) this is possible. I used my other post on connecting to Exchange 2013 as a base template and then just changed some things to connect. Here are the things that changed and some important notes along the way. Note: This is instructions for configuring Exchange’s MAPI to connect to Office 365. It will not work for Outlook’s MAPI.
First, Office 365 uses basic authentication over Secure Sockets Layer (SSL) for authentication. Therefore, I had to change the following properties to tell Exchange’s MAPI to use the right authentication protocol.
Property: PR_PROFILE_RPC_PROXY_SERVER_AUTH_PACKAGE |
Value: RPC_C_HTTP_AUTHN_SCHEME_BASIC (0x1) |
Property: Instructs the MAPI subsystem to use Basic authentication when connecting to the RPC Proxy Server |
Property: PR_PROFILE_RPC_PROXY_SERVER_FLAGS |
Value: ROHFLAGS_USE_ROH (0x1) | ROHFLAGS_SSL_ONLY (0x2) |
Property: Instructs the MAPI subsystem to use RPC over HTTP and to use SSL |
Property: PR_PROFILE_AUTH_PACKAGE |
Value: RPC_C_AUTHN_NONE (0x0) |
Property: This property governs the authentication protocol that RPC uses. |
Now here is where it gets tricky. Basic authentication requires a username, password and realm / domain. However, the credential prompt present in Exchange’s MAPI did not allow me to specify the credentials needed for the tenant. This was because Office 365 does not support NetBIOS domain names and the tenant’s domain name was too long to fit in the edit box for username. Therefore, I had to specify the username and password in the profile. *** The password property for the profile requires that I encrypt the password and store the encrypted password as a stream of bytes (PT_BINARY). MFCMAPI does not currently support the ability to create this property in that way so I had to write a small little program to do it. Once I had that written, I set the properties as follows.
Property: PR_PROFILE_AUTH_USER_W |
Value: The User Principal Name (UPN) of a user who has access to the mailbox. For example, Jeremy@contoso.onmicrosoft.com |
Property: PR_PROFILE_AUTH_PASSWORD |
Value: The encrypted password |
The data returned from the call to CryptProtectData() Crypto API then stored as a SBinary |
As far as the rest of the properties are concerned, they follow the same convention that I outlined in my previous post for Exchange 2013. The value of the RPC_PROFILE_RPC_PROXY_SERVER property is outlook.office365.com. The value of the property PR_PROFILE_UNRESOLVED_SERVER is the personalized server name. For example, <guid>@contoso.onmicrosoft.com. These settings can be retrieved using Autodiscover as I described before.
*** [Edit: 3/18/2014] This is not really true. I believe the issue is that if you don't specify the username and password in the profile upon initial connection to the proxy server no credentials will be passed. Once you are in this error state there is really no way to recover. Therefore, if you are using Basic Authentication you must specify the username and password in the profile.
Comments
Anonymous
July 16, 2013
Nice article!!Anonymous
August 26, 2014
Hi Dave, First of all, congratulations for the article. I am attempting to open an Office365 mailbox using the MFCMAPI and ExchangeMAPICDO. I follow the instructions of this article but I still in trouble to open the user mailbox. Is there any Additional profile property you had to configure to be able to connect with Exchange Online? I am setting the following properties (PR_PROFILE_UNRESOLVED_NAME, PR_PROFILE_UNRESOLVED_SERVER, PR_PROFILE_RPC_PROXY_SERVER, PR_PROFILE_RPC_PROXY_SERVER_FLAGS, PR_PROFILE_RPC_PROXY_SERVER_AUTH_PACKAGE, PR_PROFILE_AUTH_PACKAGE. PR_PROFILE_CONNECT_FLAGS , PR_PROFILE_AUTH_PACKAGE PR_PROFILE_AUTH_USER_W and PR_PROFILE_AUTH_PASSWORD). MFCMAPI dialog shows "The operation could not be completed because one or more parameters are incorrect. Contact MS Tech. support" Thank you in advance,Anonymous
October 07, 2014
Hi Jaquinei, Sorry about this I just found your comment. I believe you opened a support case on this. Is it resolved? If so, please post the resolution here for others.Anonymous
May 11, 2015
How to set PR_PROFILE_AUTH_USER_W and PR_PROFILE_AUTH_PASSWORD, as I believe, Mapi does support it?Anonymous
June 16, 2015
Hi Dave, Thanks for the detailed steps. Unfortunately we are tied to using Outlook MAPI, and would love to be able to create a profile that auto-populates credentials to prevent the credential dialog from showing. Our product is a server product and no UI is ever shown. We create a Windows account, then a MAPI profile, apply the GPO to populate proxy configuration settings, and login to the MAPI profile programmatically without a user ever needing to physically login to the machine. This works well, except for when Basic Authentication is used with RPC over HTTP due to the password dialog. GPO's we use are here: support.microsoft.com/.../2426686 I have read here that populating the Credential Manager is possible, but not supported: blogs.msdn.com/.../outlook-and-the-credential-manager.aspx The following thread suggests that you may have some steps that will work with Outlook MAPI: peach.ease.lsoft.com/.../wa-PEACH.exe If this is true would you be able to post them? Thanks very much! -StuartAnonymous
June 16, 2015
Hi Dave, Thanks for the detailed steps. Unfortunately we are tied to using Outlook MAPI, and would love to be able to create a profile that auto-populates credentials to prevent the credential dialog from showing. Our product is a server product and no UI is ever shown. We create a Windows account, then a MAPI profile, apply the GPO to populate proxy configuration settings, and login to the MAPI profile programmatically without a user ever needing to physically login to the machine. This works well, except for when Basic Authentication is used with RPC over HTTP due to the password dialog. GPO's we use are here: support.microsoft.com/.../2426686 I have read here that populating the Credential Manager is possible, but not supported: blogs.msdn.com/.../outlook-and-the-credential-manager.aspx The following thread suggests that you may have some steps that will work with Outlook MAPI: peach.ease.lsoft.com/.../wa-PEACH.exe If this is true would you be able to post them? Thanks very much! -StuartAnonymous
October 13, 2015
Hi Peter, is this still working for Office 365 ? Since last week I am not able to establish a connection to my office 365 with this method. I keep getting the error "MAPI_E_VERSION == 0x80040110" (actually I am able to list the msg stores in mfcmapi, but when I click on one of them I get the error). Before that everything was working fine (I didn't change anything on the profile). I am using the MAPI CDO for exchange for the connection.Anonymous
October 14, 2015
Hi Rimes, As Office 365 moves to the Exchange 2016 code base you will no longer be able to use MAPI CDO. I will blog about this soon but in the meantime you can refer to my earlier post. blogs.msdn.com/.../exchange-2016-mapi-cdo-not-supported.aspx- Anonymous
April 05, 2016
Yes, please document the steps how to create a profile for Exchange Online / Office 365 based on Outlook MAPI. Outlook 2010 and 2013 would be preferred on my side as MAPI of Outlook 2016 got very slow when used against On-Prem Exchange.- Anonymous
April 19, 2016
Hi,I have already documented how to connect toOffice 365 and Exchange On-Premises from Outlook's MAPI.- Anonymous
April 19, 2016
Missed that. Still no way to set the user name and password for basic auth from code?Got it working for Outlook 2013 with a generic windows credential. But Outlook 2010 does not use it, and pop ups a logon dialog.
- Anonymous
- Anonymous
- Anonymous