Maintain control of your Microsoft 365 data
kristofpoppe
Veeam Vanguard
Posts: 72
Liked: 13 times
Joined: May 18, 2012 1:19 pm
Full Name: Kristof Poppe
Contact:

Restore questions with MFA

Post by kristofpoppe »

Hi all,

We're playing around with the MFA capabilities.
Automatic creation of app and certificates is quite straightforward and easy to use.
We were successful in creating a good backup, but.... when we try to restore to the original user's mailbox (with modern auth and the app ID + devicelogin), we get the message: Cannot open 'targetmailboxname' Failed to access mailbox, Mailbox does not exist.

Although, the mailbox exists. We tested 2 cases (user's mailbox and shared mailbox, both with same error)
The account used for the backup (successful) and restore is the tenant admin.

Can somebody give us a direction?

The Explorer logs show us the following:

14/09/2020 19:53:02   29 (6804) Token found with the following permissions: Directory.Read.All, EWS.AccessAsUser.All, offline_access
14/09/2020 19:53:03   29 (6804) Token found with the following permissions: EWS.AccessAsUser.All, offline_access
14/09/2020 19:53:03   29 (6804) Validating if any of the required roles (Global administrator, Exchange administrator) is assigned to the current user: admin@manoirdunotaire.be...
14/09/2020 19:53:03   29 (6804)   Required roles successfully validated
14/09/2020 19:53:08   24 (4568) Initializing Exchange Web Services...
14/09/2020 19:53:08   24 (4568) Connecting to Exchange Web Services (server: outlook.office365.com, account: , ID: 7ac28b99-b7c9-4ab1-87c6-57e2819520a4)...
14/09/2020 19:53:08   24 (4568) Microsoft Exchange Web Services binding path: https://outlook.office365.com/EWS/Exchange.asmx
14/09/2020 19:53:08   24 (4568)   Opening root folder using impersonation...
14/09/2020 19:53:08   24 (4568) Error: Cannot open mailbox: info@domainname.com.
14/09/2020 19:53:08   24 (4568) Type: System.Exception
14/09/2020 19:53:08   24 (4568) Stack:
14/09/2020 19:53:08   24 (4568)    at Veeam.Exchange.Restore.Restore.ExchangeConnection.OpenSpecialMailboxFolders(IEwsHolder ews, IExMailbox mailbox, IRestoreConfig config, String targetEmail)
   at Veeam.Exchange.Restore.Restore.ExchangeConnection.OpenSpecialMailboxFoldersWithImpersonation(IEwsHolder ews, IExMailbox mailbox, IRestoreConfig config)
14/09/2020 19:53:08   24 (4568) Error: Failed to access mailbox.
14/09/2020 19:53:08   24 (4568) Type: Veeam.Ews.Internal.ExServerCodeException
14/09/2020 19:53:08   24 (4568) Stack:
14/09/2020 19:53:08   24 (4568)    at Veeam.Ews.ExError.Throw(SoapException soap, String format, Object[] args)
   at Veeam.Ews.ExError.Catch(Action action, String format, Object[] args)
   at Veeam.Ews.ExError.Catch[T](Func`1 func, String format, Object[] args)
   at Veeam.Ews.ExMailbox.GetWellKnownFolder(String mail, DistinguishedFolderIdNameType id, IReadOnlyDictionary`2 requestProps, CancellationToken cancel)
   at Veeam.Ews.ExMailbox.GetMsgRootFolder(IReadOnlyDictionary`2 requestProps)
   at Veeam.Exchange.Restore.Restore.Retry.ExMailboxRetry.GetMsgRootFolder(IReadOnlyDictionary`2 requestProps)
   at Veeam.Exchange.Restore.Restore.ExMsgRootFolderProviderExtension.GetMsgRootFolder[T](IExMsgRootFolderProvider`1 mailbox, Boolean& canBeGroupMailbox)
   at Veeam.Exchange.Restore.Restore.ExchangeConnection.GetMsgRootFolderWithImpersonation(IEwsHolder ews, IExMailbox mailbox, IRestoreConfig config)
   at Veeam.Exchange.Restore.Restore.ExchangeConnection.OpenSpecialMailboxFolders(IEwsHolder ews, IExMailbox mailbox, IRestoreConfig config, String targetEmail)
14/09/2020 19:53:08   24 (4568) Error: The account does not have permission to impersonate the requested user.
14/09/2020 19:53:08   24 (4568) Type: System.Web.Services.Protocols.SoapException
14/09/2020 19:53:08   24 (4568) Stack:
14/09/2020 19:53:08   24 (4568)    at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
   at System.Web.Services.Protocols.SoapHttpClientProtocol.EndInvoke(IAsyncResult asyncResult)
   at EWServices.ExchangeServiceBinding.EndGetFolder(IAsyncResult asyncResult)
   at Veeam.Ews.ExMailbox.GetFolder(GetFolderType gf, CancellationToken cancel)
   at Veeam.Ews.ExMailbox.GetFolder(BaseFolderIdType id, IReadOnlyDictionary`2 requestProps, CancellationToken cancel)
   at Veeam.Ews.ExError.<>c__DisplayClass7_0`1.<Catch>b__0()
   at Veeam.Ews.ExError.Catch(Action action, String format, Object[] args)
14/09/2020 19:53:08   24 (4568)   Opening root folder without impersonation...
14/09/2020 19:53:08   24 (4568) Connection 7ac28b99-b7c9-4ab1-87c6-57e2819520a4 is closed
14/09/2020 19:53:08   24 (4568) Error: Cannot open mailbox: info@domainname.com.
14/09/2020 19:53:08   24 (4568) Type: System.Exception
14/09/2020 19:53:08   24 (4568) Stack:
14/09/2020 19:53:08   24 (4568)    at Veeam.Exchange.Restore.Restore.ExchangeConnection.OpenSpecialMailboxFolders(IEwsHolder ews, IExMailbox mailbox, IRestoreConfig config, String targetEmail)
   at Veeam.Exchange.Restore.Restore.ExchangeConnection.OpenSpecialMailboxFoldersWithImpersonation(IEwsHolder ews, IExMailbox mailbox, IRestoreConfig config)
   at Veeam.Exchange.Restore.Restore.ExchangeConnection.InitSpecialFolders(IEwsHolder ews, IRestoreConfig config)
   at Veeam.Exchange.Restore.Restore.ExchangeConnection..ctor(EwsPool ewsPool, IRestoreConfig config)
   at Veeam.Exchange.Restore.Restore.ExchangeConnectionFactory.CreateFromAuthenticator(IRestoreConfig restoreConfig, IEwsAuthenticator ewsAuthenticator, String defaultImpersonateAs)
   at Veeam.Exchange.Restore.Restore.ExchangeConnectionFactory.LogDecorator(Func`1 factoryMethod)
   at Veeam.Exchange.Restore.EWS.EwsConnectionFactory.CreateExchangeConnection(IRestoreConfig restoreConfig, CancellationToken cancel)
   at Veeam.Exchange.Explorer.Dialogs.ConnectionValidator.Validate(Action checkCancel)
   at Veeam.Presentation.SafeExecuteCall.Execute(Func`2 action, Action checkCancel, IMessageService messageService)
14/09/2020 19:53:08   24 (4568) Error: Failed to access mailbox.
14/09/2020 19:53:08   24 (4568) Type: Veeam.Ews.Internal.ExServerCodeException
14/09/2020 19:53:08   24 (4568) Stack:
14/09/2020 19:53:08   24 (4568)    at Veeam.Ews.ExError.Throw(ExServerCodeException error, String format, Object[] args)
   at Veeam.Ews.ExError.Catch(Action action, String format, Object[] args)
   at Veeam.Ews.ExError.Catch[T](Func`1 func, String format, Object[] args)
   at Veeam.Ews.ExMailbox.GetWellKnownFolder(String mail, DistinguishedFolderIdNameType id, IReadOnlyDictionary`2 requestProps, CancellationToken cancel)
   at Veeam.Ews.ExMailbox.CheckAccountMailboxExistance()
   at Veeam.Exchange.Restore.Restore.ExchangeConnection.GetMsgRootFolder(IEwsHolder ews, IExMailbox mailbox, IRestoreConfig config, Boolean impersonate)
   at Veeam.Exchange.Restore.Restore.ExchangeConnection.OpenSpecialMailboxFolders(IEwsHolder ews, IExMailbox mailbox, IRestoreConfig config, String targetEmail)
14/09/2020 19:53:08   24 (4568) Error: Mailbox does not exist.
14/09/2020 19:53:08   24 (4568) Type: Veeam.Ews.Internal.ExServerCodeException
14/09/2020 19:53:08   24 (4568) Stack:
14/09/2020 19:53:08   24 (4568)    at Veeam.Ews.Internal.ResponseMessageTypeExtension.ThrowIfError(ResponseMessageType item)
   at Veeam.Ews.Internal.BaseResponseMessageTypeExtension.GetItems[T](BaseResponseMessageType response)
   at Veeam.Ews.ExMailbox.GetFolder(GetFolderType gf, CancellationToken cancel)
   at Veeam.Ews.ExMailbox.GetFolder(BaseFolderIdType id, IReadOnlyDictionary`2 requestProps, CancellationToken cancel)
   at Veeam.Ews.ExError.<>c__DisplayClass7_0`1.<Catch>b__0()
   at Veeam.Ews.ExError.Catch(Action action, String format, Object[] args)
nielsengelen
Product Manager
Posts: 5903
Liked: 1236 times
Joined: Jul 15, 2013 11:09 am
Full Name: Niels Engelen
Contact:

Re: Restore questions with MFA

Post by nielsengelen »

Hi Kristof, per our forum rules we require a support case ID when posting about technical issues and log snippets should also be prevented as they usually don’t provide the full message/issue. If you did not open a support case yet, please do so as this will require insight from support and post the case ID here so we can use it for future reference.

Thanks.
GitHub: https://github.com/nielsengelen
Polina
Veeam Software
Posts: 3457
Liked: 830 times
Joined: Oct 21, 2011 11:22 am
Full Name: Polina Vasileva
Contact:

Re: Restore questions with MFA

Post by Polina »

Hi Kristof,

This error may indicate that the account you're authenticating with is not granted the ApplicationImpersonation role. This permission is required to work with EWS APIs and access mailboxes.

Thanks!
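
Added example, not part of the original thread or of Veeam's tooling: a small Python triage over log lines in the format posted above, which groups the errors by connection attempt and reports the last-logged (innermost) one for each. The sample lines are an abbreviated, constructed excerpt, and treating the last `Error:` of each attempt as the server's actual response is an assumption read off that excerpt.

```python
import re

# Constructed sample: abbreviated lines in the format of the Explorer log posted above.
SAMPLE_LOG = """\
14/09/2020 19:53:08   24 (4568)   Opening root folder using impersonation...
14/09/2020 19:53:08   24 (4568) Error: Cannot open mailbox: info@domainname.com.
14/09/2020 19:53:08   24 (4568) Type: System.Exception
14/09/2020 19:53:08   24 (4568) Error: Failed to access mailbox.
14/09/2020 19:53:08   24 (4568) Type: Veeam.Ews.Internal.ExServerCodeException
14/09/2020 19:53:08   24 (4568) Error: The account does not have permission to impersonate the requested user.
14/09/2020 19:53:08   24 (4568) Type: System.Web.Services.Protocols.SoapException
14/09/2020 19:53:08   24 (4568)   Opening root folder without impersonation...
14/09/2020 19:53:08   24 (4568) Error: Cannot open mailbox: info@domainname.com.
14/09/2020 19:53:08   24 (4568) Type: System.Exception
14/09/2020 19:53:08   24 (4568) Error: Failed to access mailbox.
14/09/2020 19:53:08   24 (4568) Type: Veeam.Ews.Internal.ExServerCodeException
14/09/2020 19:53:08   24 (4568) Error: Mailbox does not exist.
14/09/2020 19:53:08   24 (4568) Type: Veeam.Ews.Internal.ExServerCodeException
"""

LINE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\s+\d+ \(\d+\)\s+(.*)$")
ATTEMPT = re.compile(r"^Opening root folder (using|without) impersonation\.\.\.$")

def triage(log_text):
    """Return one dict per connection attempt with its error chain, outermost first."""
    attempts = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # stack-frame continuation lines carry no timestamp
        msg = m.group(1).strip()
        a = ATTEMPT.match(msg)
        if a:
            attempts.append({"mode": a.group(1) + " impersonation", "chain": []})
        elif attempts and msg.startswith("Error: "):
            attempts[-1]["chain"].append({"error": msg[7:], "type": None})
        elif attempts and msg.startswith("Type: ") and attempts[-1]["chain"]:
            attempts[-1]["chain"][-1]["type"] = msg[6:]
    return attempts

def root_causes(log_text):
    """Last-logged error of each attempt (assumed to be the innermost exception)."""
    return [(a["mode"], a["chain"][-1]["error"]) for a in triage(log_text) if a["chain"]]

if __name__ == "__main__":
    for mode, err in root_causes(SAMPLE_LOG):
        print(f"{mode}: {err}")
```

On the excerpt, the impersonation attempt ends in the permission error, while "Mailbox does not exist" is only the result of the fallback attempt without impersonation.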
kristofpoppe
Veeam Vanguard
Posts: 72
Liked: 13 times
Joined: May 18, 2012 1:19 pm
Full Name: Kristof Poppe
Contact:

Re: Restore questions with MFA

Post by kristofpoppe »

nielsengelen wrote: Sep 14, 2020 7:36 pm Hi Kristof, per our forum rules we require a support case ID when posting about technical issues and log snippets should also be prevented as they usually don’t provide the full message/issue. If you did not open a support case yet, please do so as this will require insight from support and post the case ID here so we can use it for future reference.

Thanks.

Thanks Niels, case is already open "ID:04388473", I think we've overlooked something trivial. Will wait for input from support then.
kristofpoppe
Veeam Vanguard
Posts: 72
Liked: 13 times
Joined: May 18, 2012 1:19 pm
Full Name: Kristof Poppe
Contact:

Re: Restore questions with MFA

Post by kristofpoppe »

After adding the account to the ApplicationImpersonation, the job was still failing. We waited for more than 8 hours and now restores are working. Strange that this takes so much time on Microsoft's side...

Anyway, case closed!
ortoscale
Service Provider
Posts: 254
Liked: 20 times
Joined: Aug 02, 2011 9:30 pm
Full Name: Matjaž Antloga
Location: Celje, Slovenia
Contact:

Re: Restore questions with MFA

Post by ortoscale »

Polina wrote: Sep 15, 2020 7:56 am Hi Kristof,

This error may indicate that the account you're authenticating with is not granted the ApplicationImpersonation role. This permission is required to work with EWS APIs and access mailboxes.

Thanks!

Hi Polina, so I can't restore via one-time password?
Rima Salman Failed to open mailbox: user@domain.com. | Failed to access mailbox. | Mailbox does not exist.
ortoscale
Service Provider
Posts: 254
Liked: 20 times
Joined: Aug 02, 2011 9:30 pm
Full Name: Matjaž Antloga
Location: Celje, Slovenia
Contact:

Re: Restore questions with MFA

Post by ortoscale »

Why is this info on your webpage if it's outdated? https://helpcenter.veeam.com/docs/vbo36 ... tml?ver=80
Polina
Veeam Software
Posts: 3457
Liked: 830 times
Joined: Oct 21, 2011 11:22 am
Full Name: Polina Vasileva
Contact:

Re: Restore questions with MFA

Post by Polina »

Hi Matjaž,

It depends on whether the ApplicationImpersonation role is still accessible in your M365 tenant. Most likely, it is already deprecated, and in such a case your option is to restore using an app certificate.

Our HelpCenter is up-to-date and covers all the possible options and corresponding requirements. All changes in M365 - should it be new features or deprecations - are rolled out gradually; when some functionality, role or permission is being deprecated, it may continue to work longer for some of the tenants. VB365 is typically updated with an intentional few months delay.