-
Polina
- Veeam Software
- Posts: 4051
- Liked: 1043 times
- Joined: Oct 21, 2011 11:22 am
- Full Name: Polina Vasileva
- Contact:
Re: Mailbox errors: The HTTP request was forbidden with client authentication scheme 'Anonymous'.
Hi Karsten,
Yes, if you edit your existing organization and select to 'Grant permissions automatically' or add a new organization in an automated manner, they will be added to the app.
-
mkevenaar
- Veeam Vanguard
- Posts: 42
- Liked: 19 times
- Joined: May 14, 2019 2:34 pm
- Full Name: Maurice Kevenaar
- Location: Uithoorn
- Contact:
Re: Mailbox errors: The HTTP request was forbidden with client authentication scheme 'Anonymous'.
Hi Polina,
I have updated to 8.5.0.1014, and the permissions have not been updated when updating the existing Microsoft Entra ID application or when registering a new application. The checkbox "Grant the required permissions to this application and register its certificate in Microsoft Entra ID" has been checked.
This has been tested on two (2) different installations, both on 8.5.
Am I doing something wrong?
-
Polina
- Veeam Software
- Posts: 4051
- Liked: 1043 times
- Joined: Oct 21, 2011 11:22 am
- Full Name: Polina Vasileva
- Contact:
Re: Mailbox errors: The HTTP request was forbidden with client authentication scheme 'Anonymous'.
Hi Maurice,
No, you're not doing anything wrong — this is a product behavior, not a configuration mistake on your end. And I need to correct what I said earlier: automatic permission granting does not currently update permissions. My earlier statement was inaccurate, and I apologize for the confusion.
Until the next patch, the reliable path is still to manually update the application's permissions in Microsoft Entra ID.
Thanks for your patience and for the detailed repro.
-
AlexL
- Service Provider
- Posts: 179
- Liked: 36 times
- Joined: Aug 24, 2010 8:55 am
- Full Name: Alex
- Contact:
Re: Mailbox errors: The HTTP request was forbidden with client authentication scheme 'Anonymous'.
Am I correct in understanding that for v8.5 no API permission changes are needed (if upgrading from v8.4) but they are needed for a future update? Otherwise I would have thought that the GUI wizard would automatically set them, or at least the release notes would mention them. Since neither is the case, I’m assuming no changes are needed (for now).
-
juerg.hirschi
- Service Provider
- Posts: 36
- Liked: 6 times
- Joined: Jan 09, 2023 6:41 pm
- Full Name: Jürg
- Location: Switzerland
- Contact:
Re: Mailbox errors: The HTTP request was forbidden with client authentication scheme 'Anonymous'.
confused
"Until the next patch, the reliable path is still to manually update the application's permissions in Microsoft Entra ID."
So you forgot this part? And we need an update to the upgrade to get automated permission adjustment by running the org setup wizard.
Makes quite a difference if I can just run the wizard vs. going into each tenant and doing permission magic manually for our customers.
-
mjr.epicfail
- Veeam Legend
- Posts: 632
- Liked: 181 times
- Joined: Apr 22, 2022 12:14 pm
- Full Name: Danny de Heer
- Contact:
Re: Mailbox errors: The HTTP request was forbidden with client authentication scheme 'Anonymous'.
As I can see everything still runs via EWS. For now there is afaik no need to update any permissions yet for production use. It's good to already have the permissions in place but they won't be used until a later patch.
VMCE / Veeam Legend 2*
-
sumeet
- Service Provider
- Posts: 283
- Liked: 54 times
- Joined: Apr 23, 2021 6:40 am
- Full Name: Sumeet P
- Contact:
v8.5 new permissions instead of EWS access
Hello,
Did v8.5 upgrade. Upgrade successful - thanks.
Post upgrade, to apply the new permissions https://www.veeam.com/kb4820 for EWS retirement, I did the steps in post upgrade section - https://helpcenter.veeam.com/docs/vbo36 ... pplication
Checked the Entra App in azure and I do not see the new permissions.
Ok, maybe the new permissions do not apply with edit organization.
I did the steps to create a new Entra App and still do not see the new permissions for MailboxItems - https://www.veeam.com/kb4820
Except for the User.Read.All - which already existed, prior to v8.5 upgrade, none of the new permissions from the KB for Mailbox has been applied?
Is this expected? I don't think so. I was hoping Veeam to create the new permissions.
Without the new permissions, the backups for mailbox continue to work - does this mean that post v8.5 upgrade, even if the new permissions are not applied the backup will continue to use EWS permissions, until they expire?
I was hoping the backups to fail. How do we know post upgrade that new permissions are being used and not the old EWS?
Also the documentation does not say that after applying new permissions, what permissions to remove, which were for EWS and no longer required.
-
Mildur
- Product Manager
- Posts: 11941
- Liked: 3390 times
- Joined: May 13, 2017 4:51 pm
- Full Name: Fabian K.
- Location: Switzerland
- Contact:
Re: Mailbox errors: The HTTP request was forbidden with client authentication scheme 'Anonymous'.
Hi Sumeet,
Yes, @Polina confirmed in this topic yesterday that the Organization wizard does not handle the permissions in this release.
"Without the new permissions, the backups for mailbox continue to work - does this mean that post v8.5 upgrade, even if the new permissions are not applied the backup will continue to use EWS permissions, until they expire?"
VB365 does not use Graph yet. Mailboxes are still protected through EWS.
EWS permissions are therefore still required.
Best,
Fabian
Product Management Analyst @ Veeam Software