Exchange Web Services Change in February 2019 Update

One of the product changes in the February 2019 Exchange updates affects the architecture of Exchange Web Services (EWS) for all supported Exchange Server products. The quarterly update resolves push notification security issues in EWS so that they can’t be abused through NTLM relay attacks.

Microsoft has changed the notifications contract established between EWS clients and servers running Exchange Server so that the server no longer streams authenticated notifications. Instead, these notifications are streamed using anonymous authentication mechanisms. Because a client has to authenticate to establish the subscription, this approach is considered an appropriate and necessary design to protect the credentials and identity of the server. After this change, clients that rely on an authenticated EWS push notification from the server running Exchange Server will require a client update to continue to function correctly.

Some clients that connect to Exchange Server will need to be updated because of the EWS architectural change introduced by the quarterly update.
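One way to find out whether a push notification listener is among the clients that need an update is to look at how it answers an anonymous notification POST. The following is an added example, not code from Microsoft or from this post; it assumes the listener signals its need for authentication with an HTTP 401 challenge, and the function names and sample responses are constructed for illustration.

```python
from email.parser import Parser

# Schemes that ask the notifying server to present credentials of its own.
CREDENTIAL_SCHEMES = {"ntlm", "negotiate", "kerberos", "basic", "digest"}

# Constructed sample responses from two hypothetical notification listeners.
CHALLENGING = ("HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Negotiate\r\n"
               "WWW-Authenticate: NTLM\r\nContent-Length: 0\r\n\r\n")
ANONYMOUS = "HTTP/1.1 200 OK\r\nContent-Type: text/xml\r\n\r\n<soap/>"


def parse_response(raw):
    """Split a raw HTTP response into (status_code, headers)."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    status_line, _, header_block = head.partition("\n")
    parts = status_line.split()
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1]), Parser().parsestr(header_block, headersonly=True)


def challenge_schemes(headers):
    """Return the lower-cased auth schemes offered in WWW-Authenticate."""
    schemes = set()
    for value in headers.get_all("WWW-Authenticate", []):
        # A header may carry several challenges; each starts with its scheme.
        for challenge in value.split(","):
            token = challenge.strip().split(" ", 1)[0].lower()
            if token in CREDENTIAL_SCHEMES:
                schemes.add(token)
    return schemes


def classify_listener(raw_response):
    """Say whether a listener works with anonymous push notifications."""
    status, headers = parse_response(raw_response)
    schemes = challenge_schemes(headers)
    if status == 401 and schemes:
        # The updated server will not answer this challenge.
        return "needs-update: demands " + ",".join(sorted(schemes))
    if 200 <= status < 300:
        return "ok: accepts anonymous notification"
    return f"review: unexpected status {status}"


if __name__ == "__main__":
    for name, raw in (("challenging", CHALLENGING), ("anonymous", ANONYMOUS)):
        print(name, "->", classify_listener(raw))
```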

Applying the quarterly update will result in “a permanent change” to the push notification authentication process, Microsoft warned.

Lastly, Microsoft set an Oct. 13, 2020, deadline for those administrators with third-party tools that rely on Exchange Web Services for Office 365 integration to switch to Microsoft Graph.

See Microsoft’s Knowledge Base article KB4490060.
