Exchange Web Services Change in February 2019 Update

One of those product changes within the February 2019 Exchange Updates affects the architecture of Exchange Web Services (EWS) for all supported Exchange Server products. The quarterly update is resolving push notification security issues in Exchange Web Services so that they can’t be abused by NTLM relay attack methods.

Microsoft has changed the notifications contract that is established between EWS clients and servers that are running Exchange Server not to allow authenticated notifications to be streamed by the server. Instead, these notifications are streamed by using anonymous authentication mechanisms. Because a client would have to authenticate to establish the subscription, this approach is considered to be an appropriate and necessary design to protect the credentials and identity of the server. After this change, clients that rely on an authenticated EWS Push Notification from the server that is running Exchange Server will require a client update to continue to function correctly.

Some clients that connect with Exchange Server will need to get updated because of the EWS architectural change induced by the quarterly update.

Applying the quarterly update will result in “a permanent change” to the push notification authentication process, Microsoft warned.

Lastly, Microsoft set an Oct. 13, 2020, deadline for those administrators with third-party tools that rely on Exchange Web Services for Office 365 integration to switch to Microsoft Graph.

See Microsoft’s Knowledge Base article KB4490060.

Leave a Reply