A little “weirdness” with O365 two-factor authentication

This is an admittedly weird and probably not very prevalent problem that I stumbled onto today, but it might help you if you are in a similar situation.

We (itgroove) have recently moved from in-house Exchange and in-house Lync to Exchange on Office365 and a hosted Lync platform that links back to O365.  We are on hosted Lync as we use Lync as our phone system and we didn’t want to have to deal any longer with the additional servers required to host Lync as a phone system.  We could not take advantage of the full-meal-deal Lync available with O365 as Microsoft does not provide the enterprise phone bits for Lync in Canada so we did the next best thing and partnered with ThinkTel who do provide the full meal deal in Canada.  ThinkTel’s system, in turn, is linked back to O365 so that we can properly federate with other Lync users on O365 (or other fully federated Lync systems).  For us it’s been pretty much a win-win as the ThinkTel service has been pretty decent.

But, as we have both O365 and hosted Lync, we actually have two completely different domains in the backend (ThinkTel has to do the full domain “thing” with Enterprise Lync and, of course, we have our full domain inside O365).  This means that we have to jump through a few hoops as users to make it all work nicely, especially so as we have not yet gone down the route of implementing DirSync or any of the other “single sign on/easy sign on” features of O365.  For the most part this means setting up our user accounts so that we have the same passwords in O365 and Lync and then setting our client software (Outlook, Lync, etc.) to “remember” our logins and passwords.  It all works pretty well, actually.  Well, that is, it does until you throw a spanner into the works …

I wanted to try out the two-factor authentication piece that Microsoft integrated into O365 and Azure (PhoneFactor), so I modified my O365 account settings to use two-factor authentication (this was all done after I had already set up Outlook and Lync).  The two-factor authentication worked brilliantly (see post 1 and post 2 for more details) and I never thought much more about it, as it only appeared to kick in whenever I logged in online; my local Outlook and Lync never caused it to fire off.  Everything was peachy for a month or so until something changed in our Lync backend that caused our clients to update.  From that point forward I lost Outlook connectivity from Lync and I started getting the dreaded prompt for email credentials from Lync that appeared to do nothing even when I supplied the correct credentials.  Doing some digging I found out that by Ctrl-right-clicking the Lync icon in the taskbar I could display all of my Lync configuration info, and by doing so I discovered that Lync had no “EWS External URL” info, which is critical to the Lync/Outlook connection (the bit highlighted in yellow in the following was missing):

[image: Lync configuration information window; the “EWS External URL” line is missing]

To put it mildly, I went nuts trying to solve the problem.  My good friends Mr Google and Mr Bing provided me with a zillion hits about similar problems, all seemingly tied back to incorrect Lync server configurations.  As it was only me having the problem, and as our Lync is hosted, I pretty much ruled out the problem being on the server side and I concentrated on “fixes” for the client side.  Well, I gotta tell ya that nothing worked.  More to the point, there seemed to be a lot of info about similar problems with Lync 2010 but very little about Lync 2013.  And the more I dug, the more I realised that it had to be something to do with my local Lync installation rather than anything else as, again, it was only me having the problem.

When my brain finally collapsed in on itself, and I still hadn’t solved the problem, I decided to take a step back and look at the problem from a slightly higher level.  I asked myself what the difference was between my O365 account and everyone else’s in the office.  I am an O365 admin, but so are Louis, Sean and Steph and they weren’t having problems.  What else could it be?  Then, DOH! it hit me!  I was the only one with two-factor authentication enabled on my account!!  I disabled two-factor authentication and restarted my Lync and, lo and behold, my problem disappeared.  Lync happily made connections to Outlook and I was not prompted for email credentials.  I also checked my Lync install on my home machine (which had broken at about the same time as Lync on my office machine) and it was also a happy camper.
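As an added example (not part of the original post), the “what is different about my account?” question can be answered from PowerShell instead of by asking around the office. The snippet below lists every user in the tenant with the state of their per-user two-factor (MFA) setting, so the one account that differs stands out. It assumes the MSOnline PowerShell module is installed and that the account running it is a tenant admin; the cmdlet and property names (Get-MsolUser, StrongAuthenticationRequirements) are the MSOnline ones. Since app passwords let non-MFA-aware clients such as Lync sign in with a single static credential, this same list also tells you which accounts may have app passwords in circulation.

```powershell
# Added example, not from the original post.
# Assumes the MSOnline module is installed and you hold a tenant admin role.
Import-Module MSOnline
Connect-MsolService   # prompts for admin credentials (and a second factor, if enabled)

# Build a table of UPN -> MFA state. An empty StrongAuthenticationRequirements
# collection means per-user MFA has never been turned on for that account.
$users = Get-MsolUser -All | Select-Object UserPrincipalName,
    @{ Name = 'MfaState'; Expression = {
        if ($_.StrongAuthenticationRequirements.Count -gt 0) {
            $_.StrongAuthenticationRequirements[0].State   # 'Enabled' or 'Enforced'
        } else {
            'Disabled'
        }
    } }

# Show everyone, MFA-enabled accounts first, so the odd one out is obvious.
$users | Sort-Object MfaState, UserPrincipalName | Format-Table -AutoSize

# Or just the accounts that will need app passwords for non-MFA-aware clients.
$users | Where-Object { $_.MfaState -ne 'Disabled' } |
    Select-Object -ExpandProperty UserPrincipalName
```

Run it once before and once after enabling two-factor on an account and the difference in the MfaState column is exactly the difference the post spent an afternoon hunting for.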

I’m not 100% sure why I hit this problem, as I did follow Microsoft’s two-factor instructions and provided Outlook with the special password that is generated by the two-factor authentication system for Outlook (and other apps) that are not two-factor enabled.   And as I type this the thought occurs to me that I might have had to provide that password (the special one) to the Lync email credential challenge, as Lync would have been trying to log on to the EWS on O365.  I guess this is another DOH! and something I will have to check.  I’ll update this post when I do.

In the meantime, if you use two-factor auth you might want to keep this post in mind if you start having Lync/Outlook issues.

UPDATE

As I suspected, I’m a bit of an idiot.  The problem I described was my own fault as I did NOT supply Lync with the “special” O365 password that is supplied for use with apps that are NOT two-factor aware.  If I had supplied the Lync Outlook connector with the proper password I would have had no problem.  So, keep this in mind when using two-factor auth; you need to keep your “special password” handy for cases like this.