Context Navigation

Interoperability with Sharepoint on Office 365

Reported by:	frequentbeef	Owned by:	dkocher
Priority:	normal	Milestone:	6.9.0
Component:	webdav	Version:	4.7.3
Severity:	normal	Keywords:
Cc:		Architecture:	Intel
Platform:	Mac OS X 10.11

Description (last modified by dkocher)

When I try to connect to my company's Sharepoint hosted on Office 365, I get "403 FORBIDDEN". I had the IT manager check settings and try to fiddle with a few things as well, but nothing changed that error.

Searching online, it seems like there may be some terminal commands to show hidden options to get Sharepoint on Office 365 to work (since it's IWA), but it's not entirely clear.

I asked on Twitter whether Cyberduck is supposed to support Sharepoint like this and was told yes, and when I followed up with this issue, I was asked to submit a support ticket with the log drawer, which is below:

HEAD / HTTP/1.1
Host: gencon.sharepoint.com
Connection: Keep-Alive
User-Agent: Cyberduck/4.7.3.18402 (Mac OS X/10.11.1) (x86_64)
Accept-Encoding: gzip,deflate
Authorization: Basic ZGVyZWsuZ3VkZXJAZ2VuY29uLmNvbTpTdW1tZXIyMDE1
HTTP/1.1 403 FORBIDDEN
Content-Length: 13
Content-Type: text/plain; charset=utf-8
Server: Microsoft-IIS/8.5
X-SharePointHealthScore: 0
SPRequestGuid: 54af3e9d-d03b-2000-09e6-f7ec7ac089b7
request-id: 54af3e9d-d03b-2000-09e6-f7ec7ac089b7
X-Forms_Based_Auth_Required: https://gencon.sharepoint.com/_forms/default.aspx?ReturnUrl=/_layouts/15/error.aspx&Source=/
X-Forms_Based_Auth_Return_Url: https://gencon.sharepoint.com/_layouts/15/error.aspx
X-MSDAVEXT_Error: 917656; Access+denied.+Before+opening+files+in+this+location%2c+you+must+first+browse+to+the+web+site+and+select+the+option+to+login+automatically.
X-IDCRL_AUTH_PARAMS_V1: IDCRL Type="BPOSIDCRL", EndPoint="/_vti_bin/idcrl.svc/", RootDomain="sharepoint.com", Policy="MBI"
X-Powered-By: ASP.NET
MicrosoftSharePointTeamServices: 16.0.0.4608
X-Content-Type-Options: nosniff
X-MS-InvokeApp: 1; RequireReadOnly
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Date: Thu, 05 Nov 2015 17:53:44 GMT
PROPFIND / HTTP/1.1
Depth: 1
Content-Type: text/xml; charset=utf-8
Content-Length: 99
Host: gencon.sharepoint.com
Connection: Keep-Alive
User-Agent: Cyberduck/4.7.3.18402 (Mac OS X/10.11.1) (x86_64)
Accept-Encoding: gzip,deflate
Authorization: Basic ZGVyZWsuZ3VkZXJAZ2VuY29uLmNvbTpTdW1tZXIyMDE1
HTTP/1.1 403 FORBIDDEN
Content-Type: text/plain; charset=utf-8
Server: Microsoft-IIS/8.5
X-SharePointHealthScore: 0
SPRequestGuid: 54af3e9d-604d-2000-09e6-f830f60d162b
request-id: 54af3e9d-604d-2000-09e6-f830f60d162b
X-Forms_Based_Auth_Required: https://gencon.sharepoint.com/_forms/default.aspx?ReturnUrl=/_layouts/15/error.aspx&Source=/
X-Forms_Based_Auth_Return_Url: https://gencon.sharepoint.com/_layouts/15/error.aspx
X-MSDAVEXT_Error: 917656; Access+denied.+Before+opening+files+in+this+location%2c+you+must+first+browse+to+the+web+site+and+select+the+option+to+login+automatically.
X-IDCRL_AUTH_PARAMS_V1: IDCRL Type="BPOSIDCRL", EndPoint="/_vti_bin/idcrl.svc/", RootDomain="sharepoint.com", Policy="MBI"
X-Powered-By: ASP.NET
MicrosoftSharePointTeamServices: 16.0.0.4608
X-Content-Type-Options: nosniff
X-MS-InvokeApp: 1; RequireReadOnly
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Date: Thu, 05 Nov 2015 17:53:44 GMT
Content-Length: 13

Change History (15)

comment:1 Changed on Nov 6, 2015 at 12:44:28 PM by dkocher

Description modified (diff)

comment:2 Changed on Nov 6, 2015 at 12:44:42 PM by dkocher

Summary changed from Unable to connect to Sharepoint on Office 365 to Interoperability with Sharepoint on Office 365

comment:3 Changed on Nov 20, 2015 at 12:45:51 PM by dkocher

Looks like a proprietary authentication model that we cannot currently support.

comment:4 Changed on Nov 20, 2015 at 5:56:03 PM by frequentbeef

I coulda told you that it was non-standard, certainly :)

You might want to let your social media team know, they had informed me that it should work.

I'd also like to lodge a feature request for this support. From what I understand there is a way to work with it now. I'm not sure about the details, but a couple other programs I've been experimenting with said that they were currently working on adding the feature in a future update.

comment:5 Changed on Jan 5, 2016 at 1:57:51 PM by dkocher

#6131 closed as duplicate.

comment:6 Changed on Jan 6, 2016 at 8:10:09 AM by yla

Unless you have setup Active Directory Federation Services (ADFS), Sharepoint Online exclusively needs Claims-Based Authentication based on WS-Federation which Cyberduck currently does not support. With ADFS configured you can authenticate through NTLM which Cyberduck supports. There is currently no Java library supporting Claims-Based Authentication against Sharepoint Online. A few resources that could help to implement it in Java:

https://msdn.microsoft.com/en-us/library/hh147177.aspx

http://blogs.msdn.com/b/cjohnson/archive/2011/05/03/authentication-with-sharepoint-online-and-the-client-side-object-model.aspx

http://blogs.msdn.com/b/cjohnson/archive/2011/05/14/part-2-headless-authentication-with-sharepoint-online-and-the-client-side-object-model.aspx

https://technet.microsoft.com/en-us/magazine/jj631606.aspx

http://allthatjs.com/2012/03/28/remote-authentication-in-sharepoint-online/

Version 0, edited on Jan 6, 2016 at 8:10:09 AM by yla (next)