SOAPUI 5.3.0 calls to online Exchange Web Services fail with 401 Unauthorized
I can no longer login to online Exchange Web Services using SOAPUI after updating from 5.2.1 to 5.3.0. All calls fail with a "HTTP/1.1 401 Unauthorized" error, I get only one HTTP Response (not the usual back and forth to establish the connection):
HTTP/1.1 401 Unauthorized
Server: Microsoft-IIS/8.5
request-id: 8d593b7a-d934-480d-a890-16ad3f7baa0b
X-Powered-By: ASP.NET
X-FEServer: VI1PR07CA0015
WWW-Authenticate: Basic Realm=""
Date: Wed, 11 Jan 2017 14:21:12 GMT
Content-Length: 0
Other information:
- Endpoint is
https://outlook.office365.com/ews/exchange.asmx, username isxxx@companyname123.onmicrosoft.com, domain iscompanyname123.onmicrosoft.com. - The SOAPUI test calls I'm doing (with all their parameters; e.g. Authentication type NTLM) did not change
- Any administrative settings for Office/Exchange online are the same
- I have no issues whatsoever with Internet connectivity, or using SOAPUI or my Delphi code against our in-house Exchange 2010, 2013 or 2016 test servers, or against (3) other web services that I regularly use. The Delphi program also works fine with Exchange Online.
- I'm running SOAPUI/Delphi Seattle under Win7 in VMWare Workstation 12.1.1
- Differences in the 5.2.1 and 5.3.0 XML files are only a change in version number and a change from
<con:oAuth2ProfileContainer/>to<con:oAuth2ProfileContainer/><con:oAuth1ProfileContainer/>at the end of the file. - Playing with settings 'follow-redirects' or 'authenticate preemptively' make no difference
- I asked this question on the Smartbear Forums on 11 Jan, but no responses.
- There is of course the possibility that something chaned with Exchange Online in the same period; I had not used SOAPUI to connect for some months
FWIW, this is my soapui-settings.xml settings file:
<?xml version="1.0" encoding="UTF-8"?>
<con:soapui-settings xmlns:con="http://eviware.com/soapui/config">
<con:setting id="WsdlSettings@excluded-types"><con:entry xmlns:con="http://eviware.com/soapui/config">schema@http://www.w3.org/2001/XMLSchema</con:entry></con:settin... id="WebRecordingSettings@excluded-headers"><![CDATA[<xml-fragment><con:entry xmlns:con="http://eviware.com/soapui/config">Cookie</con:entry><con:entry xmlns:con="http://eviware.com/soapui/config">Set-Cookie</con:entry><con:entry xmlns:con="http://eviware.com/soapui/config">Referer</con:entry><con:entry xmlns:con="http://eviware.com/soapui/config">Keep-Alive</con:entry><con:entry xmlns:con="http://eviware.com/soapui/config">Connection</con:entry><con:entry xmlns:con="http://eviware.com/soapui/config">Proxy-Connection</con:entry><con:entry xmlns:con="http://eviware.com/soapui/config">Pragma</con:entry><con:entry xmlns:con="http://eviware.com/soapui/config">Cache-Control</con:entry><con:entry xmlns:con="http://eviware.com/soapui/config">Transfer-Encoding</con:entry><con:entry xmlns:con="http://eviware.com/soapui/config">Date</con:entry></xml-fragment>]]></con:setting>
<con:setting id="WsdlSettings@name-with-binding">true</con:setting>
<con:setting id="HttpSettings@http_version">1.1</con:setting>
<con:setting id="HttpSettings@max_total_connections">2000</con:setting>
<con:setting id="HttpSettings@response-compression">true</con:setting>
<con:setting id="HttpSettings@leave_mockengine">true</con:setting>
<con:setting id="UISettings@auto_save_projects_on_exit">true</con:setting>
<con:setting id="UISettings@show_descriptions">true</con:setting>
<con:setting id="WsdlSettings@xml-generation-always-include-optional-elements">true</con:setting>
<con:setting id="WsaSettings@useDefaultRelatesTo">true</con:setting>
<con:setting id="WsaSettings@useDefaultRelationshipType">true</con:setting>
<con:setting id="UISettings@show_startup_page">false</con:setting>
<con:setting id="UISettings@gc_interval">60</con:setting>
<con:setting id="WsdlSettings@cache-wsdls">true</con:setting>
<con:setting id="WsdlSettings@pretty-print-response-xml">true</con:setting>
<con:setting id="HttpSettings@include_request_in_time_taken">true</con:setting>
<con:setting id="HttpSettings@include_response_in_time_taken">true</con:setting>
<con:setting id="UISettings@auto_save_interval">0</con:setting>
<con:setting id="WsaSettings@soapActionOverridesWsaAction">true</con:setting>
<con:setting id="WsaSettings@overrideExistingHeaders">true</con:setting>
<con:setting id="WsaSettings@enableForOptional">true</con:setting>
<con:setting id="VersionUpdateSettings@auto-check-version-update">true</con:setting>
<con:setting id="WSISettings@location">C:\Program Files\SmartBear\SoapUI-5.2.0/wsi-test-tools</con:setting>
<con:setting id="RecentProjects"><![CDATA[<xml-fragment xmlns:con="http://eviware.com/soapui/config">
<con:entry key="" value="Test Exchange 2016"/>
<con:entry key="Test-Exchange-2013-soapui-project.xml" value="Test Exchange 2013"/>
<con:entry key="" value="Test Exchange 2013"/>
<con:entry key="D:\Testing\Web\Exchange Web Services\SoapUI\Tests-Exchange-soapui-project.xml" value="Tests Exchange"/>
<con:entry key="D:\Testing\Exchange server\SoapUI\Test-Exchange-2013-soapui-project.xml" value="Test Exchange 2013"/>
<con:entry key="D:\Testing\Exchange Server\SoapUI\Test-Exchange-soapui-project.xml" value="Test Exchange"/>
<con:entry key="D:\SOAPUIData\Test-Office-365-soapui-project.xml" value="Test Office 365"/>
</xml-fragment>]]></con:setting>
<con:setting id="GlobalPropertySettings@properties"><xml-fragment/></con:setting>
<con:setting id="GlobalPropertySettings@security_scans_properties"><![CDATA[<xml-fragment xmlns:con="http://eviware.com/soapui/config">
<conSmiley Tongueroperty>
<con:name>~(?s).*(s|S)tack ?(t|T)race.*</con:name>
<con:value>[Stacktrace] Can give hackers information about which software or language you are using</con:value>
</conSmiley Tongueroperty>
[.. similar property lines removed ..]
</xml-fragment>]]></con:setting>
<con:setting id="HttpSettings@user-agent"/>
<con:setting id="HttpSettings@request-compression">None</con:setting>
<con:setting id="HttpSettings@disable_response_decompression">false</con:setting>
<con:setting id="HttpSettings@close-connections">false</con:setting>
<con:setting id="HttpSettings@chunking_threshold"/>
<con:setting id="HttpSettings@authenticate-preemptively">false</con:setting>
<con:setting id="HttpSettings@expect-continue">false</con:setting>
<con:setting id="HttpSettings@encoded_urls">false</con:setting>
<con:setting id="HttpSettings@forward_slashes">false</con:setting>
<con:setting id="HttpSettings@bind_address"/>
<con:setting id="HttpSettings@socket_timeout"/>
<con:setting id="HttpSettings@max_response_size"/>
<con:setting id="HttpSettings@max_connections_per_host"/>
<con:setting id="HttpSettings@enable_mock_wire_log">false</con:setting>
<con:setting id="ProxySettings@host">127.0.0.1</con:setting>
<con:setting id="ProxySettings@port">8888</con:setting>
<con:setting id="ProxySettings@username"/>
<con:setting id="ProxySettings@password"/>
<con:setting id="ProxySettings@excludes"/>
<con:setting id="ProxySettings@enableProxy">false</con:setting>
<con:setting id="SSLSettings@keyStore"/>
<con:setting id="SSLSettings@keyStorePassword"/>
<con:setting id="SSLSettings@enableMockSSL">false</con:setting>
<con:setting id="SSLSettings@mockPort"/>
<con:setting id="SSLSettings@mockKeyStore"/>
<con:setting id="SSLSettings@mockPassword"/>
<con:setting id="SSLSettings@mockKeyStorePassword"/>
<con:setting id="SSLSettings@mockTrustStore"/>
<con:setting id="SSLSettings@mockTrustStorePassword"/>
<con:setting id="SSLSettings@needClientAuthentication">false</con:setting>
<con:setting id="WsdlSettings@xml-generation-type-example-value">false</con:setting>
<con:setting id="WsdlSettings@xml-generation-type-comment-type">false</con:setting>
<con:setting id="WsdlSettings@attachment-parts">false</con:setting>
<con:setting id="WsdlSettings@allow-incorrect-contenttype">false</con:setting>
<con:setting id="WsdlSettings@schema-directory"/>
<con:setting id="WsdlSettings@strict-schema-types">false</con:setting>
<con:setting id="WsdlSettings@compression-limit"/>
<con:setting id="WsdlSettings@pretty-print-project-files">false</con:setting>
<con:setting id="WsdlSettings@trim-wsdl">false</con:setting>
<con:setting id="UISettings@close-projects">false</con:setting>
<con:setting id="UISettings@order-projects">false</con:setting>
<con:setting id="UISettings@order-services">false</con:setting>
<con:setting id="UISettings@order-requests">false</con:setting>
<con:setting id="UISettings@create_backup">true</con:setting>
<con:setting id="UISettings@backup_folder"/>
<con:setting id="UISettings@normalize_line-breaks">false</con:setting>
<con:setting id="UISettings@desktop-type">Default</con:setting>
<con:setting id="UISettings@native-laf">false</con:setting>
<con:setting id="UISettings@dont-disable-groovy-log">false</con:setting>
<con:setting id="UISettings@show_logs_at_startup">false</con:setting>
<con:setting id="UISettings@disable_tooltips">false</con:setting>
<con:setting id="UISettings@raw_response_message_size_show">10000</con:setting>
<con:setting id="UISettings@raw_request_message_size_show">10000</con:setting>
<con:setting id="UISettings@wrap_raw_messages">false</con:setting>
<con:setting id="UISettings@disable-browser">false</con:setting>
<con:setting id="UISettings@disable-browser-plugins">false</con:setting>
<con:setting id="UISettings@editor-font">Monospaced.plain 11</con:setting>
<con:setting id="UISettings@no_resize_request_editor">false</con:setting>
<con:setting id="UISettings@start_with_request_tabs">false</con:setting>
<con:setting id="UISettings@auto_validate_request">false</con:setting>
<con:setting id="UISettings@abort_on_invalid_request">false</con:setting>
<con:setting id="UISettings@auto_validate_response">false</con:setting>
<con:setting id="UISettings@show_xml_line_numbers">false</con:setting>
<con:setting id="UISettings@show_groovy_line_numbers">false</con:setting>
<con:setting id="ToolsSettings@jbossws_wstools"/>
<con:setting id="ToolsSettings@axis_1_X"/>
<con:setting id="ToolsSettings@axis_2"/>
<con:setting id="ToolsSettings@jwsdp_wscompile"/>
<con:setting id="ToolsSettings@jwsdp_wsimport"/>
<con:setting id="ToolsSettings@javac"/>
<con:setting id="ToolsSettings@dotnet_wsdl"/>
<con:setting id="ToolsSettings@cxf"/>
<con:setting id="ToolsSettings@xfire"/>
<con:setting id="ToolsSettings@gsoap"/>
<con:setting id="ToolsSettings@ant"/>
<con:setting id="ToolsSettings@xmlbeans"/>
<con:setting id="ToolsSettings@jaxb"/>
<con:setting id="ToolsSettings@tcpmon"/>
<con:setting id="ToolsSettings@wsa"/>
<con:setting id="ToolsSettings@wadl2java"/>
<con:setting id="ToolsSettings@hermesjms"/>
<con:setting id="WSISettings@verbose">false</con:setting>
<con:setting id="WSISettings@results_type">all</con:setting>
<con:setting id="WSISettings@messageEntry">false</con:setting>
<con:setting id="WSISettings@failureMessage">false</con:setting>
<con:setting id="WSISettings@assertionDescription">false</con:setting>
<con:setting id="WSISettings@showLog">false</con:setting>
<con:setting id="WSISettings@outputFolder"/>
<con:setting id="GlobalPropertySettings@enableOverride">false</con:setting>
<con:setting id="SecuritySettings@shadowProxyPassword"/>
<con:setting id="LoadUISettings@loadui_path"/>
<con:setting id="LoadUISettings@cajo_port">1199</con:setting>
<con:setting id="LoadUISettings@cajo_soapui_port">1198</con:setting>
<con:setting id="com.eviware.soapui.SoapUI@versionToSkip">5.1.2</con:setting>
<con:setting id="HttpSettings@start_mock_service">true</con:setting>
<con:setting id="UISettings@disable_analytics">true</con:setting>
<con:setting id="UISettings@analytics_opt_out_version">5.2</con:setting>
<con:setting id="NextAU">1483707576871</con:setting>
</con:soapui-settings>
Solution
The trick was changing the Authentication type to Basic:
Why this is, I have no idea. Earlier Exchange versions still work with NTLM authentication.
As suggested in my question, it looks as if something changed with Exchange Online in the same period that I upgraded SOAPUI.
The MS article Authentication and EWS in Exchange dated 9. March 2015:
- says that NTLM is for Exchange on-premises only - which definitely was not true during the larger parts of 2015 and 2016, when I used SOAPUI with the NTLM setting;
- suggests that I stop using Basic as well, but for now it's a solution.
- Reading header data in Ruby on Rails
- Unable to access cookie in domain that is set in subdomain
- How to configure PHP cache headers to prevent unnecessary browser requests
- How to send HTTP Headers during/after HTTP Body stream? Is there spec work on this?
- Python requests library added an additional header "Accept-Encoding: identity"
- c# [FromForm] List<IFormFile> always results in null
- EntraId Authentication / Authorization via .NET & React
- Handling whitespaces in HTTP headers
- Remove TraceParent header from HttpClient requests
- cURL and etag usage?
- Change Response from HTTP Request sent by a program
- Get value of header in WSO2 Micro Integrator endpoint response
- How to build an HttpResponseHeaders for the FakeItEasy
- What is HTTP "Host" header?
- Access-Control-Allow-Origin: * in tomcat
- Accessing the web page's HTTP Headers in JavaScript
- Content Security Policy report-uri is not being recognized
- Angular HttpClient CORS Error With API Calls
- what characters are allowed in HTTP header values?
- Real life usage of the X-Forwarded-Host header?
- How do I avoid the status error after Http Headers sent?
- Content-Disposition filename in Chinese not supported
- How to fetch status of javascript and css requests from network in selenium python
- Clear-Site-Data "*" : Different behavior in both Firefox and Chrome
- How to use the CSV MIME-type?
- PostAsJsonAsync C# - How to set headers correctly for POST request - BAD REQUEST 400
- SOAPUI 5.3.0 calls to online Exchange Web Services fail with 401 Unauthorized
- What is the difference between HTTP parameters and HTTP headers?
- How to get HTTP request headers in Ktor
- Asking browsers to cache as aggressively as possible