Saturday, July 26, 2014

SharePoint Online Cookies Cookie365 - mount SharePoint online share

I was looking for a solution to mount a OneDrive for Business share in an ADFS-federated environment. So I started googling around to find a way to transparently mount the OneDrive for Business space as a disk drive or a share on a terminal server from a logon script.

Unfortunately I found out that the only option seemed to be a manual login to SharePoint before using the usual "net use * \\ORG.sharepoint.com@SSL\DavWWWRoot", which would not be an option for my users...

So I went through reading many articles and blogs, and overnight (I'm not a programmer :-) I decided to adapt and enrich code chunks and C# samples, to build a utility to set the cookies needed to mount the OneDrive share without user intervention.

The following resources were fundamental:
- How to Use Fiddler Web Debugger to Analyze a WS-Federation Passive Sign-In
- Troubleshooting Federation, ADFS and more

To make a long story short... I produced a utility, baptized Cookie365, able to set the "FedAuth" and "rtFA" cookies needed to seamlessly mount a SharePoint share from the command line or from a script.

From a domain PC or Domain Server, just launch

Cookie365 -s https://yoursite.sharepoint.com

and the utility will log on to Office365 using the domain credentials, generating all the SAML tokens and cookies needed to mount the share (e.g. "net use * \\ORG.sharepoint.com@SSL\DavWWWRoot"). Beware: in order to use it, you must have the WebClient service running and your SharePoint site added to the trusted sites inside Internet Explorer.

The utility is also able to manage non-domain PCs, so you can specify the user ("user@domain.com") and password:
Cookie365 -s https://yoursite.sharepoint.com -user user@domain.com -p password

I was able to test it on Windows Server 2012 R2 and Windows 7 SP1, both from domain-joined and from workgroup machines, but I don't have extensive test cases, so any feedback is welcome.

I also added the support for NTLM proxy (like ISA and TMG). I have not tried with other proxies... so I don't know if it will work.

Here you can find the source code (Visual Studio 2013 solution).
Here you can download the compiled version of Cookie365 (prerequisite = .NET 4.5).

As stated before... I am not a professional programmer.
My last programming was back in 1998 with Java... So.. any suggestion to ameliorate the code will be welcome !

Cheers
Fabio Cuneaz

PS Just a legal statement.... The source code and the exe version are provided "AS IS" without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

58 comments:

  1. Hi Fabio,

    I have tried running your utility and get the following error, any ideas why this is?

    Use Windows Integrated Authentication: True
    Quiet Mode: False
    Retrieving ADFS URL...[OK]
    Retrieving STS Token...[OK]
    Retrieving Cookies....[ERROR]:Buffer cannot be null.
    Parameter name: buffer
    [ERROR]:One or more errors occurred.

  2. Hi Olive,
    there could be several causes for the error.

    I ask you some questions in order to better identify the problem:
    a) I see you are trying to use Windows Integrated Authentication. The utility should print a message telling you the username which will be used for authentication. Something like:

    C:\>cookie365 -s https://yoursite.sharepoint.com
    === Cookie365 v0.1 - (C)opyright 2014 by Fabio Cuneaz ===

    SharePoint URL: https://yoursite.sharepoint.com
    User: user@yourdomain.com
    Use Windows Integrated Authentication: True
    Quiet Mode: False
    Retrieving ADFS URL...[OK]
    Logging in and retrieving SAML Token...[OK]
    Retrieving STS Token...[OK]
    Retrieving Cookies....[OK]
    Setting Cookies in OS...[OK]

    Is the username appearing ? Is it correct ? I mean, is it the same user you are using to do the interactive logon to Office365 ?

    b) Is your ADFS federation working correctly ? Logging in from Internet Explorer with user@yourdomain.com from a domain joined PC are you able to access without entering your password ?

    c) A trivial question.. But I went through it during my tests… :-) Is the SharePoint URL you are using typed correctly ?

    d) Are you able to get it working using username and password options ?

    Kind Regards,
    Fabio

  3. Hi fabio,

    When trying to set this up with the username and password option I get the following.
    The sharepoint URL is correct.

    This is a non-domain pc

    SharePoint URL: ********
    User: ***localwindowsusername**
    Use Windows Integrated Authentication: False
    Quiet Mode: False
    Retrieving ADFS URL...[OK]
    Retrieving STS Token...[OK]
    Retrieving Cookies....[ERROR]:Buffer cannot be null.
    Parameter name: buffer
    [ERROR]:One or more errors occurred.

    Do you have any idea?

    Regards,

    Randy

    Replies
    1. Hi Randy,
      unfortunately the default .NET error messages are not very meaningful, I will definitely work on that.

      Looking at the sequence of messages I suppose there could be something wrong with the syntax of the username you are using. Is it the same syntax you use when you do an interactive login via Browser ? It should be something like user@yourdomain.com.

      Please let me know if it works, otherwise I will investigate further.

      Kind Regards,
      Fabio

    2. Hi Fabio,

      First of all I want to thank you for sharing this piece of software.

      I'm a colleague of Randy and I'm experiencing the same issue.
      Since I'm a developer I've looked into your code.

      The error occurs because stsToken.Token equals null at line 189 in SpoAuthUtility.cs.

      If I have some spare time I will look into this, but I think it might be easier for you to figure this out.

      Kind regards,
      Roel

    3. I am working on that currently as well. It seems to be the Token. Please post if anybody finds something.

      Thanks!

    4. It looks like stsToken.Token is used as a buffer, but is never initialized.

      So I've added a constructor to the internal class SamlSecurityToken to initialize the buffer.

      But then I ran into another issue, there is no cookie named "FedAuth" or "rtFA" in the response.

    5. There are three cookies in the response.

      - One named "RpsContextCookie" with no value for the domain "[censored]-my.sharepoint.com"
      - Another named "MSPRequ" with a value "lt=[a timestamp]&co=1&id=[some ID]" for the domain "login.microsoftonline.com"
      - Another named "MSPOK" with a value "$uuid-[some guid]" for the domain "login.microsoftonline.com"

    6. Hello Randy, Hello Roel,
      sorry for my late reply but I was on vacation.

      I tried but I am not able to reproduce the issue you are experiencing. I will try to set up a trial Office365 account to see if it can be reproduced.

      I know from a security standpoint it's not a good option, but I'm wondering if it's possible for you to set up a temporary read-only user for me on your SharePoint Online site in order to do some troubleshooting. In that case we could set up a communication on a private channel.

    7. Hi Fabio,

      I can provide you a test account.
      How can we get in touch?

    8. Hello Roel, I suggest you try to add me as a contact on LinkedIn. My profile is public. Then we will be able to exchange private messages.

  4. Hi Fabio,

    Great article and code.

    I tried your code and everything succeeds, but still the network drive is not authenticating. I can login fine from browser and renew the token. Any ideas?

    FYI: We have ADFS 3.0, Windows 8.1 client, Integrated Authentication.

    Regards,
    Suresh

    Replies
    4. Hi Suresh,
      if you login through Internet Explorer, are you able to map the network drive ?
      You should try the procedure described here http://blogs.technet.com/b/sharepoint_made_easy/archive/2013/03/20/map-network-drive-webdav-with-sharepoint-online-o365.aspx

      If you are able to mount the drive using the manual procedure, it should also work using cookie365 to set the same cookies.

      This is the command I use to mount the share:

      net use * \\SHAREPOINTSITE-my.sharepoint.com@SSL\DavWWWRoot\personal\USERNAME_DOMAINNAME_TOPDOMAIN

      You should change the parameters SHAREPOINTSITE, USERNAME, DOMAINNAME, TOPDOMAIN to match your specific configuration

      Example:
      net use * \\fabiosite-my.sharepoint.com@SSL\DavWWWRoot\personal\fabio_cuneaz_it

      fabiosite is the SHAREPOINTSITE
      fabio is the USERNAME
      cuneaz is the DOMAINNAME
      it is the TOPDOMAIN

      You will be able to get those parameters from the URL displayed in Internet Explorer once you successfully log on to your SharePoint Online site.

      Please let me know if it works,

      Best Regards
      Fabio

    5. Hi Fabio,

      Thank you very much for your prompt response. I was able to manually map network drive from IE without any problem. Using cookie365, it retrieves and sets cookies correctly but I still get access denied when mapping network drive.

      FYI: I am mapping to our intranet site instead of my personal one drive for business.

      Are you using ADFS 3.0 in your scenario? Do you know if the SAML version changed from (urn:oasis:names:tc:SAML:1.0:assertion) to (urn:oasis:names:tc:SAML:1.1:assertion)? I am debugging with Fiddler to check if the version changed.

      Regards,
      Suresh

    6. Hi Suresh,
      yes I am using ADFS 3.0 and everything is working fine.
      Did you try with the latest version ?
      Regards,
      Fabio

  5. Hi Fabio,

    I am in a non-domain environment and it doesn't work.

    C:\Users\JFFortin\Downloads>Cookie365.exe -s https://********.sharepoint.com -u ********@******** -p ********
    ============= Cookie365 v0.1 - (C)opyright 2014 by Fabio Cuneaz =============

    SharePoint URL: https://********.sharepoint.com
    User: ********@******** (O365 login name)
    Use Windows Integrated Authentication: False
    Quiet Mode: False
    Retrieving ADFS URL...[OK]
    Retrieving STS Token...[OK]
    Retrieving Cookies....[ERROR]:Buffer ne peut pas être null.
    Nom du paramètre : buffer
    [ERROR]:Une ou plusieurs erreurs se sont produites.

    I looked at your answer on August 11. I can access my OneDrive folder, but I still can't access any SharePoint sites.

    Thanks.

    Replies
    1. Hi Anonymous, could you try the latest version ?

    2. I tried with the latest version and it still doesn't work. :-(

    3. Hi Anonymous, if you want you can contact me on LinkedIn to start a private thread and try to find a solution...
      Regards,
      Fabio

  6. Fabio, great utility and really a stable app from the testing that I have done, and I am currently looking at using this. Just for your information I have seen the buffer error as well, but I only saw it when I cleared the IE history (clearing cookies and passwords). We are running Windows 8.1 and the latest IE.

    Thanks for Sharing!!

    Regards

    Matt

  7. Thanks for Sharing the code.
    There is a minor bug in it: the code creates the cookies but does not save them to the cookie folder, because the expiration time is set the same as the creation time, and when it reaches the point to actually store the cookie in the INetCache folder, the cookie is already expired. The InternetSetCookie method only saves the cookie to memory if no expiration data is present, therefore nothing is saved to the cookie folder by this method, since the cookie has already expired at this point. A quick fix is to add a day to InternetSetCookie(expires = blahblah) and the cookie will no longer be expired by the point of actually saving it to the folder.
    Other than that, the script works well.

    Thanks for Sharing,

    Yu

    ReplyDelete
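The expiry problem described in comment 7, as an added C# example that is not Cookie365's source and not part of any comment: it builds the cookie data with an `expires` attribute a fixed lifetime after creation, so WinINet is handed a persistent cookie rather than one that has already expired. The class and method names, the one-day lifetime (taken from the comment's quick fix), and the sample site and token value are assumptions.

```csharp
using System;
using System.ComponentModel;
using System.Globalization;
using System.Runtime.InteropServices;

// Added example, not Cookie365 source. Class and method names are hypothetical.
static class PersistentCookieExample
{
    // WinINet cookie API. Cookie data without an "expires" attribute is kept
    // in memory only, as a session cookie.
    [DllImport("wininet.dll", EntryPoint = "InternetSetCookieW",
               CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool InternetSetCookie(string url, string name, string data);

    // Build the cookie data string. The expiry is creation time plus a positive
    // lifetime, so the cookie cannot already be expired when it is stored.
    public static string BuildCookieData(string value, DateTime createdUtc, TimeSpan lifetime)
    {
        // Fail early with a clear message instead of passing a null token on.
        if (string.IsNullOrEmpty(value))
            throw new ArgumentException("Cookie value is missing.", "value");
        if (lifetime <= TimeSpan.Zero)
            throw new ArgumentOutOfRangeException("lifetime", "Lifetime must be positive.");

        DateTime expires = createdUtc.Add(lifetime);
        // Date layout used in the WinINet documentation: "Sat,01-Jan-2000 00:00:00 GMT".
        string stamp = expires.ToString("ddd,dd-MMM-yyyy HH:mm:ss 'GMT'",
                                        CultureInfo.InvariantCulture);
        return value + "; expires = " + stamp;
    }

    static void Main()
    {
        // Constructed sample inputs: placeholder site and a dummy token value.
        string site = "https://yoursite.sharepoint.com";
        string sampleValue = "CONSTRUCTED-SAMPLE-VALUE";
        DateTime now = DateTime.UtcNow;

        foreach (string name in new[] { "FedAuth", "rtFA" })
        {
            // Assumption: one day, following the quick fix suggested in the comment.
            string data = BuildCookieData(sampleValue, now, TimeSpan.FromDays(1));

            // Print only the attribute part so the token value never reaches a log.
            Console.WriteLine("{0}: {1}", name, data.Substring(data.IndexOf(';') + 2));

            if (!InternetSetCookie(site, name, data))
                throw new Win32Exception(Marshal.GetLastWin32Error());
        }
    }
}
```

The lifetime only controls how long the local cookie store keeps the value; whether SharePoint still accepts the token is decided on the server side. A longer lifetime also means the session token stays on disk in the user's profile for longer, so keep it as short as the mapped drive needs.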
  8. I have tested on Windows 7 SP1, Server 2012 R2 and Windows 8.1 all with the same result as some other users.

    Retrieving Cookies....[ERROR]:Buffer cannot be null.
    Parameter name: buffer
    [ERROR]:One or more errors occurred.

    Has anyone figured out what needs to be changed in the code to resolve this issue ?

    Yu Zhang do you know how to modify the code for the expiry date bug ?

    This program is going to be the saviour of Office365 Sharepoint being used as a mapped drive, why Microsoft can't have just made a sign in tool with an option to save some mapped drives is beyond me and I guess the 1000's of other people all being plagued by these very same problems.

    Good work so far, just hope it can be made stable :)

    Replies
    1. I ran into the same problem with certain sites. If you run the program under debug mode, you'll see that stsToken is null right before the exception is thrown. So my guess is SharePoint STS needs to be turned on for the script to work, haven't confirmed yet. You can try the script on sites you know have STS configured, I'd love to find out if it's an STS problem.

    2. Hi Yu, I completely agree with you... I hope Microsoft will introduce an official feature to map office365 sites to shares....
      Thank you for the suggestions regarding the stsToken, I will check that.

  9. Hi Fabio,

    I have tried running your utility and get the following error, any ideas why this is?

    ============= Cookie365 v0.2 - (C)opyright 2014 by Fabio Cuneaz =============

    SharePoint URL: https://university-my.sharepoint.com/personal/name_famname_univ_org/documents
    User: name.famname@univ.org
    Use Windows Integrated Authentication: True
    Mount as disk O:
    Retrieving ADFS URL...[OK]
    Logging in and retrieving SAML Token...[ERROR]:Reference to undeclared entity 'nbsp'. Line 69, position 98.
    Retrieving STS Token...[ERROR]:Problems with authentication or SAML token retrieval
    [ERROR]:One or more errors occurred.

    I am running Windows 8.1 x64 in Windows 2003 domain. If I login through Internet Explorer, I am able to map the network drive.

    Regards,
    Janez

    Replies
    1. Hi Janez,
      if you want to contact me in private I can try to troubleshoot the issue.
      Regards,
      Fabio

  10. Hello Fabio,

    Thank you very much!
    It's a shame Microsoft still haven't solved this issue in Windows 10/IE11

    We're developing a version of your program with the possibility to fill in the O365 credentials in a prompt.
    If someone already did this, please feel free to post it :-)

    Keep up the good work!

    Regards,
    Jasper

  11. Still getting the error:
    Retrieving Cookies...[ERROR] : Buffer cannot be null

    This happens when using it with the -username -p switch for credentials on a Windows 10 system (not a domain). Would love to get this working, been looking for a resolution just like this. I did use the most recent version of cookie365 (v0.5). Any ideas?

    Replies
    1. Hi. I just installed Windows 10 Enterprise on my PCs. I will try and let you know...

    2. Great Thanks!!! So after some testing I have determined that if I go to the Microsoft Portal, then to the share, click "Library" then use the "Open in File Explorer", followed by running Cookie365 it seems to still alter the cookies so that a restart of the computer keeps the Mapped Network Drive to the share live and working... May I ask what the new expiration time-frame is for the cookies after running Cookie365?

      Also if I run through the process I mentioned, and run the Cookie365 command at startup would it keep modifying the same cookies allowing access to the mapped drive? Or will there be eventually a point where they need to go through the process of logging back into the portal eventually since the Cookie365 is giving the buffer error?
      Thanks Fabio! This is pretty cool!

    3. Hi, I tested the utility both on W10 domain-joined and on non domain-joined PCs and it works for my Office365 Subscription.

    4. Hi. In my production deployment I run the utility at startup and I map the network drive once. As long as the user is logged in the drive works fine (for hours or days), no need to login again.

  12. Hi Fabio. I have a new build Windows 8.1 machine, working into a client's sharepoint in an environment where all the other earlier built machines are working fine with Cookie365.
    On this new machine, I can't get it to work with the following response:

    c:\Program Files (x86)\Cookie365>cookie365.exe -s "https://******.sharepoint.com/Shared%20Documents" -u ******@******.com -p ******* -mount s:
    ============= Cookie365 v0.5 - (C)opyright 2014-2015 Fabio Cuneaz =============

    SharePoint URL: https://m*****.sharepoint.com/Shared%20Documents
    User: ******@******.com
    Use Windows Integrated Authentication: False
    Mount as disk: s:
    Retrieving ADFS URL...[KO] (Probably not ADFS Federated)
    Retrieving STS Token...[OK]
    Retrieving Cookies....[OK]
    [ERROR]:One or more errors occurred.

    Why might this one machine be behaving differently?

    Replies
    1. I have reinstalled Win8.1 from scratch and the problem has changed slightly. I now get Cookie365 finishing , I get the "Setting Cookies in OS" line, but without [OK], and the drive is not mapped. (I do have Office 2016 on this machine where the others are all Office 2013)

    2. Hi,
      I saw this a few times where it failed at the setting cookies in OS line.
      I deleted browsing history via IE (make sure cookies is ticked) which seems to fix it. It seems to be the cookie already exists and it can't overwrite it.
      Thanks,
      Mark.

    3. Thanks Mark, but I'd already tried that. I meant to post what fixed it for me and hadn't got around to it yet.

      I went into Programs and Features/Windows Components, and added all of the non-default parts of .NET, and this fixed the issue. I removed them again as a test and the problem came back, so I'm fairly sure a vital part of .NET was not installed by default.

      I hope this helps someone else.

  14. I'm working on a way of getting a drive to map to OneDrive via a login script. Can this be set up that way? Right now I'm stuck with the error "must browse to the site and select the option to login automatically". Is there any way around that?

  15. Fabio, just wanted to congratulate and thank you for your excellent work and tool.
    This works like a charm in my environment!
    In case I want to use it for business purposes, what are your conditions?
    Mark, Zurich, Switzerland.

  16. Hi, I know this article is a few years old, but are there any new links to access the script?

  17. I too would love to have access to this script if possible. Sounds perfect for my environment.

  18. I'm interested in this as well, apparently the shorturls for OneDrive are no longer supported so the links to download don't work. Any updated ones that might or does anyone have a version they could share?

  19. Hi Anonymous. I tested the link and it seems to be working. Please let me know. Fabio

  20. Hi Fabio, do you have an email I can reach you on? I am using this but sometimes find I need to re-run the utility several times a day as my connection is timing out. I have other users using this for the same SharePoint site and it doesn't have to be run as much as I have to.

    Replies
    1. Hi Matthew, you can find me on Linkedin
      Regards,
      Fabio

  21. Hi Fabio, Does this application require logging into Office 365 OneDrive through IE browser before it will allow mapping drive on PC? After adding the sharepoint.com address to trusted sites in IE I'm getting "Access Denied Error" after successfully logging in but mount of drive fails.

    Replies
    1. Hi Trap N. No the application does not require to login via IE.
      Regards,
      Fabio

  22. Links in your post are not working. Getting the message "Link not supported". I would like to test your tool. Could you please provide actual links for download?

  24. Hi Dennis, take a look at the most recent page https://fabiocuneaz.blogspot.it/2015/03/new-cookie-365-release-hi-all-i-am.html . The link seems to be working to me. Regards,
    Fabio
