Background

This article describes a recent Deaddrop authentication issue with Intune-managed computers. In it we describe the issue, some workarounds and our path forward with a new solution.

As more and more organisations start to manage their computers with Microsoft Intune, we have found that some Sysctl customers have problems with Deaddrop when their users connect from computers that are managed with Microsoft Intune. In such organisations and computer environments, Windows clients running Edge or Chrome may receive centrally distributed policy settings that disable authentication methods, including the authentication method Deaddrop uses. The result is that the user cannot authenticate against Deaddrop and instead receives a message saying that the password is incorrect. In reality, the password is never sent at all, because a central configuration setting forbids the client from using basic authentication.

The issue is amplified by the fact that this is a client-side issue, in the configuration of the web browser itself, and on work computers the client is often centrally managed by IT staff. Hence there is little that an end user can change.

Finding out if this is the issue

If a user has connectivity issues when trying to reach Deaddrop, you can verify whether this Intune configuration issue is the root cause by inspecting the relevant Windows registry keys.

In the HKLM and HKCU hives, verify the AuthSchemes value under the following two registry keys:

  • Software\Policies\Google\Chrome\AuthSchemes
  • Software\Policies\Microsoft\Edge\AuthSchemes

If the AuthSchemes value lacks the word “basic”, the browser will not be able to authenticate against Deaddrop. If the value contains “basic” but there are still problems reaching Deaddrop, the cause is most probably something else, such as proxy settings or firewall rules.

Workaround

We describe three workarounds in this section:

  1. A quick workaround is to try another browser than Edge or Chrome, e.g. Firefox.
  2. Another workaround is to try a platform that is not centrally managed with Intune in the same way, e.g. a PDA or a smartphone.
  3. A better workaround is to add “basic” to the AuthSchemes value of the registry keys above. This can be done by an administrator or by updating a GPO.

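The following PowerShell script is an added example, not Sysctl's or Deaddrop's own code, covering both the registry check from the previous section and workaround 3 above. It reads the AuthSchemes value under both Chrome and Edge policy keys in HKLM and HKCU, reports whether “basic” is allowed, and only when run with -Fix prepends “basic” to any value that is missing it. The function names and the -Fix switch are this example's own; writing to HKLM requires administrator rights. Note that a value delivered by Intune or a GPO may be reapplied at the next policy refresh, so the durable form of workaround 3 is the policy change itself.

```powershell
# Added example (not Sysctl/Deaddrop code): check and optionally repair the
# Chrome/Edge AuthSchemes policy that blocks basic auth towards Deaddrop.
param([switch]$Fix)

$PolicyKeys = @(
    'Software\Policies\Google\Chrome',
    'Software\Policies\Microsoft\Edge'
)
$Hives = @('HKLM:', 'HKCU:')

function Get-AuthSchemesStatus {
    param([string]$Hive, [string]$Key)

    $path = Join-Path $Hive $Key
    $item = Get-ItemProperty -Path $path -Name 'AuthSchemes' -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Policy not set: the browser uses its default scheme list, which allows basic.
        return [pscustomobject]@{ Path = $path; PolicySet = $false; AuthSchemes = $null; BasicAllowed = $true }
    }
    # The value is a comma-separated list, e.g. "ntlm,negotiate" (basic missing).
    $schemes = ($item.AuthSchemes -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    return [pscustomobject]@{
        Path         = $path
        PolicySet    = $true
        AuthSchemes  = $item.AuthSchemes
        BasicAllowed = [bool]($schemes -contains 'basic')   # -contains is case-insensitive
    }
}

function Add-BasicAuthScheme {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Path, [string]$Current)

    $schemes = @(($Current -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    if ($schemes -contains 'basic') { return $Current }
    $new = (@('basic') + $schemes) -join ','
    if ($PSCmdlet.ShouldProcess($Path, "Set AuthSchemes to '$new'")) {
        Set-ItemProperty -Path $Path -Name 'AuthSchemes' -Value $new -Type String
    }
    return $new
}

# --- Diagnosis: same check as the registry inspection described in the article ---
$results = foreach ($hive in $Hives) {
    foreach ($key in $PolicyKeys) { Get-AuthSchemesStatus -Hive $hive -Key $key }
}
$results | Format-Table Path, PolicySet, AuthSchemes, BasicAllowed -AutoSize

$blocking = @($results | Where-Object { $_.PolicySet -and -not $_.BasicAllowed })
if ($blocking.Count -eq 0) {
    Write-Host 'No AuthSchemes policy blocks basic auth; look at proxy or firewall settings instead.'
}
else {
    Write-Host "Basic auth is disabled by policy under: $($blocking.Path -join ', ')"
    # --- Remediation (workaround 3), only when explicitly requested with -Fix ---
    if ($Fix) {
        foreach ($r in $blocking) {
            $updated = Add-BasicAuthScheme -Path $r.Path -Current $r.AuthSchemes
            Write-Host "$($r.Path): AuthSchemes is now '$updated'"
        }
    }
    else {
        Write-Host 'Re-run with -Fix (as administrator) to add "basic", or update the GPO/Intune policy.'
    }
}
```

Run it without arguments on the affected client to get a table of the four locations; a row with PolicySet true and BasicAllowed false is the situation the article describes. Because Add-BasicAuthScheme supports -WhatIf, you can preview the registry change with -Fix -WhatIf before applying it.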
Solution

Sysctl is currently working on a more permanent solution that does not depend on the “basic auth” authentication scheme. We have evaluated multiple technical solutions that can resolve this issue and have decided to go with one of them. After some internal testing, a new version of Deaddrop that resolves this problem will be released to all customers with support contracts.

References

More background information on the changes to the security baseline can be found in this Microsoft description of Intune. More details on the Microsoft Edge policies can be found in this Microsoft description of Microsoft Edge policies.

Contact

Contact us at Sysctl if you have any questions related to this issue or if you need support.

Contact us at Sysctl if you are interested in learning more about how Deaddrop can help you protect your file transfers.