Overview

Problem Description, Symptoms & Impact Sometimes an error might occur when installing KSE: KseCheckServicePortIsFreeActionStep has completed with an error: Service network port 13100 is occupied by another application… Diagnostics Screenshot or KSEInfoCollector. Make sure that port 13100 is open and not used by any application, and repeat the installation. This can be done using the command below. You will see a chart with a process ID (PID column) next to the address and port: netstat -aon | findstr 13100 You can then find this process by the ID in Task Manager or using the command below. Use the process ID you found in the previous command instead of the %PID% below: tasklist /fi "pid eq %PID%" Example tasklist /fi "pid eq 18060" Workaround & Solution There's no way to change the port used by KSE. So, the only option here is to free the port used by an application and repeat the installation. Sometimes ISS or W3WP.exe might be using the port. In some cases, this port is occupied after the Exchange updates, and the port should be released after the server restart. RCA Some application is using the port 13100.

It is impossible to detect .bat and .cmd files by format, because these are regular plain text files. If you want to block attachments, you can only configure detection of these files by masks: *.bat, *.cmd. Please check the section "Configuring the general settings and conditions of rules" of the sites https://support.kaspersky.com/KS4Exchange/9.6/en-US/166855.htm Add a condition for the Attachment filtering rule and select File name mask instead of File format and then add *.bat or *.cmd to the list.

Administrator receives the notification about outdated anti-spam (AS) and/or anti-virus (AV) bases because a large time interval for updating AS and/or AV databases is set (every 5 hours or more for AS and every 24 hours or more for AV). Anti-spam and anti-virus bases should be updated much more often. Accordingly, Kaspersky Security Center should also update anti-spam and anti-virus bases more frequently. The best way is to update anti-spam bases directly via Internet from Kaspersky Update servers every 5 minutes. Anti-virus bases should be updated every 1 hour. If it is not possible, try to update Kaspersky Security Center and Kaspersky Security for Microsoft Exchange anti-spam bases every 30 minutes or every 1 hour, but in this case you should not expect a high spam detection rate.

The table below contains the criteria for Kaspersky Security for Microsoft Exchange Servers 9.0 MR6 settings health check. Using the settings as specified in the table ensures meeting the recommended security level of the system. № Parameters (settings) to check Check criterion Expected result 1 Anti-Virus protection for the Transport Hub role 1.1. Anti-Virus protection is enabled In the node Server protection → Protection for the Transport Hub role → Anti-Virus scan settings the Enable anti-virus protection for the Hub Transport role option is selected 1.2. The Delete object action has been set for infected objects In the node Server protection → Protection for the Transport Hub role → Anti-Virus scan settings the Delete object option is selected for infected objects 2 Virus scan of mailboxes 2.1. Scan is enabled In the node Server protection → Protection for the Mailbox role → Anti-Virus scan settings the Enable anti-virus protection for the Mailbox role option is selected 2.2. The Delete object action has been set for infected objects In the node Server protection → Protection for the Mailbox role → Anti-Virus scan settings the Delete object is selected for infected objects 2.3. Periodic scan task run has been configured In the node Server protection → Protection for the Mailbox role → Protection for mailboxes all required mailbox storages are selected (Protected mailbox storages) the task schedule has been defined (Background scan → Schedule) 3 General Anti-Virus protection settings 3.1. Interaction with KSN (KPSN) is enabled for the Anti-Virus module In the node Settings → KSN Settings the I accept the KSN Statement option. Use Kaspersky Security Network or Use Kaspersky Private Security Network (KPSN) option is selected In the node Server protection → Advanced Anti-Virus settings the Use Kaspersky Security Network option is selected 3.2. Scanning of archives and containers is enabled In the node Server protection → Advanced Anti-Virus settings the Scan attached containers/archives option is selected the default value (32) is set for the Scan attached containers/archives with nesting level not higher than setting 4 Anti-Spam and Anti-Phishing scan Anti-Spam parameters are configured 4.1. Anti-Spam is enabled In the node Server protection → Protection for the Transport Hub role → Anti-Spam scan settings the Enable anti-spam scanning of messages option is selected 4.2. SCL rating is in use (only if the "Skip" action is selected) In the node Server protection → Protection for the Transport Hub role → Anti-Spam scan settings the Add SCL value option is selected for Spam, Potential spam and Blacklisted If mass mailings need to be put into the spam folder: the Add SCL value option is selected for Mass mailing Anti-Phishing parameters are configured 4.3. Anti-Phishing scan is enabled In the node Server protection → Protection for the Transport Hub role → Anti-Spam scan settings the Enable anti-phishing scanning of messages option is selected 4.4. SCL rating and PCL rating are in use (only if the "Skip" action is selected) In the node Server protection → Protection for the Transport Hub role → Anti-Spam scan settings the Add SCL and PCL rating option is selected for Phishing Parameters for interaction with KSN (KPSN) are configured 4.5. Interaction with KSN (KPSN) for Anti-Spam and Anti-Phishing scans is enabled In the node Settings → KSN Settings the I accept the KSN Statement option. Use Kaspersky Security Network or Use Kaspersky Private Security Network (KPSN) option is selected In the node Server protection → Protection for the Transport Hub role → Anti-Spam scan settings the Use Kaspersky Security Network option is selected 4.6. Reputation Filtering service is enabled (only if there is interaction with KSN) In the node Server protection → Protection for the Transport Hub role → Anti-Spam scan settings the Use Reputation Filtering option is selected 4.7. Enforced Anti-Spam Updates Service is enabled In the node Server protection → Protection for the Transport Hub role → Anti-Spam scan settings the Use Enforced Anti-Spam Updates Service option is selected 5 Database update and network settings 5.1. Automatic update of anti-virus databases is enabled Recommended interval – 1 hour In the node Updates → Update databases of Anti-Virus → Run mode the Periodically value is set to every hour 5.2. Automatic update of Anti-Spam databases is enabled Recommended interval – 5 minutes In the node Updates → Anti-Spam databases update → Run mode the Periodically value is set to every 5 minutes 5.3. Proxy server has been configured for database update (if update sources are accessed through a proxy) In the node Settings → Proxy server settings proxy server settings have been defined In the node Settings → Connection settings the Use proxy server option is selected 5.4. Proxy server has been configured for KSN and the Enforced Anti-Spam Updates Service (if KSN is accessed through a proxy) In the node Settings → Proxy server settings proxy server settings have been defined the Use a proxy server to access KSN, Enforced Anti-Spam Updates Service, and Kaspersky Lab activation servers option is selected 6 Licensing License key is active In the node Settings → Licensing the license key has an active status

KSO365 is a cloud solution. It does not work in the cloud by itself but together with Microsoft Exchange Online (EOL) and its anti-spam and anti-virus protection. In more than 95% of cases, Microsoft Forefront (Ff) performs the spam and virus scans first, due to Microsoft's cloud architecture. Thus, if Ff has identified an email as spam, virus, phishing, etc., and has done with it any action (according to the settings) except “Skip”, we do not check this email and do nothing with it. We cannot change the verdicts given by other applications. If an email went to the user's box without Ff detects or with the “Skip” action, KSO365 comes into play. It performs all the scans that the user has enabled, gives its verdicts and performs the actions configured by the user. Special mention should be made of the SCL parameter, which is necessary when working with spam detection. This is the only general letter parameter that KSO365 can change but only upwards.

To install the solution in the silent mode, run the command line with administrator rights and execute the following command: msiexec /i "<PATH_TO_MSI>" /qn ADDLOCAL="<FEATURES>" SQL_SERVER_NAME="<SQL_SERVER_NAME>" BACKUP_DATABASE_NAME="<DATABASE_NAME>" SQL_ACCOUNT_DLG_USER_TYPE="UserAccount" SQL_ACCOUNT_DLG_USER="<UserName>" SQL_ACCOUNT_DLG_PASSWORD="<Password>" SERVICE_ACCOUNT_DLG_USER_TYPE="UserAccount" SERVICE_ACCOUNT_DLG_USER="<UserName>" SERVICE_ACCOUNT_DLG_PASSWORD="<Password>" INSTALLDIR="<INSTALLATION_DIRECTORY>" DATADIR="<DATA_DIRECTORY>" /l*vx "<LOG_FILE_PATH>" <PATH_TO_MSI> - path to the installer msi file. For example, "c:\temp\kse80_en_us.msi" <FEATURES> - list of components. Examples: All components: Anti-Spam, Anti-Virus for hub, Anti-Virus for mailbox, DLP, Administration console: "Antispam,AvVsapi,Antivirus,AdminConsole,Service,Feature.Complete" Console only: "AdminConsole,Feature.Complete" Anti-Spam only: "Antispam,Service,Feature.Complete" Only Anti-Virus on Hub: "Antivirus,Service,Feature.Complete" Only Anti-Virus on Mailbox: "AvVsapi,Service,Feature.Complete" The Feature.Complete component must always be incuded. The Service component must be included in all cases except for Console only installation. <SQL_SERVER_NAME> - MS SQL SERVER name. For example, MYSERVER\SQLEXPRESS. It is not possible to use a dot to specify a current server. <DATABASE_NAME> - name of the database. For example, "SecurityForExchange". Parameters SQL_ACCOUNT_DLG_USER_TYPE, SQL_ACCOUNT_DLG_USER and SQL_ACCOUNT_DLG_PASSWORD are used for specifying a user account for accessing the SQL Server. If they are not specified, the application will use the parameters of the account under which installation is performed. Example: SQL_ACCOUNT_DLG_USER_TYPE="UserAccount" SQL_ACCOUNT_DLG_USER="Domain\Username" SQL_ACCOUNT_DLG_PASSWORD="Password" Parameters SERVICE_ACCOUNT_DLG_USER_TYPE, SERVICE_ACCOUNT_DLG_USER and SERVICE_ACCOUNT_DLG_PASSWORD are used for specifying a user account under which the application service will run. If they are not specified, the service will run under the Local System account. Example: SERVICE_ACCOUNT_DLG_USER_TYPE="UserAccount" SERVICE_ACCOUNT_DLG_USER="Domain\Username" SERVICE_ACCOUNT_DLG_PASSWORD="Password" <INSTALLATION_DIRECTORY> - path to the installation folder, by default: %ProgramFiles(x86)%. <DATA_DIRECTORY> - path to the data folder. By default it is located in the installation folder. <LOG_FILE_PATH> - path to log files, for example, "c:\temp\kseinstall.log"

Description When installing or upgrading KSE, you may encounter various issues when installing or starting our service. If a user has repeated the installation many times and changed many settings manually, we recommend to remove KSE completely using the instructions below. Cause There are files that remain in the system from a previous KSE installation, so a new installation cannot be successful. Solution Delete the remaining KSE files from the Exchange server manually. Follow the instructions below. 1. Delete all the remaining KSE agents. To do so, start Exchange Management Shell and run the following command: Get-TransportAgent -TransportService FrontEnd If the KSE agent is on the list, run the command: Uninstall-TransportAgent -TransportService FrontEnd -Identity "Kaspersky Security antispam Frontend Cas agent" 2. Run the following command: Get-TransportAgent See what KSE agents are on the list. Run the command below for every KSE agent. For example: Uninstall-TransportAgent “Kaspersky Security routing antispam filter agent” Uninstall-TransportAgent “Kaspersky Security antispam filter agent” Uninstall-TransportAgent “Kaspersky Security antivirus filter agent” Insert the names of KSE agents from your list. 3. Restart the Transport Agent service using the command: Restart-Service "MSExchangeTransport" 4. To make sure that there are no more KSE agents, run the following commands again: Get-TransportAgent -TransportService FrontEnd and Get-TransportAgent 5. Set Disabled for Kaspersky Security For Microsoft Exchange Servers service startup and stop our service. 6. Import the removeregkeys.zip archive to the registry. 7. Restart the MSExchangeIS service: restart-Service MSExchangeIS 8. Remove the folder where KSE was installed. If possible, restart the server.

Description When trying to deliver any message from Backup, the following error occurs: Facade::DeliverMessage failed. [0xeceb0013] Details: Cannot create temporary file, code: 0xeceb0013. Solution Add to the /usr/lib/tmpfiles.d/tmp.conf file the following exclusions: x /tmp/klms* x /tmp/klmstmp/ x /tmp/klms_filter/ x /tmp/klmstmp/* x /tmp/klms_filter/* Restart the klms service. If the issue persists, send a screenshot of the information from the web interface to Kaspersky Support. Click System information - Create and take a screenshot.

Access to the Microsoft quarantine is carried out immediately after the issuance of the consent. Additional quarantine access accounts, that were subject to the MFA restriction in the previous versions, are no longer required for quarantine access. The connection is carried out using the application to which the consent is issued.

Why are emails detected by Microsoft Exchange Online not being detected by KS365? Because "first come, first served"? Yes. In more than 95% of cases, Microsoft Exchange anti-malware and anti-spam filters are processing all objects before KS4O365. That being said, all the detections performed by our application are actually detections of mail flow that has already been scanned by Microsoft filters if they are not disabled. If some email was already scanned and quarantined by Microsoft, then we do not receive it for scanning, as it was already done on the Microsoft side.

If multiple e-mails are selected in Security for Microsoft Office 365, they cannot be saved to disk. You can only save them one by one.

If anti-spam detects an e-mail as not definitely categorized as clean, it moves the e-mail to the "Temporary Quarantine" for 50 minutes to re-scan it with updated anti-spam databases. If upon after this 50 minutes' time the e-mail is not defined as spam, it is released automatically without any interaction with the user. The administrator has an option to manually release such e-mails from "Temporary Quarantine" before the 50 minute period ends. At the same time, the e-mail will remain in quarantine with the status "Released".

Is there any capacity limit of mails in the Quarantine zone? If any, can we modify it? Unfortunately, there is no possibility to customize this setting per user, it is hardcoded in the product (30 days for objects in the backup and 92 days for statistics). Is there any limit on the number of emails that can be stored in the Quarantine? On the KS4O365 side, there isn't a limit to the number of emails that can be saved in the backup. KS4O365 stores only metadata information about the emails in the backup, which is quite small in comparison to the email itself. Whereas the backup emails themselves are stored in the mailbox (in a hidden folder) on the Exchange online server that hosts mailboxes. When the object is restored from the Quarantine, the email from a hidden folder is simply moved to the inbox. That being said, the only limit that can be identified in the said scenario is the one from the Exchange online itself (the size of the mailbox for a particular user). I.e. if the total amount of emails in the inbox + emails in the backup will hit the limit of the free space in the Exchange Online mailbox, then the you will need to increase the size of the mailbox or remove the exceeding emails, etc. The emails from quarantine can be deleted from the Quarantine tab of the console, there you can also sort by date to delete the old ones.

Scenario: Phishing links are detected but some emails are allowed through, even though the selected Action is Move to Junk Email folder . Solution: The original e-mail was already located in the Junk folder when our product started to scan it. The "Allow through" action was performed, in this case it means that we've added the phishing tag to the e-mail and left it in the Junk folder. Most likely this e-mail was detected by some third-party anti-malware/phishing solution (Microsoft anti-malware filters in EWS, for example) and was moved to Junk, then we've scanned it and there was nothing to do with it except adding the tag to it.

In order to send messages from backup with headings without saving them, please navigate to:

Version: Kaspersky Security for Exchange 9.5.10000.64, 9.6.96 Scenario In Kaspersky Security 9.0 for Microsoft Exchange Servers there's the following error event: "AM Error Kernel: The Anti-Virus (Anti-Spam) module has been switched to limited scan mode for next 30 minutes. Some objects may be skipped without being scanned." The same error message appears on the KSE console: Solution Sometimes Exchange tries to give KSE more emails to check than KSE is able to to check. In order to prevent delays in mail delivery, the anti-virus or/and anti-spam engine switches to a special mode of operation called "Limited scan mode". This mode lasts for 30 minutes. During this period, some emails may be skipped for checking. The transition to normal mode is carried out automatically after the time specified above. You can find out about this mode of operation in our Online Help: https://support.kaspersky.com/KS4Exchange/9.6/en-US/28854.htm https://support.kaspersky.com/KS4Exchange/9.6/en-US/99915.htm https://support.kaspersky.com/KS4Exchange/9.6/en-US/28871.htm

Scenario Kaspersky Security for Exchange installation failed with the following error: "Failed to grant rights to run under a different name (impersonation) for Kse Watchdog Service". Solution If you get the error message about impersonation, execute the following command in PowerShell: Add-PsSnapin Microsoft.Exchange.Management.PowerShell.E2010 Remove-ManagementRoleAssignment KSE_IMPERSONATION -Confirm:$False Press the Retry button.

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials. Version: Kaspersky Security for Exchange 9.0 MR5 (9.5.10000.64) Scenario The following error message appears: "Access denied. To manage application features, the user's account must be added to one of the following Active Directory groups: KSE Administrators KSE AV Security Officers KSE AV Operators KSE Security Officers." Solution This error means that the account under which the KSE management console is running is not part of any of the KSE management groups listed above in the error text. The user needs to decide what role the user’s account will perform and include this account in the corresponding KSE group created in their Active Directory (AD). You can learn more about the roles in our Online Help: https://support.kaspersky.com/help/KS4Exchange/9.5/en-US/81511.htm

Version: KSE for Microsoft Exchange Server versions 9.5.10000.64, 9.6.96. Scenario: We have established a workaround to a problem with invalid SQL server parameters during its installation. An error about invalid SQL server parameters occurred during the installation: "The server was not found or was not accessible. Verify that the instance name is correct, and that SQL Server is configured to allow remote connections. Error 26 - Error Locating Server/Instance Specified". We have found the following information from installation log: Installation log showed the SQL server "CRATER\SQLEXPRESS" was used for the installation: We found that the configuration file "BackendDatabaseConfiguration*.config" which was used for configuring the SQL server was using the server name "CRATER". Solution: If you're sure that "CRATER\SQLEXPRESS" is the real name of the SQL server, replace "CRATER" in the SQL server name by "CRATER\SQLEXPRESS" in the following objects: 1. "X:\%KSE_Folder%\Configuration\BackendDatabaseConfiguration*.config" file. If there are several such files in this folder, do it for all of them. 2. In the system registry "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Kaspersky Lab\Kaspersky Security for Microsoft Exchange Server". Parameter is BackendSqlServerName. Start the upgrade again.

In most cases the issue is related to processing downloaded bases on the server drive. Databases are downloaded from our sites successfully, but the problem appears during compiling and copying the downloaded bases locally on the KSE server. Such behavior may be caused by the following: Not configured exclusions for KSE in Kaspersky Security for Windows Server or Kaspersky Endpoint Security. Other utilities (backup, for example), that may interfere with the file processing. Incorrect operation of the delete function on high-speed drives, for example, SSD drives. Solution: 1. Configure Kaspersky Security for Windows Server or Kaspersky Endpoint Security for correct simultaneous work with KSE. Completely exclude the KSE folder, all subfolders and KSE processes from the scan scope: Kavscmesrv.exe Antiphishing.OutprocScanner.exe Antispam.OutprocScanner.exe Antivirus.OutprocScanner.exe Kse.Ksn.exe Kse.Licensing.exe Kse.Updater.exe 2. Set the startup type of KSE service to manual. 3. Stop the KSE service. 4. If issue is related to corrupted AS bases, delete all contents from the folders: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security for Microsoft Exchange Servers\data\bases\as\bases C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security for Microsoft Exchange Servers\data\bases\ap\bases C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security for Microsoft Exchange Servers\data\bases\ap\cache If issue is related to corrupted AV bases, delete all contents from the folders: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security for Microsoft Exchange Servers\data\bases\av\bases C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security for Microsoft Exchange Servers\data\bases\av\cache If issue is related to corrupted AS and AV bases, delete all contents from the all folders: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security for Microsoft Exchange Servers\data\bases\as\bases C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security for Microsoft Exchange Servers\data\bases\ap\bases C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security for Microsoft Exchange Servers\data\bases\ap\cache C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security for Microsoft Exchange Servers\data\bases\av\bases C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security for Microsoft Exchange Servers\data\bases\av\cache 5. Set the startup type of KSE service back to automatic/ automatic (Delayed Start), as it was before adjustment at step 2. 6. Start the KSE service. 7. Update anti-spam or/and anti-virus bases manually through KSE Management Console. 8. If the issue persists, contact Kaspersky Support.

Completely exclude the KSE folder with all its subfolders and all KSE processes from the scan scope: Kavscmesrv.exe Antiphishing.OutprocScanner.exe Antispam.OutprocScanner.exe Antivirus.OutprocScanner.exe Kse.Ksn.exe Kse.Licensing.exe Kse.Updater.exe

There're only two known errors during KSMG installation. First one: ksmg.celeryd.service failed because a timeout was exceeded Above error means that DNS and/or DHCP servers are not accessible. Please reinstall and make sure that DNS and/or DHCP is configured properly. Second error: with error code=1 and msg=initdb: error: directory "/var/opt/kaspersky/ksmg/postgresql" exists but is not empty if you want to create a new database system, either remove or empty the directory "/var/opt/kaspersky/ksmg/postgresql" or run initdb with an argument other than "/var/opt/kaspersky/ksmg/postgresql" To fix the error just delete created VM and create a new one.

When administrator attempts to establish a connection between KS4O365 workspace and their Exchange online organization by doing the following in the administration console: Office 365 connection → Exchange Online connection → Grant Access → passes the consent validation algorithm but in the end gets the Error processing the request error: This error is usually triggered by the browser settings on the client host that is performing the consent validation. Upon executing consent validation algorithm we get the access token from Microsoft. Then we redirect browser to our web site's URL and attach access token as a cookie. Upon redirecting, cookie with access token is lost/blocked somehow, usually this is caused by one of the following reasons: Browser filters cookies on its own. For instance due to some extensions, browser settings, or due to some beta version of browser with paranoid default security settings. Some 3rd party program, for example a file anti-virus, is blocking access to the file with the browser's cookies on the local hard drive. Thus, the following action plan is suggested. Step-by-step guide Clear all history, cache and cookie in the web-browser, restart it and check the reproduction. If it doesn’t help, then please make sure that the same error occurs if you try to do the same operation in another web-browser supported by the product (https://support.kaspersky.com/KS4MO365/1.2/en-US/141858.htm) or in incognito mode of the browser. Also, temporarily disabling anti-malware solutions or any 3-rd party products that might be blocking/locking/inspecting browser's cookie files is called for. If the issue will persist, then please do the following: 1. Open Google Chrome web-browser. 2. Press F12 keyboard button. 3. Enable Preserve log option in Network tab. 4. Reproduce the whole scenario from the begging (log into business hub account) and the issue itself. 5. Make an error screenshot with time stamp. 6. Export Network debugging results to HAR-file. 7. Provide HAR-file + screenshot to the Kaspersky Support. Also we will be interested in the URL that will be shown when the error will pop-up in the browser.

Problem Messaged are delayed for 50 minutes and in /var/log/maillog there are following entries: Dec 10 12:07:07 ksmg KSMG: put to asp quarantine: message-id="": relay-ip="10.10.1.1": action="Postponed": size=21958: mail-from="test@example2.com": rcpt-to="test@example.com" Solution This is a a feature which delays some suspicious messages for 50 minutes (by default) and then rescan them with newer bases and information in KSN. This can be turned off in Settings -> Protection -> Anti-Spam -> Use reputation filtering. The delay can be tweaked in Settings -> Protection -> Anti-Spam Quarantine. Delayed (quarantined) messages are visible in Message Queue section of KSMG and can be forced to be delivered from there with 'Flush' button. Which messages to delay or not to delay can be tweaked with bases, so if you get messages that are delayed but shouldn't, then please provide message samples to Kaspersky Support for investigation as 'false positives'. For KSMG 2.0 (Use Anti-Spam Quarantine and Maximum Quarantine duration options accordingly):

Problem OAuth consent validation algorithm is the same for Exchange online, OneDrive and SharePoint online. Initial steps of consent validation algorithm are basically the following: A user is redirected to the Microsoft website, where the user agrees to provide necessary permissions for our Azure application. KS365 receives an OAuth callback confirming that the consent was received. But we do not trust this callback as it can be forged. The user is redirected to the Microsoft website to receive an access token that will be used for the validation of the user authenticity. KS365 receives the callback with the access token. After that, the user is redirected to the KS365 website, where the user's session will be started. Step-by-step guide When the user is redirected back to our website on the 4th step, they can encounter the HTTP 401 error: In theory, the user should have successfully authorized as all the necessary data is stored in the browser cookies. Thus, the issue must be on the user's browser side. In such cases, we recommend to attempt the following: Try to add the integration with Exchange Online/Sharepoint Online/OneDrive in a different browser (or even try a different host with different browser versions/settings). Check browser settings related to cookies: if they are supported/enabled, try disabling auto-delete of cookies if it is enabled, etc.