Code This

std::cout <<me.ramble() <<std::endl;

An Inside Look At Exchange Support In K-9 Mail

with 25 comments

When I first bought my Droid Eris, around a year ago, it came loaded with HTC replacements for most of the stock Google apps, including the mail app, the dialer, mms, etc… The HTC mail app just worked – it supported Exchange, handled multiple in-boxes, and the notifications worked like a charm. Sadly, when I switched to a Froyo ROM, the HTC applications where no longer available and I was stuck with the stock Google apps. Well, as far as the mail application was concerned, this was a very bad thing. The Google mail app came with some significant bugs, and a notification system that was pretty much useless. So I set out to find an acceptable replacement for the HTC app.

This is when I found K-9. It was reviewed well, and boasted Exchange support, which is apparently hard to find on Android. I was saddened when I discovered the state of the Exchange support, which wasn’t great. Firstly, there was a bug in it that prevented it from working with the domain\username format. But alas, the project was open source and, being a developer, this was good news. So I took it upon myself to dive in and fix whatever bug(s) was preventing it from working correctly. I had no idea what I was in for at that point.

What was going to hopefully be a few line patch turned into 2,000 lines or so – and I was only half done at that point. By now I have completely rewritten the process of making the initial connection to Exchange and authenticating. After my initial patch was (reluctantly) reviewed and merged, the project head offered me the position of taking over as maintainer for Exchange support. I accepted, but warned him that I don’t have much free time these days. Either way, I have gained a lot of knowledge about how Exchange with OWA and WebDAV work, and am able to share that knowledge with you.

First, let me describe a little bit about how WebDAV access works. Each user has a mailbox, which by default can be accessed by a URL in the form: Tack ‘/Inbox’ on to that path, and you have the user’s inbox. You can type that into your browser and you will be kindly redirected to an OWA login page. If you were to send an HTTP GET request to that URL, you would find that the Exchange server responds with a 302 status code, which is a redirect. This is exactly what K-9 does when making its initial connection to your exchange server.

Assuming this request is “successful” (I won’t go into what qualifies as success), K-9 then attempts to authenticate you. Based on the initial response, this will either be through basic authentication or form-based authentication. The greater majority of Exchange servers are setup for form-based authentication, and this is the only configuration I have actually tested. Unless the user has overridden the default authentication path in their configuration (which is completely unnecessary), the path used is: If Exchange gives K-9 back authentication cookies on the response, the user is authenticated and K-9 retrieves the user’s list of folders. Otherwise, it tries a more brute-force approach. It will check the response for an HTML form target. If it does not find one, it will send a request to the redirect URL from our initial connection and check this response for an HTML form target. Assuming one of these searches yields a valid form target, it will then try to authenticate again using a URL constructed with this form target. For this reason, the user can enter complete junk into the ‘Authentication path’ field, and K-9 will still be able to authenticate the user (albeit less efficiently). I could have removed this field entirely, but chose not to just in case a user has a completely custom/bizarre Exchange configuration.

The only reason I have encountered for why a user would need to enter a value for one of the “advanced” configuration options is if their mailbox alias does not match their user name. Unfortunately, this was not the case for versions of K-9 prior to 3.400. For this reason, upgrading K-9 to the most recent version will break Exchange support for some users until their configuration is corrected. I didn’t really want to do this, but it was a necessary improvement so that these advanced options have a specific and deterministic affect on how K-9 connects to your Exchange server. I don’t want users spending hours “tinkering” with their options trying to get K-9 to work anymore.

To cap off this blog post, I’d like to show some screen shots of the updated screen for configuring an Exchange account. As of the writing of this post, these changes have not even been merged into trunk yet.

Let me know what you think.


Written by Kris Wong

January 7, 2011 at 7:06 pm

Posted in Android, Exchange, HTC, K-9 Mail, OWA

25 Responses

Subscribe to comments with RSS.

  1. Ho Kris,

    Gr8 to see someone is still working on it. Frankly speaking, K9 webdav exchange never perked for me. Only Touchdown did, but recently that too stopped working. So I resorted to K9 mail trying to figure out a ‘lucky’ configuration. No success so far.

    Here are my details. :
    Server : https :// changed)
    User Id : abcde
    Email id. : firstname.lastname

    There is something I noticed. – completue URL is not in the format you specified. It appears after a successful login into the mailbox using browser :

    Hope it helps you in your design.



    January 9, 2011 at 8:01 am

  2. Hi Kris,
    Does K9 work with NTLM Authentication?
    Thanks for your help.


    January 9, 2011 at 11:20 pm

    • @Sri, does your Exchange server require NTLM authentication? I have no idea where K-9 would get credentials for NTLM authentication on the Android platform.

      Kris Wong

      January 10, 2011 at 8:53 am

  3. Hi Kris,

    have you planned on implementing support for basic http authentication?

    Thank you :)

    Marius Krämer

    January 14, 2011 at 5:38 am

    • @Marius: It is implemented, it is just untested. I do not have an Exchange server configured with basic authentication to test against.

      Kris Wong

      January 14, 2011 at 6:40 am

      • I Have NTLM on my works server and can not connct, any ideas?e



        January 18, 2011 at 8:23 am

      • @ade: Login using your username and password as you would login to your domain account.

        Kris Wong

        January 18, 2011 at 8:59 am

  4. Hi Kris,

    Thanks have all details correct username, password, etc tried with and without authentication and can not get it to connect to the server. The origional email account has no problem with the same settings,have also tried domain/accout name all with no joy?

    Thanks Again


    January 18, 2011 at 9:13 am

  5. I have never been able to get k-9 to authenticate. In the default android email app, I have to check the option “Accept all SSL certificates” K-9 does not appear to have a similar option. Is there another way to accomplish that or could it be added to K-9?


    January 25, 2011 at 7:17 pm

    • @rstokc: You are correct, K-9 does not have this option. I do plan to add it in the future. I would recommend though, if your organization can afford to run exchange, they can afford the insignificant amount it costs for a valid certificate signed by a trusted authority.

      Kris Wong

      January 26, 2011 at 9:09 am

      • I recently committed a change that allows you to accept invalid SSL certificates on a per certificate basis. This change should be in K-9 3.601.

        Kris Wong

        February 1, 2011 at 1:07 pm

  6. Hi Kris,
    Some strange behavior here for K9 for Pure widget. The exchange account setting installs fine with minimum detail provided (server, username, password, etc) but no email is pulled.
    If I go to “Folder view”, I see just a part of error message:” A valid URL for Exchange au…” and the rest is not visible.

    Do you have any clue?


    February 7, 2011 at 9:14 am

    • @Adrian: I am not sure what K-9 for Pure is, but if you have a problem with K-9 mail, please open a bug report including a description of your issue, the version you’re using, your configuration, and logcat output.

      Kris Wong

      February 7, 2011 at 12:58 pm

  7. Hi Kris,
    Really appreciate your work on Exchange support. Want your opinion on if you want me to file a bug request or not (it might be unique to me, I’ve never been able to get Exchange support with native, K-9, or Touchdown). At first I received “A valid URL for Exchange authentication could not be found.” Then I put in my Authentication path, and now I receive “Unable to authenticate in sendRequest()”. Think this could be related to certificates? (3.601 isn’t in the market yet)


    February 7, 2011 at 1:27 pm

  8. @Joel: If it was a certificate error, it would be obvious in your logcat output. In order for me to be able to troubleshoot, I need you to open an issue with the above requested information.

    Kris Wong

    February 7, 2011 at 6:55 pm

    • Much appreciated. Issue #2954


      February 7, 2011 at 9:55 pm

  9. Still won’t allow me to do a push with exchange. How does K-9 handle this? The option is greyed out?

    Justin B

    August 30, 2011 at 10:40 am

    • Push is not currently supported for Exchange. You will be happy to know that this is under development, however.

      Kris Wong

      August 30, 2011 at 10:56 am

  10. I spend months trying to make this work, and at the end, the only thing that worked was…
    In my case, my account is

    – username (not the same than the account name in my case)
    – SSL always
    – name.lastname



    September 16, 2011 at 2:31 pm

    • Alex you are the best! It just worked for me! Like you said!!!!

      THanx oodles!!!


      September 24, 2012 at 9:31 am

  11. I am sorry this might be a bit of topic but i could not find a solution anywhere. I have set up K9 with my exchange with no problems. I have an additional mailbox that my company uses and i need access to it on the phone. How do i set it up?


    February 22, 2012 at 11:08 am

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: