Category Archives: licensing

New Outlook confusion as connection to Exchange Online or Business Basic mailboxes blocked “due to the license provided by your work or school”

What Microsoft gives with one hand, it removes with the other; or so it seemed for users of paid Exchange Online accounts when the company said that “for years, Windows has offered the Mail and Calendar apps for all to use. Now Windows is bringing innovative features and configurations of the Microsoft Outlook app and Outlook.com to all consumers using Windows – at no extra cost, with more to come”.

That post in September 2023 does not mention a significant difference that was introduced with this new Outlook. It is all to do with licensing. Historically, Outlook was always the email client for Exchange, and this is now true for Exchange Online, the email component of Microsoft 365. Microsoft’s various 365 plans for business are differentiated in part by whether or not users purchase a subscription to the desktop Office applications. Presuming though that the user had some sort of license for Outlook, whether from a 365 plan, or from a standalone purchase of Office, they could add their Exchange Online email account to Outlook, even if that particular account was part of a plan that did not include desktop Outlook.

Some executive at Microsoft must have thought about this and decided that with Outlook becoming free for everyone, this would not do. Therefore a special check was added to Outlook: if an account is a business account that does not come with a desktop license for Outlook, block it. The consequence was that users upgrading or trying to add such an account saw the message:

“This account is not supported in Outlook for Windows due to the license provided by your work or school. Try to login with another account or go to Outlook on the web.”

The official solution was to upgrade those accounts to one that includes desktop Outlook. That means at least Microsoft 365 Business Standard at $12.50 per month. By contrast, Microsoft 365 Business Basic is $6.00 per month and Exchange Online Plan 1 just $4.00 per month.

Just occasionally Microsoft makes arbitrary and shockingly bad decisions and this was one of them. What was wrong with it? A few things:

  • Administrators of 365 business tenancies were given no warning of the change
  • Exchange Online is supposedly still an email server. Email is an internet standard – though there are already standards issues with Exchange Online such as the requirement for OAuth authentication and SMTP disabled by default. See Mozilla’s support note for Thunderbird, for example. However, Exchange Online accounts still worked with other mail clients such as Apple Mail and eM Client; only Outlook now added this licensing requirement.
  • The new Outlook connected OK to free accounts such as Microsoft’s Outlook.com and to other email services. It was bewildering that a Microsoft email client would connect fine to other services both free and paid, but not to Microsoft’s own paid email service.
  • The description of the Exchange Online service states that “Integration with Outlook means they’ll enjoy a rich, familiar email experience with offline access.” This functionality was removed, meaning a significant downgrade of the service without notification or price reduction.
  • Some organisations have large numbers of Exchange Online accounts – expecting them suddenly to change all the plans to another costing triple the amount, to retain functionality they had before, is not reasonable.
The product description for Exchange Online highlights Outlook integration as one of its features

Users did the only thing they can do in these circumstances and made a public fuss. This long and confusing thread was the result, with comments such as:

The takeaway is: You can no longer add a mail account in the new Outlook if said mail account doesn’t come with its OWN Outlook (apps) license. This is ridiculous beyond understanding. Unacceptable to the point that if they don’t fix this, I’ll cancel BOTH Exchange licenses and move over to Google Business with my domains.

There was also a well reasoned post in Microsoft Feedback observing, among other things, that “At no point is Business Basic singled out as a web-only product in any of the Microsoft Terms or Licensing documents.” 

The somewhat good news is that Microsoft has backtracked, a bit. This month, over 4 months after the problem appeared, the company posted its statement on “How licensing works for work and school accounts in the new Outlook for Windows.” The company now says that there will be a “capability change in the new Outlook for Windows”, rolled out from the start of this month, following which a licensed version of Outlook will work with Exchange Online, Business Basic and similar accounts, provided that an account with a desktop license is set as the primary account. This includes consumer accounts:

“If you have a Business Standard account (which includes a license for desktop apps) added as your primary account, that license will apply, and you can now add any secondary email accounts regardless of licensing status (e.g. Business Basic). This also applies to personal accounts with a Microsoft 365 Personal or Family, as these plans include the license rights to the Microsoft 365 applications for desktop. Once one of these accounts is set as the primary account, you can add Business Basic, E1 or similar accounts as secondary accounts.”

This is a substantial improvement and removes most but not all of the sting of these changes.

How infectious is the GPL? Battle of words between WordPress and Thesis

Matt Mullenweg, the creator of WordPress, is engaged in a battle of words with the maker of one of its premium themes, Chris Pearson, who runs DIYthemes and offers the Thesis theme on a paid-for basis. I listened to their discussion on Mixergy; it is ill-tempered particularly on Pearson’s side.

The issue boils down to this. WordPress is licensed under the GPL, which provides that if you derive a new work from an existing GPL-licensed work, the GPL applies to your new work as well.

Pearson argues, I think, that his work is not so tightly linked to WordPress that the GPL applies. “Thesis does not inherit anything from WordPress” he says.

Mullenweg says that the way themes interact with WordPress is such that all themes must be GPL. “If you build something on top of it, it should be GPL” he says.

Pearson is refusing to license his theme under the GPL. What is to be done – would Mullenweg go to court to protect the GPL?

“You want us to sue you? That would break my heart.” he says. Then later, “I really hope it doesn’t come to that.” Then, “If people decide the GPL doesn’t apply, it’s a serious step for open source.”

Disclosure: this site runs on WordPress and I regard Mullenweg as one of the heroes of open source. Like the Apache web server (also in action here), WordPress is among the greatest achievements of the open source community.

I have no legal expertise; though I know a little about how WordPress works. Themes link very tightly with WordPress and in most cases are built by modifying an existing GPL theme; but I guess if you could show that Pearson’s work does not do this but merely runs on WordPress, as opposed to modifying it, he may have a case. That’s the argument Michael Wasylik makes here. On the other hand, did Pearson really create his theme without including any tiny bit of GPL code?

Another factor: if you choose to build an extension to a platform like WordPress, it is arguably unwise to do something counter to the strong wishes of its founder. There are ethical as well as legal aspects to this.

It is an important discussion for the open source community.

Setting up RemoteApp and secure FTP on Windows

I spent some time setting up RemoteApp and secure FTP for a small business which wanted better remote access without VPN. VPN is problematic for various reasons: it is sometimes blocked by public or hotel wifi providers, it is not suitable for poor connections, performance can be poor, and it means constantly having to think about whether your VPN tunnel is open or not. When I switched from connecting Outlook over VPN to connecting over HTTP, I found the experience better in every way; it is seamless. At least, it would be if it weren’t for the connection settings bug that changes the authentication type by itself on occasion; but I digress.

Enough to say that VPN is not always the best approach to remote access. There’s also SharePoint of course; but there are snags with that as well – it is powerful, but complex to manage, and has annoyances like poor performance when there are a large number of documents in a single folder. In addition, Explorer integration in Windows XP does not always work properly; it seems better in Vista and Windows 7.

FTP on the other hand can simply publish an existing file share to remote users. FTP can be horribly insecure; it is a common reason for usernames and passwords to be passed in plain text over the internet. Fortunately Microsoft now offers an FTP service for IIS 7.0 that can be configured to require SSL for both password exchange and data transmission. I would not consider it otherwise. Note that this is different from the FTP service that ships with the original Server 2008; if you don’t have 2008 R2 you need a separate download.
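A way to confirm from the client side that the "require SSL" setting is actually enforced for the password exchange, as an added example that is not part of the original post or of Microsoft's documentation. It is written in Python with the standard `ftplib` module; the function name, the `policy-probe` user name and the result keys are assumptions made for illustration.

```python
import ftplib
import sys


def audit_control_channel(ftp):
    """Check whether an FTP server refuses credentials outside TLS.

    `ftp` is a connected, not yet logged-in ftplib.FTP (or any object with
    a compatible sendcmd()). No password is ever sent.
    """
    findings = {"auth_tls_offered": False, "cleartext_user_refused": False}

    # FEAT lists server extensions; an FTPS-capable server advertises AUTH.
    try:
        feat = ftp.sendcmd("FEAT")
        for line in feat.splitlines():
            word = line.strip().upper()
            if word.startswith("AUTH") and ("TLS" in word or "SSL" in word):
                findings["auth_tls_offered"] = True
    except ftplib.Error:
        pass  # FEAT not supported: leave auth_tls_offered False

    # Send USER in the clear with a placeholder name. A server that requires
    # SSL on the control channel answers 4xx/5xx; a 3xx reply means it is
    # ready to read the password in plain text.
    try:
        ftp.sendcmd("USER policy-probe")
    except (ftplib.error_temp, ftplib.error_perm):
        findings["cleartext_user_refused"] = True

    findings["ok"] = all(findings.values())
    return findings


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: ftps_audit.py <host>")
    with ftplib.FTP() as conn:
        conn.connect(sys.argv[1], 21, timeout=10)
        print(audit_control_channel(conn))
```

This covers the control channel only; whether the data channel also requires SSL can only be checked from an authenticated session.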

So how was the setup? Pretty frustrating at the time; though now that it is all working it does not seem so bad. The problem is the number of moving parts, including your network configuration and firewall, Active Directory, IIS, digital certificates, and Windows security.

FTP is problematic anyway, thanks to its use of multiple ports. Another point of confusion is that FTP over SSL (FTPS) is not the same thing as Secure FTP (SFTP); Microsoft offers an FTPS implementation. A third issue is that neither of Microsoft’s FTP clients, Internet Explorer or the FTP command-line client, supports FTP over SSL, so you have to use a third-party client like FileZilla. I also discovered that you cannot (easily) run an FTPS client behind an ISA Server firewall, which explained why my early tests failed.

Documentation for the FTP server is reasonable, though you cannot find all the information you need in one place. I also found the configuration perplexing in places. Take this dialog for example:

image

The Data Channel Port Range is disabled with no indication why – the reason is that you set it for the entire IIS server, not for a specific site. But what is the “External IP Address of Firewall”? The wording suggests the public IP address; but the example suggests an internal, private address. I used the private address and it worked.

As for RemoteApp, it is a piece of magic that lets you remote the UI of a Windows application, so it runs on the server but appears to be running locally. It is essentially the same thing as remote desktop, but with the desktop part hidden so that you only see the window of the running app. One of the attractions is that it looks more secure, since you can give a semi-trusted remote user access to specified applications only, but this security is largely illusory because under the covers it is still a remote log-in and there are ways to escalate the access to a full desktop. Open a RemoteApp link on a Mac, for example, and you get the full desktop by default, though you can tweak it to show only the application, but with a blank desktop background:

image

Setup is laborious; there’s a step by step guide that covers it well, though note that Terminal Services is now called Remote Desktop Services. I set up TS Gateway, which tunnels the Terminal Server protocol through HTTPS, so you don’t have to open any additional ports in your firewall. I also set up TS Web Access, which lets users navigate to a web page and start apps from a list, rather than having to get hold of a .RDP configuration file or setup application.

If you must run a Windows application remotely, RemoteApp is a brilliant solution, though note that you need additional Client Access Licenses for these services. Nevertheless, it is a shame that despite the high level of complexity in the configuration of TS Gateway, involving a Connection Authorization Policy and a Resource Authorization Policy, there is no setting for “only allow users to run these applications, nothing else”. You have to do this separately through Software Restriction Policies – the document Terminal Services from A to Z from Cláudio Rodrigues at WTS.Labs has a good explanation.

I noticed that Rodrigues is not impressed with the complexity of setting up RemoteApp with TS Gateway and so on on Windows Server 2008 R2:

So years ago (2003/2004) we had all that sorted out: RDP over HTTPS, Published Applications, Resource Based Load Balancing and so on and no kidding, it would not take you more than 30 minutes to get all going. Simple and elegant design. More than that, I would say, smart design.

Today after going through all the stuff required to get RDS Web Access, RDS Gateway and RDS Session Broker up and running I am simply baffled. Stunned. This is for sure the epitome of bad design. I am still banging my head in the wall just thinking about how the setup of all this makes no sense and more than that, what a steep learning curve this will be for anyone that is now on Windows Server 2003 TS.

What amazes me the most is Microsoft had YEARS to watch what others did and learn with their mistakes and then come up with something clean. Smart. Unfortunately that was not the case … Again, I am not debating if the solution at the end works. It does. I am discussing how easy it is to setup, how smart the design is and so on. And in that respect, they simply failed to deliver. I am telling you that based on 15+ years of experience doing nothing else other than TS/RDS/Citrix deployments and starting companies focused on TS/RDS development. I may look stupid indeed but I know some shit about these things.

Simplicity and clean design are key elements on any good piece of software, what someone in Redmond seems to disagree.

My own experience was not that bad, though admittedly I did not look into load balancing for this small setup. I agree though: you have to do a lot of clicking to get this stuff up and running. I am reminded of the question I asked a few months back: Should IT administration be less annoying? I think it should, if only because complexity increases the risk of mistakes, or of taking shortcuts that undermine security.