OneDrive authorization timing out in corporate network

#### What is the problem you are having with rclone?
I'm trying to get rclone to work in our company environment. We would like to use it for a single migration, but so far I'm struggling with the config part. Configuration is timing out on a POST request (see logfile below). I managed to get the firewall disabled for my machine for testing purposes, and the proxy team also allowed the URLs they found blocked related to rclone, but there has to be something else causing blocks; according to our security team, they see nothing suspicious. It would be really handy to know which connections/URLs need to be allowed in order to get rclone to work. I found a list of them from Microsoft (can't post them here). I bet our security department didn't allow the whole list, just those required by the standard OneDrive client, but in order to argue with them I need to know which of these are required by rclone. Of course everything works in my home lab. We also compared tcpdumps from my home lab and from inside the company network while running the command below, but the network engineers see no differences. Any tip, advice, or idea would be highly appreciated.

#### What is your rclone version (output from rclone version)
rclone v1.53.3
also tried latest beta with same result

#### Which OS you are using and how many bits (eg Windows 7, 64 bit)
Windows 10 Enterprise 64bit 1809

#### Which cloud storage system are you using? (eg Google Drive)
Microsoft OneDrive

#### The command you were trying to run (eg rclone copy /tmp remote:tmp)
rclone authorize onedrive

#### The rclone config contents with secrets removed.
config wasn't created because I cannot successfully finish initial configuration

#### A log from the command with the -vv flag

```
2020/12/07 21:26:50 NOTICE: Config file "path-To-rclone.conf" not found - using defaults
2020/12/07 21:26:50 DEBUG : Starting auth server on 127.0.0.1:53682
2020/12/07 21:26:53 DEBUG : Received GET request on auth server to "/"
2020/12/07 21:28:53 DEBUG : Closing auth server
2020/12/07 21:28:53 DEBUG : Closed auth server with error: accept tcp 127.0.0.1:53682: use of closed network connection
2020/12/07 21:28:53 Failed to configure token: failed to get token: Post "loginMicrosoftonlineComCommonOauth2v20token": dial tcp 40.126.0.68:443: i/o timeout
```

Looks like you have a company firewall/virus/etc blocking the connection out. You'd want to check with your IT folks.

If you run with -vv --dump headers then rclone will print the headers of the HTTP transactions. You'll be able to see from the Host: headers which machines rclone needs to connect to.

I don't have a list of those machines, alas, but the above will tell you what you need to know.

Thanks for the quick response. Dumping headers revealed just more details for the already known POST request timeout towards loginDOTmicrosoftDOTcom. It's definitely something else blocking it.

:frowning: Sorry that is probably as far as I can get debugging your corp. network. You'll have to badger IT some more!

Of course you cannot debug our infrastructure :slight_smile: but every tip/idea counts. I badger everyone already. I was told that we have a federated setup, so logins are actually happening on our login servers. By default it's loginDOTmicrosoftonlineDOTcom, so if I want to define our login servers I need to go with advanced settings. Everything is blank there by default, but I assume one of the auth_url or token_url parameters should do the trick, or do I need to provide some more details?

Once you hit MS, it redirects to your login servers, but to my knowledge, you need to allow that redirect to happen as it's MS giving you that redirect and your firewall is blocking that outbound traffic.

Can you test on a machine that doesn't have the same restrictions and validate?

I see what you mean, but I'm afraid restrictions are global and authorization is possible only for whitelisted corporate IPs. Of course I will ask if we have some unrestricted space for testing, but I'm sure I will get a negative answer :slight_smile: Anyway, I will forward this redirection info to the network guys.

:slight_smile: (I didn't intend to be snarky - apologies if it came across that way.)

I think this is the root of the problem - POST requests timing out to login.microsoft.com

So I think it is probably a network block. However we can test this out quite easily.

Have you got / can you get curl - could you try this from the command line?

```
curl -vv -X POST https://login.microsoft.com
```

That is just doing a POST request the login server should reject straight away. If it hangs then there is definitely a network block in place.

Do you have a corporate proxy that you need to go through? You can configure rclone to use a proxy if necessary.

Of course we do have a proxy, and your proxy link is worth its weight in gold :ok_hand: I created environment variables with the correct proxy value and it works :grinning: I passed configuration. I don't know why I thought that when a proxy is set in Control Panel -> Internet Options it's a system-wide setting used by every application/software/tool whatever. Thank you so much for the great tip. Btw, is there some global flag available where I can define the proxy while executing rclone? I didn't find one in the documentation, so I assume it's only the variable way at the moment.

Great - glad that is working :smiley:

This is only settable by environment variable. However, you can make these persistent in Windows with setx, I think.

The thing is that I want the exact opposite of it: to set it temporarily and just for script scope, for example. It's OK, I already figured it out in PowerShell :slight_smile: Thanks again for your assistance.

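One way to do the temporary, script-scoped proxy setup discussed above, as an added example that is not code from the thread or from the rclone project. The proxy URL is a hypothetical placeholder; the probe reuses the `login.microsoft.com` host from the curl test and sends it through the proxy before running rclone.

```powershell
# Added example. ASSUMPTION: $ProxyUrl is a placeholder, not a value from the thread.
$ProxyUrl = 'http://proxy.example.internal:8080'

# Go's HTTP client, and therefore rclone, reads these variables.
$names = 'HTTP_PROXY', 'HTTPS_PROXY'

# Save the current process-level values so they can be restored afterwards.
$saved = @{}
foreach ($n in $names) {
    $saved[$n] = [Environment]::GetEnvironmentVariable($n, 'Process')
}

try {
    # Env: drive changes affect only this PowerShell process and its children.
    foreach ($n in $names) { Set-Item -Path "Env:$n" -Value $ProxyUrl }

    # Windows PowerShell 5.1 may not offer TLS 1.2 by default.
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

    # The thread's curl probe, sent through the proxy. Any HTTP status,
    # even a rejection, shows the path is open; no response means blocked.
    try {
        $r = Invoke-WebRequest -Uri 'https://login.microsoft.com' -Method Post `
            -Proxy $ProxyUrl -UseBasicParsing -TimeoutSec 15
        Write-Host "Proxy path open (HTTP $([int]$r.StatusCode))"
    }
    catch {
        $resp = $_.Exception.Response
        if ($null -eq $resp) {
            throw "No HTTP response via ${ProxyUrl}: $($_.Exception.Message)"
        }
        Write-Host "Proxy path open (HTTP $([int]$resp.StatusCode))"
    }

    rclone authorize onedrive -vv
}
finally {
    # Put the environment back exactly as it was found.
    foreach ($n in $names) {
        if ($null -eq $saved[$n]) {
            Remove-Item -Path "Env:$n" -ErrorAction SilentlyContinue
        }
        else {
            Set-Item -Path "Env:$n" -Value $saved[$n]
        }
    }
}
```

A 407 status in the probe output comes from the proxy itself and means it expects credentials, which is a different failure from the `i/o timeout` in the log above.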
