Microsoft to Disable Legacy Email Protocols 01-10-22

What is happening?

Microsoft are making a mandated change on the 1st of October 2022 and will be retiring Basic Authentication for legacy protocols in Exchange Online.

About email and authentication

When you send an email from your reading.ac.uk or student.reading.ac.uk account, the email contains additional information which advises our Microsoft Exchange email server that you are authorised to send email from that email programme and email account. If you are sending email from an unsupported programme or account, you will get an error message.

The majority of apps, services and websites use Multi-Factor Authentication (MFA), i.e. as well as username and password you need to set up an additional check when logging in, whether via an app or by entering a code sent by email, phone call or text message.

There are some legacy programmes which use Basic Authentication, i.e. username and password only. Support for this is being removed by Microsoft in their Exchange email server on 1st October 2022.

What does this mean for me?

If you are using an email programme with only Basic Authentication, you will not be able to send emails from 1st October and beyond.

Who is affected?

This affects people who are using either an old or nonstandard email app, e.g.

  • If you use older Outlook email programmes, i.e. Outlook 2010 or Outlook 2013
  • If you are on a mobile device and using a non-native email app
  • If you use Thunderbird or Spark as your email client (mainly Mac users)
  • If you manually configured your email client, i.e. you put in your own information when you added your profile, which are now not recommended.

Who is not affected?

You will not be affected if your Microsoft Office is up to date i.e. you use Outlook 2016 or Microsoft 365, you use the built in email client on your mobile (e.g. Microsoft Outlook App), or you use email on the web.

How can I tell?

A simple way to tell if you are affected is how you log in to get your email.

Basic authentication only requires a username (email address) and password, as shown in this screenshot:

Screen capture showing email and password

This is an example of a modern authentication request – it requires additional approval beyond username and password.

Image showing modern authentication method

What do I need to do?

There are several ways to mitigate this by either changing or upgrading your email programme, which are summarised below:

  • All users: Use webmail/Outlook on the web instead. You can access your University email account at https://outlook.office365.com/mail/
  • All users: If you are using Outlook, upgrade your email programme to Outlook 2016 or Outlook 365
  • All users: Change your email programme to Outlook (2016 or 365) or another email client which uses modern authentication such as Gmail.
  • All users: All staff and students are eligible to download Microsoft 365 Apps, following these instructions: KI 0202
  • Mobile users: Change or upgrade your email programme to the Microsoft Outlook app.
  • Mac users: Update iOS to current version and reinstall the Apple Mail application
  • Thunderbird users: update to latest version of Thunderbird following these instructions: KI 1209
  • “Other” mail clients, remove and add back account choosing ‘Microsoft 365’ as the account type

For the technically minded, the full table:

Legacy protocol Description What uses it Solution
Exchange ActiveSync & AutoDiscover Used to connect mailboxes to Exchange online * Windows Mail

* Calendar

* Email clients on mobile device

* Mac OS

Use webmail/ Outlook online

Use Outlook 2016 or Office 365 or Outlook for mobile

Update iOS to current version and reinstall Apple Mail

IMAP Allows access to email without downloading it to the device. Email is read directly from the email service Email clients such as Thunderbird and Spark.

Outlook and Apple Mail when manually configured

Use webmail/ Outlook online

Use Outlook 2016 or Office 365 or Outlook for mobile

Update to current  Thunderbird app

Update iOS to current version and reinstall Apple Mail

MAPI Over HTTP Primary mailbox access protocol used by Outlook 2010 SP2 and later Outlook 2010 and newer email clients on mobile devices Use Outlook 2016 or Office 365 or Outlook for mobile
SMTP Authentication TCP/IP protocol used to send/forward email; it cannot receive messages Email clients such as Thunderbird and Spark.

Outlook and Apple Mail when manually configured

Update Thunderbird

Remove and add back account choosing ‘Microsoft 365’ as the account type

“Other Clients”

(Linux mail clients, custom mail clients, etc)

Any other protocols identified as utilizing legacy authentication Application should be up-to-date and added using modern authentication protocol such as ‘Microsoft Exchange’ or ‘Microsoft 365’ option

What happens if I don’t do anything?

If you don’t do anything, you will not be able to send any emails using your current method from 1st October. As this is mandated by Microsoft, DTS have no ability to grant an extension.

Further information:

This change is examined in further detail in this Microsoft article: Deprecation of basic authentication exchange online

What version of Outlook do I have? You can usually find the Outlook product version by selecting Help > About while in Outlook. Also see this article by Microsoft.

Creating a new Outlook profile to restore default settings: KI 1813 How to create a new profile in Outlook 2016 (Windows 10) 

Contact:

If you want any advice or have any issues, please raise a ticket with the IT Service Desk.

The Retiring Activedition project – 40,000 webpages later 

In DTS and MCE, the retiring Activedition project, which has recently come to an end, has seen nearly 40,000 webpages migrated (or removed) from Activedition to the new CMS system, Sitecore.  The aim of the project was to improve security and make the websites at the University easier to use.  

The project, that spanned over 8 years, with the concentration of work since 2018, also processed nearly 56,000 multimedia files and 23,000 documents. The result left us with 7,000 pages on Sitecore, making the websites easier to navigate and find what you want.  

Burning Platform  

The migration gave a good opportunity to consolidate and freshen up the websites but the main motivation behind the project was fixing an incoming security hole. 

Activedition was coming to the end of its product lifecycle and would no longer be supported by its creators in the future. This end of support means no more security updates and continuing to use it would have opened us up to cyber-attacks.  

Mark Collett, Director of Enterprise Architecture and Digital Transformation, spoke about the need to get off a CMS with looming security issues:  

“The underlying platform was on legacy equipment where the software and databases wouldn’t be supported by the end of this month by Microsoft. 

The hardware was going out of date and would be unsupported. The CMS itself is old, and the company that developed it, its not one of the projects they’re interested in developing.  

So, it meant that we had a hard deadline for the end of this [July 2022] month to get all those pages off because if we didn’t it would pose a risk to the University.  

The website is a front facing thing for the University, so we needed to get off, what we call, a burning platform”  

He also spoke about how DTS balances making sure the University is secure against Cyber Security issues and the impact they have on Colleagues:  

“Our strategy is to try and make our systems as secure and reliable as possible and that’s always a balancing act with user experience and the impact on Colleagues. 

Currently we are running both Sitecore and Activedition. With fewer CMSs we have a simpler web estate and can focus on fewer skills sets and reduce working complexity. 

The more complexity you have in a system, the more resources you need to understand it and run it, which isn’t an efficient approach”  

Understanding and planning 

Once the go ahead for the project was given, a large body of initial analysis and planning work was conducted inside DTS by the Digital Portfolio Team (DPT).  

Part of the DPT’s job is to analyse drivers behind a project; the motivations that are the cause for a project to come into existence. This is done partly by evaluating the problem we are trying to solve. Looking at the people involved and the problems they are experiencing.  Once we have an accurate idea of the problems, we are in an informed position to choose the correct solutions.  

Mary Seddon, Head of Digital Portfolio, spoke about drivers and what she found out from talking to colleagues around the University:  

“I’m sure there are many reasons why the University needed to get off Activedition and the business case talks about several high-level drivers that we needed to meet. One being that the devolution of responsibility to an area or school creating their own webpages meant there was a loss of quality control, for instance no control over retiring or replacing a page.  It was very hard for MCE to assist people.  

Activedition was also very old fashioned to look at.  Lots of people were concerned about that, yet there was lack of control over the look and feel of the websites.  

From a technical perspective, the problems were the burning platform and the fact that the knowledge about Activedition itself, was in the hands of, and supported by, about 3 people on the planet – as far as we could tell.  We were very lucky to find Jim Hazell who knew what Activedition was.”  

She continued with the topic of how, when working on projects that affect lots of different people, you will often come across drivers from different places that conflict with each other:  

“We put a business case that brought all those needs together – those from MCE and DTS, and others – and there was understandable, good, tensions between the drivers.  Some people wanted to do a ‘like for like’ replacement and others wanted to make the websites “better”.    

At the same time, we had to do something to get off that burning platform and this is that unified us.  We were all on the objective that we need to move off Activedition for the sake of security.” 

The Great ‘Lift and Shift’  

After initial analysis work was complete the project moved into working through the websites on Activedition with the Digital Applications and Development team working out which pages could be manually moved to Sitecore, and which ones could be moved through a clever automatic process.  

Dave Jones, Head of Digital Applications and Development, spoke about how the ‘lift and shift’ process wasn’t as unceremonious as the name makes out:  

“Is it actually just straight lift and shift? Or is it lift and shape? Or is it a complete refactor?    

Initially, I think MCE and the Schools were pushing very hard for it to be effectively a refactor. That’s when we had Bunny Foot in (website consultants) and when the school webpage template was redesigned, and the site was greatly improved, but we saw that was taking forever. When we developed the idea of doing an automated process for the functions that’s when it had to be slightly more regimented. 

Functions could still tweak how things looked. Different functions could have different coloured accents on various parts of the site to differentiate them.”   

The project processed over 40,000 webpages from different websites at the University. Mustafa Rahman, CMS Web Team Lead in Dave Jones’ team, spoke about how lack of control over accounts let it get to such a high level:  

“There were easily 500 users on Activedition, and I’d guess about 340 of them were unique users. That was the hardest bit about accounts in Activedition, working out who was still active.   

With Sitecore, It’s much easier to maintain in that way, and we’ve removed a number of old accounts so there’s less accounts to maintain and more control over people adding pages and making changes”  

Collaboration, accessibility and breaking silos 

Universities can often be ‘siloed’ in how their teams operate with each of but with this project it was the opposite. It included many teams from many different departments, working together on different ways to solve one common problem.   

Martin Watts, Head of Content in the Marketing Engagement team, assisted massively with the project and spoke about his approach to multi-team collaboration:  

“This project was about making sure everyone was on board. I think there was a realisation that the only way we would succeed is if we work together and make sure we didn’t let those traditional silos get in the way.  

Ultimately, we’ve all got the same goal at the University. We’re all trying to make sure we do what the University needs us to do in order to achieve its goals”  

He also spoke about how the collaborative relationship that was established between DTS and MCE will have a positive impact on work between the two in the future:  

“The CMS team and the Content Team have worked prior to this, and we’ve had a really good working relationship, but we had worked in a sort of support capacity where if we needed support with something, the CMS team would help us.   

Going through this project was about moving to an actual web development model where we are making new things. We’re not just fixing and maintaining existing things and that required quite a mind shift.”  

Martin finished by talking about how pleased he was that accessibility requirements resonated so well with colleagues around the University:  

“People thought it was an excellent reason for doing this, not just about meeting a simple compliance thing. It’s about ensuring that our websites are inclusive for all users, regardless of their access needs and I thought that was that was really good.  

In terms of what was really helpful, we had Miroslava Flimelova come in and join us and basically supports us with that work throughout the project. She was fantastic to work with because she’s just so knowledgeable but also really keen to help ensure that we make things accessible. If we don’t know what we’re doing, we can ask her a question and she’s always happy to help.”  

A solid state for the future   

The retiring Activedition has provided a solid bed for future web estate development. Sometimes, in order to improve things, you have to revaluate what you are working with and simplify it down to a state that is a solid foundation to work from in the future.  

It was also a collaboration between many different people and teams at the University and showed that digital departments can work together and even improve working relationships and processes for future projects.  

Mark Foster, Project Manager in the PMO, had these closing statements on the project and the people he’d met on the long time he spent managing it:  

“Just given the nature of the project over that period of time, there’s been significant or notable numbers of people leaving, joining, seconding in and out, babies being born, there’s all sorts of stuff going on. So that made it quite a bit of a family thing in the end because people sort of religiously came to stand ups.”  

 

Changes to email distribution lists

Email distribution list logo

Email distribution lists are used throughout the university to send one email to lots of people simultaneously. These mailing lists could include people outside the University (external) as well as University staff and students. Up until now, we’ve used Mailman (https://www.lists.rdg.ac.uk/mailman) for creating the majority of mailing lists, whether for external or internal recipients.

Moving from Mailman Lists to Outlook Distribution Groups

What is happening?

DTS assesses software used at the University to ensure it meets current standards and requirements. Older programs that can’t meet these demands are being replaced and phased out, and Mailman has fallen into this category. For this reason, we are now tackling replacing Mailman with the solution depending on the recipients of the list:

  1. Lists that have internal recipients – these are moving to Microsoft Outlook Distribution Groups (this project has been underway for a while and you may have already been advised and moved to Microsoft Outlook Distribution Groups)
  2. Lists that have external recipients – these will be moving to a new service called LISTSRV (this project is currently in a trial period with a select number of lists; there will be a further post with more information soon)

I’ll explain more about Microsoft Outlook Distribution Groups later in this post, with links to our Knowledge Item articles which will guide you through the main functionality.

Some background

The decision to move away from Mailman has not been taken lightly. The main issue we face with Mailman is that there has been nobody updating or supporting it for several years (last release was 2016).

  • No developer = no patches or updates
  • No vendor = no support
  • No patches or updates or support = security risk

With no changes since 2016, Mailman is increasingly open to vulnerabilities.

  • The Mailman admin panel has not been available offsite since Christmas 2021 due to security concerns which cannot be fixed.
  • New features to improve email security, such as Advanced Threat Protection (ATP) and Safelinks cannot be implemented.
  • Emails from Mailman lists are being marked as Junk or Quarantined. This means that emails coming from reading.ac.uk are being treated as suspicious.

Outlook Distribution Groups (for internal addressees)

If your Mailman list only contains internal recipients, then we are turning your list into an Outlook Distribution Group.

What are the benefits?

We are all familiar with using Microsoft Outlook, so the main benefit is that there’s no new interface to learn, and its contained within your Microsoft 365 environment so no new software to install and manage.

Here are some other benefits:

  • Global Address Lists – There’s no need to remember lengthy email addresses of the Distribution Group. They are all visible in the Distribution Group section of the Global Address Lists in Microsoft Outlook desktop or web app.
  • Software is up to date – Microsoft ensures the application is patched or updated to avert security vulnerabilities and users don’t need to do anything.
  • Better message delivery times – Posts are speedily delivered i.e. Mailman lists currently step through 13 hops (different servers) in order to get to recipients. With the new system, this is now cut down to 3.
  • Managing membership is easier – There’s no need to remember URLs or open a web-based link to manage members. Avoiding such unnecessary step also cuts down on delivery times and remove ghost members.
  • Accurate Membership list – There’s no need for Distribution Groups owners to unsubscribe a leaver as Active Directory is automatically updated. Currently, there are duplicate email aliases, inactive/leavers that cause Non-Delivery Reports (NDR) in Mailman Administrators mailbox on a daily basis. Removing inactive/leavers also cuts down on delivery times.

Key information for existing list owners

Much of the functionality of Mailman is also available in Outlook, but here are a few things that you need to be aware of:

  1. Most mailing list subscribers shouldn’t notice any difference. 
  2. Emails sent to a Distribution Group will appear to come from the sender. If you don’t want your name to appear on the email, please use a Shared Mailbox to send the email (e.g. “IT Communications”). The same is true of sent items, they will appear in your Sent items unless you have sent from a role-based account, in which case they appear in the Sent items of that account.
  3. Any messages you receive about your Distribution Group will come into your inbox (or, if you used a Shared Mailbox to send a message, it will come into that inbox). For example, if you need to moderate a message, you will be notified via your inbox.
  4. Moderating and approving posts can only be done through the web interface (outlook.office.com)
  5. You can only add members who have an @reading.ac.uk email address. If you need to add external members, please contact the IT Service Desk.

Instructions for using Outlook Distribution Groups

How to access your distribution list: You can access your Distribution Groups via Outlook Online (outlook.office.com).

How to send posts to a distribution list: To email your members, put the list address in the To field of a new email (or the BCC field, if you don’t want your recipients to be able to see and contact all members of the Group).

Group Manager admin tools: The preferred way to administer your lists is through Group Manager, which is available on Apps Anywhere.

Outlook Web tools: You can access admin tools through Outlook Online (outlook.office.com).

Note: some lists do not appear in the Global Address list. If you cannot find yours, please raise a ticket with the IT Service Desk to perform these functions.

Further information

The best place to get up to date information for Microsoft products is from Microsoft themselves. This support page is about Outlook Distribution Groups: Microsoft Outlook 365 distribution group support page

Contact

If you have any questions or require advice, please contact our IT Service Desk.

Network Downtime impacting internet service and VPN, University websites and ESS – 06/09/22 between 1800-2200

DTS will be performing maintenance on the core network infrastructure on Tuesday 6th September between 1800-2200.

What is happening?

DTS are making improvements to the core network infrastructure on Whiteknights campus. This requires some downtime as we carry out this important work, which will affect both wired (network) and wireless (Wi-Fi) connections.

When:

This work will take place between 1800-2200 on Tuesday 6 September

This time has been agreed to cause the least disruption.

Location: University of Reading Campuses (excluding Malaysia)

Who is affected?

Staff, students, visitors.

 

There will be no internet service during this change; this means that for Whiteknights, London Road and Cedar Farm, any devices connected to a campus network connection, the University’s Wi-Fi (Eduroam), and Teams telephones will not be able to connect to the internet.

If you are off campus or Greenlands campus, access to the VPN, University Websites, and corporate applications such as the Employee Self Service will be unavailable.

 

Further information and help

This change is being carried out under change reference: C-2208-279

 

If you need to speak to us about this change or would like advice please raise a ticket with the IT Service Desk, https://uor.topdesk.net/ or email dts@reading.ac.uk

New look IT Service Desk emails

We have designed a new streamlined look for the automatic emails sent out by the IT Service Desk. Several of you said you missed our emails as they didn’t stand out as anything important, or they weren’t laid out well so you couldn’t find the information you wanted easily.

The following screenshots show the new emails which will be coming shortly.

New ticket

Here is an example of the email you will get when you log a call.Screenshot of new ticket email

Ticket update

Here is an example of an email telling you about an update to your ticket. If you want or need to reply to the message, you can do this by clicking the “Track my ticket” button, which takes you straight to that particular ticket:

Screenshot of update ticket emailTicket completed

Finally, this is the ticket completed email, with a meaningful reason for closure (usually job completed). If you want to re-open the ticket or have comments to make, clicking the “Track my ticket” button takes you back to that particular ticket on the Self Service Portal.Screenshot of ticket complete email

Further information and contact

You can use the IT Self Service Portal to look up your ticket, add information and give us feedback, and we’ve highlighted this in the new emails with a “track my order” style button. We hope this will make it easier for you (and us) to provide you with an efficient service.

We welcome your feedback about the new email design, and would also like to hear from you if you have any suggestions about improving them. Please contact me via the Feedback section on the IT Self Service Portal, or you can email me directly.

World Password Day May 5th – Update your password!

World password day logo

World Password Day takes place on Thursday May 5. It was set up in 2013 as a day set aside for people to update and strengthen their passwords.

The average person has over 100 different passwords for various apps, websites, and online services. In practice most of us re-use the same handful of passwords, and ignore prompts to “update your password” until we are forced to do something. Unfortunately, there are an increasing number of people who will take advantage of this. 

What is the risk?

Password protection is one of the most important things you can do to safeguard your personal, professional, and sensitive data. Without a strong password, you risk:

  • Giving hackers easy access to your most sensitive accounts
  • Breaches to multiple accounts that share the same or similar passwords
  • Attacks by keystroke loggers who steal common login credentials
  • Loss of data through shared (and easily stolen) passwords

How do I make my passwords stronger?

Strong and secure passwords are crucial, especially now that most of our work is done online. Even if you have strong passwords, they need changing regularly as they may have been exposed in a data breach. The strongest passwords are:

  • At least 12 characters long
  • A mix of uppercase and lowercase letters, numbers and special symbols
  • Not based on your username or other personal information
  • Unique to each account

Our Password page has some more guidance for creating a stronger password.

Further information and reading

As well as the Password page, DTS have several pages dedicated to Cyber Security, https://www.reading.ac.uk/digital-technology-services/cyber-security

For more general information about keeping yourself safe online, have a look at the National Cyber Security Centre website.

Intel, ARM and AMD chip scare (Spectre + Meltdown)

In the last few days Intel, AMD and ARM have publicly announced major security flaws within their CPU chips.  We are working with suppliers to patch our systems as quickly as possible to ensure they remain secure.

Security patches will be applied to your computer over the coming days. Never switch off your computer at the wall or the security patches will not be applied.

The University of Reading IT department will continue to monitor risk and will make updates when needed, however, please do remember to update your home machine. This flaw affects millions of institutions and businesses but will also affect households too. Full details of what the security flaw is and how to deal with it can be found on the BBC website, including how the flaw is exploited and how to keep your personal machine protected.

There has been no evidence that the flaw has been exploited yet but still poses a security threat.

Non managed Mac and Linux users should ensure that they have the latest versions of their OS and software in order to have the security patches applied.

A reminder of some good online security tips:

  1. Use strong passwords and do not share them
  2. Use central file shares or One Drive for Business in preference to local drives
  3. Never switch off your computer at the wall or the security patches will not be applied
  4. Lock/secure your hardware
  5. Encrypt sensitive and personal information
  6. Think carefully before clicking on links in emails, even from friends and colleagues
  7. Ensure that your anti-virus is up to date
  8. Ensure that Windows updates are applied promptly
  9. Keep software applications up to date
  10. Dispose of IT equipment and data securely
  11. Protect your mobile device

If you have any further questions or concerns then please contact IT.

 

15:27 01/04/16 Major power outage

There was a major power outage on campus this morning, affecting two key server rooms. This resulted in the loss of most of the IT services on campus.

The majority of services were restored by 14:00. Notable exceptions being;

  • Wi-Fi authentication
  • Campus card payment services
  • Trent
  • Sports Park web site
  • Network link to Cedar Farm
  • Some networking in Harry Pitt
  • Lyle building power – affects all servers hosted in this server room

 

Some services are running slowly due to re-synchronisation of the server storage. This should complete over the weekend.

There is a backlog of e-mail (incoming and outgoing) which is being processed.

Please accept our apologies for the disruption this has caused.

 

IT

Firewall Issue

We are currently trying to fix an issue with the Whiteknights campus firewalls, which can lead to occasional and very brief losses of connectivity to the Internet for users at Whiteknights and London Road campuses, and when accessing University business systems such as Agresso, RISIS and Trent.  There are some challenging circumstances, so it’s taking us longer than usual to get to the bottom of things.  We are working with our equipment vendor’s advanced technical support and engineering teams with a view to identifying feasible workarounds and a fix for the root cause as quickly as possible.

In order to assist with our diagnostics, and to help us accurately judge the business impact of this issue, it would be helpful if people could contact the IT Service Desk if they are unexpectedly disconnected from any of the University’s business systems during their day to day work. We routinely monitor the University’s Internet connectivity so at the present time do not need to be contacted regarding brief losses of Internet access.

As ever, please feel free to discuss any aspect of this issue with your IT Business Partner if you wish.

Slow Logins Issue

We have recently been experiencing problems with slow logins to some PCs on campus. We are working very hard to resolve this issue. Should you find your login is unacceptably slow (over 4 minutes), you should:

Contact the Service Desk immediately on 0118 378 6262, 6262 from an internal phone.
They will be able to provide you with details of a guest login account.
If required, restart the PC (hold the power button if necessary).
Login using the username and password supplied to you.

NOTE: The guest login will not map your N:\ drive automatically. The Service Desk will be able to assist you with this. You will still be able to access Blackboard and the Internet.

AV technicians are also able to assist with this particular problem.