I. Problem description
During the process of email migration (server migration), configuring the migration information of the source email service and authentication are essential steps for administrators and members. However, there are cases where authentication may fail.
In this article, we will introduce how administrators and members can identify the causes of authentication failure during email migration and how to resolve these issues.
II. Administrator: Failing to verify migration parameters
Scenario 1: Business mail services with automated IMAP or SMTP setup
For some business mail services such as Zoho Mail, the Configure email migration parameters page, as shown below, requires administrators to enter only the email account and password of the source mail service. Other information is pre-filled by Lark, such as the IMAP, SMTP, or SSL settings.
250px|700px|reset
Problem: When you fill in the email account and password for the source email service and then click Enable Migration, a pop-up appears stating Original email configuration failed.
250px|700px|reset
Troubleshooting method:
- Check if the entered password is incorrect.
- Check whether IMAP and SMTP functionality for the original business email service is turned on. For specific operations, please refer to third-party help guides. For example, Zoho Mail - Access via IMAP.
- Check whether the original business email has specifically created an app authorization code for verification. For specific operations, please refer to third-party help guides. For example, Zoho Mail - Enable/Disable TFA for Specific Users.
Scenario 2: Other email services where IMAP / SMTP is not pre-configured
For some business email services or in-house email services, administrators need to manually enter migration information on the Configure email migration parameters page after they select Others under Original email server. This information includes details such as IMAP and SMTP settings for the original email service.
250px|700px|reset
Problem: After the administrator enters the email account and its password, as well as the IMAP/SMTP server address and port number for the original email service, when clicking on Enable Migration, a pop-up screen appears stating Original email configuration failed.
250px|700px|reset
Troubleshooting method:
- Check password and two-step verification
- Make sure your account and password are correct.
- Check whether the account you entered has a two-step verification (such as an SMS verification code) set up. If so, generate a dedicated authentication password and use that password instead.
- Check if the entered IMAP and SMTP server address and port are correct and can be connected.
Method 1: If you are using a Windows device, open PowerShell. If you are using a Mac device, open Terminal. Then, enter the commands telnet imap.example.com 993 and telnet smtp.example.com 465.
Note: Replace imap.example.com/smtp.example.com and 993/465 with your IMAP and SMTP server addresses and port numbers.
250px|700px|reset
250px|700px|reset
If you can successfully establish a connection using telnet, it indicates that the server address and port are properly enabled.
Method 2: If you are using third-party apps such as Foxmail or Outlook, please check whether the account settings that are being used successfully in those apps match the information entered in the migration configuration screen of the Lark Admin Console.
- Confirm whether the server's encryption certificate is set.
Lark Mail uses SSL encrypted channels (default receiving port number is 993, sending port number is 465) when authenticating with the original mail service. It performs strong validation of end-to-end encryption certificates by default. You need to verify that the certificate of the original mail service is CA authenticated and that the certificate chain is complete.
Method 1: Using the OpenSSL tool, you can check the status of the SSL certificate chain and the trust status of the CA by executing the following command:
openssl s_client -connect imap.example.com:993 -servername imap.example.com
Note: Replace imap.example.com and 993 with your IMAP server addresses and port number.
When you run this command, it will provide you with the certificate chain information and other details regarding the connection. If the certificate chain is complete, you will see a series of certificates from the server certificate to the root CA certificate. Look for the output line that says Verify return code: 0 (ok). If you see this, it means that the SSL certificate verification was successful, the certificate chain is complete, and it was issued by a trusted CA.
250px|700px|reset
Method 2: You can also use third-party certificate detection websites for detection.
If you are an email administrator and you are unable to manage the certificate of your email service or if the maintenance of a self-built service has expired, contact Support.
Scenario 3: Microsoft 365 email service
For Microsoft 365 email, administrators can log in using the OAuth (Open Authorization) method to authenticate migration information.
250px|700px|reset
Problem: Authentication fails after the administrator enters the administrator account for authentication and redirects to the authentication page.
Troubleshooting method:
- Please verify if the domain suffix of the administrator account's email address for authentication matches the domain you are initiating the email migration for.
- Please confirm that the permissions for the authentication administrator account are set up correctly. For more details, refer to Configure an authorized Outlook account for Lark email migration.
Scenario 4: On-premises Exchange
When migrating from an on-premises Exchange server, after the administrator enters the password for the authentication administrator account and the EWS server URL, they can perform a verification.
Problem: After the administrator enters the authentication account and server URL on the Configure email migration parameters page and clicks Enable Migration, the verification fails.
250px|700px|reset
Troubleshooting method:
- The email address of the authentication administrator account and any email account from the source mail service must have a domain suffix that matches the domain you are initiating the email migration for. If the login domain and email domain do not match, the authentication administrator account should be entered in the following format: login domain\authorized account@email domain. For example: login.com\impersonation@email.com.
- Check whether the permissions of the authorized account are configured correctly. For more details, refer to Configure an authorized Outlook account for Lark email migration.
- Check whether the authorized account can log in normally. Type the server URL in the browser, and then enter the account password of the authorized account for verification.
- Verify that the entered server URL (required field) is correct. A standard EWS server URL address is as follows: https://mail.example.com/ews/exchange.asmx.
Note: Please replace example.com with the email domain you are migrating to.
III. Member: Failing to authenticate
For email migration in the IMAP and SMTP format, after the administrator initiates the migration task for the members in the Lark Admin Console, the members need to enter the password of their original email service on the Lark app's email interface to officially start the migration.
Problem: After entering the password of the original email service, when the member clicks Start Migration, authentication fails.
Troubleshooting methods:
- Check if the entered password is incorrect.
- Check whether IMAP and SMTP functionality for the original email service is turned on. For specific operations, please refer to third-party help guides. For example, Zoho Mail - Access via IMAP.
- Check whether the original business email has specifically created an app authorization code for verification. For specific operations, please refer to third-party help guides. For example, Zoho Mail - Enable/Disable TFA for Specific Users.