Myshkin-1511 asked ·

adfs and exchange 2016

Two WAP and two AD FS 3.0 servers are in use with Exchange 2013 for OWA and ECP. It has been working fine.

Exchange 2016 was added to the organization for migration. However, when pointing the DNS identifier to 2016, SSO doesn't work. Only the regular prompt is received.

Since 2016 uses the same organization settings as 2013, I'm not sure what is missing. The token signing cert thumbprint matches. I had ADFS authentication set to true (with the others false) on the virtual directory as mentioned in the article below, and that didn't work.
https://docs.microsoft.com/en-us/exchange/clients/outlook-on-the-web/ad-fs-claims-based-auth?view=exchserver-2019
Also, I imported the cert to the 2016 box's root store. That didn't work either.

Thanks.


Tags: office-exchange-server-administration, adfs, office-exchange-server-connectivity

AndyDavid answered ·

What do you mean by "dns identifier" points to 2016 SSO?

What is the AdfsAudienceUris set to?

 Get-OrganizationConfig |FL *ADFS*

The 2016 virtual dirs need to be defined there.
https://docs.microsoft.com/en-us/powershell/module/exchange/set-organizationconfig?view=exchange-ps
https://docs.microsoft.com/en-us/exchange/clients/outlook-on-the-web/ad-fs-claims-based-auth?view=exchserver-2019#step-6-configure-the-exchange-organization-to-use-ad-fs-authentication


Set-OrganizationConfig -AdfsIssuer https://<FederationServiceName>/adfs/ls/ -AdfsAudienceUris "<OotwURL>","<EACURL>" -AdfsSignCertificateThumbprint "<Thumbprint>"


I meant the current OWA URL points to the CAS of 2013, and when we set it to point to 2016 (by modifying the local host DNS record).

Since 2013 and 2016 are within the same organization, Get-OrganizationConfig shows "https://email.mycompany.com/owa, https://email.mycompany.com/ecp", and the thumbprint also matches the one from the token signing cert.

Right now it works when pointed to 2013. Users can access mailboxes in 2016. But when the DNS is set to point to the 2016 CAS it doesn't work. We want to retire 2013 so need to ensure everything point to 2013.



Myshkin-1511 · in reply to Myshkin-1511

typo above: We want to retire 2013 so need to ensure everything point to 2016.

AndyDavid · in reply to Myshkin-1511

And you did an iisreset after making the change to the auth on the 2016 server, and OWA/ECP were both changed? Sorry for the dumb questions!


Marking this as the answer since re-applying

Set-OrganizationConfig -AdfsIssuer https://<FederationServiceName>/adfs/ls/ -AdfsAudienceUris "<OotwURL>","<EACURL>" -AdfsSignCertificateThumbprint "

with the same set of values that were already in place worked. Apparently, something flipped and re-application of the command set it right again.


EricYin-MSFT answered ·

Hi,
Can you post the result of " Get-OrganizationConfig |FL ADFS "?
I just wonder if you added "/" at the end of each URL:

The inclusion of the trailing slash / in the URL examples shown below is intentional. It’s important to ensure that both the AD FS relying party trusts and Exchange Audience URI’s are identical. This means the AD FS relying party trusts and Exchange Audience URI’s should both have or both emit the trailing slashes in their URLs. The examples in this section contain the trailing /’s after any url ending with “owa” ( /owa/) or “ecp” (/ecp/).


If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
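The checks the thread keeps circling back to (AndyDavid's Get/Set-OrganizationConfig values, EricYin's trailing-slash point, and the per-server virtual directory auth settings) collected into one script. This is an added example, not code posted by anyone in the thread; it assumes it runs in the Exchange Management Shell, that the AD FS server accepts PowerShell remoting, and that $AdfsServer and $RelyingPartyName are placeholders you replace.

```powershell
# Added example: compare the Exchange organization ADFS settings with the AD FS
# relying party trust and with every OWA/ECP virtual directory (2013 and 2016).
# Placeholders (assumptions, replace before use):
$AdfsServer       = 'sso.mycompany.com'   # AD FS server reachable via PS remoting
$RelyingPartyName = 'Outlook on the web'  # display name of the relying party trust

$org      = Get-OrganizationConfig
$audience = @($org.AdfsAudienceUris | ForEach-Object { "$_" })
$thumbs   = @($org.AdfsSignCertificateThumbprints | ForEach-Object { "$_" })
Write-Output "Exchange AdfsIssuer        : $($org.AdfsIssuer)"
Write-Output "Exchange AdfsAudienceUris  : $($audience -join ', ')"
Write-Output "Exchange signing thumbprints: $($thumbs -join ', ')"

# AD FS side: relying party identifiers and the primary token-signing certificate
$adfs = Invoke-Command -ComputerName $AdfsServer -ArgumentList $RelyingPartyName -ScriptBlock {
    param($rpName)
    [pscustomobject]@{
        Identifiers = @((Get-AdfsRelyingPartyTrust -Name $rpName).Identifier)
        Thumbprint  = (Get-AdfsCertificate -CertificateType Token-Signing |
                       Where-Object { $_.IsPrimary }).Certificate.Thumbprint
    }
}

# 1. Audience URIs vs. relying party identifiers. Exact string comparison, so a
#    trailing slash present on one side and absent on the other is reported.
$onlyExchange = $audience         | Where-Object { $adfs.Identifiers -notcontains $_ }
$onlyAdfs     = $adfs.Identifiers | Where-Object { $audience -notcontains $_ }
if ($onlyExchange -or $onlyAdfs) {
    Write-Warning "Audience/identifier mismatch. Exchange only: $($onlyExchange -join ', '); AD FS only: $($onlyAdfs -join ', ')"
} else { Write-Output 'Audience URIs match the relying party identifiers.' }

# 2. Exchange must list the certificate AD FS actually signs tokens with.
if ($thumbs -notcontains $adfs.Thumbprint) {
    Write-Warning "AD FS signs with $($adfs.Thumbprint) but Exchange does not list that thumbprint."
} else { Write-Output 'Token-signing thumbprint matches.' }

# 3. Every CAS, including a newly added 2016 server, needs ADFS auth on and the
#    other methods off; otherwise users get the regular prompt instead of SSO.
$vdirs = @(Get-OwaVirtualDirectory -ADPropertiesOnly) + @(Get-EcpVirtualDirectory -ADPropertiesOnly)
foreach ($vdir in $vdirs) {
    $ok = $vdir.AdfsAuthentication -and -not $vdir.FormsAuthentication -and
          -not $vdir.BasicAuthentication -and -not $vdir.WindowsAuthentication
    $state = if ($ok) { 'OK' } else { 'CHECK' }
    Write-Output ("{0,-5} {1}: ADFS={2} Forms={3} Basic={4} Windows={5}" -f $state, $vdir.Identity,
        $vdir.AdfsAuthentication, $vdir.FormsAuthentication, $vdir.BasicAuthentication, $vdir.WindowsAuthentication)
}
```

A "CHECK" row for only the 2016 virtual directories, with everything else matching, is the pattern this thread's symptom (SSO works via 2013, plain prompt via 2016) points at.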




The URIs don't have a trailing / in both the Exchange audience URI and the ADFS trust. This works with Exchange 2013, which is the current environment. We introduced Exchange 2016 to the Exchange organization and it co-exists with 2013. If "mail.mycompany.com" points to 2013 it works. But if we point it to 2016 it doesn't.

Myshkin-1511 · in reply to Myshkin-1511


AdfsIssuer : https://sso.mycompany.com/adfs/ls
AdfsAudienceUris : {https://mail.mycompany.com/owa, https://mail.mycompany.com/ecp}
AdfsSignCertificateThumbprints : {xxxxx}
AdfsEncryptCertificateThumbprint : System.Collections.Hashtable

FYI, the thumbprint matches the thumbprint of the cert in use (again, 2013 has no issues with these settings).

AndyDavid · in reply to Myshkin-1511

I have the slashes for both.
I think that article meant " should both have or both OMIT the trailing slashes in their URLs. " lol

Did you do a SAML trace from a workstation to see if it ever attempts to connect to ADFS?
When it fails, what do the IIS logs on the 2016 server show?




Any idea what 2016 would cause for SSO to be broken? The 2013 CAS were working fine. But when one of the 2013 servers was rebooted it stopped working. Apparently, something changed after 2016 was introduced into the organization.

AndyDavid · in reply to Myshkin-1511

Are you sure the org settings weren't messed with at all?
So now the 2013 servers are getting a 401 when trying to use ADFS auth? And nothing in the ADFS logs? I.e. it's not even trying to redirect the client to use ADFS?


I think it's something within the org settings, too. Since a working CAS would not redirect after a restart, one thing that jumps to mind is the cert location settings in the organization config for ADFS.

<serviceCertificate>
  <certificateReference x509FindType="FindByThumbprint" findValue="System.Collections.Hashtable" storeLocation="LocalMachine" storeName="My" />
</serviceCertificate>

Since the signing cert is located in Root, I wonder if storeName needs to change to Root, or the signing cert should be moved to the Personal store? The TechNet article references using Set-Location to Root: "Set-Location Cert:\LocalMachine\Root; Get-ChildItem | Sort-Object Subject". Just curious if executing this would change the location in the org settings and fix it?


Apparently,

Set-OrganizationConfig -AdfsIssuer https://<FederationServiceName>/adfs/ls/ -AdfsAudienceUris "<OotwURL>","<EACURL>" -AdfsSignCertificateThumbprint "

with the same set of values that were already in place did the job. Apparently, something flipped within the organization configuration after the introduction of Exchange 2016 and the same settings had to be re-applied.
