This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Hello, been working out the steps to secure exchange server on my test network before tackling it in real life. Used this how to.
https://learn.microsoft.com/en-us/exchange/clients/outlook-on-the-web/ad-fs-claims-based-auth?view=exchserver-2019
Test network is domain controller, ADFS server, exchange server, WAP server, all windows 2019. It's all newly installed and updated.
Prior to making changes to exchange server (part6), WAP and ADFS worked with exchange server (double login, ADFS login and then Exchange login.) after changing Exchange OWA and ECP login to ADFS, i get Something went wrong error. (i am using edge in a inPrivate window)
:-(
Something went wrong
We can't get that information right now. Please try again later.
X-ClientId: A5ECFAA84B9049B9A6FB9EE0AF1BE4B8
request-id 0c43f21a-f6b3-4e3c-bd00-6cf5fc301259
X-OWA-Error Failed to load script: https://mail.MyDomain.com/owa/prem/15.2.792.3/scripts/boot.owaframe.0.mouse.js?bo=1
X-OWA-Version 15.2.792.3
X-FEServer MAILX
X-BEServer MAILX
Date:2/10/2021 6:41:18 PM
If i refresh the page, the web address changes to https://mail.mydomain.com/
interesting point is if i attempt to go to OWA on internal network, it works fine.
Basically i have run out of ideas.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(259.20000000000005, 8%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EXX%3C/text%3E%3C/svg%3E)
Hi Damion, I have the exact same issue as you do, configure WAP and ADFS, when internal access, no issue. But when add WAP in the hop, then we have the issue for boot.owaframe.0.mouse.js, wondering if you figure out a way to resolve this
Sorry, i never got back to solving this problem. We ended up moving the business to office 365. So that's kind of a solution. ;) still have the on premise exchange but use it for relaying photocopiers. sorry I don't have more info.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 67%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJS%3C/text%3E%3C/svg%3E)
Hi @20345484
What's your Exchange server and CU version?
According to your information above, you have finished all the configurations list in the official document you shared above. After that, you failed login to both Exchange OWA and ECP from external and get the error information above right? Please correct me if I have any misunderstanding about your question.
Could you please share the configuration of your OWA and ECP virtual directories? Please remember to remove your personal information
Get-EcpVirtualDirectory | FL
Get-OwaVirtualDirectory | FL
In addition, we could also check the application log on the server to get any related error logs when login failed.
If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
More info.
When i go to https://mail.MyDomain.com/ecp/?ExchClientVer=15, login as exchange admin, i actually get into exchange admin center.
When i go to https://mail.MyDomain.com/ecp login as a user, eventually i end up with the page opening with headers, but with no information.
These are the scripts I used on the exchange server to set for ADFS
Set-EcpVirtualDirectory -Identity "mailx\ecp (default web site)" -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false
Set-owaVirtualDirectory -Identity "mailx\owa (default web site)" -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false
ADFS ssl
Set-OrganizationConfig -AdfsIssuer https://adfs.MyDomain.com.com/adfs/ls/ -AdfsAudienceUris "https://mail.thegeko.com/owa/","https://mail.MyDomain.com/ecp/" -AdfsSignCertificateThumbprint "A77AF0C4E3F92E847730250A75694B12AEF0B29B"
Exchange is 2019 Version 15.2
it's on windows 2019 fully patched.
one small correction to your recap. WAP /ADFS was working prior to me making the changes on exchange server. Gave me ADFS login page and then the exchange login page. OWA would then load. After changes to exchange server it no longer work in any form outside fire wall.
Thanks
RunspaceId : 804765a5-173e-4d79-b593-b0086e22135e
AdminEnabled : True
OwaOptionsEnabled : True
Name : ecp (Default Web Site)
InternalAuthenticationMethods : {Adfs}
MetabasePath : IIS://Mailx.test.MyDomain.com/W3SVC/1/ROOT/ecp
BasicAuthentication : False
WindowsAuthentication : False
DigestAuthentication : False
FormsAuthentication : False
LiveIdAuthentication : False
AdfsAuthentication : True
OAuthAuthentication : False
DefaultDomain :
GzipLevel : Low
WebSite : Default Web Site
DisplayName : ecp
Path : E:\microsoft\exchange server\v15\FrontEnd\HttpProxy\ecp
ExtendedProtectionTokenChecking : None
ExtendedProtectionFlags : {}
ExtendedProtectionSPNList : {}
AdminDisplayVersion : Version 15.2 (Build 792.3)
Server : MAILX
InternalUrl : https://mailx.test.MyDomain.com/ecp
ExternalUrl :
ExternalAuthenticationMethods : {Fba}
AdminDisplayName :
ExchangeVersion : 0.10 (14.0.100.0)
DistinguishedName : CN=ecp (Default Web Site),CN=HTTP,CN=Protocols,CN=MAILX,CN=Servers,CN=Exchange
Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First
Organization,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=test,DC=MyDomain,DC=com
Identity : MAILX\ecp (Default Web Site)
Guid : c4a8de1c-6d0e-4985-a5d0-5ff8831fc571
ObjectCategory : test.MyDomain.com/Configuration/Schema/ms-Exch-ECP-Virtual-Directory
ObjectClass : {top, msExchVirtualDirectory, msExchECPVirtualDirectory}
WhenChanged : 2/9/2021 4:34:33 PM
WhenCreated : 2/3/2021 4:48:20 PM
WhenChangedUTC : 2/10/2021 12:34:33 AM
WhenCreatedUTC : 2/4/2021 12:48:20 AM
OrganizationId :
Id : MAILX\ecp (Default Web Site)
OriginatingServer : DC1.test.MyDomain.com
IsValid : True
ObjectState : Changed
RunspaceId : 804765a5-173e-4d79-b593-b0086e22135e
DirectFileAccessOnPublicComputersEnabled : True
DirectFileAccessOnPrivateComputersEnabled : True
WebReadyDocumentViewingOnPublicComputersEnabled : True
WebReadyDocumentViewingOnPrivateComputersEnabled : True
ForceWebReadyDocumentViewingFirstOnPublicComputers : False
ForceWebReadyDocumentViewingFirstOnPrivateComputers : False
WacViewingOnPublicComputersEnabled : True
WacViewingOnPrivateComputersEnabled : True
ForceWacViewingFirstOnPublicComputers : False
ForceWacViewingFirstOnPrivateComputers : False
RemoteDocumentsActionForUnknownServers : Block
ActionForUnknownFileAndMIMETypes : Allow
WebReadyFileTypes : {.xlsx, .pptx, .docx, .xls, .rtf, .ppt, .pps, .pdf, .dot, .doc}
WebReadyMimeTypes : {application/vnd.openxmlformats-officedocument.presentationml.pre
sentation, application/vnd.openxmlformats-officedocument.wordproc
essingml.document, application/vnd.openxmlformats-officedocument.
spreadsheetml.sheet, application/vnd.ms-powerpoint,
application/x-mspowerpoint, application/vnd.ms-excel,
application/x-msexcel, application/msword, application/pdf}
WebReadyDocumentViewingForAllSupportedTypes : True
WebReadyDocumentViewingSupportedMimeTypes : {application/msword, application/vnd.ms-excel,
application/x-msexcel, application/vnd.ms-powerpoint,
application/x-mspowerpoint, application/pdf, application/vnd.open
xmlformats-officedocument.wordprocessingml.document, application/
vnd.openxmlformats-officedocument.spreadsheetml.sheet, applicatio
n/vnd.openxmlformats-officedocument.presentationml.presentation}
WebReadyDocumentViewingSupportedFileTypes : {.doc, .dot, .rtf, .xls, .ppt, .pps, .pdf, .docx, .xlsx, .pptx}
AllowedFileTypes : {.rpmsg, .xlsx, .xlsm, .xlsb, .vstx, .vstm, .vssx, .vssm, .vsdx,
.vsdm, .tiff, .pptx, .pptm, .ppsx, .ppsm, .docx...}
AllowedMimeTypes : {image/jpeg, image/png, image/gif, image/bmp}
ForceSaveFileTypes : {.svgz, .html, .xml, .swf, .svg, .spl, .htm, .dir, .dcr}
ForceSaveMimeTypes : {Application/x-shockwave-flash, Application/octet-stream,
Application/futuresplash, Application/x-director,
application/xml, image/svg+xml, text/html, text/xml}
BlockedFileTypes : {.settingcontent-ms, .printerexport, .appcontent-ms, .appref-ms,
.vsmacros, .website, .msh2xml, .msh1xml, .diagcab, .webpnp,
.ps2xml, .ps1xml, .mshxml, .gadget, .theme, .psdm1...}
BlockedMimeTypes : {application/x-javascript, application/javascript,
application/msaccess, x-internet-signup, text/javascript,
application/prg, application/hta, text/scriplet}
RemoteDocumentsAllowedServers : {}
RemoteDocumentsBlockedServers : {}
RemoteDocumentsInternalDomainSuffixList : {}
FolderPathname :
Url : {}
LogonFormat : FullDomain
ClientAuthCleanupLevel : High
LogonPagePublicPrivateSelectionEnabled : False
LogonPageLightSelectionEnabled : False
FreCardsEnabled : True
InternalSPMySiteHostURL :
ExternalSPMySiteHostURL :
WacEditingEnabled : True
DropboxAttachmentsEnabled : True
BoxAttachmentsEnabled : True
OneDriveAttachmentsEnabled : True
GoogleDriveAttachmentsEnabled : True
ClassicAttachmentsEnabled : True
ReferenceAttachmentsEnabled : True
SaveAttachmentsToCloudEnabled : True
ThirdPartyAttachmentsEnabled : True
IsPublic : False
ExternalDownloadHostName :
InternalDownloadHostName :
FilterWebBeaconsAndHtmlForms : UserFilterChoice
NotificationInterval : 120
DefaultTheme :
UserContextTimeout : 60
ExchwebProxyDestination :
VirtualDirectoryType :
OwaVersion : Exchange2013
ServerName : MAILX
InstantMessagingCertificateThumbprint :
InstantMessagingServerName :
RedirectToOptimalOWAServer : True
DefaultClientLanguage : 0
LogonAndErrorLanguage : 0
UseGB18030 : False
UseISO885915 : False
OutboundCharset : AutoDetect
GlobalAddressListEnabled : True
OrganizationEnabled : True
ExplicitLogonEnabled : True
OWALightEnabled : True
DelegateAccessEnabled : True
IRMEnabled : True
CalendarEnabled : True
ContactsEnabled : True
TasksEnabled : True
JournalEnabled : True
NotesEnabled : True
RemindersAndNotificationsEnabled : True
PremiumClientEnabled : True
SpellCheckerEnabled : True
SearchFoldersEnabled : True
SignaturesEnabled : True
ThemeSelectionEnabled : True
JunkEmailEnabled : True
UMIntegrationEnabled : True
WSSAccessOnPublicComputersEnabled : True
WSSAccessOnPrivateComputersEnabled : True
ChangePasswordEnabled : True
UNCAccessOnPublicComputersEnabled : True
UNCAccessOnPrivateComputersEnabled : True
ActiveSyncIntegrationEnabled : True
AllAddressListsEnabled : True
RulesEnabled : True
PublicFoldersEnabled : True
SMimeEnabled : True
RecoverDeletedItemsEnabled : True
InstantMessagingEnabled : True
TextMessagingEnabled : True
ForceSaveAttachmentFilteringEnabled : False
SilverlightEnabled : True
PlacesEnabled : False
WeatherEnabled : True
LocalEventsEnabled : False
InterestingCalendarsEnabled : True
AllowCopyContactsToDeviceAddressBook : True
AnonymousFeaturesEnabled : True
IntegratedFeaturesEnabled : True
DisplayPhotosEnabled : True
SetPhotoEnabled : True
PredictedActionsEnabled : False
UserDiagnosticEnabled : False
ReportJunkEmailEnabled : True
WebPartsFrameOptionsType : SameOrigin
AllowOfflineOn : AllComputers
SetPhotoURL :
InstantMessagingType : None
Exchange2003Url :
FailbackUrl :
Name : owa (Default Web Site)
InternalAuthenticationMethods : {Adfs}
MetabasePath : IIS://Mailx.Test.MyDomain.com/W3SVC/1/ROOT/owa
BasicAuthentication : False
WindowsAuthentication : False
DigestAuthentication : False
FormsAuthentication : False
LiveIdAuthentication : False
AdfsAuthentication : True
OAuthAuthentication : False
DefaultDomain :
GzipLevel : Low
WebSite : Default Web Site
DisplayName : owa
Path : E:\microsoft\exchange server\v15\FrontEnd\HttpProxy\owa
ExtendedProtectionTokenChecking : None
ExtendedProtectionFlags : {}
ExtendedProtectionSPNList : {}
AdminDisplayVersion : Version 15.2 (Build 792.3)
Server : MAILX
InternalUrl : https://mailx.Test.MyDomain.com/owa
ExternalUrl :
ExternalAuthenticationMethods : {Fba}
AdminDisplayName :
ExchangeVersion : 0.10 (14.0.100.0)
DistinguishedName : CN=owa (Default Web
Site),CN=HTTP,CN=Protocols,CN=MAILX,CN=Servers,CN=Exchange
Administrative Group (FYDIBOHF23SPDLT),CN=Administrative
Groups,CN=First Organization,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=test,DC=MyDomain,DC=com
Identity : MAILX\owa (Default Web Site)
Guid : 79dd3416-2f2a-46c6-89f2-90c22c98da22
ObjectCategory : test.MyDomain.com/Configuration/Schema/ms-Exch-OWA-Virtual-Direc
tory
ObjectClass : {top, msExchVirtualDirectory, msExchOWAVirtualDirectory}
WhenChanged : 2/9/2021 4:35:44 PM
WhenCreated : 2/3/2021 4:48:14 PM
WhenChangedUTC : 2/10/2021 12:35:44 AM
WhenCreatedUTC : 2/4/2021 12:48:14 AM
OrganizationId :
Id : MAILX\owa (Default Web Site)
OriginatingServer : DC1.test.MyDomain.com
IsValid : True
ObjectState : Changed
Is this really blank for the Exchange Server URLs?
InternalUrl : https://mailx.test.MyDomain.com/ecp
ExternalUrl :
Also, i am using PFsense firewall, port forwarding 80 and 443 to the WAP server. I don't suspect that has anything to do with it. But just incase. the wan is a routable IP and i was lazy and didn't put WAP in a DMZ since it's just for testing the setup process. External DNS for the test domain is hosted at go daddy. there is an email entry, smtp entry, and adfs entry.
weird, i just double checked and yes it's blank.
Enter the correct external URL for that and OWA if is missing then IISRESET and test.
i added those two entries in exchange. i login to adfs, it transfers me to exchange OWA and i get the "still working on it"
after 3 or 4 min. it must time out and gives me the "something went wrong" error message
Can you post the exact message?
Also, whats in the ADFS logs that matches up with the failures.
there are no errors on the ADFS server.
on the web page i eventually get this message.
:-(
Something went wrong
We can't get that information right now. Please try again later.
X-ClientId: 86BA272B9E0B49EFADCC955B598BB7F7
request-id 9b9541b4-416a-4b39-ae7e-1ab9619f42c2
X-OWA-Error Failed to load script: https://mail.MyDomain.com/owa/prem/15.2.792.3/scripts/boot.owaframe.0.mouse.js?bo=1
X-OWA-Version 15.2.792.3
X-FEServer MAILX
X-BEServer MAILX
Date:2/11/2021 10:01:14 PM
Fewer details...
Refresh the page
if i hit refresh, i get 404 can't be found. the address is changed to mail.MyDomain.com
it drops the OWA from the end.
Can you reverse everything and start over? And by reverse, I mean just the Step 6.
Set back to forms auth or whatever it was set to before, Test that it works again- then reset to ADFS auth
Be sure to follow the exact steps in reverse. IOW, Undo OWA m then EAC , then IISRESET and test.
IF that works, re-so Step 6.
Rolled back exchange using these two scripts
Set-owaVirtualDirectory -Identity "mailx\owa (default web site)" -AdfsAuthentication $true -BasicAuthentication $true -DigestAuthentication $false -FormsAuthentication $true -WindowsAuthentication $false
Set-EcpVirtualDirectory -Identity "mailx\ecp (default web site)" -AdfsAuthentication $false -BasicAuthentication $true -DigestAuthentication $false -FormsAuthentication $true -WindowsAuthentication $false
Then redirected 443 and 80 to exchange server. form shows up and i can login in to OWA and retrieve email. I then directed my fire wall back to WAP. I get ADFS sign in screen. I login. and then OWA form sign in shows up, i sign in. it still says working on it and never shows the mail box.
I started over at 6 with the certificate. i'm assuming it was fine because i fixed that before and have seen those errors.
set-OrganizationConfig -AdfsIssuer https://adfs.MyDomain.com/adfs/ls/ -AdfsAudienceUris "https://mail.MyDomain.com/owa/","https://mail.thegeko.com/ecp/" -AdfsSignCertificateThumbprint "A77AF0C4E3F92E8477302jd45694B12Akd3B29B"
Set-EcpVirtualDirectory -Identity "mailx\ecp (default web site)" -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false
Set-owaVirtualDirectory -Identity "mailx\owa (default web site)" -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false
Do you meet all the firewall requirements? With all the port forwarding, I am wondering...
https://www.petenetlive.com/KB/Article/0001546
Firewall Requirements
The WAP server either needs a Static public IP address that is registered in public DNS to the URLS you will be pointing to it, or HTTPS port forwarding form the firewalls outside IP address to the internal IP of the WAP server, (if you don’t have spare public IP addresses).
WAP Server requires TCP Port 443 (HTTPS) open TO it from the outside world.
WAP Server requires TCP Port 443 (HTTPS) open FROM it to BOTH the exchange server and the ADFS Server.
Confirming...
godaddy DNS has both ADFS and mail DNS entries. 443 and 80 are forwarded to WAP. WAP is connecting to ADFS and Exchange, because when i enter mail.MyDomain.com i get the ADFS login, (am i correct in assuming that comes from ADFS?) Then when i login in, i was getting the OWA login screen. (Until i changed exchange to ADFS login.)
Does godaddy need a WAP entry?
Really hard to know from here what is going on. Seems like a FW issue of course, but hard to know., You could always do a fiddler trace and see if that reveals anything.
I would also point out that Microsoft doc to ensure you set the proxy endpoints
Note: All AD FS endpoints that you want to publish through Web Application Proxy need to be proxy enabled. You do this in the AD FS Management console at Service > Endpoints (verify that Proxy Enabled is Yes for the specified endpoint).