1 Vote
MikkelAndreasenModuloApS-9560 asked ·

Error configuring OAuth from Exchange 2016 (AADSTS700027)

Hi,
I'm in the process of configuring OAuth from an on-premises Exchange 2016 CU19+ install to in order to have calendar integration within Microsoft Teams.
The HCW wizard has completed successfully, but no calendar tab is visible within the Teams client (thick or web - same issue).

I've tested with

 Test-OAuthConnectivity -Service EWS -TargetUri https://outlook.office365.com/ews/exchange.asmx -Mailbox mailbox@localdomain.tld 

And the error is

AADSTS700027: Client assertion contains an invalid signature. [Reason - The key was not found., Thumbprint of key used by client: xxxxxxxxx

I've tried verifying the certificate used for OAuth and it looks OK.

Running this command I've saved the certificate and compared it to the thumbprint from get-authConfig - they match and have not expired

 Get-MsolServicePrincipalCredential -ServicePrincipalName "00000002-0000-0ff1-ce00-000000000000" -ReturnKeyValues $true

I'm kind of stumped as to how to solve this issue.


office-exchange-server-administration
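
Added example, not part of the original post: one way to script the comparison the question describes, listing the certificate Exchange signs with next to the keys registered on the service principal. It assumes the Exchange Management Shell with the MSOnline module already connected, and only reads configuration.

```powershell
# Added example: read-only comparison of the on-premises OAuth certificate
# with the keys Azure AD holds for the Exchange service principal.
# Assumes Connect-MsolService has already been run in this session.
$spn = '00000002-0000-0ff1-ce00-000000000000'   # service principal name from the post

# Certificate Exchange uses to sign the client assertion
$localThumb = (Get-AuthConfig).CurrentCertificateThumbprint
$localCert  = Get-ExchangeCertificate -Thumbprint $localThumb

# Keys registered in Azure AD, decoded from base64 into X.509 objects
$cloudKeys = Get-MsolServicePrincipalCredential -ServicePrincipalName $spn -ReturnKeyValues $true |
    Where-Object { $_.Type -eq 'Asymmetric' -and $_.Value } |
    ForEach-Object {
        $raw  = [Convert]::FromBase64String($_.Value)
        # The leading comma passes the byte array as a single constructor argument
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$raw)
        [pscustomobject]@{
            KeyId      = $_.KeyId
            Thumbprint = $cert.Thumbprint
            StartDate  = $_.StartDate
            EndDate    = $_.EndDate
        }
    }

# A key is usable only if its thumbprint equals the local signing certificate's
$match = @($cloudKeys | Where-Object { $_.Thumbprint -eq $localThumb })

[pscustomobject]@{
    LocalThumbprint   = $localThumb
    LocalNotBefore    = $localCert.NotBefore
    LocalNotAfter     = $localCert.NotAfter
    RegisteredInCloud = ($match.Count -gt 0)
    CloudKeyEndDate   = ($match | Select-Object -First 1).EndDate
    CloudKeyCount     = @($cloudKeys).Count
}
```

The thumbprint reported in the AADSTS700027 message can be checked against `LocalThumbprint` and the `Thumbprint` column of `$cloudKeys` in the same way.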

1 Vote
AndyDavid answered ·

0 Votes
MikkelAndreasenModuloApS-9560 answered ·

Wow! That was quick.

I've already tried the test connectivity, and that gives the following error

The specified user mailbox is marked as undiscoverable by the Teams middle-tier service.


Running through the troubleshooting tips from https://docs.microsoft.com/en-us/microsoftteams/troubleshoot/known-issues/teams-exchange-interaction-issue
I get to step number two
Invoke-RestMethod -Uri "https://autodiscover.domain.tld/autodiscover/autodiscover.json?Email=mymailbox@domain.tld&Protocol=EWS&RedirectCount=5" -UserAgent Teams

Running it from a computer within the domain I get the following error
78888-image.png



Running the same command from a computer outside of the Windows domain, it completes as expected



0 Votes
AndyDavid answered ·

Hmmm, I wonder if you should open a ticket with 365 support. I haven't seen that one before.


0 Votes
MikkelAndreasenModuloApS-9560 answered ·

Doing the invoke-restmethod failed, but I've tried the same URI from a regular browser, and that completes as expected
78808-image.png



I was looking through the next step, https://testconnectivity.microsoft.com/tests/TeamsCalendarMissing/input
but cannot quite figure out how to do it as I have NO on-line mailboxes. Only On-premises.

We actually do not need the hybrid configuration - only OAuth, but that is the supported way of configuring it so we completed the HCW.



0 Votes
EricYin-MSFT answered ·

0 Votes
MikkelAndreasenModuloApS-9560 answered ·

Thank you all for your suggestions - I've gotten a bit further
- OAuth is now working. Found an error in the WindowsAzureACS AuthServer configuration.
- The Invoke-RestMethod -Uri "https://autodiscover.domain.tld/autodiscover/autodiscover.json?Email=mymailbox@domain.tld&Protocol=EWS&RedirectCount=5" -UserAgent Teams is working as well. Turned out to be a client-side issue. With only TLS 1.2 enabled on the Exchange server I needed to force my PowerShell client to use TLS 1.2 as well.

Unfortunately the issue with the Teams client persists, and I've opened a case with Microsoft - I'll make sure to update this thread once it has been resolved. It may help others facing the same issue.

/mikkel
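
Added example, not part of the original post: a way to confirm that a failing autodiscover call is a client-side TLS version mismatch, by running the same request once with the session's default protocols and once with TLS 1.2 forced. It assumes Windows PowerShell 5.1 on .NET Framework; `Invoke-AutodiscoverProbe` is a hypothetical helper name and the URI is the placeholder from the post.

```powershell
# Added example for Windows PowerShell 5.1 (.NET Framework).
# Replace domain.tld and the mailbox address with real values.
$uri = 'https://autodiscover.domain.tld/autodiscover/autodiscover.json?Email=mymailbox@domain.tld&Protocol=EWS&RedirectCount=5'

function Invoke-AutodiscoverProbe {   # hypothetical helper, not an Exchange cmdlet
    param([string]$Uri)
    try {
        $r = Invoke-RestMethod -Uri $Uri -UserAgent Teams -ErrorAction Stop
        [pscustomobject]@{ Success = $true; Detail = ($r | ConvertTo-Json -Compress) }
    } catch {
        # A protocol mismatch usually surfaces here as a secure channel error
        [pscustomobject]@{ Success = $false; Detail = $_.Exception.Message }
    }
}

# Protocols this session offers before any change
$original = [Net.ServicePointManager]::SecurityProtocol

# Attempt 1: session defaults
$before = Invoke-AutodiscoverProbe -Uri $uri

# Attempt 2: TLS 1.2 only, scoped to this session and restored afterwards
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
try {
    $after = Invoke-AutodiscoverProbe -Uri $uri
} finally {
    [Net.ServicePointManager]::SecurityProtocol = $original
}

[pscustomobject]@{
    DefaultProtocols = $original
    DefaultResult    = $before.Detail
    Tls12Result      = $after.Detail
    LikelyTlsIssue   = (-not $before.Success -and $after.Success)
}
```

The change lasts only for the current session. On .NET Framework clients the machine-wide equivalent is the `SchUseStrongCrypto` setting.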




Hi,
Any updates till now?
Thanks in advance for your information.

0 Votes 0 ·

Unfortunately not as of yet.
Working with o365 support on it, but so far I've just run various scripts to verify the configuration. They did ask me to update to the very latest CU (from March 16th) - I've asked for clarification on that as CU19 should be fully supported still, and we are not in the habit of installing CU so soon after publication.

/mikkel

0 Votes 0 ·
GavinRoss-3568 MikkelAndreasen-8266 ·

Were you able to resolve this issue? We had no issues with the calendar not showing with our users, but recently we have started to have this problem. Some work and some don't. All new users have this issue and we cannot seem to figure out why this is happening.

0 Votes 0 ·