0 Votes
djtheri asked djtheri commented

Using ADFS & Azure MFA for Exchange 2019 OWA/ECP On-Premise

Hi,
So, I have a working ADFS 2019 Server, fronted by a WAP 2019 Server, that is currently working to serve requests for an on-premise Exchange 2019 Server for OWA/ECP.

I'm trying to add Azure MFA to my ADFS authentication for OWA mainly, using Azure Active Directory Free which is included with my Office365 subscription.

My domain is federated & when I authenticate to Office365 with a user I have assigned to use MFA, they are properly asked & able to authenticate using Azure MFA, but the same doesn't happen for my OWA/ECP connections & I get this error after entering in my email only:

 •    Activity ID: 3f40b225-b4f0-41c4-5500-0080020000c1
 •    Relying party: Mail - OWA
 •    Error details: Exception calling SAS.
 •    Node name: 67599f4b-8fec-4830-8baa-b6baffd154d5
 •    Error time: Wed, 22 Sep 2021 20:21:13 GMT
 •    Cookie: enabled
 •    User agent string: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36 Edg/93.0.961.52

This is the associated error on my ADFS server:

 Encountered error during federation passive request.

 Additional Data

 Protocol Name:
 wsfed

 Relying Party:
 https://xxx.com/owa/

 Exception details:
 System.Exception: Exception calling SAS. ---> System.Net.WebException: The remote server returned an error: (401) Unauthorized.
 at System.Net.HttpWebRequest.GetResponse()
 at Microsoft.IdentityServer.Aad.Sas.HttpClientHelper.PostXml[TRequest,TResponse](String url, TRequest request, Action`1 httpRequestModifier)
 at Microsoft.IdentityServer.Aad.Sas.RealSasProvider.GetAvailableAuthenticationMethods(GetAvailableAuthenticationMethodsRequest request)
 at Microsoft.IdentityServer.Adapter.AzureMfa.PrimaryAuthenticationAdapter.ProcessUsernameOathCodePin(IAuthenticationContext authContext, IProofData proofData, Claim[]& outgoingClaims)
 --- End of inner exception stack trace ---
 at Microsoft.IdentityServer.Adapter.AzureMfa.PrimaryAuthenticationAdapter.ProcessUsernameOathCodePin(IAuthenticationContext authContext, IProofData proofData, Claim[]& outgoingClaims)
 at Microsoft.IdentityServer.Adapter.AzureMfa.PrimaryAuthenticationAdapter.TryEndAuthentication(IAuthenticationContext authContext, IProofData proofData, HttpListenerRequest request, Claim[]& outgoingClaims)
 at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandlerBase.TryEndAuthentication(IAuthenticationContext authContext, IProofData proofData, HttpListenerRequest request, Claim[]& adapterClaims)
 at Microsoft.IdentityServer.Web.Authentication.Azure.AzurePrimaryAuthenticationHandler.Process(ProtocolContext context)
 at Microsoft.IdentityServer.Web.Authentication.AuthenticationOptionsHandler.Process(ProtocolContext context)
 at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

 System.Net.WebException: The remote server returned an error: (401) Unauthorized.
 at System.Net.HttpWebRequest.GetResponse()
 at Microsoft.IdentityServer.Aad.Sas.HttpClientHelper.PostXml[TRequest,TResponse](String url, TRequest request, Action`1 httpRequestModifier)
 at Microsoft.IdentityServer.Aad.Sas.RealSasProvider.GetAvailableAuthenticationMethods(GetAvailableAuthenticationMethodsRequest request)
 at Microsoft.IdentityServer.Adapter.AzureMfa.PrimaryAuthenticationAdapter.ProcessUsernameOathCodePin(IAuthenticationContext authContext, IProofData proofData, Claim[]& outgoingClaims)

Lastly, these are the steps I followed to configure my ADFS server for Azure MFA.

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa

Thinking it's something in the claim issuance I need to adjust, but I'm not exactly sure what?


0 Votes
sikumars-msft answered djtheri edited

Hello @djtheri,

Thanks for reaching out and apologies for the delayed response.

Looking at the above error message, it seems to be related to the "Azure MFA Certificates" which are used by AD FS for authenticating, so if the Azure MFA certificate has expired then you may get (401) Unauthorized.

I would recommend you check the validity period of the Azure MFA certificate on each AD FS server to determine the expiration date. If you find it expired then create a new certificate, or if it is nearing its expiry date then renew it per this guidance.

Hope this helps
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

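As an added example (not code from this thread or from Microsoft's documentation), the certificate check the answer above recommends, written as a PowerShell script to run on each AD FS server. It assumes the adapter certificate is stored in LocalMachine\My with the subject format "CN=<tenantId>, OU=Microsoft AD FS Azure MFA" produced by New-AdfsAzureMfaTenantCertificate, and the 30-day warning threshold is a value chosen here.

```powershell
# Added example: report the validity of the Azure MFA tenant certificate that the
# AD FS Azure MFA adapter uses when it calls the Azure MFA service (SAS).
# Assumption: the certificate lives in LocalMachine\My with subject
# "CN=<tenantId>, OU=Microsoft AD FS Azure MFA" (as created by
# New-AdfsAzureMfaTenantCertificate). Run elevated on every AD FS node in the farm.

$warnDays = 30   # chosen threshold for "nearing expiry"; adjust to your renewal window

# Is the Azure MFA adapter registered on this node at all?
$mfaConfigured = Get-AdfsAzureMfaConfigured
Write-Host "Azure MFA adapter configured on $env:COMPUTERNAME: $mfaConfigured"

$certs = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like '*OU=Microsoft AD FS Azure MFA*' }

if (-not $certs) {
    Write-Warning "No Azure MFA tenant certificate found in LocalMachine\My on $env:COMPUTERNAME."
    Write-Host "Create one with: New-AdfsAzureMfaTenantCertificate -TenantId <tenantId>"
    return
}

$now = Get-Date
foreach ($c in $certs) {
    # The subject CN is the Azure AD tenant ID the certificate was issued for.
    $tenantId = (($c.Subject -split ',')[0]) -replace '^CN=', ''
    $daysLeft = [math]::Floor(($c.NotAfter - $now).TotalDays)

    [pscustomobject]@{
        Server        = $env:COMPUTERNAME
        TenantId      = $tenantId
        Thumbprint    = $c.Thumbprint
        NotBefore     = $c.NotBefore
        NotAfter      = $c.NotAfter
        DaysRemaining = $daysLeft
        HasPrivateKey = $c.HasPrivateKey   # the adapter signs its SAS requests with this key
    } | Format-List

    if ($c.NotAfter -lt $now) {
        Write-Warning "Certificate $($c.Thumbprint) has EXPIRED (the answer above attributes the 401 from SAS to this)."
        Write-Host "Renew with: New-AdfsAzureMfaTenantCertificate -TenantId $tenantId -Renew `$true"
    } elseif ($daysLeft -le $warnDays) {
        Write-Warning "Certificate $($c.Thumbprint) expires in $daysLeft days; renew it before then."
    }
    if (-not $c.HasPrivateKey) {
        Write-Warning "Certificate $($c.Thumbprint) has no private key on this node; the adapter cannot use it."
    }
}
```

Because the certificate is per node, a farm where only some servers have renewed will fail intermittently depending on which node the WAP forwards the request to.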

I'm not so sure that's right. As I mentioned I am able to use Azure MFA for O365 authentications without a problem and I'd think this error would come up there too.

0 Votes

Thanks for the update.

Wondering how you configured MFA for the O365 federated user in the working scenario, from Azure AD or on ADFS? Because the Azure MFA adapter for AD FS enables users to do MFA on AD FS when the respective "Relying Party" or users are part of the MFA condition. Let's say you had configured MFA for the user directly in Azure AD or through Conditional Access; then the user always performs MFA directly in the cloud rather than through the ADFS MFA adapter for federated users, so I'm guessing that could be the reason why MFA works for the cloud scenario and fails for the on-premises application (Exchange) in your setup.

To verify this, run the following cmdlet from the ADFS server and share the output with me: Get-MsolDomainFederationSettings -DomainName "contoso.com"

In addition to that, could you please confirm the current active "Office365 subscription"? Because the ADFS MFA setup requires an Azure AD Premium license, which is included in Microsoft 365 Business Premium, EMS, Microsoft 365 E3 and E5 licenses.

0 Votes
djtheri, replying to sikumars-msft:

I configured this on my ADFS. The steps I took to configure this, were in this document:

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa

I tried to run your command, first running Connect-MsolService, but it keeps returning nothing. I did get an error before connecting, but now nothing.

On your last question, we have Azure Active Directory Free, which was included with our Microsoft 365 licensing. It's working for O365, so I don't think this is licensing. From what I see, I should have full access according to this:

https://www.microsoft.com/en-us/security/business/identity-access-management/azure-ad-pricing

0 Votes
1 Vote
mohameehussien-4660 answered djtheri commented

I am facing the same issue!!

Any suggestion please?


Let me know if you find an answer. Upvote the question so it gets more attention!

0 Votes