Exchange 2013 OWA SSO using ADFS 3.0

  • Question

  • Single Sign On is not working for Exchange 2013 CU12 OWA. I am trying it for the first time.

    My environment has one DC collocated with ADFS 3.0, and Exchange 2013 CU12 and Exchange 2016 CU1 on separate VM boxes.

    I have followed the TechNet article https://technet.microsoft.com/en-us/library/dn635116%28v=exchg.150%29.aspx and I am getting the event ID below. However, I have configured my Relying Party as Https://Mail.contoso.local/owa but I am seeing https://localhost/owa in the event ID. I am not sure why it is not redirecting to the right URL. DC time is synced with the Exchange server in the domain. Windows Firewall

    When I try to browse https://mail.contoso.local/owa I get a credential prompt from the ADFS server; when I enter the credentials I get 400 Bad Request, and when I check the ADFS event ID I see the error below. No error is found on the Exchange server. I have recreated the relying party trust and claim rule and rebooted the ADFS server and Exchange servers, same issue. Currently I want Exchange 2013 OWA single sign on to be working internally; any help is much appreciated.


    Log Name:      AD FS/Admin
    Source:        AD FS
    Date:          4/15/2016 5:19:57 AM
    Event ID:      364
    Task Category: None
    Level:         Error
    Keywords:      AD FS
    User:          CONTOSO\AdfsService
    Computer:      FQDN.Contoso.Local
    Description:
    Encountered error during federation passive request.

    Additional Data

    Protocol Name:
    wsfed

    Relying Party:
    https://localhost/owa/

    Exception details:
    Microsoft.IdentityServer.Web.InvalidScopeException: MSIS7007: The requested relying party trust 'https://localhost/owa/' is unspecified or unsupported. If a relying party trust was specified, it is possible that you do not have permission to access the trust relying party. Contact your administrator for details.
       at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationSignInContext.Validate()
       at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.GetRequiredPipelineBehaviors(ProtocolContext pContext)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)


    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="AD FS" Guid="{2FFB687A-1571-4ACE-8550-47AB5CCAE2BC}" />
        <EventID>364</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000001</Keywords>
        <TimeCreated SystemTime="2016-04-15T09:19:57.357321000Z" />
        <EventRecordID>1149</EventRecordID>
        <Correlation ActivityID="{00000000-0000-0000-1D00-0080010000D9}" />
        <Execution ProcessID="7000" ThreadID="6424" />
        <Channel>AD FS/Admin</Channel>
        <Computer>pnwvads1001.Contoso.Local</Computer>
        <Security UserID="S-1-5-21-2436829481-2076273062-547070292-1157" />
      </System>
      <UserData>
        <Event xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
          <EventData>
            <Data>wsfed</Data>
            <Data>https://localhost/owa/</Data>
            <Data>Microsoft.IdentityServer.Web.InvalidScopeException: MSIS7007: The requested relying party trust 'https://localhost/owa/' is unspecified or unsupported. If a relying party trust was specified, it is possible that you do not have permission to access the trust relying party. Contact your administrator for details.
       at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationSignInContext.Validate()
       at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.GetRequiredPipelineBehaviors(ProtocolContext pContext)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

    </Data>
          </EventData>
        </Event>
      </UserData>
    </Event>


    Lakz


    • Edited by Lakz Friday, April 15, 2016 10:29 AM
    Friday, April 15, 2016 10:10 AM

Answers

  • Hi Lakz,

    You can try the following method and check if it helps:

    • Open the AD FS management console
    • Go to the Relying Party Trusts
    • Right-click the relying party trust definition, select "Properties"
    • In the dialog presented, select the "Identifiers" tab
    • Copy the right URL: "Https://Mail.contoso.local/owa"
    • Paste that into the "Relying Party Identifier" text box, click "Add".

    Best regards,



    Niko Cheng
    TechNet Community Support

    • Proposed as answer by Niko.Cheng Friday, May 6, 2016 2:29 AM
    • Marked as answer by Niko.Cheng Friday, May 6, 2016 2:29 AM
    Saturday, April 23, 2016 7:59 AM

All replies

  • Why are you using .local in the address?
    Are you able to browse with FQDN successfully with the credential?

    Cheers,

    Gulab Prasad

    Technology Consultant


    Sunday, April 17, 2016 12:27 PM
  • Did you follow the steps in Step #3?


    Monday, April 18, 2016 1:29 AM
  • Did you modify the log? Curious why the request is coming from https://localhost/owa/ as this is an invalid name that would not be on your SSL certificate.

    One other item. It is strongly recommended to not install ADFS on a DC. See this article.
    https://technet.microsoft.com/en-us/library/cc778681(WS.10).aspx



    Monday, April 18, 2016 3:44 AM
  • I'm having the same problem.

    I have confirmed that I have exactly the same URLs for OWA and ECP in the Exchange Admin Centre and the ADFS Relying Party identifier.

    Tuesday, October 18, 2016 7:15 PM
  • Same here with Exchange 2013 and AD FS on Server 2016. Has anyone found a resolution?
    Friday, November 11, 2016 3:34 PM
  • Hi Guys,

    I am facing the same issue. I am trying to SSO with Exchange 2016 + ADFS 2016 and getting the same issue:

    Encountered error during federation passive request. 

    Additional Data 

    Protocol Name: 
    wsfed 

    Relying Party: 
    https://localhost/owa/ 

    Exception details: 
    Microsoft.IdentityServer.Web.InvalidScopeException: MSIS7007: The requested relying party trust 'https://localhost/owa/' is unspecified or unsupported. If a relying party trust was specified, it is possible that you do not have permission to access the trust relying party. Contact your administrator for details.
       at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationSignInContext.ValidateCore()

    The relying party trust definition has the correct address.

    Has anyone solved this issue?

    Regards,

    Kamlesh Bhatt

     
    Saturday, November 26, 2016 3:33 PM
  • Hi Kamlesh,

    I have created a Microsoft support-call with my Exchange 2013 and AD FS 2016 problems. Microsoft answered me that there are compatibility issues with Exchange 2013 and AD FS 2016. Because of this issue and the issue described in this article https://blogs.technet.microsoft.com/pie/2016/10/23/adfs-2016-cannot-addupdate-relying-party-from-the-gui-from-metadata-files/ we decided to downgrade to Server 2012 R2 (AD FS 3.0). Now everything works pretty fine.

    Regards,

    soch234 

     

    Monday, November 28, 2016 7:56 AM
  • I know this is a reply to an old issue, but I just ran into the same issue and I was able to solve it by simply adding https://localhost/owa/ as an identifier on my relying party trust for OWA (under Identifiers and Relying Party Identifier).

    Maybe this can solve and remove the issue for others as well.


    • Proposed as answer by KimMatthiesen Wednesday, December 13, 2017 10:04 AM
    • Edited by KimMatthiesen Wednesday, December 13, 2017 10:05 AM
    Wednesday, December 13, 2017 10:04 AM
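The accepted answer edits the identifier list on the AD FS relying party trust by hand, and the last reply works around MSIS7007 by adding https://localhost/owa/ to that list. The script below is an added example, not code from this thread or from Microsoft: run in an elevated PowerShell on the AD FS 3.0 server, it reads the trust's identifiers with the ADFS module, compares them with the audience URIs Exchange is configured to send (the AdfsAudienceUris value set in Step 3 of the TechNet article, captured on the Exchange side with `(Get-OrganizationConfig).AdfsAudienceUris`), reports each audience as an exact match, a match only after normalising case and trailing slash, or missing, and flags identifiers on the trust that Exchange never sends, such as the loopback name. The trust display name 'Outlook Web App' and the audience list in the parameters are placeholders, not values from the thread beyond the contoso.local hostname.

```powershell
<#
  Added example (not from this thread or from Microsoft).
  Cross-checks AD FS relying party trust identifiers against the audience URIs
  Exchange sends, so a mismatch can be fixed on the correct side instead of
  loosening the identifier list with https://localhost/owa/.
  Assumptions: trust name and audience list below are placeholders; the ADFS
  module is available (AD FS 3.0 on Windows Server 2012 R2).
#>
param(
    [string]   $RelyingPartyName     = 'Outlook Web App',   # assumption: display name of the OWA trust
    [string[]] $ExchangeAudienceUris = @(                   # placeholder: paste the real AdfsAudienceUris here
        'https://mail.contoso.local/owa/',
        'https://mail.contoso.local/ecp/'
    )
)

# Canonical form used only for the "near miss" report: lower-case scheme and host,
# path with exactly one trailing slash. Non-URI identifiers are just lower-cased.
function ConvertTo-CanonicalUri {
    param([string] $Uri)
    $parsed = $null
    if ([System.Uri]::TryCreate($Uri.Trim(), [System.UriKind]::Absolute, [ref] $parsed)) {
        $path = $parsed.AbsolutePath.TrimEnd('/') + '/'
        return ('{0}://{1}{2}' -f $parsed.Scheme, $parsed.Host, $path).ToLowerInvariant()
    }
    return $Uri.Trim().ToLowerInvariant()
}

function Compare-RelyingPartyIdentifiers {
    param([string[]] $AdfsIdentifiers, [string[]] $ExchangeAudienceUris)

    $adfsCanon = @($AdfsIdentifiers | ForEach-Object { ConvertTo-CanonicalUri $_ })
    $audCanon  = @($ExchangeAudienceUris | ForEach-Object { ConvertTo-CanonicalUri $_ })

    # One row per audience Exchange sends. Only an exact string match is treated as safe;
    # a match after normalisation is reported separately so the admin can decide.
    $rows = foreach ($aud in $ExchangeAudienceUris) {
        $status = if ($AdfsIdentifiers -ccontains $aud)                       { 'ExactMatch' }
                  elseif ($adfsCanon -contains (ConvertTo-CanonicalUri $aud)) { 'MatchesOnlyAfterNormalization' }
                  else                                                        { 'Missing' }
        [pscustomobject]@{ Uri = $aud; Status = $status; Note = 'sent by Exchange (AdfsAudienceUris)' }
    }

    # One row per identifier on the trust that Exchange never sends. A loopback name
    # like https://localhost/owa/ is the workaround from this thread; it is not the
    # published OWA URL and would not be on the server certificate, so call it out.
    $extra = foreach ($id in $AdfsIdentifiers) {
        $canon = ConvertTo-CanonicalUri $id
        if ($audCanon -contains $canon) { continue }
        $note = if ($canon -match '://(localhost|127\.0\.0\.1)(:\d+)?/') {
                    'loopback identifier: workaround, not the published OWA URL; confirm it is intended'
                } else { 'not in Exchange AdfsAudienceUris' }
        [pscustomobject]@{ Uri = $id; Status = 'UnexpectedIdentifier'; Note = $note }
    }

    return @($rows) + @($extra)
}

$trust = Get-AdfsRelyingPartyTrust -Name $RelyingPartyName
if (-not $trust) { throw "No relying party trust named '$RelyingPartyName' was found." }

$findings = Compare-RelyingPartyIdentifiers -AdfsIdentifiers @($trust.Identifier) `
                                            -ExchangeAudienceUris $ExchangeAudienceUris
$findings | Format-Table -AutoSize

# Remediation for a 'Missing' audience: add the URL Exchange really sends to the trust
# (the GUI steps in the accepted answer do the same). Uncomment to apply.
# $missing = $findings | Where-Object Status -eq 'Missing' | Select-Object -ExpandProperty Uri
# if ($missing) {
#     Set-AdfsRelyingPartyTrust -TargetName $RelyingPartyName -Identifier (@($trust.Identifier) + @($missing))
# }
```

Run it before and after editing the trust; an audience that only matches after normalisation is worth correcting to the exact string Exchange sends rather than relying on how AD FS compares it, and a trust whose only match for the wtrealm in the event log is a loopback identifier tells you the Exchange side is still sending https://localhost/owa/, which is the value to chase.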