Exchange 2010 Federation OrgRelationship 401 unauthorized

  • Question

  • Hi,

    we successfully set up a FederationTrust.

    RunspaceId : f7e5b393-93cd-4ed5-b07a-39c7d0baaa44
    Id         : FederationTrustConfiguration
    Type       : Success
    Message    : FederationTrust object in ActiveDirectory is valid.
    
    RunspaceId : f7e5b393-93cd-4ed5-b07a-39c7d0baaa44
    Id         : FederationMetadata
    Type       : Success
    Message    : The federation trust contains the same certificates published by the security token service in its federation m
                 etadata.
    
    RunspaceId : f7e5b393-93cd-4ed5-b07a-39c7d0baaa44
    Id         : StsCertificate
    Type       : Success
    Message    : Valid certificate referenced by property TokenIssuerCertificate in the FederationTrust object.
    
    RunspaceId : f7e5b393-93cd-4ed5-b07a-39c7d0baaa44
    Id         : StsPreviousCertificate
    Type       : Success
    Message    : Valid certificate referenced by property TokenIssuerPrevCertificate in the FederationTrust object.
    
    RunspaceId : f7e5b393-93cd-4ed5-b07a-39c7d0baaa44
    Id         : OrganizationCertificate
    Type       : Success
    Message    : Valid certificate referenced by property OrgPrivCertificate in the FederationTrust object.
    
    RunspaceId : f7e5b393-93cd-4ed5-b07a-39c7d0baaa44
    Id         : OrganizationPreviousCertificate
    Type       : Success
    Message    : Valid certificate referenced by property OrgPrevPrivCertificate in the FederationTrust object.
    
    RunspaceId : f7e5b393-93cd-4ed5-b07a-39c7d0baaa44
    Id         : TokenRequest
    Type       : Success
    Message    : Request for delegation token succeeded.
    
    RunspaceId : f7e5b393-93cd-4ed5-b07a-39c7d0baaa44
    Id         : TokenValidation
    Type       : Success
    Message    : Requested delegation token is valid.

    I also created an OrgRelationship for our PartnerCompany.
    When I start the Test-OrganizationRelationship cmdlet I get an error "401 Unauthorized". The partner TMG doesn't block these requests. We see in the TMG logs that the traffic is allowed. The error comes directly from the partner Exchange 2010 server.

    The websites /Autodiscover and /EWS are set to {Basic, Ntlm, WindowsIntegrated, WSSecurity} and Anonymous Auth is also enabled.

    VERBOSE: [14:40:14.592 GMT] Test-OrganizationRelationship : Active Directory session settings for
    'Test-OrganizationRelationship' are: View Entire Forest: 'False', Default Scope: 'ttcon.local', Configuration Domain
    Controller: 'DC02.ourownintdomain.local', Preferred Global Catalog: 'DC01.ourownintdomain.local', Preferred Domain Controllers: '{
    TTEL-DC01.ttcon.local }'
    VERBOSE: [14:40:14.592 GMT] Test-OrganizationRelationship : Runspace context: Executing user: intdomain.local/Company/Department/Schmidtke, Jörg (Domainadmin), Executing user organization: , Current organization: , RBAC-enabled: Enabled.
    VERBOSE: [14:40:14.592 GMT] Test-OrganizationRelationship : Beginning processing &
    VERBOSE: [14:40:14.592 GMT] Test-OrganizationRelationship : Instantiating handler with index 0 for cmdlet extension agent
    "Admin Audit Log Agent".
    VERBOSE: [14:40:14.592 GMT] Test-OrganizationRelationship : Current ScopeSet is: { Recipient Read Scope: {{, }}, Recipient
    Write Scopes: {{, }}, Configuration Read Scope: {{, }}, Configuration Write Scope(s): {{, }, }, Exclusive Recipient
    Scope(s): {}, Exclusive Configuration Scope(s): {} }
    VERBOSE: [14:40:14.592 GMT] Test-OrganizationRelationship : Searching objects "jschmidtke@extdomain.de" of type
    "ADUser" under the root "$null".
    VERBOSE: [14:40:14.608 GMT] Test-OrganizationRelationship : Previous operation run on global catalog server 'DC01.intdomain.local'.
    VERBOSE: [14:40:14.608 GMT] Test-OrganizationRelationship : Searching objects "agens" of type "OrganizationRelationship"
    under the root "$null".
    VERBOSE: [14:40:14.608 GMT] Test-OrganizationRelationship : Previous operation run on domain controller 'DC02.intdomain.local'.
    VERBOSE: Test that organization relationships are properly configured.
    VERBOSE: [14:40:14.608 GMT] Test-OrganizationRelationship : Resolved current organization: .
    VERBOSE: [14:40:14.623 GMT] Test-OrganizationRelationship : Calling the Microsoft Exchange Autodiscover service for the
    remote federation information.
    VERBOSE: [14:40:14.858 GMT] Test-OrganizationRelationship : The Microsoft Exchange Autodiscover service failed to be called
    at 'https://mail.federatedpartner.de/EWS/Exchange.asmx' because the following error occurred: Exception:
    Microsoft.Exchange.SoapWebClient.GetFederationInformationException: Discovery for domain partnerdomain.com failed. --->
    System.Net.WebException: The request failed with HTTP status 401: Unauthorized.
       at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response,
    Stream responseStream, Boolean asyncCall)
       at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
       at Microsoft.Exchange.SoapWebClient.CustomSoapHttpClientProtocol.<>c__DisplayClass4.<Invoke>b__3()
       at
    Microsoft.Exchange.SoapWebClient.HttpAuthenticator.NoHttpAuthenticator.AuthenticateAndExecute[T](SoapHttpClientProtocol
    client, AuthenticateAndExecuteHandler`1 handler)
       at Microsoft.Exchange.SoapWebClient.SoapHttpClientAuthenticator.AuthenticateAndExecute[T](SoapHttpClientProtocol client,
    AuthenticateAndExecuteHandler`1 handler)
       at
    Microsoft.Exchange.SoapWebClient.AutoDiscover.DefaultBinding_Autodiscover.GetFederationInformation(GetFederationInformationR
    equest Request)
       at
    Microsoft.Exchange.SoapWebClient.GetFederationInformationClient.<>c__DisplayClass6.<Endpoint>b__5(DefaultBinding_Autodiscove
    r binding)
       at Microsoft.Exchange.SoapWebClient.AutodiscoverClient.<>c__DisplayClassf.<InvokeAndFollowSecureRedirects>b__c(IWebProxy
    webProxy)
       at Microsoft.Exchange.SoapWebClient.AutodiscoverClient.InvokeWithWebProxy(String url, InvokeWithWebProxyDelegate
    invokeWithWebProxy)
       at Microsoft.Exchange.SoapWebClient.AutodiscoverClient.InvokeAndFollowSecureRedirects(InvokeDelegate invokeDelegate, Uri
    url)
       at Microsoft.Exchange.SoapWebClient.AutodiscoverClient.InvokeForUrl(InvokeDelegate invokeDelegate, Uri url)
       --- End of inner exception stack trace ---
    
    WebException.Response = <cannot read response stream>
    Exception:
    System.Net.WebException: The request failed with HTTP status 401: Unauthorized.
       at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response,
    Stream responseStream, Boolean asyncCall)
       at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
       at Microsoft.Exchange.SoapWebClient.CustomSoapHttpClientProtocol.<>c__DisplayClass4.<Invoke>b__3()
       at
    Microsoft.Exchange.SoapWebClient.HttpAuthenticator.NoHttpAuthenticator.AuthenticateAndExecute[T](SoapHttpClientProtocol
    client, AuthenticateAndExecuteHandler`1 handler)
       at Microsoft.Exchange.SoapWebClient.SoapHttpClientAuthenticator.AuthenticateAndExecute[T](SoapHttpClientProtocol client,
    AuthenticateAndExecuteHandler`1 handler)
       at
    Microsoft.Exchange.SoapWebClient.AutoDiscover.DefaultBinding_Autodiscover.GetFederationInformation(GetFederationInformationR
    equest Request)
       at
    Microsoft.Exchange.SoapWebClient.GetFederationInformationClient.<>c__DisplayClass6.<Endpoint>b__5(DefaultBinding_Autodiscove
    r binding)
       at Microsoft.Exchange.SoapWebClient.AutodiscoverClient.<>c__DisplayClassf.<InvokeAndFollowSecureRedirects>b__c(IWebProxy
    webProxy)
       at Microsoft.Exchange.SoapWebClient.AutodiscoverClient.InvokeWithWebProxy(String url, InvokeWithWebProxyDelegate
    invokeWithWebProxy)
       at Microsoft.Exchange.SoapWebClient.AutodiscoverClient.InvokeAndFollowSecureRedirects(InvokeDelegate invokeDelegate, Uri
    url)
       at Microsoft.Exchange.SoapWebClient.AutodiscoverClient.InvokeForUrl(InvokeDelegate invokeDelegate, Uri url)

    What can be the problem?
    Thanks in advance!


    Kind regards Joerg



    • Edited by JörgS Wednesday, February 29, 2012 3:41 PM
    Tuesday, February 21, 2012 2:51 PM

Answers

  • Problem is solved!

    The solution is the following:

    On our side the TargetApplicationUri must be set to: exchangedelegation.partnerdomain.com
    Set-OrganizationRelationship -Identity agens -TargetOwaURL "https://mail.partnerdomain.com/owa"
    Set-OrganizationRelationship -Identity agens -TargetApplicationUri "exchangedelegation.partnerdomain.com"
    Set-OrganizationRelationship -Identity agens -TargetAutodiscoverEpr "https://mail.partnerdomain.com/Autodiscover/autodiscover.svc/WSSecurity"

    and "Enable Free/Busy information access" must be set to TRUE!

    On the partner side the TargetApplicationUri must be set to: FYDIBOHF25SPDLT.ourexternaldomain.de
    Set-OrganizationRelationship -Identity agens -TargetOwaURL "https://mail.ourexternaldomain.de/owa"
    Set-OrganizationRelationship -Identity agens -TargetApplicationUri "FYDIBOHF25SPDLT.ourexternaldomain.de"
    Set-OrganizationRelationship -Identity agens -TargetAutodiscoverEpr "https://mail.ourexternaldomain.de/Autodiscover/autodiscover.svc/WSSecurity"

    So now we can access the Free/Busy information from the room mailboxes of our partner!


    Kind regards Joerg

    • Marked as answer by JörgS Friday, July 20, 2012 9:03 AM
    Friday, July 20, 2012 9:03 AM
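
A configuration check for the settings named in the accepted answer, added here as an example and not part of the original thread. `Test-OrgRelationshipTargets` and its `-ExpectedApplicationUri` parameter are hypothetical names; the expected application URI is assumed to be supplied by the partner from its own federation trust.

```powershell
# Added example (not from the thread). Test-OrgRelationshipTargets is a hypothetical helper.
function Test-OrgRelationshipTargets {
    param(
        # Object from Get-OrganizationRelationship, or any object with the same properties.
        [Parameter(Mandatory = $true)] $Relationship,
        # Assumption: the partner reads this value from its own federation trust and sends it to you.
        [Parameter(Mandatory = $true)] [string] $ExpectedApplicationUri
    )

    $findings = @()

    # The delegation token is requested for TargetApplicationUri (see the
    # "Generating delegation token ... for application" line in the verbose log),
    # so a CAS host name here ends in "Target is missing or invalid".
    $appUri = [string]$Relationship.TargetApplicationUri
    if ($appUri -ne $ExpectedApplicationUri) {
        $findings += "TargetApplicationUri is '$appUri', expected '$ExpectedApplicationUri'"
    }

    # The accepted answer uses the autodiscover.svc/WSSecurity endpoint over HTTPS.
    $epr = [string]$Relationship.TargetAutodiscoverEpr
    $uri = $null
    if (-not [System.Uri]::TryCreate($epr, [System.UriKind]::Absolute, [ref]$uri)) {
        $findings += "TargetAutodiscoverEpr is empty or not an absolute URL"
    } elseif ($uri.Scheme -ne 'https') {
        $findings += "TargetAutodiscoverEpr does not use https: $epr"
    } elseif ($uri.AbsolutePath -match '/EWS/Exchange\.asmx$') {
        $findings += "TargetAutodiscoverEpr points at the EWS URL: $epr"
    } elseif ($uri.AbsolutePath -notmatch '/autodiscover/autodiscover\.svc/WSSecurity$') {
        $findings += "TargetAutodiscoverEpr is not the autodiscover.svc/WSSecurity endpoint: $epr"
    }

    # "Enable Free/Busy information access" from the accepted answer.
    if (-not $Relationship.FreeBusyAccessEnabled) {
        $findings += "FreeBusyAccessEnabled is not True"
    }

    # No output means every check passed.
    $findings
}

# Constructed sample objects carrying the values posted in the thread
# (the anonymized domain names differ between posts, as they do on the page).
$before = New-Object PSObject -Property @{
    TargetApplicationUri  = 'mail1.federatedpartner.de'
    TargetAutodiscoverEpr = 'https://mail1.federatedpartner.de/EWS/Exchange.asmx'
    FreeBusyAccessEnabled = $true
}
$after = New-Object PSObject -Property @{
    TargetApplicationUri  = 'exchangedelegation.partnerdomain.com'
    TargetAutodiscoverEpr = 'https://mail.partnerdomain.com/Autodiscover/autodiscover.svc/WSSecurity'
    FreeBusyAccessEnabled = $true
}

foreach ($case in @(@{ Name = 'before'; Obj = $before }, @{ Name = 'after'; Obj = $after })) {
    $result = @(Test-OrgRelationshipTargets -Relationship $case.Obj `
        -ExpectedApplicationUri 'exchangedelegation.partnerdomain.com')
    if ($result.Count -eq 0) {
        "{0}: OK" -f $case.Name
    } else {
        $result | ForEach-Object { "{0}: {1}" -f $case.Name, $_ }
    }
}
```

Against a live configuration, pass the output of `Get-OrganizationRelationship -Identity agens` as `-Relationship` instead of the sample objects.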

All replies

  • I also created an OrgRelationship for our PartnerCompany.
    When I start the Test-OrganizationRelationship cmdlet I get an error "401 Unauthorized". The partner TMG doesn't block these requests. We see in the TMG logs that the traffic is allowed. The error comes directly from the partner Exchange 2010 server.

    The websites /Autodiscover and /EWS are set to {Basic, Ntlm, WindowsIntegrated, WSSecurity} and Anonymous Auth is also enabled.

    Hi Joerg,

    You run the test-organizationrelationship cmdlet and get an error "401 Unauthorized", but what's the meaning of "the error come directly from the PartnerExchange 2010 Server."?

    You run the cmdlet on your partner's Exchange server?

    What's the cmdlet output on your server?

    Please make sure you and your partner first created the relationship as described in the following TechNet document:

    Configure Federated Delegation

    http://technet.microsoft.com/en-us/library/ff601760.aspx

     



    Frank Wang

    TechNet Community Support

    Thursday, February 23, 2012 5:35 AM
  • Hi Frank,

    sorry for the unclear information.

    I ran the Test-OrganizationRelationship cmdlet on my Exchange server and the output/response is from the partner Exchange server.

    When the partner ran this cmdlet, they get the same error on his Exchange.

    We have created our org relationships exactly as described in the article.


    Kind regards Joerg

    Thursday, February 23, 2012 8:39 AM
  • Hello Joerg,

    As per the error log that you mentioned, it seems like we are not able to browse the EWS

    'https://mail1.agensgruppe.de/EWS/Exchange.asmx'

    What happens if you try to browse the URL manually? When I tried to browse it, I am getting 403 Forbidden.

    Also get us the Get-OrganizationRelationship | FL output from both ends.

    Tuesday, February 28, 2012 7:56 AM
  • hi,

    the access to https://mail1.federatedpartner.de/EWS/Exchange.asmx is only allowed from our IP address on our partner's TMG; also, on our TMG only the IP of the partner is allowed to access our https://mail.extdomain.de/EWS/Exchange.asmx

    When I browse https://mail1.federatedpartner.de/EWS/Exchange.asmx in IE from my Exchange CAS, I get an authentication dialog, and when I enter my credentials I get the XML successfully.
    When I enter no credentials I get a blank page.

    My Get-OrganizationRelationship | fl output:

    RunspaceId            : 5917db66-571f-4ac6-a0ec-da497c6451c6
    DomainNames           : {federatedpartner.com}
    FreeBusyAccessEnabled : True
    FreeBusyAccessLevel   : LimitedDetails
    FreeBusyAccessScope   :
    MailboxMoveEnabled    : False
    DeliveryReportEnabled : False
    MailTipsAccessEnabled : False
    MailTipsAccessLevel   : None
    MailTipsAccessScope   :
    TargetApplicationUri  : mail1.federatedpartner.de
    TargetSharingEpr      :
    TargetOwaURL          : https://mail.federatedpartner.de/owa
    TargetAutodiscoverEpr : https://mail1.federatedpartner.de/EWS/Exchange.asmx
    OrganizationContact   :
    Enabled               : True
    ArchiveAccessEnabled  : False
    AdminDisplayName      :
    ExchangeVersion       : 0.10 (14.0.100.0)
    Name                  : Agens
    DistinguishedName     : CN=federatedpartner,CN=Federation,CN=Company Name,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=intdomain,DC=local
    Identity              : Agens
    Guid                  : 73f16f45-748a-474b-92ab-849383791ca0
    ObjectCategory        : intdomain.local/Configuration/Schema/ms-Exch-Fed-Sharing-Relationship
    ObjectClass           : {top, msExchFedSharingRelationship}
    WhenChanged           : 21.02.2012 15:40:08
    WhenCreated           : 06.02.2012 22:18:20
    WhenChangedUTC        : 21.02.2012 14:40:08
    WhenCreatedUTC        : 06.02.2012 21:18:20
    OrganizationId        :
    OriginatingServer     : DC02.intdomain.local
    IsValid               : True

    federatedpartner get-organizationrelationship | fl output:

    RunspaceId            : 834e7ef2-0f02-415d-bf33-f2ab00ffda20
    DomainNames           : {companyname.de}
    FreeBusyAccessEnabled : True
    FreeBusyAccessLevel   : AvailabilityOnly
    FreeBusyAccessScope   :
    MailboxMoveEnabled    : False
    DeliveryReportEnabled : False
    MailTipsAccessEnabled : False
    MailTipsAccessLevel   : None
    MailTipsAccessScope   :
    TargetApplicationUri  : mail.extdomain.de
    TargetSharingEpr      :
    TargetOwaURL          : https://mail.extdomain.de/owa
    TargetAutodiscoverEpr : https://mail.extdomain.de/EWS/Exchange.asmx
    OrganizationContact   :
    Enabled               : True
    ArchiveAccessEnabled  : False
    AdminDisplayName      :
    ExchangeVersion       : 0.10 (14.0.100.0)
    Name                  : TopTech
    DistinguishedName     : CN=CompanyName,CN=Federation,CN=Federatedpartner,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=federatedpartnerintdomain,DC=local
    Identity              : CompanyName
    Guid                  : 684612e9-27b5-4549-bb5e-d420bf40d216
    ObjectCategory        : federatedpartnerintdomain.local/Configuration/Schema/ms-Exch-Fed-Sharing-Relationship
    ObjectClass           : {top, msExchFedSharingRelationship}
    WhenChanged           : 10.02.2012 16:21:01
    WhenCreated           : 01.02.2012 16:33:00
    WhenChangedUTC        : 10.02.2012 15:21:01
    WhenCreatedUTC        : 01.02.2012 15:33:00
    OrganizationId        :
    OriginatingServer     : DC01.federatedpartnerindomain.local
    IsValid               : True

    Kind regards Joerg



    • Edited by JörgS Wednesday, February 29, 2012 3:29 PM
    Tuesday, February 28, 2012 5:52 PM
  • Hello Joerg,

    I only see the FL from your end and don't see the FL of the other.

    The other question is how the organization relationship was created (was it created manually, or did you use Autodiscover to create it?). Because if you look at the output, you should see that TargetAutodiscoverEpr is filled with the Autodiscover URL, not the EWS URL.

    Also, the EWS URL will be populated in TargetSharingEpr.

    If you have created it manually, remove the org relationship and create it using Autodiscover.

    Also run this command on both ends and get us the output:

    Get-FederationInformation -DomainName "Name of the domain" -Verbose

    Wednesday, February 29, 2012 11:22 AM
  • Hi,

    I got the output from our partner today, sorry for the delay; I added it to my last post.

    Yes, you are right, we must create the OrgRelationships manually on both sides.

    My get-federationinformation -domainname "Name of the domain"  -verbose:

    [PS] C:\Windows\system32>get-federationinformation -domainname federatedparnter.com  -verbose
    VERBOSE: [15:42:02.045 GMT] Get-FederationInformation : Active Directory session settings for 'Get-FederationInformation'
    are: View Entire Forest: 'False', Default Scope: 'ourintdomain.local', Configuration Domain Controller: 'DC01.ourintdomain.local',
    Preferred Global Catalog: 'dc02.ourintdomain.local', Preferred Domain Controllers: '{ dc02.ourintdomain.local }'
    VERBOSE: [15:42:02.045 GMT] Get-FederationInformation : Runspace context: Executing user: ourintdomain.local/CompanyName/Department/Schmidtke, Jörg (Domainadmin),
     Executing user organization: , Current organization: , RBAC-enabled: Enabled.
    VERBOSE: [15:42:02.045 GMT] Get-FederationInformation : Beginning processing &
    VERBOSE: [15:42:02.045 GMT] Get-FederationInformation : Current ScopeSet is: { Recipient Read Scope: {{, }}, Recipient Write Scopes: {{, }}, Configuration Read Scope: {{, }}, Configuration Write Scope(s): {{, }, }, Exclusive Recipient Scope(s): {}, Exclusive Configuration Scope(s): {} }
    VERBOSE: [15:42:02.045 GMT] Get-FederationInformation : Resolved current organization: .
    VERBOSE: [15:42:02.061 GMT] Get-FederationInformation : Using the following trusted host names: *.outlook.com.
    VERBOSE: [15:42:03.030 GMT] Get-FederationInformation : The discovery process returned the following results:
    Type=Failure;Url=https://autodiscover.federatedparnter.com/autodiscover/autodiscover.svc;Exception=Discovery for domain federatedparnter.com
    failed.;Details=(Type=Failure;Url=https://autodiscover.federatedparnter.com/autodiscover/autodiscover.svc;Exception=The request failed
    with HTTP status 401: Unauthorized ( The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator.  ).;);
    Type=Failure;Url=https://federatedparnter.com/autodiscover/autodiscover.svc;Exception=Discovery for domain federatedparnter.com
    failed.;Details=(Type=Failure;Url=https://federatedparnter.com/autodiscover/autodiscover.svc;Exception=The underlying connection was closed: An unexpected error occurred on a send.;);
    Type=Failure;Url=http://autodiscover.federatedparnter.com/autodiscover/autodiscover.xml;Exception=Discovery for domain federatedparnter.com
    failed.;Details=(Type=Failure;Url=http://autodiscover.federatedparnter.com/autodiscover/autodiscover.xml;RedirectUrl=https://autodiscov
    er.federatedparnter.com/autodiscover/autodiscover.xml;Alternate=(Type=Failure;Url=https://autodiscover.federatedparnter.com/autodiscover/autodisco
    ver.svc;Exception=The request failed with HTTP status 401: Unauthorized ( The server requires authorization to fulfill the
    request. Access to the Web server is denied. Contact the server administrator.  ).;););
    Type=Failure;Url=http://federatedparnter.com/autodiscover/autodiscover.xml;Exception=Discovery for domain federatedparnter.com
    failed.;Details=(Type=Failure;Url=http://federatedparnter.com/autodiscover/autodiscover.xml;Exception=Unexpected status code in
    response: MovedPermanently.;);
    .
    Federation information could not be received from the external organization.
        + CategoryInfo          : NotSpecified: (:) [Get-FederationInformation], GetFederationInformationFailedException
        + FullyQualifiedErrorId : ABBC82A4,Microsoft.Exchange.Management.SystemConfigurationTasks.GetFederationInformation
    
    VERBOSE: [15:42:03.061 GMT] Get-FederationInformation : Ending processing &

    Here is the output of Get-FederationInformation from my partner:

    [PS] C:\Windows\system32>get-federationinformation -domainname "ourexternaldomain.de" -verbose
    VERBOSE: [15:38:03.106 GMT] Get-FederationInformation : Active Directory session settings for
    'Get-FederationInformation' are: View Entire Forest: 'False', Default Scope: 'partnerintdomain.local', Configuration Domain
    Controller: 'DC02.partnerintdomain.local', Preferred Global Catalog: 'DC02.partnerintdomain.local', Preferred Domain
    Controllers: '{ DC02.partnerintdomain.local }'
    VERBOSE: [15:38:03.106 GMT] Get-FederationInformation : Runspace context: Executing user:
    partnerintdomain.local/Department/Admin/UserAdmin, Executing user organization: , Current organization: ,RBAC-enabled: Enabled.
    VERBOSE: [15:38:03.106 GMT] Get-FederationInformation : Beginning processing &
    VERBOSE: [15:38:03.106 GMT] Get-FederationInformation : Current ScopeSet is: { Recipient Read Scope: {{, }}, Recipient
    Write Scopes: {{, }}, Configuration Read Scope: {{, }}, Configuration Write Scope(s): {{, }, }, Exclusive Recipient
    Scope(s): {}, Exclusive Configuration Scope(s): {} }
    VERBOSE: [15:38:03.106 GMT] Get-FederationInformation : Resolved current organization: .
    VERBOSE: [15:38:03.106 GMT] Get-FederationInformation : Using the following trusted host names: *.outlook.com.
    VERBOSE: [15:38:04.012 GMT] Get-FederationInformation : The discovery process returned the following results:
    Type=Failure;Url=https://autodiscover.ourexternaldomain.de/autodiscover/autodiscover.svc;Exception=Discovery for domain
    ourexternaldomain.de
    failed.;Details=(Type=Failure;Url=https://autodiscover.ourexternaldomain.de/autodiscover/autodiscover.svc;Exception=The
    request failed with HTTP status 401: Unauthorized ( The server requires authorization to fulfill the request. Access to
    the Web server is denied. Contact the server administrator.  ).;);
    Type=Failure;Url=https://ourexternaldomain.de/autodiscover/autodiscover.svc;Exception=Discovery for domain
    ourexternaldomain.de
    failed.;Details=(Type=Failure;Url=https://ourexternaldomain.de/autodiscover/autodiscover.svc;Exception=The request failed
    with HTTP status 401: Unauthorized ( The server requires authorization to fulfill the request. Access to the Web
    server is denied. Contact the server administrator.  ).;);
    Type=Failure;Url=http://autodiscover.ourexternaldomain.de/autodiscover/autodiscover.xml;Exception=Discovery for domain
    ourexternaldomain.de
    failed.;Details=(Type=Failure;Url=http://autodiscover.ourexternaldomain.de/autodiscover/autodiscover.xml;RedirectUrl=http
    s://autodiscover.ourexternaldomain.de/autodiscover/autodiscover.xml;Alternate=(Type=Failure;Url=https://autodiscover.ourexternaldomain.de/autodiscover/autodiscover.svc;Exception=The request failed with HTTP status 401: Unauthorized ( The
    server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server
    administrator.  ).;););
    Type=Failure;Url=http://ourexternaldomain.de/autodiscover/autodiscover.xml;Exception=Discovery for domain
    ourexternaldomain.de
    failed.;Details=(Type=Failure;Url=http://ourexternaldomain.de/autodiscover/autodiscover.xml;RedirectUrl=https://mail.ourexternaldomain.de/autodiscover/autodiscover.xml;Alternate=(Type=Failure;Url=https://mail.ourexternaldomain.de/autodiscover/a
    utodiscover.svc;Exception=The request failed with HTTP status 401: Unauthorized ( The server requires authorization to
    fulfill the request. Access to the Web server is denied. Contact the server administrator.  ).;););
    .
    Federation information could not be received from the external organization.
        + CategoryInfo          : NotSpecified: (:) [Get-FederationInformation], GetFederationInformationFailedException
        + FullyQualifiedErrorId : A9A4DB75,Microsoft.Exchange.Management.SystemConfigurationTasks.GetFederationInformation
     
    VERBOSE: [15:38:04.012 GMT] Get-FederationInformation : Ending processing &

    Kind regards Joerg

    • Edited by JörgS Thursday, March 1, 2012 10:49 AM
    Wednesday, February 29, 2012 3:38 PM
  • Hello Joerg,

    I see from the output that we are getting a failure...

    Type=Failure;Url=http://autodiscover.federatedparnter.com/autodiscover/autodiscover.xml;Exception=Discovery for domain federatedparnter.com
    failed.;Details=(Type=Failure;Url=http://autodiscover.federatedparnter.com/autodiscover/autodiscover.xml;RedirectUrl=https://autodiscov
    er.federatedparnter.com/autodiscover/autodiscover.xml;Alternate=(Type=Failure;Url=https://autodiscover.federatedparnter.com/autodiscover/autodisco
    ver.svc;Exception=The request failed with HTTP status 401: Unauthorized ( The server requires authorization to fulfill the
    request. Access to the Web server is denied. Contact the server administrator.  ).;););

    So we are getting an authentication error when browsing the URL.

    We have seen this issue where TMG does not have a rule set to allow all for Autodiscover and EWS. Also make sure it is not asking for authentication in the TMG.

    Update me if you find anything along the TMG lines.


    Sunday, March 4, 2012 2:07 PM
  • Hi,

    we analyzed an error on our federated partner's TMG; that is solved.

    We also made a little step forward: we changed our TargetAutodiscoverEpr to "https://autodiscover.federatedpartnerdomain.de/autodiscover/autodiscover.svc"

    Now we get a "Failed to get delegation token" error:

    [PS] C:\Windows\system32>Test-OrganizationRelationship -Identity agens -UserIdentity jschmidtke@ourextdomain.de -verbose
    VERBOSE: [09:42:52.151 GMT] Test-OrganizationRelationship : Active Directory session settings for
    'Test-OrganizationRelationship' are: View Entire Forest: 'False', Default Scope: 'ourintdomain.local', Configuration Domain
    Controller: 'dc01.ourintdomain.local', Preferred Global Catalog: 'dc01.ourintdomain.local', Preferred Domain Controllers: '{
    dc01.ourintdomain.local }'
    VERBOSE: [09:42:52.151 GMT] Test-OrganizationRelationship : Runspace context: Executing user: ourintdomain.local/OurCompanyName/Department/Schmidtke, Jörg (Domainadmin), 
    Executing user organization: , Current organization: , RBAC-enabled: Enabled.
    VERBOSE: [09:42:52.151 GMT] Test-OrganizationRelationship : Beginning processing &
    VERBOSE: [09:42:52.151 GMT] Test-OrganizationRelationship : Instantiating handler with index 0 for cmdlet extension agent
    "Admin Audit Log Agent".
    VERBOSE: [09:42:52.151 GMT] Test-OrganizationRelationship : Current ScopeSet is: { Recipient Read Scope: {{, }}, Recipient
    Write Scopes: {{, }}, Configuration Read Scope: {{, }}, Configuration Write Scope(s): {{, }, }, Exclusive Recipient
    Scope(s): {}, Exclusive Configuration Scope(s): {} }
    VERBOSE: [09:42:52.166 GMT] Test-OrganizationRelationship : Searching objects "jschmidtke@ourextdomain.de" of type
    "ADUser" under the root "$null".
    VERBOSE: [09:42:52.307 GMT] Test-OrganizationRelationship : Previous operation run on global catalog server
    'dc01.ourintdomain.local'.
    VERBOSE: [09:42:52.323 GMT] Test-OrganizationRelationship : Searching objects "FederatedPartnerCompany" of type "OrganizationRelationship"
    under the root "$null".
    VERBOSE: [09:42:52.369 GMT] Test-OrganizationRelationship : Previous operation run on domain controller
    'dc01.ourintdomain.local'.
    VERBOSE: Test that organization relationships are properly configured.
    VERBOSE: [09:42:52.369 GMT] Test-OrganizationRelationship : Resolved current organization: .
    VERBOSE: [09:42:52.385 GMT] Test-OrganizationRelationship : Calling the Microsoft Exchange Autodiscover service for the
    remote federation information.
    VERBOSE: [09:42:52.729 GMT] Test-OrganizationRelationship : The Autodiscover call succeeded for the following URL:
    https://mail.federatedpartnerextdomain.de/autodiscover/autodiscover.svc.
    VERBOSE: [09:42:52.745 GMT] Test-OrganizationRelationship : Generating delegation token for user
    jschmidtke@ourextdomain.de for application mail.federatedpartnerextdomain.de.
    VERBOSE: [09:42:54.292 GMT] Test-OrganizationRelationship : Failed to get delegation token: <S:Fault
    xmlns:S="http://www.w3.org/2003/05/soap-envelope"><S:Code><S:Value>S:Sender</S:Value><S:Subcode><S:Value>wst:InvalidRequest<
    /S:Value></S:Subcode></S:Code><S:Reason><S:Text xml:lang="en-US">Invalid Request</S:Text></S:Reason><S:Detail><psf:error
    xmlns:psf="http://schemas.microsoft.com/Passport/SoapServices/SOAPFault"><psf:value>0x80048820</psf:value><psf:internalerror
    ><psf:code>0x8004788d</psf:code><psf:text>Target is missing or invalid.
    </psf:text></psf:internalerror></psf:error></S:Detail></S:Fault>
    Microsoft.Exchange.Net.WSTrust.SoapFaultException: Soap fault exception received.
       at Microsoft.Exchange.Net.WSTrust.SoapClient.Invoke(IEnumerable`1 headers, XmlElement bodyContent)
       at Microsoft.Exchange.Net.WSTrust.SecurityTokenService.IssueToken(DelegationTokenRequest request)
       at Microsoft.Exchange.Management.Sharing.TestOrganizationRelationship.GetDelegationToken().
    
    
    RunspaceId  : d3125974-0aad-487f-8cf6-879c899ddcd4
    Identity    :
    Id          : FailureToGetDelegationToken
    Status      : Error
    Description : Failed to get delegation token: Soap fault exception received..
    IsValid     : True
    
    VERBOSE: [09:42:54.307 GMT] Test-OrganizationRelationship : Admin Audit Log: Entered Handler:OnComplete.
    VERBOSE: [09:42:54.307 GMT] Test-OrganizationRelationship : Ending processing &

    Kind regards Joerg

    • Edited by JörgS Wednesday, March 7, 2012 11:09 AM
    Wednesday, March 7, 2012 11:08 AM
  • Hello Joerg,

    As per the error we are getting in the Delegation Token.

    I would suggest running Test-FederationTrust -Verbose from both your domain and the partner domain.

    http://technet.microsoft.com/en-us/library/dd979787.aspx

    Thanks

    Venkat

    Wednesday, March 7, 2012 12:11 PM
  • hi

    here is the output of Get-FederationInformation from us to our partner:

    [PS] C:\Windows\system32>Get-FederationInformation -domainname federatedextpartnerdomain.de -verbose
    Creating a new session for implicit remoting of "Get-FederationInformation" command...
    VERBOSE: [12:28:21.095 GMT] Get-FederationInformation : Initializing Active Directory server settings for the remote Windows PowerShell session.
    VERBOSE: [12:28:21.095 GMT] Get-FederationInformation : Active Directory session settings for 'Get-FederationInformation'
    are: View Entire Forest: 'False', Default Scope: 'ourintdomain.local', Configuration Domain Controller: 'dc01ourintdomain.local',
    Preferred Global Catalog: 'dc02ourintdomain.local', Preferred Domain Controllers: '{ dc02ourintdomain.local }'
    VERBOSE: [12:28:21.111 GMT] Get-FederationInformation : Runspace context: Executing user: ttcon.local/OutCompanyName/Department/Schmidtke, Jörg (Domainadmin),
     Executing user organization: , Current organization: , RBAC-enabled: Enabled.
    VERBOSE: [12:28:21.111 GMT] Get-FederationInformation : Beginning processing &
    VERBOSE: [12:28:21.252 GMT] Get-FederationInformation : Current ScopeSet is: { Recipient Read Scope: {{, }}, Recipient Write
     Scopes: {{, }}, Configuration Read Scope: {{, }}, Configuration Write Scope(s): {{, }, }, Exclusive Recipient Scope(s): {},
     Exclusive Configuration Scope(s): {} }
    VERBOSE: [12:28:21.252 GMT] Get-FederationInformation : Resolved current organization: .
    VERBOSE: [12:28:24.799 GMT] Get-FederationInformation : Using the following trusted host names: *.outlook.com.
    VERBOSE: [12:28:28.582 GMT] Get-FederationInformation : The discovery process returned the following results:
    Type=Failure;Url=https://autodiscover.federatedextpartnerdomain.de/autodiscover/autodiscover.svc;Exception=Discovery for domain federatedextpartnerdomain.de
    failed.;Details=(Type=Failure;Url=https://autodiscover.federatedextpartnerdomain.de/autodiscover/autodiscover.svc;Exception=The request failed
    with HTTP status 401: Unauthorized ( The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator.  ).;);
    Type=Failure;Url=https://federatedextpartnerdomain.de/autodiscover/autodiscover.svc;Exception=Discovery for domain federatedextpartnerdomain.de
    failed.;Details=(Type=Failure;Url=https://federatedextpartnerdomain.de/autodiscover/autodiscover.svc;Exception=The underlying connection was closed: An unexpected error occurred on a send.;);
    Type=Failure;Url=http://autodiscover.federatedextpartnerdomain.de/autodiscover/autodiscover.xml;Exception=Discovery for domain federatedextpartnerdomain.de
    failed.;Details=(Type=Failure;Url=http://autodiscover.federatedextpartnerdomain.de/autodiscover/autodiscover.xml;RedirectUrl=https://autodiscov
    er.federatedextpartnerdomain.de/autodiscover/autodiscover.xml;Alternate=(Type=Failure;Url=https://autodiscover.federatedextpartnerdomain.de/autodiscover/autodisco
    ver.svc;Exception=The request failed with HTTP status 401: Unauthorized ( The server requires authorization to fulfill the
    request. Access to the Web server is denied. Contact the server administrator.  ).;););
    Type=Failure;Url=http://federatedextpartnerdomain.de/autodiscover/autodiscover.xml;Exception=Discovery for domain federatedextpartnerdomain.de
    failed.;Details=(Type=Failure;Url=http://federatedextpartnerdomain.de/autodiscover/autodiscover.xml;Exception=Unexpected status code in
    response: MovedPermanently.;);
    .
    Federation information could not be received from the external organization.
        + CategoryInfo          : NotSpecified: (:) [Get-FederationInformation], GetFederationInformationFailedException
        + FullyQualifiedErrorId : A9E4445F,Microsoft.Exchange.Management.SystemConfigurationTasks.GetFederationInformation
    
    VERBOSE: [12:28:28.644 GMT] Get-FederationInformation : Ending processing &

    the partner output to us follows

    [PS] C:\Windows\system32>get-federationinformation -domainname ourextdomain.de -verbose
    VERBOSE: [13:24:52.524 GMT] Get-FederationInformation : Active Directory session settings for
    'Get-FederationInformation' are: View Entire Forest: 'False', Default Scope: 'partnerintdomain.local', Configuration Domain
    Controller: 'DC01.partnerintdomain.local', Preferred Global Catalog: 'DC01.partnerintdomain.local', Preferred Domain
    Controllers: '{ DC01.partnerintdomain.local }'
    VERBOSE: [13:24:52.524 GMT] Get-FederationInformation : Runspace context: Executing user:
    partnerintdomain.local/Department/Admin/Admin, Executing user organization: , Current organization: ,
    RBAC-enabled: Enabled.
    VERBOSE: [13:24:52.524 GMT] Get-FederationInformation : Beginning processing &
    VERBOSE: [13:24:52.602 GMT] Get-FederationInformation : Current ScopeSet is: { Recipient Read Scope: {{, }}, Recipient
    Write Scopes: {{, }}, Configuration Read Scope: {{, }}, Configuration Write Scope(s): {{, }, }, Exclusive Recipient
    Scope(s): {}, Exclusive Configuration Scope(s): {} }
    VERBOSE: [13:24:52.602 GMT] Get-FederationInformation : Resolved current organization: .
    VERBOSE: [13:24:52.602 GMT] Get-FederationInformation : Using the following trusted host names: *.outlook.com.
    VERBOSE: [13:24:53.492 GMT] Get-FederationInformation : The discovery process returned the following results:
    Type=Failure;Url=https://autodiscover.ourextdomain.de/autodiscover/autodiscover.svc;Exception=Discovery for domain ourextdomain.de
    failed.;Details=(Type=Failure;Url=https://autodiscover.ourextdomain.de/autodiscover/autodiscover.svc;Exception=The
    request failed with HTTP status 401: Unauthorized ( The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator.  ).;);
    Type=Failure;Url=https://ourextdomain.de/autodiscover/autodiscover.svc;Exception=Discovery for domain ourextdomain.de
    failed.;Details=(Type=Failure;Url=https://ourextdomain.de/autodiscover/autodiscover.svc;Exception=The request failed
    with HTTP status 401: Unauthorized ( The server requires authorization to fulfill the request. Access to the Webserver is denied. Contact the server administrator.  ).;);
    Type=Failure;Url=http://autodiscover.ourextdomain.de/autodiscover/autodiscover.xml;Exception=Discovery for domain ourextdomain.de
    failed.;Details=(Type=Failure;Url=http://autodiscover.ourextdomain.de/autodiscover/autodiscover.xml;RedirectUrl=http
    s://autodiscover.ourextdomain.de/autodiscover/autodiscover.xml;Alternate=(Type=Failure;Url=https://autodiscover.topt
    echnologies.de/autodiscover/autodiscover.svc;Exception=The request failed with HTTP status 401: Unauthorized ( The
    server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator.  ).;););
    Type=Failure;Url=http://ourextdomain.de/autodiscover/autodiscover.xml;Exception=Discovery for domain ourextdomain.de
    failed.;Details=(Type=Failure;Url=http://ourextdomain.de/autodiscover/autodiscover.xml;RedirectUrl=https://mail.topt
    echnologies.de/autodiscover/autodiscover.xml;Alternate=(Type=Failure;Url=https://mail.ourextdomain.de/autodiscover/a
    utodiscover.svc;Exception=The request failed with HTTP status 401: Unauthorized ( The server requires authorization to
    fulfill the request. Access to the Web server is denied. Contact the server administrator.  ).;););.
    Federation information could not be received from the external organization.
        + CategoryInfo          : NotSpecified: (:) [Get-FederationInformation], GetFederationInformationFailedException
        + FullyQualifiedErrorId : A9A4DB75,Microsoft.Exchange.Management.SystemConfigurationTasks.GetFederationInformation
     
    VERBOSE: [13:24:53.492 GMT] Get-FederationInformation : Ending processing &
     
    

    Kind regards
    Joerg

    • Edited by JörgS Wednesday, March 7, 2012 1:29 PM
    Wednesday, March 7, 2012 12:33 PM
  • Hello Joerg,

    As per my last post I have suggested to run Test-federationtest.

    Please update with the output.

    thanks

    venkat

    Friday, March 9, 2012 3:12 AM
  • hi

    here is my test-federationtrust output:

    [PS] C:\Windows\system32>Test-FederationTrust -UserIdentity jschmidtke@ourexternaldomain.de
    
    
    RunspaceId : 952d1486-0972-4d2c-879e-1400ff9fd269
    Id         : FederationTrustConfiguration
    Type       : Success
    Message    : FederationTrust object in ActiveDirectory is valid.
    
    RunspaceId : 952d1486-0972-4d2c-879e-1400ff9fd269
    Id         : FederationMetadata
    Type       : Success
    Message    : The federation trust contains the same certificates published by the security token service in its federation m
                 etadata.
    
    RunspaceId : 952d1486-0972-4d2c-879e-1400ff9fd269
    Id         : StsCertificate
    Type       : Success
    Message    : Valid certificate referenced by property TokenIssuerCertificate in the FederationTrust object.
    
    RunspaceId : 952d1486-0972-4d2c-879e-1400ff9fd269
    Id         : StsPreviousCertificate
    Type       : Success
    Message    : Valid certificate referenced by property TokenIssuerPrevCertificate in the FederationTrust object.
    
    RunspaceId : 952d1486-0972-4d2c-879e-1400ff9fd269
    Id         : OrganizationCertificate
    Type       : Success
    Message    : Valid certificate referenced by property OrgPrivCertificate in the FederationTrust object.
    
    RunspaceId : 952d1486-0972-4d2c-879e-1400ff9fd269
    Id         : TokenRequest
    Type       : Success
    Message    : Request for delegation token succeeded.
    
    RunspaceId : 952d1486-0972-4d2c-879e-1400ff9fd269
    Id         : TokenValidation
    Type       : Success
    Message    : Requested delegation token is valid.

    here the output from our partner:

    [PS] C:\Windows\system32>Test-FederationTrust -UserIdentity surname.name@partnerexternaldomain.com
     
    RunspaceId : 549c6c5c-cbe4-4b6b-8013-07f43b670294
    Id         : FederationTrustConfiguration
    Type       : Success
    Message    : FederationTrust object in ActiveDirectory is valid.
     
    RunspaceId : 549c6c5c-cbe4-4b6b-8013-07f43b670294
    Id         : FederationMetadata
    Type       : Success
    Message    : The federation trust contains the same certificates published by the security token service in its federat
                 ion metadata.
     
    RunspaceId : 549c6c5c-cbe4-4b6b-8013-07f43b670294
    Id         : StsCertificate
    Type       : Success
    Message    : Valid certificate referenced by property TokenIssuerCertificate in the FederationTrust object.
     
    RunspaceId : 549c6c5c-cbe4-4b6b-8013-07f43b670294
    Id         : StsPreviousCertificate
    Type       : Success
    Message    : Valid certificate referenced by property TokenIssuerPrevCertificate in the FederationTrust object.
     
    RunspaceId : 549c6c5c-cbe4-4b6b-8013-07f43b670294
    Id         : OrganizationCertificate
    Type       : Success
    Message    : Valid certificate referenced by property OrgPrivCertificate in the FederationTrust object.
     
    RunspaceId : 549c6c5c-cbe4-4b6b-8013-07f43b670294
    Id         : TokenRequest
    Type       : Success
    Message    : Request for delegation token succeeded.
     
    RunspaceId : 549c6c5c-cbe4-4b6b-8013-07f43b670294
    Id         : TokenValidation
    Type       : Success
    Message    : Requested delegation token is valid.
    

    Kind regards Joerg

    Friday, March 9, 2012 8:43 AM
  • Hello Joerg,

    If you are still facing the issue with federation, I would recommend creating a support ticket as this might require some additional tracing and troubleshooting.

    Thanks

    Venkat

    Monday, March 26, 2012 5:37 AM
  • Problem is solved!

    Solution is the following:

    on our side the TargetApplicationUri must be set to: exchangedelegation.partnerdomain.com
    set-OrganizationRelationship -identity agens -TargetOwaURL "https://mail.partnerdomain.com/owa"
    set-OrganizationRelationship -identity agens -TargetApplicationUri "exchangedelegation.partnerdomain.com"
    set-OrganizationRelationship -identity agens -TargetAutodiscoverEpr "https://mail.partnerdomain.com/Autodiscover/autodiscover.svc/WSSecurity"

    and the "Enable Free/Busy information access" must be set to TRUE!

    on the partner side the TargetApplicationUri must be set to: FYDIBOHF25SPDLT.ourexternaldomain.de
    set-OrganizationRelationship -identity agens -TargetOwaURL "https://mail.ourexternaldomain.de/owa"
    set-OrganizationRelationship -identity agens -TargetApplicationUri "FYDIBOHF25SPDLT.ourexternaldomain.de"
    set-OrganizationRelationship -identity agens -TargetAutodiscoverEpr "https://mail.ourexternaldomain.de/Autodiscover/autodiscover.svc/WSSecurity"

    So now we can access the Free/Busy information from the room mailboxes of our partner!


    Kind regards Joerg

    • Marked as answer by JörgS Friday, July 20, 2012 9:03 AM
    Friday, July 20, 2012 9:03 AM
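
A check of the three settings the accepted answer changed, as an added example that is not part of the original thread. `Test-OrgRelationshipSettings` is a hypothetical helper name, and the `$before` object is a constructed sample; `$after` uses the values from the answer.

```powershell
# Added example, not code from the thread. Test-OrgRelationshipSettings is a hypothetical name.
function Test-OrgRelationshipSettings {
    param(
        # Object shaped like Get-OrganizationRelationship output
        [Parameter(Mandatory = $true)] $Relationship,
        # Application URI the partner reports for its side of the federation
        [Parameter(Mandatory = $true)] [string] $ExpectedApplicationUri
    )
    $findings = @()

    # Exchange requests the delegation token for this URI, so it has to be the partner's value.
    $appUri = [string]$Relationship.TargetApplicationUri
    if ($appUri -ne $ExpectedApplicationUri) {
        $findings += "TargetApplicationUri is '$appUri', expected '$ExpectedApplicationUri'"
    }

    # The working endpoint in the thread is https and ends in autodiscover.svc/WSSecurity.
    $epr = [string]$Relationship.TargetAutodiscoverEpr
    if ($epr -notmatch '^https://[^/]+/autodiscover/autodiscover\.svc/WSSecurity$') {
        $findings += "TargetAutodiscoverEpr '$epr' is not an https autodiscover.svc/WSSecurity endpoint"
    }

    if (-not $Relationship.FreeBusyAccessEnabled) {
        $findings += 'FreeBusyAccessEnabled is not True'
    }
    $findings
}

# Constructed sample of a misconfigured relationship (values are illustrative).
$before = New-Object PSObject -Property @{
    TargetApplicationUri  = 'partnerdomain.com'
    TargetAutodiscoverEpr = 'https://autodiscover.partnerdomain.com/autodiscover/autodiscover.svc'
    FreeBusyAccessEnabled = $false
}
# Values from the accepted answer.
$after = New-Object PSObject -Property @{
    TargetApplicationUri  = 'exchangedelegation.partnerdomain.com'
    TargetAutodiscoverEpr = 'https://mail.partnerdomain.com/Autodiscover/autodiscover.svc/WSSecurity'
    FreeBusyAccessEnabled = $true
}

foreach ($rel in $before, $after) {
    $result = @(Test-OrgRelationshipSettings -Relationship $rel `
        -ExpectedApplicationUri 'exchangedelegation.partnerdomain.com')
    if ($result.Count -eq 0) { 'OK' } else { $result | ForEach-Object { "FAIL: $_" } }
}
# In the Exchange Management Shell, pass (Get-OrganizationRelationship -Identity agens) as -Relationship.
```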