OWA, WAP and ADFS SPNs

  • Question

  • Hopefully this is a simple question.

    We are attempting to configure WAP to proxy OWA via ADFS.

    I've gotten to a point where I believe everything is in place; however, the confusion is over this SPN business. This is a non-claims-aware situation with Exchange 2010 on the backend. Is there any documentation I'm missing that details the SPNs that are required and which objects I need to create them on?

    For OWA I have the following SPNs configured.

    EXCAS01 (Exchange computer account) - HTTP/owa.mycompany.corp

    EXCAS02 (Exchange computer account) - HTTP/owa.mycompany.corp

    I have then delegated the WAP server access to "Trust this computer for delegation to specified service only" & "use any authentication protocol".

    With the service type HTTP and owa.mycompany.corp in the list of delegate credentials.

    The WAP computer account also has HTTP/WAP01 & HTTP/WAP01.mycompany.corp.

    The OWA DNS address is load balanced to both the EXCAS servers.

    As it stands, this config does not work. I get presented with the ADFS login page, enter credentials, and then it fails with the following errors.

    Log Name:      Microsoft-Windows-WebApplicationProxy/Admin
    Source:        Microsoft-Windows-WebApplicationProxy
    Date:          03/11/2016 14:12:46
    Event ID:      13019
    Task Category: None
    Level:         Warning
    Keywords:      
    User:          NETWORK SERVICE
    Computer:      WAP01.mycompany.corp
    Description:
    Web Application Proxy cannot retrieve a Kerberos ticket on behalf of the user because of the following general API error: The specified target is unknown or unreachable (0x80090303).

    Details:
    Transaction ID: {f0993ea3-2079-0000-8d90-a9f07920d201}
    Session ID: {f0993ea3-2079-0000-8c90-a9f07920d201}
    Published Application Name: Exchange (Prod) - OWA
    Published Application ID: 3273e461-4f28-1f3c-81f6-ca4dc3dfa492
    Published Application External URL: https://owa.mycompany.corp/
    Published Backend URL: https://owa.mycompany.corp/
    User: user01@mycompany.corp
    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
    Device ID: <Not Applicable>
    Token State: OK
    Cookie State: NotFound
    Client Request URL: https://owa.mycompany.corp/?authToken=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IkFUSUprWDBSNGxBR3g4dGtCRXVGb2dvdFFLVSJ9.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.TYTmdS-mVy2_V9vv51h6QGf5GI1-73iqmcrFPCt-1VROrxm36udecqqPyMhHYUkhlEVMOrFc-dFxBYyk122exeJCXXCanwHVg91ZOauN5WtbRcG5UZ_CV0tIrCFrUdyXHYp4wwPqV6yKzrKnRKPqWeBp4hijIK9yPIAqkJtGzcULuIsFChGXchGM0OLfFTH8Yb2Vqx7e-7-gEOERJdyLHXOZXzR28YwBzt08yfuqszoyiyaa6zXvE87ZnwzbzmTWHXKfI5ks31g_cI-HKWzlT3pUEX6PDeB1deY3J7B9MqQhXMl0DMqludd328opnvzpa1kMShLRhVti1c6SObCMBA&client-request-id=f0993ea3-2079-0000-8c90-a9f07920d201
    Backend Request URL: <Not Applicable>
    Preauthentication Flow: PreAuthBrowser
    Backend Server Authentication Mode: WIA
    State Machine State: BackendRequestProcessing_Pending
    Response Code to Client: <Not Applicable>
    Response Message to Client: <Not Applicable>
    Client Certificate Issuer: <Not Found>

    Log Name:      Microsoft-Windows-WebApplicationProxy/Admin
    Source:        Microsoft-Windows-WebApplicationProxy
    Date:          03/11/2016 14:12:46
    Event ID:      12027
    Task Category: None
    Level:         Error
    Keywords:      
    User:          NETWORK SERVICE
    Computer:      WAP01.mycompany.corp
    Description:
    Web Application Proxy encountered an unexpected error while processing the request.
    Error: The specified target is unknown or unreachable (0x80090303).

    Details:
    Transaction ID: {f0993ea3-2079-0000-8d90-a9f07920d201}
    Session ID: {f0993ea3-2079-0000-8c90-a9f07920d201}
    Published Application Name: Exchange (Prod) - OWA
    Published Application ID: 3273e461-4f28-1f3c-81f6-ca4dc3dfa492
    Published Application External URL: https://owa.mycompany.corp/
    Published Backend URL: https://owa.mycompany.corp/
    User: user01@mycompany.corp
    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
    Device ID: <Not Applicable>
    Token State: OK
    Cookie State: NotFound
    Client Request URL: https://owa.mycompany.corp/?authToken=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IkFUSUprWDBSNGxBR3g4dGtCRXVGb2dvdFFLVSJ9.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.TYTmdS-mVy2_V9vv51h6QGf5GI1-73iqmcrFPCt-1VROrxm36udecqqPyMhHYUkhlEVMOrFc-dFxBYyk122exeJCXXCanwHVg91ZOauN5WtbRcG5UZ_CV0tIrCFrUdyXHYp4wwPqV6yKzrKnRKPqWeBp4hijIK9yPIAqkJtGzcULuIsFChGXchGM0OLfFTH8Yb2Vqx7e-7-gEOERJdyLHXOZXzR28YwBzt08yfuqszoyiyaa6zXvE87ZnwzbzmTWHXKfI5ks31g_cI-HKWzlT3pUEX6PDeB1deY3J7B9MqQhXMl0DMqludd328opnvzpa1kMShLRhVti1c6SObCMBA&client-request-id=f0993ea3-2079-0000-8c90-a9f07920d201
    Backend Request URL: <Not Applicable>
    Preauthentication Flow: PreAuthBrowser
    Backend Server Authentication Mode: WIA
    State Machine State: OuOfOrderFEHeadersWriting
    Response Code to Client: 500
    Response Message to Client: <Not Applicable>
    Client Certificate Issuer: <Not Found>


    I have also run a Kerberos check on owa.mycompany.corp and get the below failure message.

    C:\>klist get HTTP/owa.mycompany.corp

    Current LogonId is 0:0xe717d47
    Error calling API LsaCallAuthenticationPackage (GetTicket substatus): 0x6fb

    klist failed with 0xc000018b/-1073741429: The SAM database on the Windows Server does not have a computer account for this workstation trust relationship.

    I'm fairly sure this is the issue. The question is why do I get this and how can I fix it?

    The SPN exists, but should it be applied to both EXCAS computer accounts? SETSPN -X doesn't pick this up as a duplicate entry.

    Thursday, November 3, 2016 2:57 PM

All replies

  • Is your WAP domain joined and configured for Kerberos Constrained Delegation? This is a requirement when publishing non-claims-aware applications.

    Thursday, November 3, 2016 3:25 PM
  • It is.

    I have now managed to get this working by removing the HTTP/owa.mycompany.corp SPN from the second CAS computer account.

    The issue I have now is how do I get both CAS servers working with the HTTP/owa.mycompany.corp SPN if only one SPN is allowed in the domain?

    Do I use a service account on the OWA application pool and then associate the SPN with that service account?

    Does OWA even support running under a custom application pool identity, or does LocalSystem have to be used?

    Thanks

    Thursday, November 3, 2016 4:39 PM
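The following PowerShell is an added diagnostic, not code from the thread. It assumes the RSAT ActiveDirectory module and the names used in the question (WAP computer WAP01, backend SPN HTTP/owa.mycompany.corp, domain mycompany.corp); it lists every account holding the SPN, which shows the duplicate registration the poster found, and then checks the WAP delegation settings the question describes.

```powershell
# Added diagnostic, not code from the thread. Assumes the RSAT ActiveDirectory module
# and the names from the question: WAP computer WAP01, SPN HTTP/owa.mycompany.corp.
Import-Module ActiveDirectory

$Spn         = 'HTTP/owa.mycompany.corp'   # backend SPN from the question
$WapComputer = 'WAP01'                      # WAP computer account from the question
$Domain      = 'mycompany.corp'             # domain from the question

# 1. Which accounts hold the SPN? The KDC maps an SPN to exactly one principal, so
#    two holders (EXCAS01 and EXCAS02 in the question) leave it unable to issue a
#    service ticket, which the WAP reports as 0x80090303 "target is unknown".
$holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties servicePrincipalName)
switch ($holders.Count) {
    0       { Write-Warning "$Spn is not registered on any account" }
    1       { Write-Output  "$Spn is registered once, on $($holders[0].Name) ($($holders[0].ObjectClass))" }
    default { Write-Warning "$Spn is registered $($holders.Count) times: $($holders.Name -join ', ')" }
}

# 2. Is the WAP account configured for KCD with protocol transition? The Delegation
#    tab stores the allowed target SPNs in msDS-AllowedToDelegateTo and "Use any
#    authentication protocol" as the TRUSTED_TO_AUTH_FOR_DELEGATION bit (0x1000000)
#    of userAccountControl. ADFS pre-authentication needs that bit, because the WAP
#    obtains the user's ticket via S4U2Self rather than from the user's own TGT.
$wap     = Get-ADComputer $WapComputer -Properties 'msDS-AllowedToDelegateTo', userAccountControl, servicePrincipalName
$targets = @($wap.'msDS-AllowedToDelegateTo')
$anyAuth = ($wap.userAccountControl -band 0x1000000) -ne 0

if ($targets -contains $Spn) {   # -contains is case-insensitive, like SPN matching
    Write-Output "$WapComputer may delegate to $Spn"
} else {
    Write-Warning "$WapComputer is not allowed to delegate to $Spn (targets: $($targets -join ', '))"
}
if (-not $anyAuth) {
    Write-Warning "$WapComputer lacks 'Use any authentication protocol' (protocol transition)"
}

# 3. Confirm the WAP account's own SPNs, as registered in the question, are present.
$wapSpns = @($wap.servicePrincipalName)
foreach ($s in "HTTP/$WapComputer", "HTTP/$WapComputer.$Domain") {
    if ($wapSpns -notcontains $s) { Write-Warning "$WapComputer is missing SPN $s" }
}
```

Run it from a domain-joined host with RSAT installed; the first check is the direct equivalent of the duplicate that setspn -X did not surface for the poster.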