ADFS to publish Exchange OWA and ECP claims based

  • Question

  • Hello,

    I am using ADFS/WAP 3.0 to publish an Exchange Server 2016 platform. My publication, in order to offer a seamless experience to users should they be accessing the web apps internally or externally, is done as follows:

    • OWA and ECP are published relying on a claims based rule
    • ADFS is configured so whenever a user tries to access Exchange, they will systematically be redirected to the ADFS authentication form, internally as well as externally
    • My users need to be able to access OWA the simplest way: https://mail.myorg.com (they should never have to type in /owa)

    For this, I have created a single publication rule relying on a unique RP that exposes https://mail.myorg.com and redirects it to https://mail.myorg.com/owa once the authentication is successfully done.

    This works like a charm as long as I do not try to access https://mail.myorg.com/ecp . In this particular case, it seems the rule always tries to redirect me to https://mail.myorg.com/owa which ends with an OWA error 500 "Something went wrong" (URL of the page is then https://mail.myorg.com/owa/auth/errorFE.aspx?httpCode=500).

    Checking the Exchange server logs, I can see two errors and one warning:

    • Error 1003 / MSExchange Front End HTTP Proxy
    [Owa] An internal server error occurred. The unhandled exception was: Microsoft.IdentityModel.Protocols.FederationException: ID3206: A SignInResponse message may only redirect within the current web application: '/ecp/' is not allowed.
       at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request)
       at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
       at Microsoft.Exchange.Security.Authentication.AdfsFederationAuthModule.InternalOnAuthenticateRequest(Object sender, EventArgs eventArgs)
       at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
       at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
    • Error 4999 / MSExchange Common
    Watson report about to be sent for process id: 17176, with parameters: E12IIS, c-RTL-AMD64, 15.01.0466.034, w3wp#MSExchangeOWAAppPool, Microsoft.IdentityModel, M.I.W.WSFederationAuthenticationModule.SignInWithResponseMessage, M.I.Protocols.FederationException, 818b, 06.03.9600.16384.
    ErrorReportingEnabled: False

    It seems the issue is related to the fact that there is a unique relying party on the ADFS side. The RP is not able, based on the inbound URL used, to redirect selectively to one or the other location https://mail.myorg.com/ecp / https://mail.myorg.com/owa . Is there any possibility to achieve that in the way I am trying to?

    Monday, July 4, 2016 10:05 AM
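
The ID3206 text in the log above describes a same-application check on the return URL carried by the sign-in response, raised inside the OWA application pool for the path '/ecp/'. The sketch below is an added illustration of that kind of check, not code from the original post or from Microsoft; the function names, the `ru=` layout of the `wctx` value and the sample strings are assumptions constructed for the example.

```python
import posixpath
from urllib.parse import parse_qs, unquote, urlsplit


def return_url_from_wctx(wctx):
    """Return the 'ru' value of a wctx string (layout assumed: rm=..&id=..&ru=..)."""
    values = parse_qs(wctx).get("ru")
    if not values:
        raise ValueError("wctx carries no return URL")
    return values[0]  # parse_qs has already percent-decoded it


def is_within_application(return_url, app_path):
    """True only if return_url is a local path at or below app_path."""
    parts = urlsplit(return_url)
    if parts.scheme or parts.netloc:
        return False  # absolute or protocol-relative URL: leaves the site
    # Decode once more, treat backslashes as separators, collapse dot
    # segments and compare case-insensitively, as IIS paths are.
    path = posixpath.normpath(unquote(parts.path).replace("\\", "/")).lower()
    app = "/" + app_path.strip("/").lower()
    if app == "/":
        return path.startswith("/")
    # Match on a segment boundary so '/owafoo' is not taken for '/owa'.
    return path == app or path.startswith(app + "/")


def check_sign_in_response(app_path, wctx):
    """Model one sign-in response arriving at the application rooted at app_path."""
    ru = return_url_from_wctx(wctx)
    return is_within_application(ru, app_path), ru


if __name__ == "__main__":
    # Constructed wctx values, not captured traffic.
    samples = [
        ("/owa", "rm=0&id=passive&ru=%2fowa%2f"),
        ("/owa", "rm=0&id=passive&ru=%2fecp%2f"),  # the case in the log
        ("/ecp", "rm=0&id=passive&ru=%2fecp%2f"),
    ]
    for app, wctx in samples:
        allowed, ru = check_sign_in_response(app, wctx)
        print(f"app={app:5} ru={ru:6} -> {'allowed' if allowed else 'rejected'}")
```
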

All replies

  • Hi,

    I know - very old thread but did you ever find a solution for that problem? I'm currently running into the same problem.

    Environment: Exchange 2016 CU9 on Windows Server 2016

    Peter Forster



    Note: Posts are provided "AS IS" without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Thursday, July 19, 2018 1:15 PM