Hello,
I am using ADFS/WAP 3.0 to publish an Exchange Server 2016 platform. My publication, in order to offer a seamless experience to users whether they access the web apps internally or externally, is done as follows:
- OWA and ECP are published relying on a claims based rule
- ADFS is configured so whenever a user tries to access Exchange, it will systematically be redirected to the ADFS authentication form, internally as well as externally
- My users need to be able to access OWA in the simplest way: https://mail.myorg.com (they should never have to type in /owa)
For this, I have created a single publication rule relying on a unique RP that exposes https://mail.myorg.com and redirects it to https://mail.myorg.com/owa once the authentication is successfully done.
This works like a charm as long as I do not try to access https://mail.myorg.com/ecp. In this particular case, it seems the rule always tries to redirect me to https://mail.myorg.com/owa, which ends with an OWA error 500 "Something went wrong" (the URL of the page is then https://mail.myorg.com/owa/auth/errorFE.aspx?httpCode=500).
Checking the Exchange server logs, I can see two errors and one warning:
- Error 1003 / MSExchange Front End HTTP Proxy
[Owa] An internal server error occurred. The unhandled exception was: Microsoft.IdentityModel.Protocols.FederationException: ID3206: A SignInResponse message may only redirect within the current web application: '/ecp/' is not allowed.
at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request)
at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
at Microsoft.Exchange.Security.Authentication.AdfsFederationAuthModule.InternalOnAuthenticateRequest(Object sender, EventArgs eventArgs)
at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
- Error 4999 / MSExchange Common
Watson report about to be sent for process id: 17176, with parameters: E12IIS, c-RTL-AMD64, 15.01.0466.034, w3wp#MSExchangeOWAAppPool, Microsoft.IdentityModel, M.I.W.WSFederationAuthenticationModule.SignInWithResponseMessage, M.I.Protocols.FederationException, 818b, 06.03.9600.16384.
ErrorReportingEnabled: False
It seems the issue is related to the fact that there is a unique relying party on the ADFS side. The RP is not able, based on the inbound URL used, to redirect selectively to one or the other location (https://mail.myorg.com/ecp / https://mail.myorg.com/owa). Is there any possibility to achieve that in the way I am trying to?
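A diagnostic check added here, not part of the original post: it lists the WS-Federation return addresses of every AD FS relying party trust next to the audience URIs Exchange expects, and flags any audience that no trust can return to. It assumes the AD FS PowerShell module on the AD FS server and the Exchange Management Shell on an Exchange 2016 server; the /owa/ and /ecp/ URIs are constructed from the post's hostname mail.myorg.com.

```powershell
# Added diagnostic example (not from the original post). Assumes the AD FS
# PowerShell module (AD FS server) and the Exchange Management Shell
# (Exchange 2016 server). Only the hostname mail.myorg.com comes from the post.

# --- On the AD FS server: which return addresses does each RP trust accept? ---
Get-AdfsRelyingPartyTrust |
    Select-Object Name, Identifier, WSFedEndpoint, AdditionalWSFedEndpoint |
    Format-List

# --- On the Exchange server: which audiences does Exchange expect? ---
Get-OrganizationConfig | Select-Object AdfsIssuer, AdfsAudienceUris | Format-List

# Consistency check, run on the AD FS server: every audience URI Exchange
# expects should be a WS-Fed return address of some relying party trust.
# $audiences is constructed from the post's hostname; replace it with the
# AdfsAudienceUris output above if it differs.
$audiences = @('https://mail.myorg.com/owa/', 'https://mail.myorg.com/ecp/')

$endpoints = Get-AdfsRelyingPartyTrust | ForEach-Object {
    # WSFedEndpoint is a single Uri, AdditionalWSFedEndpoint a string array;
    # normalise both to strings with a trailing slash and drop empty entries.
    @($_.WSFedEndpoint) + @($_.AdditionalWSFedEndpoint) |
        Where-Object { $_ } |
        ForEach-Object { $_.ToString().TrimEnd('/') + '/' }
}

foreach ($uri in $audiences) {
    if ($endpoints -contains $uri) {
        Write-Output "OK      $uri is a registered WS-Fed return address"
    } else {
        # ID3206 means the sign-in response was posted to one web application
        # (here /owa) while asking to redirect to another (/ecp/). A return
        # address that lands the response in the /ecp application itself
        # avoids that cross-application redirect.
        Write-Output "MISSING $uri has no relying party trust return address"
    }
}
```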