Server. Error code: 'invalid_client'. Description: 'AADSTS700027: Client assertion contains an invalid signature. [Reason - The key was not found., Thumbprint of key used by client: 'XXXXX']

  • I'm trying to configure OAuth authentication between Exchange and Exchange Online using this article:

    https://docs.microsoft.com/en-us/exchange/configure-oauth-authentication-between-exchange-and-exchange-online-organizations-exchange-2013-help

    After completing all steps, when I try to test on-prem using the following command:

    Test-OAuthConnectivity -Service EWS -TargetUri https://outlook.office365.com/ews/exchange.asmx -Mailbox msmith@contoso.com -Verbose | Format-List
    

    it gives an error that it cannot find the certificate. However, I have verified that the same thumbprint exists on Exchange on-prem and Online. The thumbprint was matched using the following commands:

    On-prem:

    Get-ExchangeCertificate -Thumbprint (Get-AuthConfig).CurrentCertificateThumbprint | fl

    Online:

    Get-MsolServicePrincipalCredential -ServicePrincipalName "00000002-0000-0ff1-ce00-000000000000" -ReturnKeyValues $true

    While testing OAuthConnectivity, below are the complete error details I'm getting. Would anyone know a solution for this issue?

    #TYPE Microsoft.Exchange.Security.OAuth.ValidationResultNode
    "PSComputerName","RunspaceId","PSShowComputerName","Task","Detail","ResultType","Identity","IsValid","ObjectState"
    "dom2-exh01.testdomain2.local","15d06d5e-3ca1-43a8-be42-4d397275cb26","False","Checking EWS API Call Under Oauth","The configuration was last successfully loaded at 7/24/2020 6:37:58 PM UTC. This was 1 minutes ago.
    The token cache is being cleared because ""use cached token"" was set to false.
    Exchange Outbound Oauth Log:
    Client request ID: 3644586e-1c85-4ab2-927a-167f38ce1209
    Information:[OAuthCredentials:Authenticate] entering
    Information:[OAuthCredentials:Authenticate] challenge from 'https://outlook.office365.com/ews/Exchange.asmx' received: Bearer client_id=""00000002-0000-0ff1-ce00-000000000000"", trusted_issuers=""00000001-0000-0000-c000-000000000000@*"", token_types=""app_asserted_user_v1 service_asserted_app_v1"", authorization_uri=""https://login.windows.net/common/oauth2/authorize"",Basic Realm="""" 
    Information:[OAuthCredentials:GetToken] client-id: '00000002-0000-0ff1-ce00-000000000000', realm: '', trusted_issuer: '00000001-0000-0000-c000-000000000000@*'
    Information:[OAuthCredentials:GetToken] Start building a token using organizationId ''
    Information:[OAuthTokenBuilder:GetAppToken] start building the apptoken
    Information:[OAuthTokenBuilder:GetAppToken] checking enabled auth servers
    Information:[OAuthTokenBuilder:GetAppToken] trusted_issuer includes the auth server 'WindowsAzureACS': 00000001-0000-0000-c000-000000000000@ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ, 
    Information:[OAuthTokenBuilder:GetAppToken] updating the tenant id with the auth server realm; current tenant id value is '', new value is 'ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ'
    Information:[OAuthTokenBuilder:GetAppToken] trying to get the apptoken from the auth server 'WindowsAzureACS' for resource '00000002-0000-0ff1-ce00-000000000000/outlook.office365.com@ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ', tenantId 'ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ', userDomain 'contoso.com'
    Information:[TokenCache:GetActorToken] Each key and its counts are L:00000002-0000-0ff1-ce00-000000000000-AS:00000001-0000-0000-c000-000000000000@ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ, 0
    Information:[TokenCache:GetActorToken] cache size is 0
    Information:[TokenCache:GetActorToken] try to get a new  token synchronously
    Information:[ACSTokenBuildRequest:BuildToken] started
    Information:[TokenBuildRequest:GetActorTokenFromAuthServer] Sending token request to 'https://accounts.accesscontrol.windows.net/ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ/tokens/OAuth/2' for the resource '00000002-0000-0ff1-ce00-000000000000/outlook.office365.com@ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ' with token: grant_type=http%3a%2f%2foauth.net%2fgrant_type%2fjwt%2f1.0%2fbearer&assertion=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Im9QZjdDRnNra2MwTkEzeW14QUlITGhVckR4RSJ9.eyJpc3MiOiIwMDAwMDAwMi0wMDAwLTBmZjEtY2UwMC0wMDAwMDAwMDAwMDBANmJhYmNhYWQtNjA0Yi00MGFjLWE5ZDctOWZkOTdjMGI3NzlmIiwiYXVkIjoiMDAwMDAwMDEtMDAwMC0wMDAwLWMwMDAtMDAwMDAwMDAwMDAwL2FjY291bnRzLmFjY2Vzc2NvbnRyb2wud2luZG93cy5uZXRANmJhYmNhYWQtNjA0Yi00MGFjLWE5ZDctOWZkOTdjMGI3NzlmIiwiZXhwIjoxNTk1NjE2NTQ5LCJuYmYiOjE1OTU2MTU5NDl9.XsjAMihN7uatNX5qNSaqVK2F74_nD0ZGZJq8wPopnoROVTylfQj5Yr9-_m0H3SLnL2EHmTp0NIzOTQD6KOPnQYO9yxev_lXVunssNBJUjqYBtfFsOdZ5-g3DXkRzSK0Aytx00hE4vPiyTZjjwj4CW-KYYKNzIKQgo0sKiM6H42uBJnIDSKh5UmY_Rl3RAGz_3V-fQ0vqnpalf_xKwNnNZalRnyuLqYSWJJjg8UjulB-GewSCExU28CydrSpXYr_SupYpH0BXbOFV5lD0iXWyxPhaWJ0TrUptgDBlYibjRaYUh9SNMD_5d88Crz57Lekr7tf3wR2d-IbR4Zg-hfunxg&resource=00000002-0000-0ff1-ce00-000000000000%2foutlook.office365.com%40ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
    Information:[TokenBuildRequest:GetErrorDescription] response headers was
    Pragma: no-cache
    Strict-Transport-Security: max-age=31536000; includeSubDomains
    X-Content-Type-Options: nosniff
    client-request-id: 3644586e-1c85-4ab2-927a-167f38ce1209
    x-ms-request-id: 7c9c2ff1-7325-4ac0-9920-debbbb3d0600
    x-ms-ests-server: 2.1.10877.10 - CHI ProdSlices
    Cache-Control: no-cache, no-store
    Content-Type: application/json; charset=utf-8
    Expires: -1
    P3P: CP=""DSP CUR OTPi IND OTRi ONL FIN""
    Set-Cookie: ----
    Date: Fri, 24 Jul 2020 18:39:09 GMT
    Content-Length: 602
    
    
    Error:[TokenBuildRequest:GetActorTokenFromAuthServer] Unable to get the token from auth server 'https://accounts.accesscontrol.windows.net/ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ/tokens/OAuth/2'. The request has token grant_type=http%3a%2f%2foauth.net%2fgrant_type%2fjwt%2f1.0%2fbearer&assertion=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Im9QZjdDRnNra2MwTkEzeW14QUlITGhVckR4RSJ9.eyJpc3MiOiIwMDAwMDAwMi0wMDAwLTBmZjEtY2UwMC0wMDAwMDAwMDAwMDBANmJhYmNhYWQtNjA0Yi00MGFjLWE5ZDctOWZkOTdjMGI3NzlmIiwiYXVkIjoiMDAwMDAwMDEtMDAwMC0wMDAwLWMwMDAtMDAwMDAwMDAwMDAwL2FjY291bnRzLmFjY2Vzc2NvbnRyb2wud2luZG93cy5uZXRANmJhYmNhYWQtNjA0Yi00MGFjLWE5ZDctOWZkOTdjMGI3NzlmIiwiZXhwIjoxNTk1NjE2NTQ5LCJuYmYiOjE1OTU2MTU5NDl9.XsjAMihN7uatNX5qNSaqVK2F74_nD0ZGZJq8wPopnoROVTylfQj5Yr9-_m0H3SLnL2EHmTp0NIzOTQD6KOPnQYO9yxev_lXVunssNBJUjqYBtfFsOdZ5-g3DXkRzSK0Aytx00hE4vPiyTZjjwj4CW-KYYKNzIKQgo0sKiM6H42uBJnIDSKh5UmY_Rl3RAGz_3V-fQ0vqnpalf_xKwNnNZalRnyuLqYSWJJjg8UjulB-GewSCExU28CydrSpXYr_SupYpH0BXbOFV5lD0iXWyxPhaWJ0TrUptgDBlYibjRaYUh9SNMD_5d88Crz57Lekr7tf3wR2d-IbR4Zg-hfunxg&resource=00000002-0000-0ff1-ce00-000000000000%2foutlook.office365.com%40ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ, the error from Sts is AADSTS700027: Client assertion contains an invalid signature. [Reason - The key was not found., Thumbprint of key used by client: '****************************************']
    Trace ID: 7c9c2ff1-7325-4ac0-9920-debbbb3d0600
    Correlation ID: 3644586e-1c85-4ab2-927a-167f38ce1209
    Timestamp: 2020-07-24 18:39:09Z, the exception is System.Net.WebException: The remote server returned an error: (401) Unauthorized.
       at System.Net.HttpWebRequest.GetResponse()
       at Microsoft.Exchange.Security.OAuth.TokenBuildRequest.GetActorTokenFromAuthServer(Boolean throwOnError, TokenLifeTime tokenLifeTimeInstance, OAuth2AccessTokenRequest oauth2Request, String stsEndpoint)
    Error:Unable to get token from Auth Server. Error code: 'invalid_client'. Description: 'AADSTS700027: Client assertion contains an invalid signature. [Reason - The key was not found., Thumbprint of key used by client: '****************************************']
    Trace ID: 7c9c2ff1-7325-4ac0-9920-debbbb3d0600
    Correlation ID: 3644586e-1c85-4ab2-927a-167f38ce1209
    Timestamp: 2020-07-24 18:39:09Z'.
    
    Exchange Response Details:
    HTTP response message: 
    Exception:
    System.Net.WebException: The request was aborted: The request was canceled. ---> Microsoft.Exchange.Security.OAuth.OAuthTokenRequestFailedException: Unable to get token from Auth Server. Error code: 'invalid_client'. Description: 'AADSTS700027: Client assertion contains an invalid signature. [Reason - The key was not found., Thumbprint of key used by client: '****************************************']
    Timestamp: 2020-07-24 18:39:09Z'. ---> System.Net.WebException: The remote server returned an error: (401) Unauthorized.
       at System.Net.HttpWebRequest.GetResponse()
       at Microsoft.Exchange.Security.OAuth.TokenBuildRequest.GetActorTokenFromAuthServer(Boolean throwOnError, TokenLifeTime tokenLifeTimeInstance, OAuth2AccessTokenRequest oauth2Request, String stsEndpoint)
       --- End of inner exception stack trace ---
       at Microsoft.Exchange.Security.OAuth.TokenBuildRequest.GetActorTokenFromAuthServer(Boolean throwOnError, TokenLifeTime tokenLifeTimeInstance, OAuth2AccessTokenRequest oauth2Request, String stsEndpoint)
       at Microsoft.Exchange.Security.OAuth.ACSTokenBuildRequest.BuildToken(Boolean throwOnError)
       at Microsoft.Exchange.Security.OAuth.TokenCache.GetActorToken(TokenBuildRequest tokenBuildRequest, TokenLifeTime tokenLifeTime, IOutboundTracer tracer, Nullable`1 clientRequestId)
       at Microsoft.Exchange.Security.OAuth.OAuthTokenBuilder.GetAppToken(String applicationId, String destinationHost, String realmFromChallenge, IssuerMetadata[] trustedIssuersFromChallenge, String userDomain)
       at Microsoft.Exchange.Security.OAuth.OAuthTokenBuilder.GetAppWithUserToken(String applicationId, String destinationHost, String realmFromChallenge, IssuerMetadata[] trustedIssuersFromChallenge, String userDomain, ClaimProvider claimProvider)
       at Microsoft.Exchange.Security.OAuth.OAuthCredentials.GetToken(WebRequest webRequest, HttpAuthenticationChallenge challengeObject)
       at Microsoft.Exchange.Security.OAuth.OAuthCredentials.Authenticate(String challengeString, WebRequest webRequest, Boolean preAuthenticate)
       at System.Net.AuthenticationManagerDefault.Authenticate(String challenge, WebRequest request, ICredentials credentials)
       at System.Net.AuthenticationState.AttemptAuthenticate(HttpWebRequest httpWebRequest, ICredentials authInfo)
       at System.Net.HttpWebRequest.CheckResubmitForAuth()
       at System.Net.HttpWebRequest.CheckResubmit(Exception& e, Boolean& disableUpload)
       at System.Net.HttpWebRequest.DoSubmitRequestProcessing(Exception& exception)
       at System.Net.HttpWebRequest.ProcessResponse()
       at System.Net.HttpWebRequest.SetResponse(CoreResponseData coreResponseData)
       --- End of inner exception stack trace ---
       at System.Net.HttpWebRequest.GetResponse()
       at Microsoft.Exchange.Monitoring.TestOAuthConnectivityHelper.SendExchangeOAuthRequest(ADUser user, String orgDomain, Uri targetUri, String& diagnosticMessage, Boolean appOnly, Boolean useCachedToken, Boolean reloadConfig)
    ","Error","Microsoft.Exchange.Security.OAuth.ValidationResultNodeId","True","New"
    

    Friday, July 24, 2020 6:51 PM

All replies

  • Hi,

    What's the detailed version of your Exchange servers? You can check with the following command:

    Get-ExchangeServer | Format-List Name,Edition,AdminDisplayVersion

    Make sure the certificate is valid, it's enabled for SMTP service, and the correct domain names are included. Verify StartDate and EndDate from Get-MsolServicePrincipalCredential match NotBefore and NotAfter from Get-ExchangeCertificate. You can post the output of Get-ExchangeCertificate and Get-MsolServicePrincipalCredential commands you used, and don't forget to cover your personal information. 

    This Exchange Server 2016 - Setup, Deployment, Updates and Migration Forum will be migrating to a new home on Microsoft Q&A, please refer to this sticky post for more details.

    Regards,

    Lydia Zhou


    Exchange Server 2016 - Setup, Deployment, Updates and Migration forum will be migrating to a new home on Microsoft Q&A! We invite you to post new questions in the new forum.

    For more information, please refer to the sticky post.

    Monday, July 27, 2020 6:49 AM
  • Hi Lydia,

    Please see details below:

    Get-ExchangeServer | Format-List Name,Edition,AdminDisplayVersion
    
    
    Name                : DOM2-EXH01
    Edition             : StandardEvaluation
    AdminDisplayVersion : Version 15.1 (Build 2044.4)

    Get-ExchangeCertificate -Thumbprint (Get-AuthConfig).CurrentCertificateThumbprint | fl
    
    
    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule,
                         System.Security.AccessControl.CryptoKeyAccessRule,
                         System.Security.AccessControl.CryptoKeyAccessRule,
                         System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : CN=Microsoft Exchange Server Auth Certificate
    NotAfter           : 6/28/2025 2:28:25 AM
    NotBefore          : 7/24/2020 2:28:25 AM
    PublicKeySize      : 2048
    RootCAType         : None
    SerialNumber       : 14839A9471F58CA849DA4EAF0311A576
    Services           : SMTP
    Status             : Valid
    Subject            : CN=Microsoft Exchange Server Auth Certificate
    Thumbprint         : A0F7FB085B2491CD0D037CA6C402072E152B0F11

    Get-MsolServicePrincipalCredential -ServicePrincipalName "00000002-0000-0ff1-ce00-000000000000" -ReturnKeyValues $false
    
    
    Type      : Asymmetric
    Value     :
    KeyId     : aa824af7-969e-46b7-8d5d-0084a3fa3c1a
    StartDate : 2020-07-24 8:28:25 AM
    EndDate   : 2025-06-28 8:28:25 AM
    Usage     : Verify
    
    Type      : Asymmetric
    Value     :
    KeyId     : 07d03e4d-40b2-4e08-a9c7-879b15d82214
    StartDate : 2020-07-24 8:28:25 AM
    EndDate   : 2025-06-28 8:28:25 AM
    Usage     : Verify
    
    Type      : Other
    Value     :
    KeyId     :
    StartDate :
    EndDate   :
    Usage     :

    Tuesday, July 28, 2020 8:38 PM
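The STS error in the question says the key named by the assertion was not found on the service principal. The key is identified by the `x5t` field in the JWT header, which is the base64url-encoded SHA-1 of the signing certificate's DER encoding, i.e. the certificate thumbprint. Decoding it from the logged token request therefore shows which certificate Exchange actually signed with, and that value can be compared with the Get-ExchangeCertificate thumbprint above and with the SHA-1 of each certificate returned by Get-MsolServicePrincipalCredential -ReturnKeyValues $true. The following is an added example in Python, not code from the thread or from Microsoft. The JWT header string and the on-prem thumbprint are copied from the posts above (decoding that header's `x5t` yields A0F7FB085B2491CD0D037CA6C402072E152B0F11, the thumbprint shown in the reply); the payload, signature and tenant placeholder in the sample request are constructed, and treating the credential `Value` as a base64 DER certificate is an assumption.

```python
"""Decode the client assertion from an Exchange outbound OAuth trace and
report which signing certificate it names. Added example; not from the thread."""
import base64
import hashlib
import json
from urllib.parse import parse_qs

# JWT header copied from the Test-OAuthConnectivity trace in the question.
HEADER_B64 = ("eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Im9QZjdDRnNra2MwTkEzeW14"
              "QUlITGhVckR4RSJ9")
# On-prem auth certificate thumbprint from Get-ExchangeCertificate in the reply.
ONPREM_THUMBPRINT = "A0F7FB085B2491CD0D037CA6C402072E152B0F11"
# Masked tenant placeholder, as in the trace (constructed, not a real tenant).
TENANT = "ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ"


def b64url_decode(s: str) -> bytes:
    """Base64url decode, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def assertion_from_request_body(body: str) -> str:
    """Pull the JWT out of the form-encoded token request Exchange logs."""
    return parse_qs(body)["assertion"][0]


def decode_jwt(token: str) -> tuple:
    """Return (header, payload). No signature check: this is a diagnostic,
    the STS is the party that verifies the signature."""
    header_b64, payload_b64, _signature = token.split(".")
    return (json.loads(b64url_decode(header_b64)),
            json.loads(b64url_decode(payload_b64)))


def thumbprint_from_x5t(x5t: str) -> str:
    """x5t is base64url(SHA-1(DER cert)), i.e. the certificate thumbprint."""
    return b64url_decode(x5t).hex().upper()


def thumbprint_from_der(der: bytes) -> str:
    """Thumbprint as Windows shows it: upper-case hex SHA-1 of the DER bytes."""
    return hashlib.sha1(der).hexdigest().upper()


def x5t_from_der(der: bytes) -> str:
    """Expected x5t for a certificate, e.g. the base64-decoded Value from
    Get-MsolServicePrincipalCredential -ReturnKeyValues $true (assumption:
    that Value is the DER certificate)."""
    return b64url_encode(hashlib.sha1(der).digest())


def signing_key_matches(token: str, thumbprint: str) -> bool:
    """True when the assertion was signed with the certificate `thumbprint`."""
    header, _payload = decode_jwt(token)
    return thumbprint_from_x5t(header["x5t"]) == thumbprint.replace(" ", "").upper()


def build_sample_request(header_b64: str = HEADER_B64, tenant: str = TENANT) -> str:
    """Constructed token request in the shape Exchange logs. Only the header
    is from the thread; payload and signature are placeholders."""
    nbf = 1595615949  # nbf decoded from the trace; exp there is nbf + 600
    payload = {
        "iss": f"00000002-0000-0ff1-ce00-000000000000@{tenant}",
        "aud": f"00000001-0000-0000-c000-000000000000/accounts.accesscontrol.windows.net@{tenant}",
        "exp": nbf + 600,
        "nbf": nbf,
    }
    token = ".".join([
        header_b64,
        b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        b64url_encode(b"\x00" * 256),  # dummy RS256 signature, constructed
    ])
    return ("grant_type=http%3a%2f%2foauth.net%2fgrant_type%2fjwt%2f1.0%2fbearer"
            f"&assertion={token}"
            f"&resource=00000002-0000-0ff1-ce00-000000000000%2foutlook.office365.com%40{tenant}")


if __name__ == "__main__":
    body = build_sample_request()
    header, payload = decode_jwt(assertion_from_request_body(body))
    print("alg:", header["alg"], "x5t thumbprint:", thumbprint_from_x5t(header["x5t"]))
    print("lifetime (s):", payload["exp"] - payload["nbf"])
    print("signed with on-prem auth cert:", signing_key_matches(
        assertion_from_request_body(body), ONPREM_THUMBPRINT))
```

When the decoded thumbprint equals the on-prem auth certificate but the STS still answers "key was not found", the certificate on the client side is the expected one and the missing piece is on the service principal: compute `x5t_from_der` over each credential returned with -ReturnKeyValues $true and look for one equal to the header's `x5t`; the -ReturnKeyValues $false output in the reply shows only KeyIds and dates, which cannot be compared with a thumbprint. Note also that the trace contains the complete signed assertion: it is only usable inside the exp minus nbf window (600 seconds here), but the iss and aud claims in the payload carry the tenant ID in clear even when it is masked elsewhere in the log.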
  • Have you run the Hybrid Wizard? No reason to create the OAuth manually really.
    Tuesday, July 28, 2020 9:25 PM
  • Hi Andy,

    We only want to set up OAuth; that's why we did not run the Hybrid Wizard.

    Tuesday, July 28, 2020 9:27 PM
  • As is mentioned in the official document, you have to complete the configuration of your hybrid deployment before configuring OAuth authentication manually.

    Additionally, do you only have Exchange Server 2016 CU17 in your organization? If you don't have legacy servers in your environment, you can configure OAuth authentication when using HCW and there's no need to configure it manually.

    Regards,

    Lydia Zhou


    Wednesday, July 29, 2020 9:18 AM
  • I have completed HCW and manually configured OAuth again as HCW failed to do so.

    Test results from Exchange on-prem to online are successful. However, while testing from Exchange Online to On-prem, they error out:

    Test-OAuthConnectivity -Service EWS -TargetUri https://mail.contoso.com/metadata/json/1 -Mailbox msmith@contoso.com -Verbose | Format-List

    The operation couldn't be performed because object 'msmith@contoso.com' couldn't be found on 'YTBPR01A06DC002.CANPR01A006.PROD.OUTLOOK.COM'.
        + CategoryInfo          : NotSpecified: (:) [Test-OAuthConnectivity], ManagementObjectNotFoundException
        + FullyQualifiedErrorId : [Server=YQXPR01MB3270,RequestId=e0ef3744-da47-4ba0-b3f6-29864928e67c,TimeStamp=7/29/2020 8:50:26 PM] [FailureCategory=Cmdlet-ManagementObjectNotFoundException
       ] AAE3B81E,Microsoft.Exchange.Monitoring.TestOAuthConnectivity
        + PSComputerName        : outlook.office365.com
    

    To validate the above error, I tried to fetch this user and got the results below:

    Get-MsolUser -UserPrincipalName msmith@contoso.com

    UserPrincipalName     DisplayName isLicensed
    -----------------     ----------- ----------
    msmith@contoso.com    Mike Smith  True

    The error seems misleading. Why would the test fail from Online to On-prem?

    Wednesday, July 29, 2020 9:00 PM
  • Is the mailbox msmith@contoso.com created on on-premises Exchange? Was it moved to O365 successfully?

    You can try to create a new O365 mailbox to test the OAuth connectivity again.

    Regards,

    Lydia Zhou


    Thursday, July 30, 2020 9:34 AM
  • [Note] This forum will be locked down; you can continue to post here before 8/10/2020. It is highly recommended to register on the Microsoft Q&A Platform and create a new thread there to continue the discussion.

    Any updates so far? If you have solved your problem, could you share with us? Maybe it will help more people with similar problems. 

    Regards,

    Lydia Zhou


    Friday, August 7, 2020 8:19 AM