Test-FederationTrust error in Requesting delegation token from the STS

    Question

  • Hello, does anyone have any idea which password has to be changed, and where? The org. relationship test passes almost OK, except the last step #4. We are just trying to debug issues like F/B visibility at a brand new Ex2k10 / O365 hybrid. As one of the debugging steps, we've re-created the federation to the MS gateway and this is our current status.

    Thank you!

    test-OrganizationRelationship -Identity "O365 to On-premises - ********" -UserIdentity ****@****.com

    1: Validating user configuration
    WARNING: The federated domain '*****.com' of the user is in the local organizational relationship which normally only contains the domains of external
    organizations.

    RESULT: Success.
    STEP 2: Getting federation information from remote organization...
    RESULT: Success.
    STEP 3: Validating consistency in returned federation information
    RESULT: Success.
    STEP 4: Requesting delegation token from the STS...
    RESULT: Error.

    LAST STEP: Writing results...

    RunspaceId  : *************
    Identity    :
    Id          : FailureToGetDelegationToken
    Status      : Error
    Description : Failed to get delegation token: <S:Fault xmlns:S="http://www.w3.org/2003/05/soap-envelope"><S:Code><S:Value>S:Sender</S:Value><S:Subcode><S:Value>wst:FailedAuthentication</S:Value></S:Subcode></S:Code><S:Reason><S:Text xml:lang="en-US">Authentication Failure</S:Text></S:Reason><S:Detail><psf:error xmlns:psf="http://schemas.microsoft.com/Passport/SoapServices/SOAPFault"><psf:value>0x80048827</psf:value><psf:internalerror><psf:code>0x80041084</psf:code><psf:text>The password has to be changed.
                  </psf:text></psf:internalerror><psf:flowurl>https://login.microsoftonline.com/login.srf?lc=1033&amp;st=******;seclog=10&amp;ppsit=1</psf:flowurl></psf:error></S:Detail></S:Fault>
                  Microsoft.Exchange.Net.WSTrust.SoapFaultException: Soap fault exception received.
                     at Microsoft.Exchange.Net.WSTrust.SoapClient.Invoke(IEnumerable`1 headers, XmlElement bodyContent)
                     at Microsoft.Exchange.Net.WSTrust.SecurityTokenService.IssueToken(DelegationTokenRequest request, XmlTextWriter debugStream)
                     at Microsoft.Exchange.Management.Sharing.TestOrganizationRelationship.GetDelegationToken().

    Sunday, November 19, 2017 7:48 PM

Answers

  • Self solved. The problem was that AD Connect was not synchronizing passwords. Pass-thru authentication has been working well for logon onto the portal, migrated mailboxes etc., but the org. relationship (incl. free/busy) has been affected. So I have simply enabled that feature and enforced a full sync to the cloud.
    Monday, November 20, 2017 5:19 AM
  • Self solved. The problem was that AD Connect was not synchronizing passwords. Pass-thru authentication has been working well for logon onto the portal, migrated mailboxes etc., but the org. relationship (incl. free/busy) has been affected. So I have simply enabled that feature and enforced a full sync to the cloud.

    Ran into this as well at a customer and this fixed it for us as well. Wrote a blog article on it.

    http://www.shudnow.net/2017/12/01/pass-through-authentication-without-password-hash-synchronization-breaks-online-to-on-premises-freebusy/


    MVP | MCSE:M | MCITP: Enterprise Messaging Administrator | MCTS: OCS + Voice Specialization | http://www.shudnow.net

    Friday, December 01, 2017 4:55 PM

All replies

  • Great, thanks for your sharing.

    Please mark your solution as answer, thanks again for your cooperation.

    Regards,
    Allen Wang


    Please remember to mark the replies as answers if they helped.
    If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Monday, November 20, 2017 9:46 AM
    Moderator
  • @henryl007, would you please mark your reply as answer?
    It can benefit other community members and help them quickly find helpful reference.

    Regards,
    Allen Wang


    Please remember to mark the replies as answers if they helped.
    If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Monday, December 04, 2017 9:46 AM
    Moderator
  • I've had this issue for a couple of weeks and found this blog post at last! When I enabled password sync my free/busy started working! Yay.. Is there any official documentation that password sync needs to be enabled when you use Pass-thru-auth?
    Monday, December 04, 2017 2:11 PM
  • Hi Erik,

    Yes, Pass-thru-auth will work with password hash synchronization to use the same passwords.

    For more information, refer to: 
    Azure Active Directory Pass-through Authentication: Quick start
    Implement password synchronization with Azure AD Connect sync

    Regards,
    Allen Wang


    Please remember to mark the replies as answers if they helped.
    If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Wednesday, December 06, 2017 3:00 AM
    Moderator
  • I opened a case when I ran into this and Microsoft created a KB:

    https://support.microsoft.com/en-gb/help/4056251/free-busy-lookup-fails-from-exchange-on-premises-to-exchange-online

    They mention to do the following:

    Set-MsolUserPassword -UserPrincipalName user@domain.com -ForceChangePassword $false

    I'm not sure if this can be done beforehand or if it has to be done after the fact.  The environment that I experienced this at has already enabled password hash synchronization as an optional feature to pass-through authentication.  Because of that, I can't currently try this.


    MVP | MCSE:M | MCITP: Enterprise Messaging Administrator | MCTS: OCS + Voice Specialization | http://www.shudnow.net

    Monday, December 11, 2017 9:30 PM
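The STS fault in the original question is a SOAP 1.2 fault with a Passport (psf) detail block, and the useful signal is buried in the Description string. The following is an added triage helper, not code from this thread or from Microsoft: it pulls the `<S:Fault>` element out of the cmdlet's Description text, reads the wst subcode and the psf internal error, and maps the combination seen here (wst:FailedAuthentication with psf code 0x80041084, "The password has to be changed.") to the checks the thread arrived at (Azure AD Connect password hash sync, then the `Set-MsolUserPassword -ForceChangePassword $false` step from the KB). The sample Description is the one posted in the question, with the masked values left as posted; the function and field names are this example's own.

```python
"""Triage the STS SOAP fault printed by Test-OrganizationRelationship (added example)."""
import re
import xml.etree.ElementTree as ET

# Namespaces used by the fault: SOAP 1.2 envelope and the Passport SOAP fault detail.
NS = {
    "S": "http://www.w3.org/2003/05/soap-envelope",
    "psf": "http://schemas.microsoft.com/Passport/SoapServices/SOAPFault",
}

# Constructed sample: the Description field from the thread's output, values masked as in the post.
SAMPLE_DESCRIPTION = (
    "Failed to get delegation token: "
    '<S:Fault xmlns:S="http://www.w3.org/2003/05/soap-envelope">'
    "<S:Code><S:Value>S:Sender</S:Value>"
    "<S:Subcode><S:Value>wst:FailedAuthentication</S:Value></S:Subcode></S:Code>"
    '<S:Reason><S:Text xml:lang="en-US">Authentication Failure</S:Text></S:Reason>'
    '<S:Detail><psf:error xmlns:psf="http://schemas.microsoft.com/Passport/SoapServices/SOAPFault">'
    "<psf:value>0x80048827</psf:value>"
    "<psf:internalerror><psf:code>0x80041084</psf:code>"
    "<psf:text>The password has to be changed.\n</psf:text></psf:internalerror>"
    "<psf:flowurl>https://login.microsoftonline.com/login.srf?lc=1033&amp;st=******;seclog=10&amp;ppsit=1</psf:flowurl>"
    "</psf:error></S:Detail></S:Fault>\n"
    "Microsoft.Exchange.Net.WSTrust.SoapFaultException: Soap fault exception received."
)


def extract_fault(description):
    """Return the <S:Fault> element embedded in the Description text, or None if absent."""
    m = re.search(r"<S:Fault\b.*?</S:Fault>", description, re.DOTALL)
    if not m:
        return None
    return ET.fromstring(m.group(0))


def parse_fault(description):
    """Parse the fault into a flat dict of the fields worth looking at; None if no fault."""
    root = extract_fault(description)
    if root is None:
        return None

    def text(path):
        el = root.find(path, NS)
        return el.text.strip() if el is not None and el.text else None

    return {
        "code": text("S:Code/S:Value"),
        "subcode": text("S:Code/S:Subcode/S:Value"),
        "reason": text("S:Reason/S:Text"),
        "psf_value": text("S:Detail/psf:error/psf:value"),
        "internal_code": text("S:Detail/psf:error/psf:internalerror/psf:code"),
        "internal_text": text("S:Detail/psf:error/psf:internalerror/psf:text"),
    }


def triage(fault):
    """Map a parsed fault to the next check, following what this thread established."""
    if fault is None:
        return "no SOAP fault in Description; not an STS authentication failure"
    if fault["subcode"] == "wst:FailedAuthentication" and fault["internal_code"] == "0x80041084":
        return (
            "STS rejected the federated user with 'password has to be changed': confirm Azure AD Connect "
            "password hash sync is enabled and a full sync has completed, then clear the flag with "
            "Set-MsolUserPassword -UserPrincipalName <user> -ForceChangePassword $false"
        )
    if fault["subcode"] == "wst:FailedAuthentication":
        return "STS authentication failure with another internal code; read psf:text: %s" % fault["internal_text"]
    return "unhandled fault %s / %s" % (fault["code"], fault["subcode"])


if __name__ == "__main__":
    parsed = parse_fault(SAMPLE_DESCRIPTION)
    print(parsed)
    print(triage(parsed))
```

To use it against a live run, paste the Description value of the result whose Id is FailureToGetDelegationToken into `parse_fault`; a Success result has no fault and `triage` says so rather than guessing.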