Asker
ADFS 3.0 with OWA or ECP Fails

Question
-
Windows Server 2012 R2 (ADFS + Exchange)
Build: AdminDisplayVersion : Version 15.0 (Build 1263.5)
When set up according to: https://technet.microsoft.com/en-us/library/dn635116(v=exchg.150).aspx
Error:
Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 5/10/2017 2:31:40 AM
Event time (UTC): 5/9/2017 6:31:40 PM
Event ID: d6f90872e3d74ecb8f82ac8caf258337
Event sequence: 2
Event occurrence: 1
Event detail code: 0
Application information:
Application domain: /LM/W3SVC/1/ROOT/owa-7-131388282971179591
Trust level: Full
Application Virtual Path: /owa
Application Path: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\
Machine name: MAIL
Process information:
Process ID: 1268
Process name: w3wp.exe
Account name: NT AUTHORITY\SYSTEM
Exception information:
Exception type: AdfsConfigurationException
Exception message: Encryption certificate is absent
at Microsoft.Exchange.Security.Authentication.Utility.GetCertificates()
at Microsoft.Exchange.Security.Authentication.AdfsSessionSecurityTokenHandler.CreateTransforms()
at Microsoft.Exchange.Security.Authentication.AdfsFederationAuthModule.FederatedAuthentication_ServiceConfigurationCreated(Object sender, ServiceConfigurationCreatedEventArgs e)
at Microsoft.IdentityModel.Web.FederatedAuthentication.get_ServiceConfiguration()
at Microsoft.IdentityModel.Web.HttpModuleBase.Init(HttpApplication context)
at System.Web.HttpApplication.RegisterEventSubscriptionsWithIIS(IntPtr appContext, HttpContext context, MethodInfo[] handlers)
at System.Web.HttpApplication.InitSpecial(HttpApplicationState state, MethodInfo[] handlers, IntPtr appContext, HttpContext context)
at System.Web.HttpApplicationFactory.GetSpecialApplicationInstance(IntPtr appContext, HttpContext context)
at System.Web.Hosting.PipelineRuntime.InitializeApplication(IntPtr appContext)
Request information:
Request URL: https://mail.sky.lab:443/owa/
Request path: /owa/
User host address: 192.168.21.1
User:
Is authenticated: False
Authentication Type:
Thread account name: NT AUTHORITY\SYSTEM
Thread information:
Thread ID: 25
Thread account name: NT AUTHORITY\SYSTEM
Is impersonating: False
Stack trace: at Microsoft.Exchange.Security.Authentication.Utility.GetCertificates()
at Microsoft.Exchange.Security.Authentication.AdfsSessionSecurityTokenHandler.CreateTransforms()
at Microsoft.Exchange.Security.Authentication.AdfsFederationAuthModule.FederatedAuthentication_ServiceConfigurationCreated(Object sender, ServiceConfigurationCreatedEventArgs e)
at Microsoft.IdentityModel.Web.FederatedAuthentication.get_ServiceConfiguration()
at Microsoft.IdentityModel.Web.HttpModuleBase.Init(HttpApplication context)
at System.Web.HttpApplication.RegisterEventSubscriptionsWithIIS(IntPtr appContext, HttpContext context, MethodInfo[] handlers)
at System.Web.HttpApplication.InitSpecial(HttpApplicationState state, MethodInfo[] handlers, IntPtr appContext, HttpContext context)
at System.Web.HttpApplicationFactory.GetSpecialApplicationInstance(IntPtr appContext, HttpContext context)
at System.Web.Hosting.PipelineRuntime.InitializeApplication(IntPtr appContext)
Custom event details:
ECP Access
----------------
Server Error in '/ecp' Application.
Runtime Error
Description: An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine.
Details: To enable the details of this specific error message to be viewable on remote machines, please create a <customErrors> tag within a "web.config" configuration file located in the root directory of the current web application. This <customErrors> tag should then have its "mode" attribute set to "Off".
<!-- Web.Config Configuration File -->
<configuration>
    <system.web>
        <customErrors mode="Off"/>
    </system.web>
</configuration>
-----------------------------
OWA ACCESS
https://mail.sky.lab/owa/auth/errorFE.aspx?httpCode=500
All replies
-
- Merged by Allen_WangJF on May 28, 2018, 2:11 as Duplicate
-
Hello,
From the event log I see "Encryption certificate is absent", so I suspect the problem is caused by an error with the ADFS certificates.
ADFS needs two types of certificates: an SSL certificate and an authorization certificate. In addition, the certificates must be imported into the Trusted Root Certification Authorities store on all Exchange, ADFS and reverse proxy servers.
In Exchange, you can run the following command to check the certificates:
Get-OrganizationConfig | Select ADFS*
In ADFS, run the following command to view the certificate:
Get-ADFSCertificate -CertificateType "Token-signing"
For details, see: http://msexchangeguru.com/2017/01/16/secure-owa-ecp-with-mfa/
Note: Some of the links in this post point to third-party, non-Microsoft websites. Microsoft therefore makes no implication or guarantee about their legitimacy, reliability or potential risks; you may decide for yourself whether to visit them. If you have questions about them, please contact the websites directly.
Best regards,
Allen Wang
If the above reply was helpful, please consider marking it as an answer. If you have any suggestions about our forum support, you can contact us at tnsf@microsoft.com.
- Edited by Allen_WangJF on May 28, 2018, 7:09
- Proposed as answer by Allen_WangJF on May 30, 2018, 2:02
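As a follow-up to the two certificate checks in the reply above, here is an added PowerShell script (not from this thread, Microsoft, or the linked article) that cross-checks the AD FS thumbprints Exchange has recorded against the Exchange server's Trusted Root store and, optionally, against the token-signing certificate the AD FS server currently serves. It assumes the Exchange Management Shell on the Exchange server and that the TechNet procedure linked in the question populated AdfsIssuer, AdfsSignCertificateThumbprint and AdfsEncryptCertificateThumbprint; the function name Test-ExchangeAdfsCertificates and the -AdfsServer parameter are names chosen here.

```powershell
# Added example, not from the thread: compare the AD FS thumbprints Exchange has
# recorded with the Exchange server's Trusted Root store and, optionally, with the
# token-signing certificate the AD FS server actually serves.
# Assumes the Exchange Management Shell on the Exchange server; function and
# parameter names are chosen here and are not Exchange or AD FS cmdlets.

function ConvertTo-BareThumbprint {
    param([string]$Thumbprint)
    # Thumbprints pasted from the certificate dialog often carry spaces or a
    # hidden leading character; compare on the bare upper-case hex string.
    ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

function Test-ExchangeAdfsCertificates {
    param([string]$AdfsServer)   # optional: AD FS host reachable via PowerShell remoting
    $cfg = Get-OrganizationConfig
    if (-not $cfg.AdfsIssuer) { Write-Warning 'AdfsIssuer is empty; ADFS auth is not configured' }
    $adfsSigning = @()
    if ($AdfsServer) {
        # Same check the reply runs on the AD FS side, executed remotely.
        $adfsSigning = Invoke-Command -ComputerName $AdfsServer -ScriptBlock {
            Get-AdfsCertificate -CertificateType Token-Signing
        } | ForEach-Object { ConvertTo-BareThumbprint $_.Thumbprint }
    }
    $roles = @(
        @{ Role = 'Token-signing'; Values = @($cfg.AdfsSignCertificateThumbprint) },
        @{ Role = 'Encryption';    Values = @($cfg.AdfsEncryptCertificateThumbprint) }
    )
    foreach ($r in $roles) {
        $values = @($r.Values | ForEach-Object { ConvertTo-BareThumbprint $_ } | Where-Object { $_ })
        if ($values.Count -eq 0) {
            Write-Warning "$($r.Role) thumbprint is not set in OrganizationConfig"
            continue
        }
        foreach ($tp in $values) {
            # The reply says the AD FS certificates must be in Trusted Root CAs on every Exchange server.
            $cert = Get-ChildItem Cert:\LocalMachine\Root |
                    Where-Object { (ConvertTo-BareThumbprint $_.Thumbprint) -eq $tp }
            if (-not $cert) { Write-Warning "$($r.Role) cert $tp missing from Cert:\LocalMachine\Root"; continue }
            if ($cert.NotAfter -lt (Get-Date)) { Write-Warning "$($r.Role) cert $tp expired $($cert.NotAfter)" }
            if ($r.Role -eq 'Token-signing' -and $adfsSigning -and $tp -notin $adfsSigning) {
                Write-Warning "$tp is not a current AD FS token-signing certificate (rollover?)"
            }
            [pscustomobject]@{ Role = $r.Role; Thumbprint = $tp; Subject = $cert.Subject; NotAfter = $cert.NotAfter }
        }
    }
}

Test-ExchangeAdfsCertificates            # add -AdfsServer <adfs host> to cross-check against AD FS
```

A warning for the Encryption role or a thumbprint missing from the Root store is the condition to investigate first, since the logged exception is raised while Exchange loads its ADFS certificates.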
-
Hello,
Has this issue been resolved?
If it has, could you mark the helpful reply as the answer?
Best regards,
Allen Wang
If the above reply was helpful, please consider marking it as an answer. If you have any suggestions about our forum support, you can contact us at tnsf@microsoft.com.
- Edited by Allen_WangJF on June 1, 2018, 1:41
- Proposed as answer by Allen_WangJF on June 6, 2018, 2:39