ADFS 3.0 with OWA or ECP Fails

  • Question

  • Windows server 2012 R2(ADFS + EXCHANGE)

    Build: AdminDisplayVersion : Version 15.0 (Build 1263.5)

    When setup according: https://technet.microsoft.com/en-us/library/dn635116(v=exchg.150).aspx

    Error:

    Event code: 3005
    Event message: An unhandled exception has occurred.
    Event time: 5/10/2017 2:31:40 AM
    Event time (UTC): 5/9/2017 6:31:40 PM
    Event ID: d6f90872e3d74ecb8f82ac8caf258337
    Event sequence: 2
    Event occurrence: 1
    Event detail code: 0
     
    Application information:
        Application domain: /LM/W3SVC/1/ROOT/owa-7-131388282971179591
        Trust level: Full
        Application Virtual Path: /owa
        Application Path: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\
        Machine name: MAIL
     
    Process information:
        Process ID: 1268
        Process name: w3wp.exe
        Account name: NT AUTHORITY\SYSTEM
     
    Exception information:
        Exception type: AdfsConfigurationException
        Exception message: Encryption certificate is absent
       at Microsoft.Exchange.Security.Authentication.Utility.GetCertificates()
       at Microsoft.Exchange.Security.Authentication.AdfsSessionSecurityTokenHandler.CreateTransforms()
       at Microsoft.Exchange.Security.Authentication.AdfsFederationAuthModule.FederatedAuthentication_ServiceConfigurationCreated(Object sender, ServiceConfigurationCreatedEventArgs e)
       at Microsoft.IdentityModel.Web.FederatedAuthentication.get_ServiceConfiguration()
       at Microsoft.IdentityModel.Web.HttpModuleBase.Init(HttpApplication context)
       at System.Web.HttpApplication.RegisterEventSubscriptionsWithIIS(IntPtr appContext, HttpContext context, MethodInfo[] handlers)
       at System.Web.HttpApplication.InitSpecial(HttpApplicationState state, MethodInfo[] handlers, IntPtr appContext, HttpContext context)
       at System.Web.HttpApplicationFactory.GetSpecialApplicationInstance(IntPtr appContext, HttpContext context)
       at System.Web.Hosting.PipelineRuntime.InitializeApplication(IntPtr appContext)

     
     
    Request information:
        Request URL: https://mail.sky.lab:443/owa/
        Request path: /owa/
        User host address: 192.168.21.1
        User:  
        Is authenticated: False
        Authentication Type:  
        Thread account name: NT AUTHORITY\SYSTEM
     
    Thread information:
        Thread ID: 25
        Thread account name: NT AUTHORITY\SYSTEM
        Is impersonating: False
        Stack trace:    at Microsoft.Exchange.Security.Authentication.Utility.GetCertificates()
       at Microsoft.Exchange.Security.Authentication.AdfsSessionSecurityTokenHandler.CreateTransforms()
       at Microsoft.Exchange.Security.Authentication.AdfsFederationAuthModule.FederatedAuthentication_ServiceConfigurationCreated(Object sender, ServiceConfigurationCreatedEventArgs e)
       at Microsoft.IdentityModel.Web.FederatedAuthentication.get_ServiceConfiguration()
       at Microsoft.IdentityModel.Web.HttpModuleBase.Init(HttpApplication context)
       at System.Web.HttpApplication.RegisterEventSubscriptionsWithIIS(IntPtr appContext, HttpContext context, MethodInfo[] handlers)
       at System.Web.HttpApplication.InitSpecial(HttpApplicationState state, MethodInfo[] handlers, IntPtr appContext, HttpContext context)
       at System.Web.HttpApplicationFactory.GetSpecialApplicationInstance(IntPtr appContext, HttpContext context)
       at System.Web.Hosting.PipelineRuntime.InitializeApplication(IntPtr appContext)
     
     
    Custom event details:

    ECP Access----------------

    Server Error in '/ecp' Application.

    Runtime Error

    Description: An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine.

    Details: To enable the details of this specific error message to be viewable on remote machines, please create a <customErrors> tag within a "web.config" configuration file located in the root directory of the current web application. This <customErrors> tag should then have its "mode" attribute set to "Off".
    <!-- Web.Config Configuration File -->
    
    <configuration>
        <system.web>
            <customErrors mode="Off"/>
        </system.web>
    </configuration>

    -----------------------------

    OWA ACCESS

    https://mail.sky.lab/owa/auth/errorFE.aspx?httpCode=500

    May 27, 2018 17:35

All replies

  • Hello,

    Looking at the event log, I see "Encryption certificate is absent", so I suspect the problem is caused by the ADFS certificate.

    ADFS needs two types of certificates: an SSL certificate and an authorization certificate. The certificates also need to be imported into the Trusted Root Certification Authorities store on all Exchange, ADFS and reverse proxy servers.
    In Exchange, you can run the following command to check the certificates.
    Get-OrganizationConfig | Select ADFS*

    In ADFS, run the following command to view the certificate:
    Get-ADFSCertificate -CertificateType "Token-signing"

    For details, please refer to: http://msexchangeguru.com/2017/01/16/secure-owa-ecp-with-mfa/
    Note: Some of the links in this post point to non-Microsoft third-party websites, so Microsoft makes no implication or guarantee regarding their legitimacy, reliability or potential risks; you can decide for yourself whether to visit them. If you have any questions about them, please contact the website concerned directly.

    Best regards,

    Allen Wang



    May 28, 2018 7:08
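As an added troubleshooting check (not from this thread), the script below runs in the Exchange Management Shell on the Exchange server, reads the ADFS settings that Get-OrganizationConfig | Select ADFS* shows, and verifies that every certificate thumbprint Exchange has been configured with is actually present (and not expired) in the LocalMachine certificate stores, which is the condition behind "Encryption certificate is absent". It assumes the thumbprint-valued properties are named Adfs*Thumbprint (as AdfsSignCertificateThumbprint and AdfsEncryptCertificateThumbprint are) and matches them by pattern rather than hard-coding the names.

```powershell
# Added check, not code from the thread. Run in the Exchange Management Shell
# on the Exchange server (the one whose OWA/ECP fails).
$cfg = Get-OrganizationConfig | Select-Object Adfs*
$cfg | Format-List   # AdfsIssuer, AdfsAudienceUris and the thumbprints

# Assumption: every ADFS thumbprint property is named Adfs*Thumbprint.
$thumbProps = $cfg.PSObject.Properties |
    Where-Object { $_.Name -like 'Adfs*Thumbprint' }

# Stores the ADFS module may load the signing/encryption certs from, plus the
# trust stores the reply says the certs must be imported into.
$stores = @('Cert:\LocalMachine\My', 'Cert:\LocalMachine\Root',
            'Cert:\LocalMachine\CA', 'Cert:\LocalMachine\AuthRoot')

foreach ($p in $thumbProps) {
    $tp = [string]$p.Value
    if ([string]::IsNullOrWhiteSpace($tp)) {
        Write-Warning ("{0} is empty: Set-OrganizationConfig was never given this thumbprint" -f $p.Name)
        continue
    }
    # Thumbprints pasted from the MMC often carry spaces or a hidden leading
    # character; keep only the hex digits so the comparison is exact.
    $tp = ($tp -replace '[^0-9A-Fa-f]', '').ToUpper()

    $found = foreach ($s in $stores) {
        Get-ChildItem $s -ErrorAction SilentlyContinue |
            Where-Object { $_.Thumbprint -eq $tp }
    }

    if (-not $found) {
        Write-Warning ("{0} = {1} is NOT in any LocalMachine store on {2}" -f $p.Name, $tp, $env:COMPUTERNAME)
        continue
    }
    foreach ($c in $found) {
        $state = if ($c.NotAfter -lt (Get-Date)) { 'EXPIRED' } else { 'ok' }
        "{0} = {1} found in {2}; subject {3}; expires {4} ({5})" -f `
            $p.Name, $tp, $c.PSParentPath, $c.Subject, $c.NotAfter, $state
    }
}

# To confirm the thumbprints match what ADFS currently uses, run this on the
# ADFS server and compare the primary Token-Signing / Token-Decrypting values
# with the Exchange-side thumbprints printed above:
#   Get-AdfsCertificate -CertificateType Token-Signing,Token-Decrypting |
#       Where-Object IsPrimary | Select-Object CertificateType, Thumbprint
```

A thumbprint that prints as "NOT in any LocalMachine store" is the one to re-export from ADFS and import on the Exchange server; after the ADFS certificates roll over, the Exchange-side thumbprints must be updated with Set-OrganizationConfig as well.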
  • Hello,

    Has this issue been resolved?
    If it has been resolved, could you mark the helpful reply as the answer?

    Best regards,

    Allen Wang



    June 1, 2018 1:41