Trouble configuring ADFS + OWA on Exchange Server 2019 - exchange-server

Overview:
We're trying to configure SSO for OWA on Exchange 2019 server (on-premise), using ADFS. When going to https://mail.domain.com/owa we're experiencing multiple redirects between ADFS and OWA before we get an error in ADFS, followed by an error in the Windows Event logs that says:
Encountered error during federation passive request.
Additional Data
Protocol Name:
wsfed
Relying Party:
https://mail.domain.com/owa/
Exception details:
Microsoft.IdentityServer.Web.InvalidRequestException: MSIS7042: The same client browser session has made '6' requests in the last '0' seconds. Contact your administrator for details.
at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.UpdateLoopDetectionCookie(WrappedHttpListenerContext context)
at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.ProcessCommonCookiesInLastAuthenticationStage(ProtocolContext context)
at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.SendSignInResponse(WSFederationContext context, MSISSignInResponse response)
at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.Process(ProtocolContext context)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
Steps to reproduce:
Install Exchange Server 2019
Install ADFS and configure SSO exactly following the steps outlined on the following article (click here)
Navigate to https://mail.domain.com/owa.
Troubleshooting so far:
Confirmed that ECP and OWA External URLs match the audiences set in PowerShell.
Confirmed that the user I'm attempting to sign in as is able to authenticate using FBA.
Confirmed that OWA is working as expected.
Servers + configuration:
Exchange Server 2019 15.02.0221.017 configured with a self-signed certificate
ADFS 4.0 configured with a self-signed certificate
Question(s):
Where can I go to get the OWA logs detailing why OWA is redirecting back to ADFS?
Is there anything in the above-linked article that's incorrect?

After a bit more testing we found that if we used IE11, the problem went away. The problem only existed for Chrome or Edge Chromium.
We decided to update to Exchange 2019 CU10, and there were no further issues.
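A small triage helper for the event text quoted in the question, added here as an example (not part of the original post and not Microsoft tooling): it pulls the relying party and the MSIS7042 loop counters out of exported AD FS event text and counts loop events per relying party. The function names and the second (/ecp/) event are constructed for illustration.

```python
import re
from collections import Counter

HEADER = "Encountered error during federation passive request."
# Event layout as quoted in the question above, stack trace omitted.
TEMPLATE = HEADER + """
Additional Data
Protocol Name:
wsfed
Relying Party:
{rp}
Exception details:
Microsoft.IdentityServer.Web.InvalidRequestException: MSIS7042: The same client browser session has made '{n}' requests in the last '{s}' seconds. Contact your administrator for details.
"""
# First event uses the question's values; the /ecp/ event is constructed.
SAMPLE = (TEMPLATE.format(rp="https://mail.domain.com/owa/", n=6, s=0)
          + TEMPLATE.format(rp="https://mail.domain.com/ecp/", n=6, s=2))
LOOP = re.compile(r"MSIS7042: .*?made '(\d+)' requests in the last '(\d+)' seconds")

def field(lines, label):
    """Return the line that follows 'label' (the value sits on the next line)."""
    for i, line in enumerate(lines[:-1]):
        if line.strip() == label:
            return lines[i + 1].strip()
    return None

def parse_events(text):
    """Split exported event text on the header line and extract loop details."""
    events = []
    for chunk in text.split(HEADER)[1:]:
        lines = chunk.strip().splitlines()
        code = re.search(r"\b(MSIS\d+):", chunk)
        loop = LOOP.search(chunk)
        events.append({
            "protocol": field(lines, "Protocol Name:"),
            "relying_party": field(lines, "Relying Party:"),
            "code": code.group(1) if code else None,
            "requests": int(loop.group(1)) if loop else None,
            "seconds": int(loop.group(2)) if loop else None,
        })
    return events

def loops_by_relying_party(events):
    """Count redirect-loop events (MSIS7042) per relying party."""
    return Counter(e["relying_party"] for e in events if e["code"] == "MSIS7042")

if __name__ == "__main__":
    for rp, n in loops_by_relying_party(parse_events(SAMPLE)).items():
        print(f"{n} loop event(s) for {rp}")
```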

Related

Not able to capture request response for CRM Dynamics 365 app using Jmeter

While system proxy is set with Jmeter, CRM Dynamics 365 app is prompting for credentials repeatedly until it gives "HTTP 401.1 - Unauthorized: Access is denied" error at last. Without the proxy, users can access the CRM application at ease over browsers. Following steps are already taken, but no luck yet.
Jmeter root certificate is installed
Domain admin credentials are used for login
For authentication, NTLM service provider is set at IIS
Any help is appreciated!
In the recorder's Advanced tab, switch the HTTP request implementation to Java and try again.
If it doesn't work, investigate whether it's NTLM or Kerberos.
Alternatively, you can start authenticating without the proxy set up and, once done, switch the browser to use the JMeter proxy.
You can record test cases over BlazeMeter then import them into JMeter. That worked for me.

Houndify: Web SDK Sample: signed token rejected

I've been away from coding for a few years so excuse the simple nature of this question. I've downloaded the Houndify web sdk and followed instructions to get it running on my local web server (localhost). When running it I get the authentication error "signed token rejected". I've updated the config.json and index.html with my client ID and Key. Any ideas?
Can you check:
if you have activated your account by clicking the link in the email
test the request from the API console from the Client dashboard page
I have had the same error and realized that my account was not activated.

Getting error while fetch the page of ADFS

I have installed ADFS 2.0 on Windows Server 8. When I try to fetch the page (FormsSignIn.aspx), which is under the adfs/ls directory, I get the error below:
There was a problem accessing the site. Try to browse to the site again.
I have checked the logs in Event Viewer and got the message below:
Microsoft.IdentityServer.Protocols.Saml.HttpSamlMessageException: MSIS7015: This request does not contain the expected protocol message or incorrect protocol parameters were found according to the HTTP SAML protocol bindings.
at Microsoft.IdentityServer.Web.HttpSamlMessageFactory.CreateMessage(HttpContext httpContext)
at Microsoft.IdentityServer.Web.FederationPassiveContext.EnsureCurrent(HttpContext context)
I have checked all the possible ways but am not able to resolve this problem.
Please assist.
If you want to utilize Forms authentication in ADFS, you do not access this page directly; rather, you configure the ADFS web.config for forms authn and you claims-enable your application / service provider (SP). The methods for claims-enabling an application can vary depending on the version of Windows Identity Foundation (WIF) used.

Setting up ADFS for Dynamics CRM

I'm in the process of setting up IFD for CRM, and can't get past the internal login part of the claims-based setup. I can browse both the ADFS and CRM metadata. When I try to browse to the internal CRM URL (https://internalcrm3.XXX.com:447/crm2013) I get prompted for credentials to ADFS ("Enter username and password for https://adfs3.xxx.com"). The URL has changed to the ADFS URL (https://adfs3.xxx.com/adfs/ls/wia?....) at this point upon the login failure. There are no errors in the ADFS event log, and I'm not sure where to check for this failure. The CRM site worked prior to me setting up claims-based authentication. I'm using Windows 2012 R2, and I'm running CRM on port 447.
Fiddler shows a 200 from internalcrm3, and a 200 for adfs3 (it shows adfs3 is on 443, but I haven't set up anything in IIS for this, as it's the 2012r2 version of adfs)
If I browse https://adfs3..com/adfs/ls/idpinitiatedsignon, I am prompted and can log in with the same credentials I'm trying above.

How can I know what version of wif is installed on my server

I have a Windows 2008 R2 server; my apps use framework 4.5
<compilation targetFramework="4.5.1">
but suddenly one of my apps stopped authenticating against my authentication app on the same server. Others do, others just don't. The page redirects fine to the auth site and authenticates OK, but on the way back to my app the page shows the error "connection reset" each time I try. I see a warning in the event viewer:
Exception type: HttpException
Exception message: Cannot redirect after HTTP headers have been sent.
If I try this app in another server or local in my computer it authenticates just fine.
So I think it is a matter of the WIF versions installed on the server, but I'm not sure.
Is there any way to know what WIF versions are installed?
Thanks
Solved,
It was due to missing information in the third app's web.config: the certificate information was invalid, so it tried to find a certificate that didn't exist on the server.
