Exchange 2010 Federation OrgRelationship 401 unauthorized
Hi, we successfully set up a FederationTrust.

RunspaceId : f7e5b393-93cd-4ed5-b07a-39c7d0baaa44
Id : FederationTrustConfiguration
Type : Success
Message : FederationTrust object in ActiveDirectory is valid.

RunspaceId : f7e5b393-93cd-4ed5-b07a-39c7d0baaa44
Id : FederationMetadata
Type : Success
Message : The federation trust contains the same certificates published by the security token service in its federation metadata.

RunspaceId : f7e5b393-93cd-4ed5-b07a-39c7d0baaa44
Id : StsCertificate
Type : Success
Message : Valid certificate referenced by property TokenIssuerCertificate in the FederationTrust object.

RunspaceId : f7e5b393-93cd-4ed5-b07a-39c7d0baaa44
Id : StsPreviousCertificate
Type : Success
Message : Valid certificate referenced by property TokenIssuerPrevCertificate in the FederationTrust object.

RunspaceId : f7e5b393-93cd-4ed5-b07a-39c7d0baaa44
Id : OrganizationCertificate
Type : Success
Message : Valid certificate referenced by property OrgPrivCertificate in the FederationTrust object.

RunspaceId : f7e5b393-93cd-4ed5-b07a-39c7d0baaa44
Id : OrganizationPreviousCertificate
Type : Success
Message : Valid certificate referenced by property OrgPrevPrivCertificate in the FederationTrust object.

RunspaceId : f7e5b393-93cd-4ed5-b07a-39c7d0baaa44
Id : TokenRequest
Type : Success
Message : Request for delegation token succeeded.

RunspaceId : f7e5b393-93cd-4ed5-b07a-39c7d0baaa44
Id : TokenValidation
Type : Success
Message : Requested delegation token is valid.

I also created an OrgRelationship for our PartnerCompany. When I start the test-organizationrelationship cmdlet I get an error "401 Unauthorized". The partner TMG doesn't block these requests. We see in the TMG logs that the traffic is allowed. The error comes directly from the partner Exchange 2010 server. The WebSites /Autodiscover and /EWS are set to {Basic, Ntlm, WindowsIntegrated, WSSecurity} and also Anonymous Auth is enabled.

VERBOSE: [14:40:14.592 GMT] Test-OrganizationRelationship : Active Directory session settings for 'Test-OrganizationRelationship' are: View Entire Forest: 'False', Default Scope: 'ttcon.local', Configuration Domain Controller: 'DC02.ourownintdomain.local', Preferred Global Catalog: 'DC01.ourownintdomain.local', Preferred Domain Controllers: '{ TTEL-DC01.ttcon.local }'
VERBOSE: [14:40:14.592 GMT] Test-OrganizationRelationship : Runspace context: Executing user: intdomain.local/Company/Department/Schmidtke, Jrg (Domainadmin), Executing user organization: , Current organization: , RBAC-enabled: Enabled.
VERBOSE: [14:40:14.592 GMT] Test-OrganizationRelationship : Beginning processing &
VERBOSE: [14:40:14.592 GMT] Test-OrganizationRelationship : Instantiating handler with index 0 for cmdlet extension agent "Admin Audit Log Agent".
VERBOSE: [14:40:14.592 GMT] Test-OrganizationRelationship : Current ScopeSet is: { Recipient Read Scope: {{, }}, Recipient Write Scopes: {{, }}, Configuration Read Scope: {{, }}, Configuration Write Scope(s): {{, }, }, Exclusive Recipient Scope(s): {}, Exclusive Configuration Scope(s): {} }
VERBOSE: [14:40:14.592 GMT] Test-OrganizationRelationship : Searching objects "jschmidtke@extdomain.de" of type "ADUser" under the root "$null".
VERBOSE: [14:40:14.608 GMT] Test-OrganizationRelationship : Previous operation run on global catalog server 'DC01.intdomain.local'.
VERBOSE: [14:40:14.608 GMT] Test-OrganizationRelationship : Searching objects "agens" of type "OrganizationRelationship" under the root "$null".
VERBOSE: [14:40:14.608 GMT] Test-OrganizationRelationship : Previous operation run on domain controller 'DC02.intdomain.local'.
VERBOSE: Test that organization relationships are properly configured.
VERBOSE: [14:40:14.608 GMT] Test-OrganizationRelationship : Resolved current organization: .
VERBOSE: [14:40:14.623 GMT] Test-OrganizationRelationship : Calling the Microsoft Exchange Autodiscover service for the remote federation information.
VERBOSE: [14:40:14.858 GMT] Test-OrganizationRelationship : The Microsoft Exchange Autodiscover service failed to be called at 'https://mail.federatedpartner.de/EWS/Exchange.asmx' because the following error occurred:
Exception: Microsoft.Exchange.SoapWebClient.GetFederationInformationException: Discovery for domain partnerdomain.com failed. ---> System.Net.WebException: The request failed with HTTP status 401: Unauthorized.
   at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
   at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
   at Microsoft.Exchange.SoapWebClient.CustomSoapHttpClientProtocol.<>c__DisplayClass4.<Invoke>b__3()
   at Microsoft.Exchange.SoapWebClient.HttpAuthenticator.NoHttpAuthenticator.AuthenticateAndExecute[T](SoapHttpClientProtocol client, AuthenticateAndExecuteHandler`1 handler)
   at Microsoft.Exchange.SoapWebClient.SoapHttpClientAuthenticator.AuthenticateAndExecute[T](SoapHttpClientProtocol client, AuthenticateAndExecuteHandler`1 handler)
   at Microsoft.Exchange.SoapWebClient.AutoDiscover.DefaultBinding_Autodiscover.GetFederationInformation(GetFederationInformationRequest Request)
   at Microsoft.Exchange.SoapWebClient.GetFederationInformationClient.<>c__DisplayClass6.<Endpoint>b__5(DefaultBinding_Autodiscover binding)
   at Microsoft.Exchange.SoapWebClient.AutodiscoverClient.<>c__DisplayClassf.<InvokeAndFollowSecureRedirects>b__c(IWebProxy webProxy)
   at Microsoft.Exchange.SoapWebClient.AutodiscoverClient.InvokeWithWebProxy(String url, InvokeWithWebProxyDelegate invokeWithWebProxy)
   at Microsoft.Exchange.SoapWebClient.AutodiscoverClient.InvokeAndFollowSecureRedirects(InvokeDelegate invokeDelegate, Uri url)
   at Microsoft.Exchange.SoapWebClient.AutodiscoverClient.InvokeForUrl(InvokeDelegate invokeDelegate, Uri url)
   --- End of inner exception stack trace ---
WebException.Response = <cannot read response stream>
Exception: System.Net.WebException: The request failed with HTTP status 401: Unauthorized.
   at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
   at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
   at Microsoft.Exchange.SoapWebClient.CustomSoapHttpClientProtocol.<>c__DisplayClass4.<Invoke>b__3()
   at Microsoft.Exchange.SoapWebClient.HttpAuthenticator.NoHttpAuthenticator.AuthenticateAndExecute[T](SoapHttpClientProtocol client, AuthenticateAndExecuteHandler`1 handler)
   at Microsoft.Exchange.SoapWebClient.SoapHttpClientAuthenticator.AuthenticateAndExecute[T](SoapHttpClientProtocol client, AuthenticateAndExecuteHandler`1 handler)
   at Microsoft.Exchange.SoapWebClient.AutoDiscover.DefaultBinding_Autodiscover.GetFederationInformation(GetFederationInformationRequest Request)
   at Microsoft.Exchange.SoapWebClient.GetFederationInformationClient.<>c__DisplayClass6.<Endpoint>b__5(DefaultBinding_Autodiscover binding)
   at Microsoft.Exchange.SoapWebClient.AutodiscoverClient.<>c__DisplayClassf.<InvokeAndFollowSecureRedirects>b__c(IWebProxy webProxy)
   at Microsoft.Exchange.SoapWebClient.AutodiscoverClient.InvokeWithWebProxy(String url, InvokeWithWebProxyDelegate invokeWithWebProxy)
   at Microsoft.Exchange.SoapWebClient.AutodiscoverClient.InvokeAndFollowSecureRedirects(InvokeDelegate invokeDelegate, Uri url)
   at Microsoft.Exchange.SoapWebClient.AutodiscoverClient.InvokeForUrl(InvokeDelegate invokeDelegate, Uri url)

What can be the problem? Thanks in advance!

Kind regards
Joerg
February 21st, 2012 9:51am

I also created an OrgRelationship for our PartnerCompany. When I start the test-organizationrelationship cmdlet I get an error "401 Unauthorized". The partner TMG doesn't block these requests. We see in the TMG logs that the traffic is allowed. The error comes directly from the partner Exchange 2010 server. The WebSites /Autodiscover and /EWS are set to {Basic, Ntlm, WindowsIntegrated, WSSecurity} and also Anonymous Auth is enabled.

Hi Joerg,

You run the test-organizationrelationship cmdlet and get an error "401 Unauthorized", but what's the meaning of "the error come directly from the PartnerExchange 2010 Server."? Do you run the cmdlet on your partner's Exchange server? What's the cmdlet output on your server?

Please make sure you and your partner created the relationship following this TechNet document first:
Configure Federated Delegation
http://technet.microsoft.com/en-us/library/ff601760.aspx

Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

Frank Wang
TechNet Community Support
February 23rd, 2012 12:35am


Hi Frank,

sorry for the unclear information. I ran the test-organizationrelationship cmdlet on my Exchange server and the output/response is from the partner Exchange server. When the partner ran this cmdlet, they got the same error on their Exchange. We have created your org-relationships exactly like it's described in the article.

Kind regards
Joerg
February 23rd, 2012 3:39am


Hello Joerg,

As per the error log that you mentioned, it seems like we are not able to browse the EWS URL 'https://mail1.agensgruppe.de/EWS/Exchange.asmx'. What happens if you try to manually browse the URL? When I tried to browse it, I am getting 403 forbidden. Also get us the Get-organizationrelationship | FL output from both ends.
February 28th, 2012 2:56am


Hi,

access to https://mail1.federatedpartner.de/EWS/Exchange.asmx is only allowed from our IP address on our partner's TMG; likewise, on our TMG only the partner's IP is allowed to access our https://mail.extdomain.de/EWS/Exchange.asmx.

When I browse https://mail1.federatedpartner.de/EWS/Exchange.asmx in IE from my Exchange CAS, I get an authentication dialog, and when I enter my credentials I get the XML successfully. When I enter no credentials I get a blank page.

My get-organizationrelationship | fl output:

RunspaceId : 5917db66-571f-4ac6-a0ec-da497c6451c6
DomainNames : {federatedpartner.com}
FreeBusyAccessEnabled : True
FreeBusyAccessLevel : LimitedDetails
FreeBusyAccessScope :
MailboxMoveEnabled : False
DeliveryReportEnabled : False
MailTipsAccessEnabled : False
MailTipsAccessLevel : None
MailTipsAccessScope :
TargetApplicationUri : mail1.federatedpartner.de
TargetSharingEpr :
TargetOwaURL : https://mail.federatedpartner.de/owa
TargetAutodiscoverEpr : https://mail1.federatedpartner.de/EWS/Exchange.asmx
OrganizationContact :
Enabled : True
ArchiveAccessEnabled : False
AdminDisplayName :
ExchangeVersion : 0.10 (14.0.100.0)
Name : Agens
DistinguishedName : CN=federatedpartner,CN=Federation,CN=Company Name,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=intdomain,DC=local
Identity : Agens
Guid : 73f16f45-748a-474b-92ab-849383791ca0
ObjectCategory : intdomain.local/Configuration/Schema/ms-Exch-Fed-Sharing-Relationship
ObjectClass : {top, msExchFedSharingRelationship}
WhenChanged : 21.02.2012 15:40:08
WhenCreated : 06.02.2012 22:18:20
WhenChangedUTC : 21.02.2012 14:40:08
WhenCreatedUTC : 06.02.2012 21:18:20
OrganizationId :
OriginatingServer : DC02.intdomain.local
IsValid : True

federatedpartner get-organizationrelationship | fl output:

RunspaceId : 834e7ef2-0f02-415d-bf33-f2ab00ffda20
DomainNames : {companyname.de}
FreeBusyAccessEnabled : True
FreeBusyAccessLevel : AvailabilityOnly
FreeBusyAccessScope :
MailboxMoveEnabled : False
DeliveryReportEnabled : False
MailTipsAccessEnabled : False
MailTipsAccessLevel : None
MailTipsAccessScope :
TargetApplicationUri : mail.extdomain.de
TargetSharingEpr :
TargetOwaURL : https://mail.extdomain.de/owa
TargetAutodiscoverEpr : https://mail.extdomain.de/EWS/Exchange.asmx
OrganizationContact :
Enabled : True
ArchiveAccessEnabled : False
AdminDisplayName :
ExchangeVersion : 0.10 (14.0.100.0)
Name : TopTech
DistinguishedName : CN=CompanyName,CN=Federation,CN=Federatedpartner,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=federatedpartnerintdomain,DC=local
Identity : CompanyName
Guid : 684612e9-27b5-4549-bb5e-d420bf40d216
ObjectCategory : federatedpartnerintdomain.local/Configuration/Schema/ms-Exch-Fed-Sharing-Relationship
ObjectClass : {top, msExchFedSharingRelationship}
WhenChanged : 10.02.2012 16:21:01
WhenCreated : 01.02.2012 16:33:00
WhenChangedUTC : 10.02.2012 15:21:01
WhenCreatedUTC : 01.02.2012 15:33:00
OrganizationId :
OriginatingServer : DC01.federatedpartnerindomain.local
IsValid : True

Kind regards
Joerg
February 28th, 2012 12:52pm

Hello Joerg,

I only see the FL from your end and don't see the FL of the other. The other question is how the organization relationship was created (was it manually created, or did you use Autodiscover to create it?). Because if you look at the output, you should see that TargetAutodiscoverEpr will be filled with the Autodiscover URL, not the EWS URL. Also, the EWS URL will be populated in TargetSharingEpr.

If you have manually created it, remove the org relationship and do it using Autodiscover. Also run this command on both ends and get us the output:

get-federationinformation -domainname "Name of the domain" -verbose
February 29th, 2012 6:22am
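
Added example (not part of any post in this thread, and not Microsoft's code): a PowerShell check for the point made in the reply above, that TargetAutodiscoverEpr should hold the Autodiscover URL and that the EWS URL belongs in TargetSharingEpr. The function name Test-OrgRelationshipEndpoint is hypothetical and the two sample objects are constructed from values posted in the thread; in the Exchange Management Shell the input would come from Get-OrganizationRelationship.

```powershell
# Added example. Written for Windows PowerShell 2.0, which the Exchange 2010
# Management Shell uses. Test-OrgRelationshipEndpoint is a hypothetical helper
# name, not an Exchange cmdlet.
function Test-OrgRelationshipEndpoint {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [psobject]$Relationship
    )
    process {
        $findings = @()

        # 1. TargetAutodiscoverEpr: absolute HTTPS URL under /autodiscover/.
        $auto = [string]$Relationship.TargetAutodiscoverEpr
        $uri  = $null
        if ([string]::IsNullOrEmpty($auto)) {
            $findings += 'TargetAutodiscoverEpr is empty'
        }
        elseif (-not [Uri]::TryCreate($auto, [UriKind]::Absolute, [ref]$uri)) {
            $findings += "TargetAutodiscoverEpr is not an absolute URL: $auto"
        }
        else {
            if ($uri.Scheme -ne 'https') {
                $findings += "TargetAutodiscoverEpr is not HTTPS: $auto"
            }
            # -like / -notlike are case-insensitive in PowerShell.
            if ($uri.AbsolutePath -like '/EWS/*') {
                $findings += 'TargetAutodiscoverEpr holds the EWS URL; the Autodiscover URL belongs here'
            }
            elseif ($uri.AbsolutePath -notlike '/autodiscover/*') {
                $findings += "TargetAutodiscoverEpr path is not under /autodiscover/: $($uri.AbsolutePath)"
            }
        }

        # 2. TargetSharingEpr: may be empty; if it is set it should be the EWS URL.
        $sharing = [string]$Relationship.TargetSharingEpr
        $suri    = $null
        if (-not [string]::IsNullOrEmpty($sharing)) {
            if (-not [Uri]::TryCreate($sharing, [UriKind]::Absolute, [ref]$suri)) {
                $findings += "TargetSharingEpr is not an absolute URL: $sharing"
            }
            elseif ($suri.Scheme -ne 'https' -or $suri.AbsolutePath -notlike '/EWS/*') {
                $findings += "TargetSharingEpr is set but is not an HTTPS EWS URL: $sharing"
            }
        }

        # 3. TargetApplicationUri: the delegation token is requested for this value.
        if ([string]::IsNullOrEmpty([string]$Relationship.TargetApplicationUri)) {
            $findings += 'TargetApplicationUri is empty'
        }

        New-Object psobject -Property @{
            Name     = $Relationship.Name
            Ok       = ($findings.Count -eq 0)
            Findings = $findings
        } | Select-Object Name, Ok, Findings
    }
}

# Constructed sample objects using values posted in the thread.
# On a real server: Get-OrganizationRelationship | Test-OrgRelationshipEndpoint
$samples = @(
    (New-Object psobject -Property @{
        Name                  = 'Agens (as first posted)'
        TargetAutodiscoverEpr = 'https://mail1.federatedpartner.de/EWS/Exchange.asmx'
        TargetSharingEpr      = ''
        TargetApplicationUri  = 'mail1.federatedpartner.de'
    }),
    (New-Object psobject -Property @{
        Name                  = 'Agens (Autodiscover URL set)'
        TargetAutodiscoverEpr = 'https://autodiscover.federatedpartnerdomain.de/autodiscover/autodiscover.svc'
        TargetSharingEpr      = ''
        TargetApplicationUri  = 'mail1.federatedpartner.de'
    })
)

$samples | Test-OrgRelationshipEndpoint | Format-List
```

The first sample is reported with one finding (EWS URL in TargetAutodiscoverEpr); the second passes the endpoint checks, which says nothing yet about whether the delegation token request will succeed.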


Hi,

I got the output from our partner today, sorry for the delay; I put it in my last post. Yes, you are right, we must create the OrgRelationships manually on both sides.

My get-federationinformation -domainname "Name of the domain" -verbose:

[PS] C:\Windows\system32>get-federationinformation -domainname federatedparnter.com -verbose
VERBOSE: [15:42:02.045 GMT] Get-FederationInformation : Active Directory session settings for 'Get-FederationInformation' are: View Entire Forest: 'False', Default Scope: 'ourintdomain.local', Configuration Domain Controller: 'DC01.ourintdomain.local', Preferred Global Catalog: 'dc02.ourintdomain.local', Preferred Domain Controllers: '{ dc02.ourintdomain.local }'
VERBOSE: [15:42:02.045 GMT] Get-FederationInformation : Runspace context: Executing user: ourintdomain.local/CompanyName/Department/Schmidtke, Jrg (Domainadmin), Executing user organization: , Current organization: , RBAC-enabled: Enabled.
VERBOSE: [15:42:02.045 GMT] Get-FederationInformation : Beginning processing &
VERBOSE: [15:42:02.045 GMT] Get-FederationInformation : Current ScopeSet is: { Recipient Read Scope: {{, }}, Recipient Write Scopes: {{, }}, Configuration Read Scope: {{, }}, Configuration Write Scope(s): {{, }, }, Exclusive Recipient Scope(s): {}, Exclusive Configuration Scope(s): {} }
VERBOSE: [15:42:02.045 GMT] Get-FederationInformation : Resolved current organization: .
VERBOSE: [15:42:02.061 GMT] Get-FederationInformation : Using the following trusted host names: *.outlook.com.
VERBOSE: [15:42:03.030 GMT] Get-FederationInformation : The discovery process returned the following results:
Type=Failure;Url=https://autodiscover.federatedparnter.com/autodiscover/autodiscover.svc;Exception=Discovery for domain federatedparnter.com failed.;Details=(Type=Failure;Url=https://autodiscover.federatedparnter.com/autodiscover/autodiscover.svc;Exception=The request failed with HTTP status 401: Unauthorized ( The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator. ).;);
Type=Failure;Url=https://federatedparnter.com/autodiscover/autodiscover.svc;Exception=Discovery for domain federatedparnter.com failed.;Details=(Type=Failure;Url=https://federatedparnter.com/autodiscover/autodiscover.svc;Exception=The underlying connection was closed: An unexpected error occurred on a send.;);
Type=Failure;Url=http://autodiscover.federatedparnter.com/autodiscover/autodiscover.xml;Exception=Discovery for domain federatedparnter.com failed.;Details=(Type=Failure;Url=http://autodiscover.federatedparnter.com/autodiscover/autodiscover.xml;RedirectUrl=https://autodiscover.federatedparnter.com/autodiscover/autodiscover.xml;Alternate=(Type=Failure;Url=https://autodiscover.federatedparnter.com/autodiscover/autodiscover.svc;Exception=The request failed with HTTP status 401: Unauthorized ( The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator. ).;););
Type=Failure;Url=http://federatedparnter.com/autodiscover/autodiscover.xml;Exception=Discovery for domain federatedparnter.com failed.;Details=(Type=Failure;Url=http://federatedparnter.com/autodiscover/autodiscover.xml;Exception=Unexpected status code in response: MovedPermanently.;); .
Federation information could not be received from the external organization.
+ CategoryInfo : NotSpecified: (:) [Get-FederationInformation], GetFederationInformationFailedException
+ FullyQualifiedErrorId : ABBC82A4,Microsoft.Exchange.Management.SystemConfigurationTasks.GetFederationInformation
VERBOSE: [15:42:03.061 GMT] Get-FederationInformation : Ending processing &

Here is the output of get-federationinformation from my partner:

[PS] C:\Windows\system32>get-federationinformation -domainname "ourexternaldomain.de" -verbose
VERBOSE: [15:38:03.106 GMT] Get-FederationInformation : Active Directory session settings for 'Get-FederationInformation' are: View Entire Forest: 'False', Default Scope: 'partnerintdomain.local', Configuration Domain Controller: 'DC02.partnerintdomain.local', Preferred Global Catalog: 'DC02.partnerintdomain.local', Preferred Domain Controllers: '{ DC02.partnerintdomain.local }'
VERBOSE: [15:38:03.106 GMT] Get-FederationInformation : Runspace context: Executing user: partnerintdomain.local/Department/Admin/UserAdmin, Executing user organization: , Current organization: ,RBAC-enabled: Enabled.
VERBOSE: [15:38:03.106 GMT] Get-FederationInformation : Beginning processing &
VERBOSE: [15:38:03.106 GMT] Get-FederationInformation : Current ScopeSet is: { Recipient Read Scope: {{, }}, Recipient Write Scopes: {{, }}, Configuration Read Scope: {{, }}, Configuration Write Scope(s): {{, }, }, Exclusive Recipient Scope(s): {}, Exclusive Configuration Scope(s): {} }
VERBOSE: [15:38:03.106 GMT] Get-FederationInformation : Resolved current organization: .
VERBOSE: [15:38:03.106 GMT] Get-FederationInformation : Using the following trusted host names: *.outlook.com.
VERBOSE: [15:38:04.012 GMT] Get-FederationInformation : The discovery process returned the following results:
Type=Failure;Url=https://autodiscover.ourexternaldomain.de/autodiscover/autodiscover.svc;Exception=Discovery for domain ourexternaldomain.de failed.;Details=(Type=Failure;Url=https://autodiscover.ourexternaldomain.de/autodiscover/autodiscover.svc;Exception=The request failed with HTTP status 401: Unauthorized ( The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator. ).;);
Type=Failure;Url=https://ourexternaldomain.de/autodiscover/autodiscover.svc;Exception=Discovery for domain ourexternaldomain.de failed.;Details=(Type=Failure;Url=https://ourexternaldomain.de/autodiscover/autodiscover.svc;Exception=The request failed with HTTP status 401: Unauthorized ( The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator. ).;);
Type=Failure;Url=http://autodiscover.ourexternaldomain.de/autodiscover/autodiscover.xml;Exception=Discovery for domain ourexternaldomain.de failed.;Details=(Type=Failure;Url=http://autodiscover.ourexternaldomain.de/autodiscover/autodiscover.xml;RedirectUrl=https://autodiscover.ourexternaldomain.de/autodiscover/autodiscover.xml;Alternate=(Type=Failure;Url=https://autodiscover.ourexternaldomain.de/autodiscover/autodiscover.svc;Exception=The request failed with HTTP status 401: Unauthorized ( The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator. ).;););
Type=Failure;Url=http://ourexternaldomain.de/autodiscover/autodiscover.xml;Exception=Discovery for domain ourexternaldomain.de failed.;Details=(Type=Failure;Url=http://ourexternaldomain.de/autodiscover/autodiscover.xml;RedirectUrl=https://mail.ourexternaldomain.de/autodiscover/autodiscover.xml;Alternate=(Type=Failure;Url=https://mail.ourexternaldomain.de/autodiscover/autodiscover.svc;Exception=The request failed with HTTP status 401: Unauthorized ( The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator. ).;);); .
Federation information could not be received from the external organization.
+ CategoryInfo : NotSpecified: (:) [Get-FederationInformation], GetFederationInformationFailedException
+ FullyQualifiedErrorId : A9A4DB75,Microsoft.Exchange.Management.SystemConfigurationTasks.GetFederationInformation
VERBOSE: [15:38:04.012 GMT] Get-FederationInformation : Ending processing &

Kind regards
Joerg
February 29th, 2012 10:38am

Hello Joerg,

I see from the output we are getting failed...

Type=Failure;Url=http://autodiscover.federatedparnter.com/autodiscover/autodiscover.xml;Exception=Discovery for domain federatedparnter.com failed.;Details=(Type=Failure;Url=http://autodiscover.federatedparnter.com/autodiscover/autodiscover.xml;RedirectUrl=https://autodiscover.federatedparnter.com/autodiscover/autodiscover.xml;Alternate=(Type=Failure;Url=https://autodiscover.federatedparnter.com/autodiscover/autodiscover.svc;Exception=The request failed with HTTP status 401: Unauthorized ( The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator. ).;););

So we are getting an authentication error when browsing the URL. We have seen issues where the TMG does not have a rule set to allow all for Autodiscover and EWS. Also make sure it is not asking for authentication in the TMG. Update me if you find anything on the TMG lines.
March 4th, 2012 9:07am
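
Added example (not part of any post in this thread, and not Exchange code): a PowerShell parser for the "discovery process returned the following results" string quoted above. It reduces the string to one row per attempted URL with the innermost failure cause, so a 401 answered in front of Autodiscover stands apart from connection and redirect failures. The function name ConvertFrom-DiscoveryResult is hypothetical, and the sample string is constructed in the thread's format with the placeholder domain partner.example.

```powershell
# Added example. Written for Windows PowerShell 2.0 (Exchange 2010 Management Shell).
# ConvertFrom-DiscoveryResult is a hypothetical helper name, not an Exchange cmdlet.
function ConvertFrom-DiscoveryResult {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Text
    )

    # Top-level attempts are separated by ";" plus whitespace before the next "Type=".
    # Nested Details=(...) and Alternate=(...) blocks never contain that separator.
    $entries = [regex]::Split($Text, ';\s+(?=Type=)')

    foreach ($entry in $entries) {
        if ($entry -match '^\s*Type=(\w+);') { $type = $Matches[1] } else { continue }

        # "Url=" but not "RedirectUrl=": the first hit is the URL that was tried,
        # the last hit is the URL that produced the final error.
        $urls = [regex]::Matches($entry, '(?<![A-Za-z])Url=([^;]+)')
        if ($urls.Count -eq 0) { continue }
        $redirect = [regex]::Match($entry, 'RedirectUrl=([^;]+)')

        # The last Exception= field is the innermost cause.
        $causes = [regex]::Matches($entry, 'Exception=([^;]+)')
        $cause  = ''
        if ($causes.Count -gt 0) {
            $cause = $causes[$causes.Count - 1].Groups[1].Value.Trim()
        }

        $status = $null
        if ($cause -match 'HTTP status (\d{3})') { $status = [int]$Matches[1] }

        $class = 'other'
        if ($status -eq 401)                            { $class = 'auth-required' }
        elseif ($cause -like '*connection was closed*') { $class = 'connection' }
        elseif ($cause -like '*MovedPermanently*')      { $class = 'unexpected-redirect' }

        $redirectUrl = ''
        if ($redirect.Success) { $redirectUrl = $redirect.Groups[1].Value }

        New-Object psobject -Property @{
            Type        = $type
            TriedUrl    = $urls[0].Groups[1].Value
            FinalUrl    = $urls[$urls.Count - 1].Groups[1].Value
            RedirectUrl = $redirectUrl
            HttpStatus  = $status
            Class       = $class
            Cause       = $cause
        } | Select-Object Type, TriedUrl, RedirectUrl, FinalUrl, HttpStatus, Class, Cause
    }
}

# Constructed sample in the format shown in the thread (placeholder domain).
$sample = @'
Type=Failure;Url=https://autodiscover.partner.example/autodiscover/autodiscover.svc;Exception=Discovery for domain partner.example failed.;Details=(Type=Failure;Url=https://autodiscover.partner.example/autodiscover/autodiscover.svc;Exception=The request failed with HTTP status 401: Unauthorized ( The server requires authorization to fulfill the request. ).;);
Type=Failure;Url=https://partner.example/autodiscover/autodiscover.svc;Exception=Discovery for domain partner.example failed.;Details=(Type=Failure;Url=https://partner.example/autodiscover/autodiscover.svc;Exception=The underlying connection was closed: An unexpected error occurred on a send.;);
Type=Failure;Url=http://autodiscover.partner.example/autodiscover/autodiscover.xml;Exception=Discovery for domain partner.example failed.;Details=(Type=Failure;Url=http://autodiscover.partner.example/autodiscover/autodiscover.xml;RedirectUrl=https://autodiscover.partner.example/autodiscover/autodiscover.xml;Alternate=(Type=Failure;Url=https://autodiscover.partner.example/autodiscover/autodiscover.svc;Exception=The request failed with HTTP status 401: Unauthorized ( The server requires authorization to fulfill the request. ).;););
Type=Failure;Url=http://partner.example/autodiscover/autodiscover.xml;Exception=Discovery for domain partner.example failed.;Details=(Type=Failure;Url=http://partner.example/autodiscover/autodiscover.xml;Exception=Unexpected status code in response: MovedPermanently.;); .
'@

$rows = @(ConvertFrom-DiscoveryResult -Text $sample)
$rows | Format-Table TriedUrl, HttpStatus, Class -AutoSize

# Endpoints that answered 401 before any federation information was returned.
$authRequired = @($rows | Where-Object { $_.Class -eq 'auth-required' })
"{0} of {1} attempts ended in HTTP 401 at: {2}" -f $authRequired.Count, $rows.Count,
    (($authRequired | ForEach-Object { $_.FinalUrl } | Select-Object -Unique) -join ', ')
```

On the constructed sample, two of the four attempts end in a 401 at the same autodiscover.svc URL, which is the pattern the reply above attributes to authentication being demanded in front of Autodiscover.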


Hi,

we analyzed an error on our federatedpartner TMG; that is solved. Also, we made a little step forward: we changed our "TargetAutodiscoverEpr to: https://autodiscover.federatedpartnerdomain.de/autodiscover/autodiscover.svc"

Now we get a "Failed to get delegation token" error:

[PS] C:\Windows\system32>Test-OrganizationRelationship -Identity agens -UserIdentity jschmidtke@ourextdomain.de -verbose
VERBOSE: [09:42:52.151 GMT] Test-OrganizationRelationship : Active Directory session settings for 'Test-OrganizationRelationship' are: View Entire Forest: 'False', Default Scope: 'ourintdomain.local', Configuration Domain Controller: 'dc01.ourintdomain.local', Preferred Global Catalog: 'dc01.ourintdomain.local', Preferred Domain Controllers: '{ dc01.ourintdomain.local }'
VERBOSE: [09:42:52.151 GMT] Test-OrganizationRelationship : Runspace context: Executing user: ourintdomain.local/OurCompanyName/Department/Schmidtke, Jrg (Domainadmin), Executing user organization: , Current organization: , RBAC-enabled: Enabled.
VERBOSE: [09:42:52.151 GMT] Test-OrganizationRelationship : Beginning processing &
VERBOSE: [09:42:52.151 GMT] Test-OrganizationRelationship : Instantiating handler with index 0 for cmdlet extension agent "Admin Audit Log Agent".
VERBOSE: [09:42:52.151 GMT] Test-OrganizationRelationship : Current ScopeSet is: { Recipient Read Scope: {{, }}, Recipient Write Scopes: {{, }}, Configuration Read Scope: {{, }}, Configuration Write Scope(s): {{, }, }, Exclusive Recipient Scope(s): {}, Exclusive Configuration Scope(s): {} }
VERBOSE: [09:42:52.166 GMT] Test-OrganizationRelationship : Searching objects "jschmidtke@ourextdomain.de" of type "ADUser" under the root "$null".
VERBOSE: [09:42:52.307 GMT] Test-OrganizationRelationship : Previous operation run on global catalog server 'dc01.ourintdomain.local'.
VERBOSE: [09:42:52.323 GMT] Test-OrganizationRelationship : Searching objects "FederatedPartnerCompany" of type "OrganizationRelationship" under the root "$null".
VERBOSE: [09:42:52.369 GMT] Test-OrganizationRelationship : Previous operation run on domain controller 'dc01.ourintdomain.local'.
VERBOSE: Test that organization relationships are properly configured.
VERBOSE: [09:42:52.369 GMT] Test-OrganizationRelationship : Resolved current organization: .
VERBOSE: [09:42:52.385 GMT] Test-OrganizationRelationship : Calling the Microsoft Exchange Autodiscover service for the remote federation information.
VERBOSE: [09:42:52.729 GMT] Test-OrganizationRelationship : The Autodiscover call succeeded for the following URL: https://mail.federatedpartnerextdomain.de/autodiscover/autodiscover.svc.
VERBOSE: [09:42:52.745 GMT] Test-OrganizationRelationship : Generating delegation token for user jschmidtke@ourextdomain.de for application mail.federatedpartnerextdomain.de.
VERBOSE: [09:42:54.292 GMT] Test-OrganizationRelationship : Failed to get delegation token:
<S:Fault xmlns:S="http://www.w3.org/2003/05/soap-envelope"><S:Code><S:Value>S:Sender</S:Value><S:Subcode><S:Value>wst:InvalidRequest</S:Value></S:Subcode></S:Code><S:Reason><S:Text xml:lang="en-US">Invalid Request</S:Text></S:Reason><S:Detail><psf:error xmlns:psf="http://schemas.microsoft.com/Passport/SoapServices/SOAPFault"><psf:value>0x80048820</psf:value><psf:internalerror><psf:code>0x8004788d</psf:code><psf:text>Target is missing or invalid. </psf:text></psf:internalerror></psf:error></S:Detail></S:Fault>
Microsoft.Exchange.Net.WSTrust.SoapFaultException: Soap fault exception received.
   at Microsoft.Exchange.Net.WSTrust.SoapClient.Invoke(IEnumerable`1 headers, XmlElement bodyContent)
   at Microsoft.Exchange.Net.WSTrust.SecurityTokenService.IssueToken(DelegationTokenRequest request)
   at Microsoft.Exchange.Management.Sharing.TestOrganizationRelationship.GetDelegationToken().

RunspaceId : d3125974-0aad-487f-8cf6-879c899ddcd4
Identity :
Id : FailureToGetDelegationToken
Status : Error
Description : Failed to get delegation token: Soap fault exception received..
IsValid : True

VERBOSE: [09:42:54.307 GMT] Test-OrganizationRelationship : Admin Audit Log: Entered Handler:OnComplete.
VERBOSE: [09:42:54.307 GMT] Test-OrganizationRelationship : Ending processing &

Kind regards
Joerg
March 7th, 2012 6:08am

Hello Joerg,

As per the error, we are getting a failure in the delegation token. I would suggest running Test-federationtrust -verbose from both your domain and the partner domain.

http://technet.microsoft.com/en-us/library/dd979787.aspx

Thanks
Venkat
March 7th, 2012 7:11am


Hi, here is the output from Get-FederationInformation from us to our partner:
[PS] C:\Windows\system32>Get-FederationInformation -domainname federatedextpartnerdomain.de -verbose
Creating a new session for implicit remoting of "Get-FederationInformation" command...
VERBOSE: [12:28:21.095 GMT] Get-FederationInformation : Initializing Active Directory server settings for the remote Windows PowerShell session.
VERBOSE: [12:28:21.095 GMT] Get-FederationInformation : Active Directory session settings for 'Get-FederationInformation' are: View Entire Forest: 'False', Default Scope: 'ourintdomain.local', Configuration Domain Controller: 'dc01ourintdomain.local', Preferred Global Catalog: 'dc02ourintdomain.local', Preferred Domain Controllers: '{ dc02ourintdomain.local }'
VERBOSE: [12:28:21.111 GMT] Get-FederationInformation : Runspace context: Executing user: ttcon.local/OutCompanyName/Department/Schmidtke, Jrg (Domainadmin), Executing user organization: , Current organization: , RBAC-enabled: Enabled.
VERBOSE: [12:28:21.111 GMT] Get-FederationInformation : Beginning processing &
VERBOSE: [12:28:21.252 GMT] Get-FederationInformation : Current ScopeSet is: { Recipient Read Scope: {{, }}, Recipient Write Scopes: {{, }}, Configuration Read Scope: {{, }}, Configuration Write Scope(s): {{, }, }, Exclusive Recipient Scope(s): {}, Exclusive Configuration Scope(s): {} }
VERBOSE: [12:28:21.252 GMT] Get-FederationInformation : Resolved current organization: .
VERBOSE: [12:28:24.799 GMT] Get-FederationInformation : Using the following trusted host names: *.outlook.com.
VERBOSE: [12:28:28.582 GMT] Get-FederationInformation : The discovery process returned the following results:
Type=Failure;Url=https://autodiscover.federatedextpartnerdomain.de/autodiscover/autodiscover.svc;Exception=Discovery for domain federatedextpartnerdomain.de failed.;Details=(Type=Failure;Url=https://autodiscover.federatedextpartnerdomain.de/autodiscover/autodiscover.svc;Exception=The request failed with HTTP status 401: Unauthorized ( The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator. ).;);
Type=Failure;Url=https://federatedextpartnerdomain.de/autodiscover/autodiscover.svc;Exception=Discovery for domain federatedextpartnerdomain.de failed.;Details=(Type=Failure;Url=https://federatedextpartnerdomain.de/autodiscover/autodiscover.svc;Exception=The underlying connection was closed: An unexpected error occurred on a send.;);
Type=Failure;Url=http://autodiscover.federatedextpartnerdomain.de/autodiscover/autodiscover.xml;Exception=Discovery for domain federatedextpartnerdomain.de failed.;Details=(Type=Failure;Url=http://autodiscover.federatedextpartnerdomain.de/autodiscover/autodiscover.xml;RedirectUrl=https://autodiscover.federatedextpartnerdomain.de/autodiscover/autodiscover.xml;Alternate=(Type=Failure;Url=https://autodiscover.federatedextpartnerdomain.de/autodiscover/autodiscover.svc;Exception=The request failed with HTTP status 401: Unauthorized ( The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator. ).;););
Type=Failure;Url=http://federatedextpartnerdomain.de/autodiscover/autodiscover.xml;Exception=Discovery for domain federatedextpartnerdomain.de failed.;Details=(Type=Failure;Url=http://federatedextpartnerdomain.de/autodiscover/autodiscover.xml;Exception=Unexpected status code in response: MovedPermanently.;); .
Federation information could not be received from the external organization.
+ CategoryInfo : NotSpecified: (:) [Get-FederationInformation], GetFederationInformationFailedException
+ FullyQualifiedErrorId : A9E4445F,Microsoft.Exchange.Management.SystemConfigurationTasks.GetFederationInformation
VERBOSE: [12:28:28.644 GMT] Get-FederationInformation : Ending processing &
The partner's output to us follows:
[PS] C:\Windows\system32>get-federationinformation -domainname ourextdomain.de -verbose
VERBOSE: [13:24:52.524 GMT] Get-FederationInformation : Active Directory session settings for 'Get-FederationInformation' are: View Entire Forest: 'False', Default Scope: 'partnerintdomain.local', Configuration Domain Controller: 'DC01.partnerintdomain.local', Preferred Global Catalog: 'DC01.partnerintdomain.local', Preferred Domain Controllers: '{ DC01.partnerintdomain.local }'
VERBOSE: [13:24:52.524 GMT] Get-FederationInformation : Runspace context: Executing user: partnerintdomain.local/Department/Admin/Admin, Executing user organization: , Current organization: , RBAC-enabled: Enabled.
VERBOSE: [13:24:52.524 GMT] Get-FederationInformation : Beginning processing &
VERBOSE: [13:24:52.602 GMT] Get-FederationInformation : Current ScopeSet is: { Recipient Read Scope: {{, }}, Recipient Write Scopes: {{, }}, Configuration Read Scope: {{, }}, Configuration Write Scope(s): {{, }, }, Exclusive Recipient Scope(s): {}, Exclusive Configuration Scope(s): {} }
VERBOSE: [13:24:52.602 GMT] Get-FederationInformation : Resolved current organization: .
VERBOSE: [13:24:52.602 GMT] Get-FederationInformation : Using the following trusted host names: *.outlook.com.
VERBOSE: [13:24:53.492 GMT] Get-FederationInformation : The discovery process returned the following results:
Type=Failure;Url=https://autodiscover.ourextdomain.de/autodiscover/autodiscover.svc;Exception=Discovery for domain ourextdomain.de failed.;Details=(Type=Failure;Url=https://autodiscover.ourextdomain.de/autodiscover/autodiscover.svc;Exception=The request failed with HTTP status 401: Unauthorized ( The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator. ).;);
Type=Failure;Url=https://ourextdomain.de/autodiscover/autodiscover.svc;Exception=Discovery for domain ourextdomain.de failed.;Details=(Type=Failure;Url=https://ourextdomain.de/autodiscover/autodiscover.svc;Exception=The request failed with HTTP status 401: Unauthorized ( The server requires authorization to fulfill the request. Access to the Webserver is denied. Contact the server administrator. ).;);
Type=Failure;Url=http://autodiscover.ourextdomain.de/autodiscover/autodiscover.xml;Exception=Discovery for domain ourextdomain.de failed.;Details=(Type=Failure;Url=http://autodiscover.ourextdomain.de/autodiscover/autodiscover.xml;RedirectUrl=https://autodiscover.ourextdomain.de/autodiscover/autodiscover.xml;Alternate=(Type=Failure;Url=https://autodiscover.toptechnologies.de/autodiscover/autodiscover.svc;Exception=The request failed with HTTP status 401: Unauthorized ( The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator. ).;););
Type=Failure;Url=http://ourextdomain.de/autodiscover/autodiscover.xml;Exception=Discovery for domain ourextdomain.de failed.;Details=(Type=Failure;Url=http://ourextdomain.de/autodiscover/autodiscover.xml;RedirectUrl=https://mail.toptechnologies.de/autodiscover/autodiscover.xml;Alternate=(Type=Failure;Url=https://mail.ourextdomain.de/autodiscover/autodiscover.svc;Exception=The request failed with HTTP status 401: Unauthorized ( The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator. ).;););.
Federation information could not be received from the external organization.
+ CategoryInfo : NotSpecified: (:) [Get-FederationInformation], GetFederationInformationFailedException
+ FullyQualifiedErrorId : A9A4DB75,Microsoft.Exchange.Management.SystemConfigurationTasks.GetFederationInformation
VERBOSE: [13:24:53.492 GMT] Get-FederationInformation : Ending processing &
Kind regards, Joerg
March 7th, 2012 7:33am

Hello Joerg, As per my last post I suggested running Test-federationtest. Please update with the output. Thanks, Venkat
March 8th, 2012 10:12pm

Hi, here is my Test-FederationTrust output:
[PS] C:\Windows\system32>Test-FederationTrust -UserIdentity jschmidtke@ourexternaldomain.de
RunspaceId : 952d1486-0972-4d2c-879e-1400ff9fd269
Id : FederationTrustConfiguration
Type : Success
Message : FederationTrust object in ActiveDirectory is valid.
RunspaceId : 952d1486-0972-4d2c-879e-1400ff9fd269
Id : FederationMetadata
Type : Success
Message : The federation trust contains the same certificates published by the security token service in its federation metadata.
RunspaceId : 952d1486-0972-4d2c-879e-1400ff9fd269
Id : StsCertificate
Type : Success
Message : Valid certificate referenced by property TokenIssuerCertificate in the FederationTrust object.
RunspaceId : 952d1486-0972-4d2c-879e-1400ff9fd269
Id : StsPreviousCertificate
Type : Success
Message : Valid certificate referenced by property TokenIssuerPrevCertificate in the FederationTrust object.
RunspaceId : 952d1486-0972-4d2c-879e-1400ff9fd269
Id : OrganizationCertificate
Type : Success
Message : Valid certificate referenced by property OrgPrivCertificate in the FederationTrust object.
RunspaceId : 952d1486-0972-4d2c-879e-1400ff9fd269
Id : TokenRequest
Type : Success
Message : Request for delegation token succeeded.
RunspaceId : 952d1486-0972-4d2c-879e-1400ff9fd269
Id : TokenValidation
Type : Success
Message : Requested delegation token is valid.
Here is the output from our partner:
[PS] C:\Windows\system32>Test-FederationTrust -UserIdentity surname.name@partnerexternaldomain.com
RunspaceId : 549c6c5c-cbe4-4b6b-8013-07f43b670294
Id : FederationTrustConfiguration
Type : Success
Message : FederationTrust object in ActiveDirectory is valid.
RunspaceId : 549c6c5c-cbe4-4b6b-8013-07f43b670294
Id : FederationMetadata
Type : Success
Message : The federation trust contains the same certificates published by the security token service in its federation metadata.
RunspaceId : 549c6c5c-cbe4-4b6b-8013-07f43b670294
Id : StsCertificate
Type : Success
Message : Valid certificate referenced by property TokenIssuerCertificate in the FederationTrust object.
RunspaceId : 549c6c5c-cbe4-4b6b-8013-07f43b670294
Id : StsPreviousCertificate
Type : Success
Message : Valid certificate referenced by property TokenIssuerPrevCertificate in the FederationTrust object.
RunspaceId : 549c6c5c-cbe4-4b6b-8013-07f43b670294
Id : OrganizationCertificate
Type : Success
Message : Valid certificate referenced by property OrgPrivCertificate in the FederationTrust object.
RunspaceId : 549c6c5c-cbe4-4b6b-8013-07f43b670294
Id : TokenRequest
Type : Success
Message : Request for delegation token succeeded.
RunspaceId : 549c6c5c-cbe4-4b6b-8013-07f43b670294
Id : TokenValidation
Type : Success
Message : Requested delegation token is valid.
Kind regards, Joerg
March 9th, 2012 3:43am

Hello Joerg, If you are still facing the issue with federation, I would recommend creating a support ticket as this might require some additional tracing and troubleshooting. Thanks, Venkat
March 26th, 2012 1:37am

Problem is solved! The solution is as follows:
On our side the TargetApplicationUri must be set to: exchangedelegation.partnerdomain.com
Set-OrganizationRelationship -Identity agens -TargetOwaURL "https://mail.partnerdomain.com/owa"
Set-OrganizationRelationship -Identity agens -TargetApplicationUri "exchangedelegation.partnerdomain.com"
Set-OrganizationRelationship -Identity agens -TargetAutodiscoverEpr "https://mail.partnerdomain.com/Autodiscover/autodiscover.svc/WSSecurity"
and the "Enable Free/Busy information access" must be set to TRUE!
On the partner side the TargetApplicationUri must be set to: FYDIBOHF25SPDLT.ourexternaldomain.de
Set-OrganizationRelationship -Identity agens -TargetOwaURL "https://mail.ourexternaldomain.de/owa"
Set-OrganizationRelationship -Identity agens -TargetApplicationUri "FYDIBOHF25SPDLT.ourexternaldomain.de"
Set-OrganizationRelationship -Identity agens -TargetAutodiscoverEpr "https://mail.ourexternaldomain.de/Autodiscover/autodiscover.svc/WSSecurity"
So now we can access the Free/Busy information from the room mailboxes of our partner!
Kind regards, Joerg
July 20th, 2012 5:03am
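The three settings named in the solution above can be checked per relationship before running Test-OrganizationRelationship. This is an added example, not part of the original thread: Test-OrgRelationshipSettings is a hypothetical helper, and the two sample objects (including the "before" values) are constructed.

```powershell
# Added example. Test-OrgRelationshipSettings is a hypothetical helper, not an Exchange cmdlet.
# It inspects the properties the fix in this thread changed and reports what is missing.
# Written to run on PowerShell 2.0, which the Exchange 2010 Management Shell uses.
function Test-OrgRelationshipSettings {
    param([Parameter(Mandatory=$true)] $Relationship)

    $findings = @()
    $epr = [string]$Relationship.TargetAutodiscoverEpr

    if ([string]::IsNullOrEmpty([string]$Relationship.TargetApplicationUri)) {
        $findings += 'TargetApplicationUri is empty'
    }
    if ($epr -notmatch '^https://') {
        $findings += 'TargetAutodiscoverEpr is empty or not an https URL'
    }
    elseif ($epr -notmatch '/autodiscover\.svc/WSSecurity/?$') {
        $findings += 'TargetAutodiscoverEpr does not end in autodiscover.svc/WSSecurity'
    }
    if (-not $Relationship.FreeBusyAccessEnabled) {
        $findings += 'FreeBusyAccessEnabled is not True'
    }

    New-Object PSObject -Property @{
        Name     = $Relationship.Name
        Ok       = ($findings.Count -eq 0)
        Findings = $findings
    }
}

# Constructed sample objects shaped like Get-OrganizationRelationship output.
# $before is an assumed misconfiguration; $after uses the values from the post.
$before = New-Object PSObject -Property @{
    Name = 'agens'; TargetApplicationUri = $null; FreeBusyAccessEnabled = $false
    TargetAutodiscoverEpr = 'https://mail.partnerdomain.com/Autodiscover/autodiscover.svc'
}
$after = New-Object PSObject -Property @{
    Name = 'agens'; TargetApplicationUri = 'exchangedelegation.partnerdomain.com'
    TargetAutodiscoverEpr = 'https://mail.partnerdomain.com/Autodiscover/autodiscover.svc/WSSecurity'
    FreeBusyAccessEnabled = $true
}
$before, $after | ForEach-Object { Test-OrgRelationshipSettings $_ } |
    Format-List Name, Ok, Findings

# In the Exchange Management Shell, audit every configured relationship:
# Get-OrganizationRelationship | ForEach-Object { Test-OrgRelationshipSettings $_ }
```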

This topic is archived. No further replies will be accepted.
