OWA redirect loop on owa/auth/errorFE.aspx?httpCode=404 with WSFederationAuthenticationModule SSO enabled

Hi,

We are trying to set up a test environment for Exchange 2013 with our product. We stumbled upon these links, which helped us set up SSO with Exchange (OWA and ECP):
http://owaauth.com/identity-federation-for-owa-2010-sp1sp2-part-2-of-4/

http://www.theidentityguy.com/articles/2010/10/15/access-owa-with-adfs.html

After some research and development we made a working PoC with the following user experience:

GET https://mydomain/owa -> Redirect to https://identityprovider/sso?[authParams]

The user authenticates here.

POST https://mydomain/owa with AUTH_TOKEN -> Get into OWA or ECP

However, we have some problems:

If the user has no mailbox enabled, the server throws a 500 error (Microsoft.Exchange.Data.Storage.UserHasNoMailboxException) and tries to redirect the user to the error page. This action then throws a 404, and the server tries to get the 404 page and throws another 404 because it doesn't find it.

I do not know why it fails to load the error page.

We got another error too:

When the user has a mailbox that is not configured (no time zone and language), the auth process works, the user lands on the languageselection.aspx page, chooses the correct settings, and then the server throws a 500 internal error. To work around this we must set the time zone with ECP and mailbox delegation.

Any ideas why?

If you have any questions, go ahead.



August 14th, 2015 2:42pm

Hi,

Generally, if no mailbox is enabled for an AD user, the user would not be able to access OWA to open a mailbox. It is the expected behavior that OWA access fails for a non-mailbox-enabled user account.

Please enable a mailbox for this AD user, then access the mailbox from OWA to resolve the issue.

Regards,

August 17th, 2015 3:07am

Thanks for your response!

I'm OK with this behaviour of OWA; the problem is that the server cannot render the associated error page. When accessing the error page, the server throws a 404. When accessing the 404 page, it throws another 404 (cannot find the 404 page) and goes into a redirect loop until I stop the browser.

I think it's related to the WSFederationAuthenticationModule we used to federate OWA with our product. Here is a sanitized web.config of our OWA app (Exchange/V15/FrontEnd/HttpProxy/owa/web.config):

<configuration>
  <configSections>
    <section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
    <section name="system.identityModel.services" type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
  </configSections>
  <location inheritInChildApplications="false">
    <system.web>
      <customErrors mode="Off"/>
    </system.web>

    <!--  Added by Us  -->
    <system.identityModel>
      <identityConfiguration>
        <securityTokenHandlers>
          <remove type="System.IdentityModel.Tokens.SamlSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
          <remove type="System.IdentityModel.Tokens.Saml2SecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
          <add type="System.IdentityModel.Tokens.SamlSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
            <samlSecurityTokenRequirement mapToWindows="true"/>
          </add>
          <add type="System.IdentityModel.Tokens.Saml2SecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
            <samlSecurityTokenRequirement mapToWindows="true"/>
          </add>
          <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
          <add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
        </securityTokenHandlers>
        <applicationService>
          <claimTypeRequired>
            <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" optional="false"/>
          </claimTypeRequired>
        </applicationService>
        <audienceUris>
          <add value="domain.com"/>
        </audienceUris>
        <issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
          <trustedIssuers>
            <add thumbprint="fffffffffff" name="https://idp.com/"/>
          </trustedIssuers>
        </issuerNameRegistry>
      </identityConfiguration>
    </system.identityModel>
    <system.identityModel.services>
      <federationConfiguration>
        <cookieHandler requireSsl="true" path="/"/>
        <wsFederation passiveRedirectEnabled="true" issuer="https://idp.com/sso" realm="https://domain.com/owa/" reply="https://domain.com/owa/" requireHttps="true"/>
      </federationConfiguration>
    </system.identityModel.services>
    <!--  /Added by Us  -->

    <system.webServer>
      <serverRuntime uploadReadAheadSize="0"/>

      <!--  Added by Us  -->
      <modules runAllManagedModulesForAllRequests="true">
        <add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition=""/>
        <add name="WSFederationAuthenticationModule" type="System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition=""/>
        <!--  /Added by Us  -->

        <remove name="ServiceModel"/>
        <remove name="ServiceModel-4.0"/>
        <remove name="Session"/>
        <remove name="Profile"/>
        <add name="HostHeaderValidationModule" type="Microsoft.Exchange.HttpUtilities.HostHeaderValidationModule, Microsoft.Exchange.HttpUtilities, Version=15.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
        <add name="HttpProxy" type="Microsoft.Exchange.HttpProxy.FbaModule,Microsoft.Exchange.FrontEndHttpProxy,Version=15.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35" preCondition=""/>
        <add name="cafe_exppw"/>
      </modules>
      <security>
        <requestFiltering>
          <requestLimits maxAllowedContentLength="35000000"/>
        </requestFiltering>
      </security>
      <httpProtocol>
        <customHeaders>
          <add name="X-FEServer" value="EXCHANGE"/>
        </customHeaders>
      </httpProtocol>
    </system.webServer>
    <system.web>
      <machineKey decryptionKey="AAAAAA" validationKey="BBBBBBB"/>
      <compilation defaultLanguage="c#" debug="false">
        <assemblies>

          <!--  Added by Us  -->
          <add assembly="System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
          <!--  /Added by Us  -->

          <add assembly="Microsoft.Exchange.Clients.Strings, Version=15.0.0.0, Culture=neutral, publicKeyToken=31bf3856ad364e35"/>
          <add assembly="Microsoft.Exchange.Data.Directory, Version=15.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
          <add assembly="Microsoft.Exchange.Clients.Common, Version=15.0.0.0,Culture=neutral, publicKeyToken=31bf3856ad364e35"/>
          <add assembly="Microsoft.Exchange.Clients.Security, Version=15.0.0.0, Culture=neutral, publicKeyToken=31bf3856ad364e35"/>
          <add assembly="Microsoft.Exchange.FrontEndHttpProxy, Version=15.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
          <add assembly="Microsoft.Exchange.HttpProxy.Common, Version=15.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
          <add assembly="Microsoft.Exchange.Security, Version=15.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
        </assemblies>
      </compilation>
      <httpRuntime maxUrlLength="500" maxRequestLength="35000" requestValidationMode="2.0" requestValidationType="Microsoft.Exchange.Security.Authentication.AdfsRequestValidator"/>
      <pages validateRequest="false"/>
    </system.web>
  </location>
  <appSettings>
    <add key="HttpProxy.ProtocolType" value="Owa"/>
    <add key="OAuthHttpModule.Profiles" value="S2SAppActAs|Callback|V1AppActAs|V1Callback"/>
    <add key="OAuthHttpModule.V1AppScopes" value="user_impersonation"/>
    <add key="OAuthHttpModule.WebAppAuthEnabled" value="15.00.1030.000"/>
    <!--
    <add key="LogonSettings.SignOutKind" value="LegacyLogOff" />
    -->
  </appSettings>
  <system.serviceModel>
    <bindings>
      <netTcpBinding>
        <binding name="SecureBinding" maxConnections="100000">
          <security mode="Transport">
            <transport protectionLevel="EncryptAndSign"/>
          </security>
        </binding>
      </netTcpBinding>
    </bindings>
    <client>
      <endpoint address="net.tcp://localhost:1009/Microsoft.Exchange.Security.Authentication.FederatedAuthService" binding="netTcpBinding" bindingConfiguration="SecureBinding" contract="Microsoft.Exchange.Security.Authentication.FederatedAuthService.IAuthService" name="Microsoft.Exchange.Security.Authentication.FederatedAuthService"/>
    </client>
  </system.serviceModel>
  <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
    <linkedConfiguration href="file://C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\SharedWebConfig.config"/>
  </assemblyBinding>
</configuration>
Do you see anything broken in this file? I can provide the ClientAccess/Owa web.config file too if needed.

The other problem, which I think is related, is the online configuration of a new mailbox; I don't really know if this is a common use case. If a mailbox is created for a user and the user then uses OWA to access it, he'll be prompted for language and time zone selection. After validating, the server throws a 500 error without any logs in Event Viewer.

August 17th, 2015 4:17am
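As an added example (not from the thread or from Exchange), a small Python lint that parses the kind of WIF configuration posted above and flags the settings a reviewer would check before trusting the federation: the audienceUris must contain the wsFederation realm, each trusted-issuer thumbprint must be a real certificate thumbprint, HTTPS must be required for the token POST and the session cookie, and the machineKey that protects the session cookie must not be a placeholder. The embedded config is a constructed, reduced copy of the posted one that keeps its sanitized placeholder values, so the lint reports them.

```python
import xml.etree.ElementTree as ET
HEX = set("0123456789abcdefABCDEF")

# Constructed sample, reduced from the posted OWA web.config (its placeholder values kept).
SAMPLE_CONFIG = """<configuration><location inheritInChildApplications="false">
  <system.identityModel><identityConfiguration>
    <audienceUris><add value="domain.com"/></audienceUris>
    <issuerNameRegistry><trustedIssuers>
      <add thumbprint="fffffffffff" name="https://idp.com/"/>
    </trustedIssuers></issuerNameRegistry>
  </identityConfiguration></system.identityModel>
  <system.identityModel.services><federationConfiguration>
    <cookieHandler requireSsl="true" path="/"/>
    <wsFederation passiveRedirectEnabled="true" issuer="https://idp.com/sso"
        realm="https://domain.com/owa/" reply="https://domain.com/owa/" requireHttps="true"/>
  </federationConfiguration></system.identityModel.services>
  <system.web><machineKey decryptionKey="AAAAAA" validationKey="BBBBBBB"/></system.web>
</location></configuration>"""


def lint_wif_config(xml_text):
    """Return a list of findings; an empty list means nothing suspicious was found."""
    root = ET.fromstring(xml_text)
    findings = []
    fed = root.find(".//wsFederation")
    if fed is None:
        return ["no <wsFederation> element: WS-Federation is not configured"]
    if fed.get("requireHttps", "true").lower() != "true":
        findings.append("wsFederation requireHttps is not true: tokens could be posted over HTTP")
    cookie = root.find(".//cookieHandler")
    if cookie is None or cookie.get("requireSsl", "false").lower() != "true":
        findings.append("cookieHandler requireSsl is not true: session cookie lacks the Secure flag")
    # The token's AudienceRestriction is validated against audienceUris, which must list the realm.
    realm = fed.get("realm", "")
    audiences = [a.get("value", "") for a in root.findall(".//audienceUris/add")]
    if realm not in audiences:
        findings.append("audienceUris %r do not contain the wsFederation realm %r" % (audiences, realm))
    # A trusted issuer is identified by the SHA-1 thumbprint of its signing cert (40 hex chars).
    for issuer in root.findall(".//trustedIssuers/add"):
        tp = issuer.get("thumbprint", "")
        if len(tp) != 40 or not set(tp) <= HEX:
            findings.append("trusted issuer %s has an invalid thumbprint %r" % (issuer.get("name"), tp))
    # MachineKeySessionSecurityTokenHandler protects the session cookie with machineKey;
    # heuristic: a generated key is long hex, not a short or single-character placeholder.
    mk = root.find(".//machineKey")
    if mk is not None:
        for attr in ("decryptionKey", "validationKey"):
            val = mk.get(attr, "")
            if len(val) < 32 or not set(val) <= HEX or len(set(val)) == 1:
                findings.append("machineKey %s looks like a placeholder, not a generated key" % attr)
    return findings
```

Run it against the real file before deploying: the audience check in particular catches the mismatch that makes WIF reject otherwise valid tokens with an audience validation failure.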

This topic is archived. No further replies will be accepted.
