Thanks for your response!
I'm OK with this behaviour of OWA; the problem is that the server cannot print the associated error page. When accessing the error page, the server throws a 404. When accessing the 404 page, it throws another 404 (cannot find the 404 page) and goes into a redirect loop until I stop the browser.
I think it's related to the WsFedModuleAuthentication, we used to federate OWA with our product. Here is a sanitized web.config of our OWA app (Exchange/V15/FrontEnd/HttpProxy/owa/web.config):
<configuration>
<configSections>
<section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
<section name="system.identityModel.services" type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
</configSections>
<location inheritInChildApplications="false">
<system.web>
<customErrors mode="Off"/>
</system.web>
<!-- Added by Us -->
<system.identityModel>
<identityConfiguration>
<securityTokenHandlers>
<remove type="System.IdentityModel.Tokens.SamlSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
<remove type="System.IdentityModel.Tokens.Saml2SecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
<add type="System.IdentityModel.Tokens.SamlSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
<samlSecurityTokenRequirement mapToWindows="true"/>
</add>
<add type="System.IdentityModel.Tokens.Saml2SecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
<samlSecurityTokenRequirement mapToWindows="true"/>
</add>
<remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
<add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
</securityTokenHandlers>
<applicationService>
<claimTypeRequired>
<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" optional="false"/>
</claimTypeRequired>
</applicationService>
<audienceUris>
<add value="domain.com"/>
</audienceUris>
<issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
<trustedIssuers>
<add thumbprint="fffffffffff" name="https://idp.com/"/>
</trustedIssuers>
</issuerNameRegistry>
</identityConfiguration>
</system.identityModel>
<system.identityModel.services>
<federationConfiguration>
<cookieHandler requireSsl="true" path="/"/>
<wsFederation passiveRedirectEnabled="true" issuer="https://idp.com/sso" realm="https://domain.com/owa/" reply="https://domain.com/owa/" requireHttps="true"/>
</federationConfiguration>
</system.identityModel.services>
<!-- /Added by Us -->
<system.webServer>
<serverRuntime uploadReadAheadSize="0"/>
<!-- Added by Us -->
<modules runAllManagedModulesForAllRequests="true">
<add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition=""/>
<add name="WSFederationAuthenticationModule" type="System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition=""/>
<!-- /Added by Us -->
<remove name="ServiceModel"/>
<remove name="ServiceModel-4.0"/>
<remove name="Session"/>
<remove name="Profile"/>
<add name="HostHeaderValidationModule" type="Microsoft.Exchange.HttpUtilities.HostHeaderValidationModule, Microsoft.Exchange.HttpUtilities, Version=15.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
<add name="HttpProxy" type="Microsoft.Exchange.HttpProxy.FbaModule,Microsoft.Exchange.FrontEndHttpProxy,Version=15.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35" preCondition=""/>
<add name="cafe_exppw"/>
</modules>
<security>
<requestFiltering>
<requestLimits maxAllowedContentLength="35000000"/>
</requestFiltering>
</security>
<httpProtocol>
<customHeaders>
<add name="X-FEServer" value="EXCHANGE"/>
</customHeaders>
</httpProtocol>
</system.webServer>
<system.web>
<machineKey decryptionKey="AAAAAA" validationKey="BBBBBBB"/>
<compilation defaultLanguage="c#" debug="false">
<assemblies>
<!-- Added by Us -->
<add assembly="System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
<!-- Added by Us -->
<add assembly="Microsoft.Exchange.Clients.Strings, Version=15.0.0.0, Culture=neutral, publicKeyToken=31bf3856ad364e35"/>
<add assembly="Microsoft.Exchange.Data.Directory, Version=15.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
<add assembly="Microsoft.Exchange.Clients.Common, Version=15.0.0.0,Culture=neutral, publicKeyToken=31bf3856ad364e35"/>
<add assembly="Microsoft.Exchange.Clients.Security, Version=15.0.0.0, Culture=neutral, publicKeyToken=31bf3856ad364e35"/>
<add assembly="Microsoft.Exchange.FrontEndHttpProxy, Version=15.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
<add assembly="Microsoft.Exchange.HttpProxy.Common, Version=15.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
<add assembly="Microsoft.Exchange.Security, Version=15.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
</assemblies>
</compilation>
<httpRuntime maxUrlLength="500" maxRequestLength="35000" requestValidationMode="2.0" requestValidationType="Microsoft.Exchange.Security.Authentication.AdfsRequestValidator"/>
<pages validateRequest="false"/>
</system.web>
</location>
<appSettings>
<add key="HttpProxy.ProtocolType" value="Owa"/>
<add key="OAuthHttpModule.Profiles" value="S2SAppActAs|Callback|V1AppActAs|V1Callback"/>
<add key="OAuthHttpModule.V1AppScopes" value="user_impersonation"/>
<add key="OAuthHttpModule.WebAppAuthEnabled" value="15.00.1030.000"/>
<!--
<add key="LogonSettings.SignOutKind" value="LegacyLogOff" />
-->
</appSettings>
<system.serviceModel>
<bindings>
<netTcpBinding>
<binding name="SecureBinding" maxConnections="100000">
<security mode="Transport">
<transport protectionLevel="EncryptAndSign"/>
</security>
</binding>
</netTcpBinding>
</bindings>
<client>
<endpoint address="net.tcp://localhost:1009/Microsoft.Exchange.Security.Authentication.FederatedAuthService" binding="netTcpBinding" bindingConfiguration="SecureBinding" contract="Microsoft.Exchange.Security.Authentication.FederatedAuthService.IAuthService" name="Microsoft.Exchange.Security.Authentication.FederatedAuthService"/>
</client>
</system.serviceModel>
<assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
<linkedConfiguration href="file://C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\SharedWebConfig.config"/>
</assemblyBinding>
</configuration>
Do you see anything broken in this file? I can provide the ClientAccess/Owa web config file too if needed.
The other problem, which is related I think, is the online configuration of a new mailbox; I don't really know if this is a common use case. If a mailbox is created for a user and the user then uses OWA to access it, he'll be prompted for language and time zone selection. After validating, the server throws an error 500 without any logs in Event Viewer.