Sounds like:
https://blog.markdepalma.com/?p=490
https://learn.microsoft.com/en-us/exchange/configure-oauth-authentication-between-exchange-and-exchange-online-organizations-exchange-2013-help#step-5-register-all-hostname-authorities-for-your-internal-and-external-on-premises-exchange-http-endpoints-with-azure-active-directory
resource not found in tenant
I enabled modern authentication between on-prem and cloud yesterday, now my on-premise users are being asked for credentials and seeing the following error. I see this error logged in my AAD sign in page to.
Error Code: CAA2000B
Server message AADSTS500011: The resource principal named https://onpremserver.public-domain.co.uk was not found in the tenant named public-domain.co.uk. this can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.
Can any one help please?
Exchange | Exchange Server | Management
7 answers
-
Andy David - MVP 157.8K Reputation points MVP Volunteer Moderator
2020-11-10T15:01:48.5+00:00 -
Martin Bufton 16 Reputation points
2020-11-10T15:41:20.103+00:00
Thanks for the steer. Apart from the fact I have Contoso in my list, I think I have the Service Principals set correctly:
Get-MsolServicePrincipal -AppPrincipalId 00000002-0000-0ff1-ce00-000000000000 | select -ExpandProperty ServicePrincipalNames
https://autodiscover.public-domain.co.uk/
https://webmail.public-domain.co.uk/
https://autodiscover.contoso.com/
https://mail.contoso.com/
https://ps.compliance.protection.outlook.com
https://autodiscover-s.office365.us/
https://outlook.office365.us/
https://outlook-sdf.office.com/
https://outlook-sdf.office365.com/
https://outlook.office365.com:443/
https://outlook.office.com/
https://outlook.office365.com/
https://outlook.com/
https://outlook-dod.office365.us/
https://ps.protection.outlook.com/
https://webmail.apps.mil/
https://outlook-tdf.office.com/
00000002-0000-0ff1-ce00-000000000000/outlook.office365.com
00000002-0000-0ff1-ce00-000000000000/mail.office365.com
00000002-0000-0ff1-ce00-000000000000/outlook.com
00000002-0000-0ff1-ce00-000000000000/*.outlook.com
00000002-0000-0ff1-ce00-000000000000
So I'm still stumped
-
Joyce Shen - MSFT 16,701 Reputation points
2020-11-11T05:43:06.74+00:00
Hi @Martin Bufton,
According to my search, like what Andy shared above, if you miss any value in the SPNs the error will occur. I would suggest you run the commands below to check it again.
Get-MapiVirtualDirectory | FL server,*url*
Get-WebServicesVirtualDirectory | FL server,*url*
Get-ClientAccessServer | fl Name, AutodiscoverServiceInternalUri
Get-OABVirtualDirectory | FL server,*url*
Get-AutodiscoverVirtualDirectory | FL server,*url*
Get-OutlookAnywhere | FL server,*url*
Detailed information for your reference as well: Add on-premises web service URLs as SPNs in Azure AD
-
Martin Bufton 16 Reputation points
2020-11-11T09:38:00.237+00:00
Thanks for your reply, it has helped me find one thing that stands out as incorrect. So I will change that and give Modern auth another go.
Get-ClientAccessServer | fl Name, AutodiscoverServiceInternalUri shows a public URI rather than internal
[PS] C:\Windows\system32> Get-MapiVirtualDirectory | FL server,*url*

Server : onpremSvr1
InternalUrl : https://webmail.public-domain.co.uk/mapi
ExternalUrl : https://webmail.public-domain.co.uk/mapi

Server : onpremSvr2
InternalUrl : https://webmail.public-domain.co.uk/mapi
ExternalUrl : https://webmail.public-domain.co.uk/mapi

[PS] C:\Windows\system32> Get-WebServicesVirtualDirectory | FL server,*url*

Server : onpremSvr1
InternalNLBBypassUrl :
InternalUrl : https://webmail.public-domain.co.uk/EWS/Exchange.asmx
ExternalUrl : https://webmail.public-domain.co.uk/ews/exchange.asmx

Server : onpremSvr2
InternalNLBBypassUrl :
InternalUrl : https://webmail.public-domain.co.uk/EWS/Exchange.asmx
ExternalUrl : https://webmail.public-domain.co.uk/EWS/Exchange.asmx

[PS] C:\Windows\system32> Get-ClientAccessServer | fl Name, AutodiscoverServiceInternalUri

Name : onpremSvr1
AutoDiscoverServiceInternalUri : https://onpremSvr1.public-domain.co.uk/Autodiscover/Autodiscover.xml

Name : onpremSvr2
AutoDiscoverServiceInternalUri : https://onpremSvr2.company.local/Autodiscover/Autodiscover.xml

[PS] C:\Windows\system32> Get-OABVirtualDirectory | FL server,*url*

Server : onpremSvr1
InternalUrl : https://webmail.public-domain.co.uk/OAB
ExternalUrl : https://webmail.public-domain.co.uk/OAB

Server : onpremSvr2
InternalUrl : https://webmail.public-domain.co.uk/OAB
ExternalUrl : https://webmail.public-domain.co.uk/OAB

[PS] C:\Windows\system32> Get-AutodiscoverVirtualDirectory | FL server,*url*

Server : onpremSvr1
InternalUrl :
ExternalUrl :

Server : onpremSvr2
InternalUrl :
ExternalUrl :

[PS] C:\Windows\system32> Get-OutlookAnywhere | FL server,*url*

Server : onpremSvr1
XropUrl :

Server : onpremSvr2
XropUrl :
-
Martin Bufton 16 Reputation points
2020-11-11T10:17:40.147+00:00
Now the error reads:
Server message AADSTS500011: The resource principal named https://onpremSvr1.company.local/Autodiscover/Autodiscover.xml was not found in the tenant named public-domain.co.uk. this can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.
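Added example, not code posted by anyone in this thread: a report-only PowerShell check that automates what Andy's SPN dump and Joyce's command list do by hand. It pulls every URL on-premises Exchange publishes and lists the hostname authorities that the Exchange Online service principal does not carry (both resource principals named in the AADSTS500011 messages above would show up). It assumes the Exchange Management Shell with the MSOnline module already connected via Connect-MsolService, and the app id shown in the thread; Add-Published and Get-Authority are helper names of my own.

```powershell
# Added example (not from the thread). Report-only: compares the hostname
# authorities on-premises Exchange hands to clients against the SPNs on the
# Exchange Online service principal, per Step 5 of the doc linked above.
# Assumes: Exchange Management Shell + Connect-MsolService already run.

$exoAppId = '00000002-0000-0ff1-ce00-000000000000'   # app id from the thread

# Collect every published URL together with the server and property it came from.
$published = New-Object System.Collections.Generic.List[object]
function Add-Published($server, $source, $url) {
    if (-not [string]::IsNullOrWhiteSpace("$url")) {
        $published.Add([pscustomobject]@{ Server = "$server"; Source = $source; Url = "$url" })
    }
}
Get-MapiVirtualDirectory         | ForEach-Object { Add-Published $_.Server 'MAPI InternalUrl' $_.InternalUrl; Add-Published $_.Server 'MAPI ExternalUrl' $_.ExternalUrl }
Get-WebServicesVirtualDirectory  | ForEach-Object { Add-Published $_.Server 'EWS InternalUrl' $_.InternalUrl; Add-Published $_.Server 'EWS ExternalUrl' $_.ExternalUrl; Add-Published $_.Server 'EWS InternalNLBBypassUrl' $_.InternalNLBBypassUrl }
Get-OABVirtualDirectory          | ForEach-Object { Add-Published $_.Server 'OAB InternalUrl' $_.InternalUrl; Add-Published $_.Server 'OAB ExternalUrl' $_.ExternalUrl }
Get-AutodiscoverVirtualDirectory | ForEach-Object { Add-Published $_.Server 'Autodiscover InternalUrl' $_.InternalUrl; Add-Published $_.Server 'Autodiscover ExternalUrl' $_.ExternalUrl }
Get-OutlookAnywhere              | ForEach-Object { Add-Published $_.Server 'OutlookAnywhere XropUrl' $_.XropUrl }
Get-ClientAccessServer           | ForEach-Object { Add-Published $_.Name 'AutoDiscoverServiceInternalUri' $_.AutoDiscoverServiceInternalUri }

# Compare on scheme + host only; that is what AADSTS500011 names as the resource principal.
# Entries such as "<appid>/outlook.office365.com" are not absolute URIs and are skipped.
function Get-Authority([string]$url) {
    $uri = $null
    if ([System.Uri]::TryCreate($url, [System.UriKind]::Absolute, [ref]$uri)) {
        return ('{0}://{1}' -f $uri.Scheme, $uri.Host).ToLowerInvariant()
    }
}

$registered = (Get-MsolServicePrincipal -AppPrincipalId $exoAppId).ServicePrincipalNames |
    ForEach-Object { Get-Authority $_ } | Where-Object { $_ } | Sort-Object -Unique

$missing = $published | ForEach-Object { Get-Authority $_.Url } | Where-Object { $_ } |
    Sort-Object -Unique | Where-Object { $registered -notcontains $_ }

if (-not $missing) { "All published hostname authorities are registered as SPNs on $exoAppId." }
foreach ($auth in $missing) {
    "MISSING SPN: $auth/  (used by:)"
    $published | Where-Object { (Get-Authority $_.Url) -eq $auth } |
        ForEach-Object { "    $($_.Server)  $($_.Source)  $($_.Url)" }
}

# The linked doc registers an authority with this pattern (left commented; review first):
# $sp = Get-MsolServicePrincipal -AppPrincipalId $exoAppId
# foreach ($auth in $missing) { $sp.ServicePrincipalNames.Add("$auth/") }
# Set-MsolServicePrincipal -AppPrincipalId $exoAppId -ServicePrincipalNames $sp.ServicePrincipalNames
```

Whether a reported authority should be registered as an SPN or the URL repointed at a name that is already registered (as Martin decided to do for the AutoDiscoverServiceInternalUri) is a decision for the admin; the script only reports.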