resource not found in tenant

Martin Bufton 16 Reputation points
2020-11-10T14:41:01.477+00:00

I enabled modern authentication between on-prem and cloud yesterday; now my on-premises users are being asked for credentials and seeing the following error. I see this error logged in my AAD sign-in page too.

Error Code: CAA2000B

Server message AADSTS500011: The resource principal named https://onpremserver.public-domain.co.uk was not found in the tenant named public-domain.co.uk. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.

Can anyone help please?

Exchange | Exchange Server | Management

7 answers

  1. Andy David - MVP 157.8K Reputation points MVP Volunteer Moderator
    2020-11-10T15:01:48.5+00:00

  2. Martin Bufton 16 Reputation points
    2020-11-10T15:41:20.103+00:00

    Thanks for the steer. Apart from the fact I have Contoso in my list, I think I have the Service Principals set correctly:

    Get-MsolServicePrincipal -AppPrincipalId 00000002-0000-0ff1-ce00-000000000000 | select -ExpandProperty ServicePrincipalNames
    https://autodiscover.public-domain.co.uk/
    https://webmail.public-domain.co.uk/
    https://autodiscover.contoso.com/
    https://mail.contoso.com/
    https://ps.compliance.protection.outlook.com
    https://autodiscover-s.office365.us/
    https://outlook.office365.us/
    https://outlook-sdf.office.com/
    https://outlook-sdf.office365.com/
    https://outlook.office365.com:443/
    https://outlook.office.com/
    https://outlook.office365.com/
    https://outlook.com/
    https://outlook-dod.office365.us/
    https://ps.protection.outlook.com/
    https://webmail.apps.mil/
    https://outlook-tdf.office.com/
    00000002-0000-0ff1-ce00-000000000000/outlook.office365.com
    00000002-0000-0ff1-ce00-000000000000/mail.office365.com
    00000002-0000-0ff1-ce00-000000000000/outlook.com
    00000002-0000-0ff1-ce00-000000000000/*.outlook.com
    00000002-0000-0ff1-ce00-000000000000

    So I'm still stumped


  3. Joyce Shen - MSFT 16,701 Reputation points
    2020-11-11T05:43:06.74+00:00

    Hi @Martin Bufton ,

    According to my search, like what Andy shared above, if you missed any value in the SPN the error will occur. I would suggest you run the below commands to check it again.

    Get-MapiVirtualDirectory | FL server,*url*
    Get-WebServicesVirtualDirectory | FL server,*url*
    Get-ClientAccessServer | fl Name, AutodiscoverServiceInternalUri
    Get-OABVirtualDirectory | FL server,*url*
    Get-AutodiscoverVirtualDirectory | FL server,*url*
    Get-OutlookAnywhere | FL server,*url*

    Detailed information for your reference as well: Add on-premises web service URLs as SPNs in Azure AD



  4. Martin Bufton 16 Reputation points
    2020-11-11T09:38:00.237+00:00

    Thanks for your reply, it has helped me find one thing that stands out as incorrect. So I will change that and give Modern auth another go.

    Get-ClientAccessServer | fl Name, AutodiscoverServiceInternalUri shows a public URI rather than internal

    [PS] C:\Windows\system32> Get-MapiVirtualDirectory | FL server,*url*
    Server : onpremSvr1
    InternalUrl : https://webmail.public-domain.co.uk/mapi
    ExternalUrl : https://webmail.public-domain.co.uk/mapi

    Server : onpremSvr2
    InternalUrl : https://webmail.public-domain.co.uk/mapi
    ExternalUrl : https://webmail.public-domain.co.uk/mapi

    [PS] C:\Windows\system32> Get-WebServicesVirtualDirectory | FL server,*url*
    Server : onpremSvr1
    InternalNLBBypassUrl :
    InternalUrl : https://webmail.public-domain.co.uk/EWS/Exchange.asmx
    ExternalUrl : https://webmail.public-domain.co.uk/ews/exchange.asmx

    Server : onpremSvr2
    InternalNLBBypassUrl :
    InternalUrl : https://webmail.public-domain.co.uk/EWS/Exchange.asmx
    ExternalUrl : https://webmail.public-domain.co.uk/EWS/Exchange.asmx

    [PS] C:\Windows\system32> Get-ClientAccessServer | fl Name, AutodiscoverServiceInternalUri
    Name : onpremSvr1
    AutoDiscoverServiceInternalUri : https://onpremSvr1.public-domain.co.uk/Autodiscover/Autodiscover.xml

    Name : onpremSvr2
    AutoDiscoverServiceInternalUri : https://onpremSvr2.company.local/Autodiscover/Autodiscover.xml

    [PS] C:\Windows\system32> Get-OABVirtualDirectory | FL server,*url*
    Server : onpremSvr1
    InternalUrl : https://webmail.public-domain.co.uk/OAB
    ExternalUrl : https://webmail.public-domain.co.uk/OAB

    Server : onpremSvr2
    InternalUrl : https://webmail.public-domain.co.uk/OAB
    ExternalUrl : https://webmail.public-domain.co.uk/OAB

    [PS] C:\Windows\system32> Get-AutodiscoverVirtualDirectory | FL server,*url*
    Server : onpremSvr1
    InternalUrl :
    ExternalUrl :

    Server : onpremSvr2
    InternalUrl :
    ExternalUrl :

    [PS] C:\Windows\system32> Get-OutlookAnywhere | FL server,*url*
    Server : onpremSvr1
    XropUrl :

    Server : onpremSvr2
    XropUrl :

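The check Joyce describes in answer 3, applied to output like the one in answer 4, amounts to: every host name that on-premises Exchange can hand to a client (virtual directory InternalUrl/ExternalUrl and the AutoDiscoverServiceInternalUri) must appear as an `https://<host>/` entry on the Exchange Online service principal, otherwise the token request carries a resource AAD has never heard of and fails with AADSTS500011. The script below is an added example, not code from the thread or from Microsoft: it gathers those hosts, compares them with the tenant's SPN list, and reports each one as OK, MISSING, or BLOCKED. Assumptions: it is run in the on-premises Exchange Management Shell with the MSOnline module loaded and `Connect-MsolService` already done; the `$AddMissing` switch is a hypothetical name used only here; and the BLOCKED category rests on the rule that an SPN URL must sit under a domain verified in the tenant, which a `.local` suffix never can, so such a URL has to be fixed on the Exchange side rather than added to AAD.

```powershell
# Added example (not from the original thread): reconcile on-premises Exchange
# URLs against the Exchange Online service principal for Hybrid Modern Auth.
# Assumes: Exchange Management Shell + MSOnline module, Connect-MsolService done.

$AddMissing = $false   # hypothetical switch: $true writes the missing SPNs to AAD
$exoAppId   = '00000002-0000-0ff1-ce00-000000000000'   # Office 365 Exchange Online

# 1. Every URL a client can be redirected to by on-premises Exchange.
$urls = @()
foreach ($vdir in @(Get-MapiVirtualDirectory),
                  @(Get-WebServicesVirtualDirectory),
                  @(Get-OABVirtualDirectory),
                  @(Get-AutodiscoverVirtualDirectory)) {
    $urls += $vdir.InternalUrl, $vdir.ExternalUrl
}
$urls += (Get-ClientAccessServer).AutoDiscoverServiceInternalUri

# Reduce to unique lower-case host names; AAD matches on the host part.
$needed = $urls |
    Where-Object { $_ } |
    ForEach-Object { ([Uri]$_).Host.ToLowerInvariant() } |
    Sort-Object -Unique

# 2. What the tenant already knows about, and which domains it has verified.
$sp = Get-MsolServicePrincipal -AppPrincipalId $exoAppId
$tenantHosts = $sp.ServicePrincipalNames |
    Where-Object { $_ -like 'https://*' } |
    ForEach-Object { ([Uri]$_).Host.ToLowerInvariant() }
$verifiedDomains = (Get-MsolDomain | Where-Object { $_.Status -eq 'Verified' }).Name |
    ForEach-Object { $_.ToLowerInvariant() }

# 3. Compare and report.
$toAdd = @()
foreach ($h in $needed) {
    $spn = "https://$h/"
    if ($tenantHosts -contains $h) {
        "OK       $spn"
        continue
    }
    $underVerified = $verifiedDomains | Where-Object { $h -eq $_ -or $h.EndsWith(".$_") }
    if (-not $underVerified) {
        # e.g. https://onpremSvr2.company.local/ : cannot be an SPN, change the
        # Exchange URL to a published namespace (Set-ClientAccessServer /
        # Set-*VirtualDirectory) instead of trying to add it to the tenant.
        "BLOCKED  $spn  (host is not under a verified tenant domain)"
        continue
    }
    "MISSING  $spn"
    $toAdd += $spn
}

# 4. Optionally write the missing entries in one Set-MsolServicePrincipal call.
if ($AddMissing -and $toAdd.Count -gt 0) {
    foreach ($spn in $toAdd) { $sp.ServicePrincipalNames.Add($spn) }
    Set-MsolServicePrincipal -AppPrincipalId $exoAppId -ServicePrincipalNames $sp.ServicePrincipalNames
    "Added $($toAdd.Count) SPN(s); allow a few minutes for replication before re-testing."
}
```

Run it read-only first. Against the output in answer 4 it would report the `webmail.` namespace as OK, `onpremSvr1.public-domain.co.uk` as MISSING and `onpremSvr2.company.local` as BLOCKED. For the two Autodiscover entries the cleaner fix is not to add per-server SPNs but to point `AutoDiscoverServiceInternalUri` on both servers at the shared `autodiscover.public-domain.co.uk` namespace that is already on the certificate and already in the SPN list, so the set of resource URLs AAD must trust stays limited to the namespaces you actually publish.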

  5. Martin Bufton 16 Reputation points
    2020-11-11T10:17:40.147+00:00

    Now the error reads:

    Server message AADSTS500011: The resource principal named https://onpremSvr1.company.local/Autodiscover/Autodiscover.xml was not found in the tenant named public-domain.co.uk. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.

