Exchange Online
A Microsoft email and calendaring hosted service.
6,180 questions
am facing the same issue!!
any suggestion please?
Using ADFS & Azure MFA for Exchange 2019 OWA/ECP On-Premise
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 89%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ED%3C/text%3E%3C/svg%3E)
djtheri
1
Reputation point
Hi,
So, I have a working ADFS 2019 Server, fronted by a WAP 2019 Server, that is currently working to serve requests for an on-premise Exchange 2019 Server for OWA/ECP.
I'm trying to add Azure MFA to my ADFS authentication for OWA mainly, using Azure Active Directory Free which is included with my Office365 subscription.
My domain is federated & when I authenticate to Office365 with a user I have assigned to use MFA, they are properly asked & able to authenticate using Azure MFA, but the same doesn't happen for my OWA/ECP connections & I get this error after entering in my email only:
• Activity ID: 3f40b225-b4f0-41c4-5500-0080020000c1
• Relying party: Mail - OWA
• Error details: Exception calling SAS.
• Node name: 67599f4b-8fec-4830-8baa-b6baffd154d5
• Error time: Wed, 22 Sep 2021 20:21:13 GMT
• Cookie: enabled
• User agent string: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36 Edg/93.0.961.52
This is the associated error on my ADFS server:
Encountered error during federation passive request.
Additional Data
Protocol Name:
wsfed
Relying Party:
https://xxx.com/owa/
Exception details:
System.Exception: Exception calling SAS. ---> System.Net.WebException: The remote server returned an error: (401) Unauthorized.
at System.Net.HttpWebRequest.GetResponse()
at Microsoft.IdentityServer.Aad.Sas.HttpClientHelper.PostXml[TRequest,TResponse](String url, TRequest request, Action`1 httpRequestModifier)
at Microsoft.IdentityServer.Aad.Sas.RealSasProvider.GetAvailableAuthenticationMethods(GetAvailableAuthenticationMethodsRequest request)
at Microsoft.IdentityServer.Adapter.AzureMfa.PrimaryAuthenticationAdapter.ProcessUsernameOathCodePin(IAuthenticationContext authContext, IProofData proofData, Claim[]& outgoingClaims)
--- End of inner exception stack trace ---
at Microsoft.IdentityServer.Adapter.AzureMfa.PrimaryAuthenticationAdapter.ProcessUsernameOathCodePin(IAuthenticationContext authContext, IProofData proofData, Claim[]& outgoingClaims)
at Microsoft.IdentityServer.Adapter.AzureMfa.PrimaryAuthenticationAdapter.TryEndAuthentication(IAuthenticationContext authContext, IProofData proofData, HttpListenerRequest request, Claim[]& outgoingClaims)
at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandlerBase.TryEndAuthentication(IAuthenticationContext authContext, IProofData proofData, HttpListenerRequest request, Claim[]& adapterClaims)
at Microsoft.IdentityServer.Web.Authentication.Azure.AzurePrimaryAuthenticationHandler.Process(ProtocolContext context)
at Microsoft.IdentityServer.Web.Authentication.AuthenticationOptionsHandler.Process(ProtocolContext context)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
System.Net.WebException: The remote server returned an error: (401) Unauthorized.
at System.Net.HttpWebRequest.GetResponse()
at Microsoft.IdentityServer.Aad.Sas.HttpClientHelper.PostXml[TRequest,TResponse](String url, TRequest request, Action`1 httpRequestModifier)
at Microsoft.IdentityServer.Aad.Sas.RealSasProvider.GetAvailableAuthenticationMethods(GetAvailableAuthenticationMethodsRequest request)
at Microsoft.IdentityServer.Adapter.AzureMfa.PrimaryAuthenticationAdapter.ProcessUsernameOathCodePin(IAuthenticationContext authContext, IProofData proofData, Claim[]& outgoingClaims)
Lastly, these are the steps I followed to configure my ADFS server for Azure MFA.
Thinking it's something in the claim issuance I need to adjust, but I'm not exactly sure what?
Exchange Online
Azure Cloud Services
Azure Cloud Services
An Azure platform as a service offer that is used to deploy web and cloud applications.
774 questions
Microsoft Security | Active Directory Federation Services
1,306 questions
Exchange | Exchange Server | Development
587 questions
Microsoft Security | Microsoft Entra | Microsoft Entra ID
25,147 questions
2 answers
Sort by: Most helpful
-
mohamed hussien rabea 21 Reputation points2021-10-09T09:08:58.477+00:00 -
djtheri 1 Reputation point
2021-10-09T14:56:20.267+00:00 Let me know if you find an answer. Upvote the question so it gets more attention!
Sign in to comment -
-
Siva-kumar-selvaraj 15,721 Reputation points2021-09-28T19:29:48.783+00:00 Hello @djtheri ,
Thanks for reaching out and apologies for delayed response.
Looking at above error message it seems to be related with "Azure MFA Certificates" which used by AD FS for authenticating so if Azure MFA certificate expired then you may get
(401) Unauthorized.I would recommend you to check the validity period of Azure MFA certificate on each AD FS server to determine the expiration date. If you find expired then create new certificate or nearing expiry date then renew it per this guidance.
Hope this helps
------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.-
djtheri 1 Reputation point
2021-09-29T09:39:29.91+00:00 I'm not so sure that's right. As I mentioned I am able to use Azure MFA for O365 authentications without a problem and I'd think this error would come up there too.
-
Siva-kumar-selvaraj 15,721 Reputation points
2021-09-30T20:53:11.203+00:00 Thanks for the update.
Wondering how did you configured MFA for O365 federated user in working scenario from Azure AD or on ADFS ? because Azure MFA adapter for AD FS enables users to do MFA on AD FS when respective "Replying Party" or users is part of MFA condition. Lets say if you had configured MFA for user directly in Azure AD or through Conditional access then user always performed MFA directly in cloud rather than through ADFS MFA adaptor for federated users so guessing that could be reason why MFA works for cloud scenario and fail for on-premises application (Exchange) in your setup.
To verify this one, run following cmdlet from ADFS server and share with me
Get-MsolDomainFederationSettings -DomainName "contoso.com"In addition to that could you please confirm current active "Office365 subscription" ? because ADFS MFA setup require Azure AD premium license which included in Microsoft 365 Business Premium, EMS, Microsoft 365 E3 and E5 licenses.
-
djtheri 1 Reputation point
2021-10-01T10:49:17.56+00:00 I configured this on my ADFS. The steps I took to configure this, were in this document:
I tried to run your command, first running Connect-MsolService, but it keeps returning nothing. I did get an error before connecting, but now nothing.
On your last question, we have Azure Active Directory Free, which was included with our Microsoft 365 licensing. It's working for O365, so I don't think this is licensing. From what I see, I should have full access according to this:
https://www.microsoft.com/en-us/security/business/identity-access-management/azure-ad-pricing
Sign in to comment -