Solved

Lync 2013 to Exchange 2013 Oauth problem

Posted on 2014-12-29
Last Modified: 2016-02-19
Hi,

I am having a problem getting OAuth to work from Exchange 2013 to Lync 2013.

I think the problem is to do with the fact that OAuth is configured for domainname.local, but when Exchange is trying to build a token for the user, the user domain is domainname.co.uk.

I cannot figure this out.

Any ideas?

Thanks

jack


when I run:
Test-OAuthConnectivity -Service EWS -TargetUri https://exchserver2.domainname.local/ews/ -Mailbox "Jack"

[PS] C:\Program Files\Microsoft\Exchange Server\V15\Scripts>Test-OAuthConnectivity -Service EWS -TargetUri https://exchserver2.domainname.local/ews/ -Mailbox "Jack" |fl


RunspaceId  : 5e1096a3-c27c-49c4-b7eb-3c81d95db91c
Task        : Checking EWS API Call Under Oauth
Detail      : The configuration was last successfully loaded at 01/01/0001 00:00:00 UTC. This was 1059257506 minutes
              ago.
              The token cache is being cleared because "use cached token" was set to false.
              Exchange Outbound Oauth Log:
              Client request ID: 9cdbfe81-9240-4c3a-80d7-793a9dfa8c1b
              Information:[OAuthCredentials:Authenticate] entering
              Information:[OAuthCredentials:Authenticate] challenge from
              'https://exchserver2.domainname.local/ews/Exchange.asmx' received: Bearer
              client_id="00000002-0000-0ff1-ce00-000000000000",
              trusted_issuers="00000004-0000-0ff1-ce00-000000000000@domainname.local",Negotiate,NTLM
              Information:[OAuthCredentials:GetToken] client-id: '00000002-0000-0ff1-ce00-000000000000', realm: '',
              trusted_issuer: '00000004-0000-0ff1-ce00-000000000000@domainname.local'
              Information:[OAuthCredentials:GetToken] start building a token for the user domain 'domainname.co.uk'
              Information:[OAuthTokenBuilder:GetAppToken] start building the apptoken
              Information:[OAuthTokenBuilder:GetAppToken] checking enabled auth servers
              Error:[OAuthTokenBuilder:GetAppToken] unable to continue building token; no locally configured issuer
              was in the trusted_issuer list, realm from challenge was also empty. trust_issuers was
              00000004-0000-0ff1-ce00-000000000000@domainname.local
              Error:The trusted issuers contained the following entries
              '00000004-0000-0ff1-ce00-000000000000@domainname.local'. None of them are configured locally.

              Exchange Response Details:
              HTTP response message:
              Exception:
              System.Net.WebException: The request was aborted: The request was canceled. --->
              Microsoft.Exchange.Security.OAuth.OAuthTokenRequestFailedException: The trusted issuers contained the
              following entries '00000004-0000-0ff1-ce00-000000000000@domainname.local'. None of them are
              configured locally.
                 at Microsoft.Exchange.Security.OAuth.OAuthTokenBuilder.GetAppToken(String applicationId, String
              destinationHost, String realmFromChallenge, IssuerMetadata[] trustedIssuersFromChallenge, String
              userDomain)
                 at Microsoft.Exchange.Security.OAuth.OAuthTokenBuilder.GetAppWithUserToken(String applicationId,
              String destinationHost, String realmFromChallenge, IssuerMetadata[] trustedIssuersFromChallenge, String
              userDomain, ClaimProvider claimProvider)
                 at Microsoft.Exchange.Security.OAuth.OAuthCredentials.GetToken(WebRequest webRequest,
              HttpAuthenticationChallenge challengeObject)
                 at Microsoft.Exchange.Security.OAuth.OAuthCredentials.Authenticate(String challengeString, WebRequest
              webRequest, Boolean preAuthenticate)
                 at Microsoft.Exchange.Security.OAuth.OAuthCredentials.OAuthAuthenticationModule.Authenticate(String
              challenge, WebRequest request, ICredentials credentials)
                 at System.Net.AuthenticationManager.Authenticate(String challenge, WebRequest request, ICredentials
              credentials)
                 at System.Net.AuthenticationState.AttemptAuthenticate(HttpWebRequest httpWebRequest, ICredentials
              authInfo)
                 at System.Net.HttpWebRequest.CheckResubmitForAuth()
                 at System.Net.HttpWebRequest.CheckResubmit(Exception& e, Boolean& disableUpload)
                 at System.Net.HttpWebRequest.DoSubmitRequestProcessing(Exception& exception)
                 at System.Net.HttpWebRequest.ProcessResponse()
                 at System.Net.HttpWebRequest.SetResponse(CoreResponseData coreResponseData)
                 --- End of inner exception stack trace ---
                 at System.Net.HttpWebRequest.GetResponse()
                 at Microsoft.Exchange.Monitoring.TestOAuthConnectivityHelper.SendExchangeOAuthRequest(ADUser user,
              String orgDomain, Uri targetUri, String& diagnosticMessage, Boolean appOnly, Boolean useCachedToken,
              Boolean reloadConfig)

ResultType  : Error
Identity    : Microsoft.Exchange.Security.OAuth.ValidationResultNodeId
IsValid     : True
ObjectState : New

It appears to work fine from Lync 2013 to Exchange 2013.

When I run: Test-CsExStorageConnectivity -sipuri jack@domainname.co.uk -Binding Nettcp -Verbose in Lync 2013 I get a successful outcome:

PS C:\Users\administrator.domainname> Test-CsExStorageConnectivity -sipuri jack@domainname.co.uk -Binding Nettcp -Verbose
VERBOSE: Successfully opened a connection to storage service at localhost using
 binding: Nettcp.
VERBOSE: Create message.
VERBOSE: Execute Exchange Storage Command.
VERBOSE: Processing web storage response for ExCreateItem Success.,
result=Success, activityId=c2ae4446-bb4c-4a1e-a9e2-384f6b2bfcd2, reason=.
VERBOSE: Activity tracing:
2014/12/29 11:42:59.813 Autodiscover, send GetUserSettings request,
SMTP=Jack@domainname.co.uk, Autodiscover
Uri=https://autodiscover.domainname.co.uk/autodiscover/autodiscover.svc, Web
 Proxy=<NULL>
2014/12/29 11:42:59.813 Autodiscover.EWSMA trace,
type=AutodiscoverRequestHttpHeaders, message=<Trace
Tag="AutodiscoverRequestHttpHeaders" Tid="9" Time="2014-12-29 11:42:59Z">
POST /autodiscover/autodiscover.svc HTTP/1.1
Content-Type: text/xml; charset=utf-8
Accept: text/xml
User-Agent: ExchangeServicesClient/15.00.0516.004


</Trace>

2014/12/29 11:42:59.826 Autodiscover.EWSMA trace, type=AutodiscoverRequest,
message=<Trace Tag="AutodiscoverRequest" Tid="9" Time="2014-12-29 11:42:59Z"
Version="15.00.0516.004">
  <?xml version="1.0" encoding="utf-8"?>
  <soap:Envelope
xmlns:a="http://schemas.microsoft.com/exchange/2010/Autodiscover"
xmlns:wsa="http://www.w3.org/2005/08/addressing"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
    <soap:Header>
      <a:RequestedServerVersion>Exchange2013</a:RequestedServerVersion>

      <wsa:Action>http://schemas.microsoft.com/exchange/2010/Autodiscover/Autodiscover/GetUserSettings</wsa:Action>
      <wsa:To>https://autodiscover.domainname.co.uk/autodiscover/autodiscover.svc</wsa:To>
    </soap:Header>
    <soap:Body>
      <a:GetUserSettingsRequestMessage
xmlns:a="http://schemas.microsoft.com/exchange/2010/Autodiscover">
        <a:Request>
          <a:Users>
            <a:User>
              <a:Mailbox>Jack@domainname.co.uk</a:Mailbox>
            </a:User>
          </a:Users>
          <a:RequestedSettings>
            <a:Setting>InternalEwsUrl</a:Setting>
            <a:Setting>ExternalEwsUrl</a:Setting>
            <a:Setting>ExternalEwsVersion</a:Setting>
          </a:RequestedSettings>
        </a:Request>
      </a:GetUserSettingsRequestMessage>
    </soap:Body>
  </soap:Envelope>
</Trace>

2014/12/29 11:42:59.876 Autodiscover.EWSMA trace,
type=AutodiscoverResponseHttpHeaders, message=<Trace
Tag="AutodiscoverResponseHttpHeaders" Tid="9" Time="2014-12-29 11:42:59Z">
HTTP/1.1 200 OK
Transfer-Encoding: chunked
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Set-Cookie: ClientId=ADPZOZUUIDKUHDTEIYW; expires=Tue, 29-Dec-2015 11:42:59
GMT; path=/;
HttpOnly,X-BackEndCookie=actas1(sid:S-1-5-21-3691024758-535552880-811174816-113
5|smtp:Jack@domainname.co.uk|upn:jack@domainname.local)=u56Lnp2ejJqBx8jIn
sqbxpvSz8rHx9LLzp7O0sbOzcnSzcqcmZqem8aempmcgYHNz87K0s/O0s3Hq87OxcvNxcrG;
expires=Wed, 28-Jan-2015 11:42:59 GMT; path=/autodiscover; secure; HttpOnly
Server: Microsoft-IIS/8.5
request-id: 7a3bd9ca-a36f-4cec-9cb6-ae1198864b2d
X-CalculatedBETarget: exchserver2.domainname.local
X-DiagInfo: EXCHSERVER2
X-BEServer: EXCHSERVER2
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET,ARR/2.5
X-FEServer: EXCHSERVER2
Date: Mon, 29 Dec 2014 11:42:59 GMT


</Trace>

2014/12/29 11:42:59.876 Autodiscover.EWSMA trace, type=AutodiscoverResponse,
message=<Trace Tag="AutodiscoverResponse" Tid="9" Time="2014-12-29 11:42:59Z"
Version="15.00.0516.004">
  <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:a="http://www.w3.org/2005/08/addressing">
    <s:Header>
      <a:Action s:mustUnderstand="1">http://schemas.microsoft.com/exchange/2010/Autodiscover/Autodiscover/GetUserSettingsResponse</a:Action>
      <h:ServerVersionInfo
xmlns:h="http://schemas.microsoft.com/exchange/2010/Autodiscover"
xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
        <h:MajorVersion>15</h:MajorVersion>
        <h:MinorVersion>0</h:MinorVersion>
        <h:MajorBuildNumber>1044</h:MajorBuildNumber>
        <h:MinorBuildNumber>21</h:MinorBuildNumber>
        <h:Version>Exchange2013_SP1</h:Version>
      </h:ServerVersionInfo>
    </s:Header>
    <s:Body>
      <GetUserSettingsResponseMessage
xmlns="http://schemas.microsoft.com/exchange/2010/Autodiscover">
        <Response xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
          <ErrorCode>NoError</ErrorCode>
          <ErrorMessage />
          <UserResponses>
            <UserResponse>
              <ErrorCode>NoError</ErrorCode>
              <ErrorMessage>No error.</ErrorMessage>
              <RedirectTarget i:nil="true" />
              <UserSettingErrors />
              <UserSettings>
                <UserSetting i:type="StringSetting">
                  <Name>InternalEwsUrl</Name>

<Value>https://exchserver2.domainname.local/EWS/Exchange.asmx</Value>
                </UserSetting>
                <UserSetting i:type="StringSetting">
                  <Name>ExternalEwsUrl</Name>

<Value>https://exchserver2.domainname.co.uk/EWS/Exchange.asmx</Value>
                </UserSetting>
                <UserSetting i:type="StringSetting">
                  <Name>ExternalEwsVersion</Name>
                  <Value>15.00.1044.000</Value>
                </UserSetting>
              </UserSettings>
            </UserResponse>
          </UserResponses>
        </Response>
      </GetUserSettingsResponseMessage>
    </s:Body>
  </s:Envelope>
</Trace>

2014/12/29 11:42:59.876 Autodiscover, received GetUserSettings response,
duration Ms=62, response=NoError
2014/12/29 11:42:59.881 Lookup user details,
sipUri=sip:jack@domainname.co.uk, smtpAddress=Jack@domainname.co.uk,
sid=S-1-5-21-3691024758-535552880-811174816-1135, upn=jack@domainname.local,
 tenantId=00000000-0000-0000-0000-000000000000
VERBOSE: Items choice type: CreateItemResponseMessage.
VERBOSE: Response message, class: Success, code: NoError.
VERBOSE: Item: Microsoft.Rtc.Internal.Storage.Exchange.Ews.MessageType, Id:
AAMkADAwNWZkZWI0LWM5NGYtNDUxNy05Nzk3LWZhZjRiY2Y4MTU4NwBGAAAAAADLP1MgTEXdQ7zQSlb
qPl++BwBauhRZTfLbTYZ+hBWtK784ANcdmUYqAACSqIurRqgYSZwMhT/IBw89AACkpYlXAAA=,
change key: CQAAABYAAACSqIurRqgYSZwMhT/IBw89AACk3mHr, subject: , body: .
VERBOSE: Is command successful: True.
Test passed.
PS C:\Users\administrator.domainname>

Question by:jackbenson
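As an added illustration (not part of the original thread), the following Python parses the Bearer challenge quoted in the Test-OAuthConnectivity output and applies the decision the log describes: use a locally configured issuer that appears in trusted_issuers, otherwise fall back to the realm from the challenge, otherwise fail with the same message the log prints. The local issuer list is constructed from the Get-AuthConfig output later in the thread (ServiceName@Realm); the decision logic is a simplified model inferred from the log lines, not Exchange's code, and splitting multiple issuers on ';' is an assumption.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Challenge copied from the Test-OAuthConnectivity output above (the EWS endpoint's
# WWW-Authenticate header as logged by OAuthCredentials:Authenticate).
CHALLENGE = ('Bearer client_id="00000002-0000-0ff1-ce00-000000000000", '
             'trusted_issuers="00000004-0000-0ff1-ce00-000000000000@domainname.local",'
             'Negotiate,NTLM')
# Constructed from the Get-AuthConfig output later in the thread: ServiceName@Realm.
LOCAL_ISSUERS = ["00000002-0000-0ff1-ce00-000000000000@domainname.local"]

PARAM_RE = re.compile(r'(\w+)="([^"]*)"')

@dataclass
class BearerChallenge:
    client_id: str
    realm: str
    trusted_issuers: List[str]
    other_schemes: List[str] = field(default_factory=list)

def parse_bearer_challenge(header: str) -> BearerChallenge:
    """Split a 'Bearer k="v", ...,Negotiate,NTLM' header value into its parts."""
    if not header.startswith("Bearer"):
        raise ValueError("not a Bearer challenge")
    params = dict(PARAM_RE.findall(header))
    # What remains after removing the quoted parameters is the list of extra
    # schemes the server also offers (Negotiate and NTLM in the log).
    leftovers = PARAM_RE.sub("", header[len("Bearer"):])
    schemes = [s.strip() for s in leftovers.split(",") if s.strip()]
    # Assumption: several trusted issuers would be separated by ';'.
    issuers = [i.strip() for i in params.get("trusted_issuers", "").split(";") if i.strip()]
    return BearerChallenge(params.get("client_id", ""), params.get("realm", ""), issuers, schemes)

def pick_issuer(challenge: BearerChallenge, local_issuers: List[str]) -> Optional[str]:
    """Simplified model of the decision the log describes: use a locally configured
    issuer the server trusts; else a local issuer for the challenge realm; else None."""
    local = {i.lower() for i in local_issuers}
    for issuer in challenge.trusted_issuers:
        if issuer.lower() in local:
            return issuer
    if challenge.realm:
        suffix = "@" + challenge.realm.lower()
        for issuer in local_issuers:
            if issuer.lower().endswith(suffix):
                return issuer
    return None

def explain(challenge: BearerChallenge, local_issuers: List[str]) -> str:
    """Return the same diagnosis the log prints, for quick triage of a failing test."""
    chosen = pick_issuer(challenge, local_issuers)
    if chosen:
        return f"building app token with issuer {chosen}"
    listed = ", ".join(f"'{i}'" for i in challenge.trusted_issuers)
    return f"The trusted issuers contained the following entries {listed}. None of them are configured locally."

if __name__ == "__main__":
    print(explain(parse_bearer_challenge(CHALLENGE), LOCAL_ISSUERS))
```

Run against the thread's own challenge it reproduces the "None of them are configured locally" outcome, because the only issuer the EWS endpoint trusts (the 00000004-... Lync identity) is not in the local list; adding that identity to the local list makes the check pass.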
12 Comments
 
LVL 27

Expert Comment

by:davorin
ID: 40525688
I would start with checking if both certificates are trusted on other server.
0
 
LVL 1

Author Comment

by:jackbenson
ID: 40525763
So, to ask a stupid question: how can I do that? I have been searching online for ages and could not find how to check that.
0
 
LVL 1

Author Comment

by:jackbenson
ID: 40526906
davorin,

I really would appreciate it if you could give me some more details as to how to check this.

I have wasted so many days trying to figure this out

thanks

jack
0
 
LVL 18

Expert Comment

by:irweazelwallis
ID: 40527385
To check the certs just use IE from each server.
So from the Lync server browse to all the URLs needed, i.e. autodiscover and EWS:

https://exchserver2.domainname.co.uk/EWS/Exchange.asmx
https://autodiscover.domainname.co.uk/autodiscover/autodiscover.svc

Then from the Exchange server browse back to the Lync server. Just use the CSCP URL, as that cert should have all the names in for Lync.

If you get a red cross from IE then it's not trusted; then go to more details from IE and it should say why it's not trusted.
0
 
LVL 1

Author Comment

by:jackbenson
ID: 40527618
yes - these are all fine. I thought you were referring to the trusted issuers that is mentioned in this part of the error message:

 Error:[OAuthTokenBuilder:GetAppToken] unable to continue building token; no locally configured issuer
 was in the trusted_issuer list, realm from challenge was also empty. trust_issuers was
 00000004-0000-0ff1-ce00-000000000000@domainname.local
 Error:The trusted issuers contained the following entries
 '00000004-0000-0ff1-ce00-000000000000@domainname.local'. None of them are configured locally.



All certificates are issued by my local CA.

I use APP with the public certificates as my reverse proxy for people connecting from outside the network.

In Lync, the OAuthTokenIssuer certificate created through the Lync deployment wizard is issued to domainname.local (my primary SIP domain) and the Subject Alternative Names include domainname.co.uk.

I then exported this certificate to the Exchange Server and used Set-AuthConfig to use this certificate for OAuth.

From what I read this was what I was supposed to do.

is this correct?

I have tried so many things I don't know what to do next.

Should the OAuth certificate in Exchange be the one exported from Lync?

In Lync, should the OAuthTokenIssuer certificate include the server name, i.e. lyncserver.domainname.local, or just be domainname.local like it is at the moment?

Thank you

jack
0
 
LVL 18

Expert Comment

by:irweazelwallis
ID: 40528944
Can you just confirm you have done these steps:

http://technet.microsoft.com/en-gb/library/jj205253.aspx

I will be back in the office Monday, so I can double check my environment there where this is all set up and working.
0
 
LVL 1

Author Comment

by:jackbenson
ID: 40529025
Thanks for your reply.

I have only 1 Lync FE Server.

Thanks for your help.

PS C:\Users\administrator.domainname> Get-CsCertificate -Type OAuthTokenIssuer

Issuer             : CN=domainname-CA, DC=domainname, DC=local
NotAfter           : 31/12/2016 10:02:22
NotBefore          : 01/01/2015 10:02:22
SerialNumber       : 3E0000010BBA52FBA562209ACA00000000010B
Subject            : CN=domainname.local, OU=London, O=Guide Clothing
                     Limited, L=London, S=London, C=GB
AlternativeNames   : {domainname.co.uk, domainname.local}
Thumbprint         : 8248116CC834129B43E6CDF160BA0E9AF69E55A3
EffectiveDate      : 01/01/2015 10:12:38
PreviousThumbprint :
UpdateTime         :
Use                : OAuthTokenIssuer
SourceScope        : Global


0
 
LVL 18

Expert Comment

by:irweazelwallis
ID: 40535254
Just looked through: the OAuth cert is not installed anywhere but the Lync front ends, and the attributes match your cert.
Just to check, is it 2048-bit?
0
 
LVL 1

Author Comment

by:jackbenson
ID: 40535274
Thanks, it's definitely 2048-bit.

On Exchange, did you use your local CA to make the certificate for OAuth?

What is the Subject name of the certificate used: ExchServerName.DomainName.Local, or just DomainName.Local?

Thanks

jack

This is the result when I run Get-AuthConfig on the Exchange Server. Does it match yours?

[PS] C:\Program Files\Microsoft\Exchange Server\V15\Scripts>get-AuthConfig
Creating a new session for implicit remoting of "Get-AuthConfig" command...


RunspaceId                    : 5438c877-b51b-48b1-b600-acacd955e95f
CurrentCertificateThumbprint  : 8248116cc834129b43e6cdf160ba0e9af69e55a3
PreviousCertificateThumbprint :
NextCertificateThumbprint     :
NextCertificateEffectiveDate  :
ServiceName                   : 00000002-0000-0ff1-ce00-000000000000
Realm                         : domainname.local
Name                          : Auth Configuration
AdminDisplayName              :
ExchangeVersion               : 0.20 (15.0.0.0)
DistinguishedName             : CN=Auth Configuration,CN=domainname,CN=Microsoft
                                Exchange,CN=Services,CN=Configuration,DC=domainname,DC=local
Identity                      : Auth Configuration
Guid                          : b3e3768e-e0e0-40c3-91da-e3dda5886fb8
ObjectCategory                : domainname.local/Configuration/Schema/ms-Exch-Auth-Auth-Config
ObjectClass                   : {top, container, msExchContainer, msExchAuthAuthConfig}
WhenChanged                   : 01/01/2015 20:31:14
WhenCreated                   : 02/03/2014 13:44:51
WhenChangedUTC                : 01/01/2015 20:31:14
WhenCreatedUTC                : 02/03/2014 13:44:51
OrganizationId                :
Id                            : Auth Configuration
OriginatingServer             : DomServer2.domainname.local
IsValid                       : True
ObjectState                   : Unchanged


0
 
LVL 1

Accepted Solution

by:
jackbenson earned 0 total points
ID: 41457369
When I migrated to Skype for Business 2015 this fixed itself.
0
 
LVL 18

Expert Comment

by:irweazelwallis
ID: 41458314
Sorry I missed the reply.
Mine is issued from the local CA.

I can't do that command as that is Exchange 2016 only.

Glad the Skype4B upgrade has fixed it.
0
 
LVL 1

Author Closing Comment

by:jackbenson
ID: 41471737
The problem resolved itself after an upgrade from Lync Server 2013 to Skype for Business Server 2015.
0