ADFS / WAP and Exchange 2010 OWA

Hi all,

I am fighting with publishing Exchange 2010 OWA through Server 2012 ADFS and Web Application Proxy.

I have a WAP server joined to my domain and placed in an OPT zone. I want to use ADFS pre-authentication for publishing OWA in my split-DNS scenario.

After I fill in my user credentials to log in to OWA, nothing really happens.
I see that the WAP server is requesting a Kerberos ticket, but the ADFS server is not able to send the Kerberos ticket back. I have read the how-to and the step-by-step guide a thousand times... added the SPN, activated constrained delegation... but it does not work at all.

The logs on the WAP server tell me:

WAP server event log, Event ID 12027: Username and password wrong (0x8007052e). But I am quite sure the credentials are right, because EAS and the other published rules work.

On the other side, the ADFS server log tells me:

ADFS log, Event ID 364:

Encountered error during federation passive request.

Additional Data

Protocol Name:

Relying Party:

Exception details:
Microsoft.IdentityServer.Web.InvalidScopeException: 06a7aa66-3aad-e311-80c1-005056983900
   at Microsoft.IdentityServer.Web.Protocols.MSISHttp.MSISHttpProtocolHandler.ValidateSignInContext(MSISHttpSignInRequestContext msisContext, WrappedHttpListenerRequest request)
   at Microsoft.IdentityServer.Web.Protocols.MSISHttp.MSISHttpProtocolHandler.CreateProtocolContext(WrappedHttpListenerRequest request)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandler(WrappedHttpListenerRequest request, ProtocolContext& protocolContext, PassiveProtocolHandler& protocolHandler)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)



Did anyone have this problem before? The strange thing is... I tested the whole thing before with the same components, and it worked in the lab.

Thanks for any help.
ITSGMBH asked:
ITSGMBH (Author) commented:
Solved it myself...

I had to add the WAP server computer account to the
Windows Authorization Access Group

After the reboot everything rocked!
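The fix from the comment above, together with the checks a practitioner would run around it, as an added PowerShell example that is not part of the original thread. Background for why this group matters: membership in Windows Authorization Access Group grants read access to the tokenGroupsGlobalAndUniversal attribute, which a server performing Kerberos protocol transition (S4U2Self, as WAP does for ADFS pre-authenticated KCD publishing) needs in order to build the user's group membership; without it the delegation fails with a logon-failure style error even when the SPN and constrained-delegation settings are correct. The group is looked up by its well-known SID S-1-5-32-560. The host name WAP01, the OWA FQDN mail.contoso.local and the SPN built from it are hypothetical; run the script from a domain-joined admin host with the ActiveDirectory RSAT module and enough rights to edit the group and the computer object.

```powershell
# Added example, not from the original post. Names below are hypothetical.
Import-Module ActiveDirectory

$wapHost = 'WAP01'                # hypothetical WAP server computer name
$owaFqdn = 'mail.contoso.local'   # hypothetical internal OWA backend FQDN
$owaSpn  = "http/$owaFqdn"        # SPN WAP must be allowed to delegate to

# Pull the WAP computer object with the delegation-relevant attributes.
$wap = Get-ADComputer -Identity $wapHost `
    -Properties 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation, ServicePrincipalNames

# 1. Windows Authorization Access Group membership (the fix from the thread).
#    Lookup by well-known SID so it works regardless of display-name localisation.
$waag = Get-ADGroup -Identity 'S-1-5-32-560'
$memberDns = Get-ADGroupMember -Identity $waag -Recursive |
    Select-Object -ExpandProperty DistinguishedName

if ($memberDns -contains $wap.DistinguishedName) {
    Write-Host "$wapHost is already a member of '$($waag.Name)'."
} else {
    Add-ADGroupMember -Identity $waag -Members $wap
    Write-Warning "$wapHost added to '$($waag.Name)'. Reboot the WAP server so its computer token picks up the new group."
}

# 2. Constrained delegation must use protocol transition ("use any authentication
#    protocol"), because the user never authenticates to WAP with Kerberos directly.
if (-not $wap.TrustedToAuthForDelegation) {
    Write-Warning "$wapHost has no protocol transition (TrustedToAuthForDelegation is false)."
}

# 3. The OWA backend SPN must be on the WAP account's allowed-to-delegate list.
if ($wap.'msDS-AllowedToDelegateTo' -notcontains $owaSpn) {
    Write-Warning "$owaSpn is not in msDS-AllowedToDelegateTo of $wapHost."
}

# 4. The SPN must be registered exactly once in the forest; a duplicate or
#    missing registration breaks the KCD request before it reaches the backend.
$spnHits = setspn -Q $owaSpn
if ($spnHits -match 'No such SPN found') {
    Write-Warning "$owaSpn is not registered on any account."
} elseif ($spnHits -match 'Duplicate SPN') {
    Write-Warning "$owaSpn is registered more than once."
} else {
    Write-Host "SPN lookup for ${owaSpn}:"
    $spnHits
}
```

If step 1 made a change, reboot the WAP host before retesting; the computer account's Kerberos token is built at boot, so the new group membership is not visible to the running services until then.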
