Hybrid Modern Authentication with VMware Boxer – Part 5 – Troubleshooting

Authentication issue

User cannot authenticate on Office 365

Users’ needs to be synced to Office 365 using Azure AD connect.

Authentication method needs to be either:

  • Password Hash Sync
  • Password Passthrough
  • IDP: WS1 Access, Okta, ADFS, etc.

Users authenticate successfully but cannot access email

The oAuth token does not have the right audience. To troubleshoot this, you can access the HttpProxy logs on the exchange server, or within the log central location where the logs are collected. The folder for ActiveSync is EAS and the folder for EWS is Ews.

If the following error can be seen in the Exchange logs, then there is a mismatch between the URL used to access and the FQDN configured, see part 3:

Microsoft.Exchange.Security.OAuth.InvalidOAuthTokenException:
The hostname component of the audience claim value ''https://seg.domain.com'' is invalid

You can also check the virtual directory configuration for each service.

For ActiveSync

Get-ActiveSyncVirtualDirectory | FL server,*url*,*oauth*

Server                              : EXCHANGESERVERNAME
MobileClientCertificateAuthorityURL :
InternalUrl                         : https://mail.domain.internal/Microsoft-Server-ActiveSync
ExternalUrl                         : https://activesync.domain.com/Microsoft-Server-ActiveSync

For EWS

Get-WebServicesVirtualDirectory | FL server,*url*,*oauth*

Server               : EXCHANGESERVERNAME
InternalNLBBypassUrl :
InternalUrl          : https://mail.domain.internal/EWS/Exchange.asmx
ExternalUrl          : https://ews.domain.com/EWS/Exchange.asmx
OAuthAuthentication  : True

Notification issue

Most of the notification issues are detailed in the documentation

Troubleshooting ENS

There however some issue which are more common for Hybrid Modern Authentication.

ENS subscription is successful, but no notification received.

The first thing to validate is that TLS1.2 is enabled on each and every exchange server. This needs to be done at the OS level as well as the .NET framework. ENS does not support TLS 1.0 or 1.1.

The registry keys to check are:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

More info: Exchange Server TLS guidance Part 2: Enabling TLS 1.2 and Identifying Clients Not Using It

ENS subscription is unsuccessful

If you are using ENS cloud, you need to add the KVP PolicyENSResourceURL as described in part 3.

If you are using ENS on-premises, you need to modify the resource in the config file as described in part 3.

Written by

Website | + posts

vExpert, blogger and VMware champion. Worked as a Microsoft consultant for a partner before joining VMware via Airwatch in 2015.

Leave a Reply

Your email address will not be published. Required fields are marked *.

*
*
You may use these <abbr title="HyperText Markup Language">HTML</abbr> tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

This site uses Akismet to reduce spam. Learn how your comment data is processed.

BCF Shop Theme By aThemeArt.
BACK TO TOP