Hybrid Modern Authentication with VMware Boxer – Part 5 – Troubleshooting
- Part 1: Introduction
- Part 2: Prerequisites
- Part 3: Configuration
- Part 4: Special use cases and FAQ
- Part 5: Troubleshooting
User cannot authenticate on Office 365
Users’ needs to be synced to Office 365 using Azure AD connect.
Authentication method needs to be either:
- Password Hash Sync
- Password Passthrough
- IDP: WS1 Access, Okta, ADFS, etc.
Users authenticate successfully but cannot access email
The oAuth token does not have the right audience. To troubleshoot this, you can access the
HttpProxy logs on the exchange server, or within the log central location where the logs are collected. The folder for ActiveSync is
EAS and the folder for EWS is
If the following error can be seen in the Exchange logs, then there is a mismatch between the URL used to access and the FQDN configured, see part 3:
Microsoft.Exchange.Security.OAuth.InvalidOAuthTokenException: The hostname component of the audience claim value ''https://seg.domain.com'' is invalid
You can also check the virtual directory configuration for each service.
Get-ActiveSyncVirtualDirectory | FL server,*url*,*oauth* Server : EXCHANGESERVERNAME MobileClientCertificateAuthorityURL : InternalUrl : https://mail.domain.internal/Microsoft-Server-ActiveSync ExternalUrl : https://activesync.domain.com/Microsoft-Server-ActiveSync
Get-WebServicesVirtualDirectory | FL server,*url*,*oauth* Server : EXCHANGESERVERNAME InternalNLBBypassUrl : InternalUrl : https://mail.domain.internal/EWS/Exchange.asmx ExternalUrl : https://ews.domain.com/EWS/Exchange.asmx OAuthAuthentication : True
Most of the notification issues are detailed in the documentation
There however some issue which are more common for Hybrid Modern Authentication.
ENS subscription is successful, but no notification received.
The first thing to validate is that TLS1.2 is enabled on each and every exchange server. This needs to be done at the OS level as well as the .NET framework. ENS does not support TLS 1.0 or 1.1.
The registry keys to check are:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client] "DisabledByDefault"=dword:00000000 "Enabled"=dword:00000001 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server] "DisabledByDefault"=dword:00000000 "Enabled"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319] "SystemDefaultTlsVersions"=dword:00000001 "SchUseStrongCrypto"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319] "SystemDefaultTlsVersions"=dword:00000001 "SchUseStrongCrypto"=dword:00000001
More info: Exchange Server TLS guidance Part 2: Enabling TLS 1.2 and Identifying Clients Not Using It
ENS subscription is unsuccessful
If you are using ENS cloud, you need to add the KVP
PolicyENSResourceURL as described in part 3.
If you are using ENS on-premises, you need to modify the resource in the config file as described in part 3.
vExpert, blogger and VMware champion. Worked as a Microsoft consultant for a partner before joining VMware via Airwatch in 2015.