Jun 27 2022 04:49 AM - edited Jun 27 2022 01:07 PM
Dear community,
We are starting some tests for publishing on-premises Exchange 2016 Outlook Web Access through Azure AD Application Proxy and everything seems to be working fine from the Azure AD Application Proxy side.
The problem we are facing is that, after authenticating to Azure AD and getting redirected to our internal webmail host, it cannot load the mailbox, with the error message "Microsoft.Mapi.MapiExceptionLogonFailed".
From the Exchange server IIS logs I see the following:
2022-06-27 11:32:46 DagClusterIP POST /owa/plt1.ashx off=0&PLT=now,0&msg=FormErr&cid=AAC579AD49DD4DBE93E70478D1C95D5C&reqid=ce0540af-761e-47ef-b80a-1b6e97954ac6&fe=ExchangeServer&be=ExchangeServer&cbe=&tg=&MDB=&pal=0&ClientId=AAC579AD49DD4DBE93E70478D1C95D5C&Err=Microsoft.Exchange.Data.Storage.ConnectionFailedTransientException&CorrelationID=<empty>;&ClientRequestId=637919263671163930&encoding=;&cafeReqId=7b082a38-4508-4577-a847-51b43111f819; 443 email address removed for privacy reasons AppProxyServer Mozilla/5.0+(Linux;+Android+11;+Redmi+Note+9S)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/103.0.5060.53+Mobile+Safari/537.36+EdgA/103.0.1264.37 https://webmail.domain.com/owa/auth/errorfe.aspx?httpCode=500&msg=198161982&owaError=Microsoft.Exchange.Data.Storage.ConnectionFailedTransientException&owaVer=15.1.2375.28&be=ExchangeServer&ts=133008031660381969&ClientRequestId=637919263659757254&fe=ExchangeServer&reqid=ce0540af-761e-47ef-b80a-1b6e97954ac6&creqid=&cid=&inex=Microsoft.Mapi.MapiExceptionLogonFailed&rt=Form15&et=DefaultPage&pal=0&dag=DagClusterName&forest=resourceforest.domain.com&te=0&refurl=https%3a%2f%2fExchangeServer.resourceforest.domain.com%3a444%2fowa 302 0 0 46
2022-06-27 11:32:46 DagClusterIP GET /owa/auth/errorfe.aspx httpCode=500&msg=198161982&owaError=Microsoft.Exchange.Data.Storage.ConnectionFailedTransientException&owaVer=15.1.2375.28&be=ExchangeServer&ts=133008031671320001&ClientRequestId=637919263671163930&fe=ExchangeServer&reqid=7b082a38-4508-4577-a847-51b43111f819&creqid=&cid=&inex=Microsoft.Mapi.MapiExceptionLogonFailed&ClientId=AAC579AD49DD4DBE93E70478D1C95D5C&CorrelationID=<empty>;&cafeReqId=c5668d5e-3338-4ec5-b9bb-4685bfa918a7;&encoding=; 443 - AppProxyServer Mozilla/5.0+(Linux;+Android+11;+Redmi+Note+9S)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/103.0.5060.53+Mobile+Safari/537.36+EdgA/103.0.1264.37 https://webmail.domain.com/owa/auth/errorfe.aspx?httpCode=500&msg=198161982&owaError=Microsoft.Exchange.Data.Storage.ConnectionFailedTransientException&owaVer=15.1.2375.28&be=ExchangeServer&ts=133008031660381969&ClientRequestId=637919263659757254&fe=ExchangeServer&reqid=ce0540af-761e-47ef-b80a-1b6e97954ac6&creqid=&cid=&inex=Microsoft.Mapi.MapiExceptionLogonFailed&rt=Form15&et=DefaultPage&pal=0&dag=DagClusterName&forest=resourceforest.domain.com&te=0&refurl=https%3a%2f%2fExchangeServer.resourceforest.domain.com%3a444%2fowa 500 0 0 0
Accessing the webmail URL internally works (without going through the Azure AD Application Proxy, of course).
For the setup I have followed the following post:
I have also made this change as it seems recommended:
Do you have any ideas on how to make this work? Is this scenario supported or should we have a single forest for this to work?
Thank you!
Bruno
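As an added troubleshooting aid (not code from the original post or from Microsoft), the script below pulls the OWA error fields out of Exchange front-end IIS log lines like the two quoted above, so the back-end URL, DAG, forest and the MAPI exception can be read off each failed request without eyeballing the query strings. It assumes Exchange's default W3C field order for the IIS log and uses a constructed, shortened pair of sample lines modelled on the ones in the post.

```python
"""Triage OWA failures from Exchange front-end IIS logs (added example,
not from the original post). Assumes Exchange's default W3C field order."""
from urllib.parse import parse_qs, urlsplit

FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "cs(Referer)",
          "sc-status", "sc-substatus", "sc-win32-status", "time-taken"]
# Query keys OWA's plt1.ashx and errorfe.aspx carry that matter for triage.
ERROR_KEYS = ("httpCode", "owaError", "inex", "Err", "fe", "be", "dag", "forest")

def parse_line(line):
    """Split one W3C line into a dict; None for '#' directive lines."""
    if line.startswith("#"):
        return None
    parts = line.split(" ")
    if len(parts) != len(FIELDS):  # a field with embedded spaces breaks W3C logs
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    return dict(zip(FIELDS, parts))

def owa_diagnostics(entry):
    """Merge OWA error fields from cs-uri-query and from the Referer's query: the
    telemetry POST carries Err= itself, its Referer (errorfe.aspx) inex/dag/forest/refurl."""
    own = parse_qs(entry["cs-uri-query"])
    ref = parse_qs(urlsplit(entry["cs(Referer)"]).query)
    pick = lambda key: (own.get(key) or ref.get(key) or [None])[0]
    diag = {key: pick(key) for key in ERROR_KEYS}
    diag["stem"] = entry["cs-uri-stem"]
    diag["status"] = int(entry["sc-status"])
    diag["backend"] = pick("refurl")  # parse_qs already percent-decodes it
    return diag

def failed_logons(lines):
    """Diagnostics for every request that reports MapiExceptionLogonFailed."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        diag = owa_diagnostics(entry)
        if diag["inex"] and "MapiExceptionLogonFailed" in diag["inex"]:
            hits.append(diag)
    return hits

SAMPLE = [  # constructed sample modelled on the quoted lines, queries shortened
    "2022-06-27 11:32:46 DagClusterIP POST /owa/plt1.ashx off=0&msg=FormErr&fe=ExchangeServer&be=ExchangeServer&Err=Microsoft.Exchange.Data.Storage.ConnectionFailedTransientException "
    "443 - AppProxyServer Mozilla/5.0+(Linux;+Android+11) "
    "https://webmail.domain.com/owa/auth/errorfe.aspx?httpCode=500&owaError=Microsoft.Exchange.Data.Storage.ConnectionFailedTransientException&inex=Microsoft.Mapi.MapiExceptionLogonFailed&dag=DagClusterName&forest=resourceforest.domain.com&refurl=https%3a%2f%2fExchangeServer.resourceforest.domain.com%3a444%2fowa "
    "302 0 0 46",
    "2022-06-27 11:32:47 DagClusterIP GET /owa/ - 443 user@domain.com AppProxyServer Mozilla/5.0+(Linux;+Android+11) - 200 0 0 12",
]
```

The forum's "email address removed for privacy reasons" placeholder in the quoted POST line contains spaces, so that line as pasted fails the field-count check; a real log records the username as a single token.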
Mar 01 2023 09:13 AM
@skorzen Did you get this resolved?
Mar 01 2023 10:05 AM
May 31 2023 01:34 AM - edited May 31 2023 01:34 AM
I would recommend looking at this blog post from Mike Parker: https://mikeparker365.wordpress.com/2018/09/17/how-to-secure-exchange-2016-with-azure-ad-part-1-auth.... He explains how to implement Hybrid Modern Authentication and how to publish OWA through an Application Proxy. Maybe it will provide a hint as to the cause of your issue.