Publishing Exchange 2016 OWA through Azure AD App Proxy

Occasional Contributor

Dear community,

 

We are starting some tests for publishing on-premises Exchange 2016 Outlook Web Access through Azure AD Application Proxy and everything seems to be working fine from the Azure AD Application Proxy side.

The problem we are facing is that, after authenticating to Azure AD and getting redirected to our internal webmail host, it cannot load the mailbox, with the error message "Microsoft.Mapi.MapiExceptionLogonFailed".

 

From the Exchange server IIS logs I see the following:

 

2022-06-27 11:32:46 DagClusterIP POST /owa/plt1.ashx off=0&PLT=now,0&msg=FormErr&cid=AAC579AD49DD4DBE93E70478D1C95D5C&reqid=ce0540af-761e-47ef-b80a-1b6e97954ac6&fe=ExchangeServer&be=ExchangeServer&cbe=&tg=&MDB=&pal=0&ClientId=AAC579AD49DD4DBE93E70478D1C95D5C&Err=Microsoft.Exchange.Data.Storage.ConnectionFailedTransientException&CorrelationID=<empty>;&ClientRequestId=637919263671163930&encoding=;&cafeReqId=7b082a38-4508-4577-a847-51b43111f819; 443 email address removed for privacy reasons AppProxyServer Mozilla/5.0+(Linux;+Android+11;+Redmi+Note+9S)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/103.0.5060.53+Mobile+Safari/537.36+EdgA/103.0.1264.37 https://webmail.domain.com/owa/auth/errorfe.aspx?httpCode=500&msg=198161982&owaError=Microsoft.Exchange.Data.Storage.ConnectionFailedTransientException&owaVer=15.1.2375.28&be=ExchangeServer&ts=133008031660381969&ClientRequestId=637919263659757254&fe=ExchangeServer&reqid=ce0540af-761e-47ef-b80a-1b6e97954ac6&creqid=&cid=&inex=Microsoft.Mapi.MapiExceptionLogonFailed&rt=Form15&et=DefaultPage&pal=0&dag=DagClusterName&forest=resourceforest.domain.com&te=0&refurl=https%3a%2f%2fExchangeServer.resourceforest.domain.com%3a444%2fowa 302 0 0 46
2022-06-27 11:32:46 DagClusterIP GET /owa/auth/errorfe.aspx httpCode=500&msg=198161982&owaError=Microsoft.Exchange.Data.Storage.ConnectionFailedTransientException&owaVer=15.1.2375.28&be=ExchangeServer&ts=133008031671320001&ClientRequestId=637919263671163930&fe=ExchangeServer&reqid=7b082a38-4508-4577-a847-51b43111f819&creqid=&cid=&inex=Microsoft.Mapi.MapiExceptionLogonFailed&ClientId=AAC579AD49DD4DBE93E70478D1C95D5C&CorrelationID=<empty>;&cafeReqId=c5668d5e-3338-4ec5-b9bb-4685bfa918a7;&encoding=; 443 - AppProxyServer Mozilla/5.0+(Linux;+Android+11;+Redmi+Note+9S)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/103.0.5060.53+Mobile+Safari/537.36+EdgA/103.0.1264.37 https://webmail.domain.com/owa/auth/errorfe.aspx?httpCode=500&msg=198161982&owaError=Microsoft.Exchange.Data.Storage.ConnectionFailedTransientException&owaVer=15.1.2375.28&be=ExchangeServer&ts=133008031660381969&ClientRequestId=637919263659757254&fe=ExchangeServer&reqid=ce0540af-761e-47ef-b80a-1b6e97954ac6&creqid=&cid=&inex=Microsoft.Mapi.MapiExceptionLogonFailed&rt=Form15&et=DefaultPage&pal=0&dag=DagClusterName&forest=resourceforest.domain.com&te=0&refurl=https%3a%2f%2fExchangeServer.resourceforest.domain.com%3a444%2fowa 500 0 0 0

 

 
Our scenario is the following:
  • Account and resource forest (linked mailboxes)
  • Azure AD Application Proxy agent is installed in a Windows Server 2022 machine joined to the resource forest
  • For Azure AD Application Proxy to be able to accept our credentials, I had to enable the linked mailbox AD account in the resource forest
  • Exchange Server 2016 is running the latest CU on Windows Server 2012 R2
  • OWA authentication works by using FBA (with username in the format of DOMAIN\samAccountName) but I've also enabled Windows Authentication, as per official documentation

Accessing the webmail URL internally works (without going through the Azure AD Application Proxy, of course).

 

For the setup I have followed the following post:

https://hedbergtech.se/securing-using-sso-for-outlook-web-app-exchange-control-panel-with-the-azure-...

 

I have also made this change as it seems recommended:

https://docs.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy-add-on-premises-...

 

Do you have any ideas on how to make this work? Is this scenario supported or should we have a single forest for this to work?

 

Thank you!

Bruno

0 Replies