exchange-server, adfs

Trouble configuring ADFS + OWA on Exchange Server 2019
Overview:

We're trying to configure SSO for OWA on an Exchange 2019 server (on-premises), using ADFS. When going to https://mail.domain.com/owa we're experiencing multiple redirects between ADFS and OWA before we get an error in ADFS, followed by an error in the Windows event log that says:

Encountered error during federation passive request.

Additional Data

Protocol Name:
wsfed

Relying Party:
https://mail.domain.com/owa/

Exception details:
Microsoft.IdentityServer.Web.InvalidRequestException: MSIS7042: The same client browser session has made '6' requests in the last '0' seconds. Contact your administrator for details.
   at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.UpdateLoopDetectionCookie(WrappedHttpListenerContext context)
   at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.ProcessCommonCookiesInLastAuthenticationStage(ProtocolContext context)
   at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.SendSignInResponse(WSFederationContext context, MSISSignInResponse response)
   at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.Process(ProtocolContext context)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

Steps to reproduce:

  1. Install Exchange Server 2019
  2. Install ADFS and configure SSO exactly following the steps outlined on the following article (click here)
  3. Navigate to https://mail.domain.com/owa.

Troubleshooting so far:

  • Confirmed that the ECP and OWA External URLs match the audiences set in PowerShell.
  • Confirmed that the user I'm attempting to sign in as is able to authenticate using FBA.
  • Confirmed that OWA is working as expected.

Servers + configuration:

  • Exchange Server 2019 15.02.0221.017 configured with a self-signed certificate
  • ADFS 4.0 configured with a self-signed certificate

Question(s):

  1. Where can I go to get the OWA logs detailing why OWA is redirecting back to ADFS?
  2. Is there anything in the above-linked article that's incorrect?

Solution

  • After a bit more testing we found that if we used IE11, the problem went away. The problem only existed for Chrome or Edge Chromium.

    We decided to update to Exchange 2019 CU10, and there were no further issues.
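The "External URLs match the audiences" check from the troubleshooting list, plus the matching checks on the AD FS side, written out as an added example. This script is not from the original post or from Microsoft; it only reads configuration and changes nothing. The first half runs in the Exchange Management Shell on the Exchange server, the second half in an elevated PowerShell session on the AD FS server. The host names mail.domain.com and adfs.domain.com are placeholders taken from the question, and the Exchange HttpProxy log location and the AD FS event ID are assumptions from the default install, not from the page.

```powershell
# Added read-only check script (not the original poster's code).
# Part 1: run in the Exchange Management Shell on the Exchange 2019 server.

$org = Get-OrganizationConfig
"ADFS issuer        : $($org.AdfsIssuer)"
"ADFS audience URIs : $($org.AdfsAudienceUris -join ', ')"
"ADFS signing thumb : $($org.AdfsSignCertificateThumbprint)"

# Normalise the audience list to plain strings so a string ExternalUrl can be
# compared against it. The trailing slash matters: "https://mail.domain.com/owa/"
# and "https://mail.domain.com/owa" are different audiences to AD FS.
$audiences = @($org.AdfsAudienceUris | ForEach-Object { $_.ToString() })

# Each OWA and ECP virtual directory should have an ExternalUrl that is exactly
# one of the audience URIs, with ADFS authentication on and FBA/Basic off.
$vdirs = @(Get-OwaVirtualDirectory) + @(Get-EcpVirtualDirectory)
foreach ($v in $vdirs) {
    $url = [string]$v.ExternalUrl
    [pscustomobject]@{
        VirtualDirectory    = $v.Identity
        ExternalUrl         = $url
        MatchesAudience     = ($audiences -contains $url)
        AdfsAuthentication  = $v.AdfsAuthentication
        FormsAuthentication = $v.FormsAuthentication
        BasicAuthentication = $v.BasicAuthentication
    }
}

# Front-end (HttpProxy) logs for OWA, where the 302s back to AD FS are recorded.
# Assumed default location under the Exchange install path.
$owaProxyLog = Join-Path $env:ExchangeInstallPath 'Logging\HttpProxy\Owa'
Get-ChildItem $owaProxyLog -Filter *.log |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 1 |
    ForEach-Object { Get-Content $_.FullName -Tail 20 }

# Part 2: run on the AD FS server (elevated PowerShell, ADFS module loaded).

# Relying party identifiers must equal the Exchange audience URIs above,
# and the WS-Fed endpoint must be the OWA/ECP URL the browser is sent back to.
foreach ($rp in Get-AdfsRelyingPartyTrust) {
    [pscustomobject]@{
        Name          = $rp.Name
        Identifiers   = ($rp.Identifier -join ', ')
        WSFedEndpoint = $rp.WSFedEndpoint
    }
}

# The primary token-signing certificate thumbprint must equal
# AdfsSignCertificateThumbprint on the Exchange side.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary
"Primary token-signing thumbprint : $($signing.Certificate.Thumbprint)"

# Loop-detection thresholds behind MSIS7042 (default: 5 tokens in 20 seconds).
$p = Get-AdfsProperties
"Loop detection : max $($p.LoopDetectionMaximumTokensIssuedInInterval) tokens per $($p.LoopDetectionTimeIntervalInSeconds) s"

# Most recent MSIS7042 events. Event ID 364 is "Encountered error during
# federation passive request" in the AD FS/Admin log (assumed default ID).
Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Id = 364 } -MaxEvents 5 |
    Select-Object TimeCreated, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }
```

Read the two halves together: an ExternalUrl whose MatchesAudience is False, an AD FS Identifier that differs from the Exchange audience by a trailing slash, or a signing thumbprint that does not match on both sides will each produce exactly the redirect loop described in the question, because OWA cannot validate the token AD FS just issued and sends the browser back for another one until loop detection trips.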