Modern authentication OAuth Exchange 2019

Zeeshan Butt 21 Reputation points
2024-09-08T18:02:38.4133333+00:00

Dear Team,

I have completed all the necessary steps to configure modern authentication with an on-premises Exchange 2019 (not Online) server using ADFS 2019. While OWA and ECP are redirecting as expected, I'm encountering an issue with Outlook on Windows 11. When I try to sign in, it redirects me to the ADFS URL but does not accept my credentials. Instead, the login window continuously reloads, prompting me to sign in again on the same page.

On my client machine I am getting these errors in Event Viewer.

Error

Error: 0xCAA20003 Authorization grant failed for this assertion.

Code: invalid_grant

Description: MSIS9615: The refresh token received in 'refresh_token' parameter has expired.

TokenEndpoint: https://adfs.mydomain.com/adfs/oauth2/token

Logged at OAuthTokenRequestBase.cpp, line: 452, method: OAuthTokenRequestBase::ProcessOAuthResponse.

Request: authority: https://adfs.mydomain.com/adfs, client: d3590ed6-52b3-4102-aeff-aad2292ab01c, redirect URI: ms-appx-web://Microsoft.AAD.BrokerPlugin/d3590ed6-52b3-4102-aeff-aad2292ab01c, resource: https://hcmail.mydomain.com/, correlation ID (request): 4c3316af-5fa2-4002-9b42-4418a2fe62f3

Warning

Error: 0xCAA90004 Getting token by refresh token failed.

Logged at RefreshTokenRequest.cpp, line: 150, method: RefreshTokenRequest::AcquireToken.

Request: authority: https://adfs.yourdomain.com/adfs, client: d3590ed6-52b3-4102-aeff-aad2292ab01c, redirect URI: ms-appx-web://Microsoft.AAD.BrokerPlugin/d3590ed6-52b3-4102-aeff-aad2292ab01c, resource: https://hcmail.yourdomain.com/, correlation ID (request): 4c3316af-5fa2-4002-9b42-4418a2fe62f3

I have done all the registry settings as mentioned in the Microsoft article, and even added the explicit registry entry not to redirect to Office 365.

When I try to browse https://adfs.domain.com/adfs/oauth2/token in a browser, I get the error:

Error details: MSIS7065: There are no registered protocol handlers on path /adfs/oauth2/token to process the incoming request.

If anything is missing in ADFS, please guide.


1 answer

  1. Jake Zhang-MSFT 5,290 Reputation points Microsoft Vendor
    2024-09-09T07:50:56.24+00:00

    Hi @Zeeshan Butt ,

    Welcome to the Microsoft Q&A platform!

    It sounds like you have encountered a complex issue involving ADFS and OAuth, which can be tricky to troubleshoot. Here are some steps you can follow to investigate and resolve the issue:

    1. ADFS Configuration for OAuth

    Ensure that ADFS is configured to support OAuth token requests. The error "MSIS7065: There are no registered protocol handlers on path /adfs/oauth2/token" implies that ADFS might not be configured correctly to handle OAuth token endpoints.

    1. Ensure that the OAuth2 endpoints are enabled in ADFS. You can do this by running the following PowerShell command on the ADFS server:

        Get-AdfsEndpoint -AddressPath "/adfs/oauth2/token"

    The command should return details about the endpoint. If it does not, you may need to enable the endpoint.

    2. If the endpoint is not enabled, you can enable it using PowerShell:

        Set-AdfsEndpoint -TargetAddressPath "/adfs/oauth2/token" -Enabled $true


    2. Client Configuration

    The client application (Outlook) should be correctly configured to use modern authentication.

    1. Ensure you've set the appropriate registry keys on the client machine to force the use of modern authentication. This includes the following:

        [HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity]
        "EnableADAL"=dword:00000001
        "Version"=dword:00000001

    2. Make sure that Office has been activated properly and is recognizing the modern authentication settings.

    3. ADFS Relying Party Trust

    Ensure that the ADFS Relying Party Trust (RPT) for the Exchange server is configured correctly.

    1. Check the claims issuance rules for the RPT to ensure they are set correctly to issue the necessary claims for OAuth.
    2. Make sure the client ID and redirect URI configured in the RPT match those used by the Outlook client.

    4. Validate Certificates

    Modern authentication requires valid certificates for both ADFS and Exchange. Ensure that:

    1. Certificates are not expired.
    2. All certificates are trusted by the client machine.
    3. The ADFS and Exchange servers have valid SSL certificates.

    Troubleshooting Steps

    1. Review the ADFS logs for any errors or warnings that might provide more specific details about what is failing.
    2. Use tools like Fiddler or Wireshark to capture the network traffic between the client and the ADFS server to see if there are any obvious issues during the authentication process.
    3. Look for related events in the Event Viewer on both the client and the ADFS server. The specific error IDs and descriptions can often point you in the right direction.

    Please feel free to contact me for any updates. And if this helps, don't forget to mark it as an answer.

    Best,

    Jake Zhang
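The server-side checks from the answer above, carried through as one script. This is an added example, not part of the original post or of any Microsoft tooling. It assumes an elevated Windows PowerShell 5.1 session on the primary ADFS 2019 server with the ADFS module available, and it reuses the host name, the Exchange resource URL and the client ID exactly as they appear in the poster's redacted log lines, so substitute your own values. Step 5 gives a better signal than browsing the endpoint: a browser sends a GET, which is not an OAuth token request, so the useful test is whether a POST with a deliberately invalid refresh token comes back as an OAuth JSON error instead of MSIS7065.

```powershell
# Added example (not from the original post): ADFS-side checks for the symptoms
# in the question. Run in elevated Windows PowerShell 5.1 on the primary ADFS
# 2019 server. Host name, resource URL and client ID are the poster's
# placeholders, copied from the client-side events quoted above.
Import-Module ADFS

$AdfsHost    = 'adfs.mydomain.com'
$ExchangeUrl = 'https://hcmail.mydomain.com/'            # 'resource' in the client log (trailing slash matters)
$OfficeId    = 'd3590ed6-52b3-4102-aeff-aad2292ab01c'    # 'client' in the client log
$RedirectUri = "ms-appx-web://Microsoft.AAD.BrokerPlugin/$OfficeId"

# 1. OAuth2 endpoints must be enabled, and published through the proxy (Proxy=True)
#    if Outlook reaches ADFS via a Web Application Proxy.
Get-AdfsEndpoint | Where-Object AddressPath -like '/adfs/oauth2/*' |
    Select-Object AddressPath, Enabled, Proxy | Format-Table -AutoSize

# 2. The client ID Outlook sends must be registered with the broker redirect URI
#    the log shows. (If it was registered through an application group instead,
#    query Get-AdfsNativeClientApplication the same way.)
$client = Get-AdfsClient -ClientId $OfficeId
if (-not $client) {
    Write-Warning "Client $OfficeId is not registered; its token requests will be rejected."
} elseif ($client.RedirectUri -notcontains $RedirectUri) {
    Write-Warning "Client is registered but the redirect URI is missing. Present: $($client.RedirectUri -join ', ')"
} else {
    "Client '$($client.Name)' is registered with the expected redirect URI."
}

# 3. The 'resource' the client asks a token for must be an identifier of an
#    enabled relying party trust.
$rpt = Get-AdfsRelyingPartyTrust -Identifier $ExchangeUrl
if (-not $rpt) {
    Write-Warning "No relying party trust carries the identifier $ExchangeUrl"
} else {
    "RPT '$($rpt.Name)': Enabled=$($rpt.Enabled) TokenLifetime=$($rpt.TokenLifetime) min (0 = ADFS default)"
}

# 4. MSIS9615 means the refresh token presented was past its lifetime. For a
#    device that is not registered with ADFS, that lifetime follows the SSO
#    settings below, so compare them with how long the client was idle.
Get-AdfsProperties |
    Select-Object SsoLifetime, PersistentSsoLifetimeMins, KmsiLifetimeMins, EnableKmsi, DeviceUsageWindowInDays |
    Format-List

# 5. A browser GET is not a token request. POST a bogus refresh token instead:
#    an enabled endpoint answers with an OAuth JSON error (e.g. invalid_grant),
#    not with the MSIS7065 page.
$body = @{ grant_type = 'refresh_token'; client_id = $OfficeId; refresh_token = 'not-a-real-token' }
try {
    $resp = Invoke-WebRequest -Uri "https://$AdfsHost/adfs/oauth2/token" -Method Post -Body $body -UseBasicParsing
    "HTTP $($resp.StatusCode): $($resp.Content)"
} catch {
    $r = $_.Exception.Response
    if ($r -is [System.Net.HttpWebResponse]) {
        # Windows PowerShell 5.1 surfaces the 4xx body only through the exception.
        $text = (New-Object System.IO.StreamReader($r.GetResponseStream())).ReadToEnd()
        "HTTP $([int]$r.StatusCode): $text"
    } else {
        Write-Warning $_.Exception.Message
    }
}
```

Read the output top to bottom: a missing client registration or redirect URI (step 2) or a missing relying party trust for the exact resource URL (step 3) each explains an invalid_grant on its own, while step 4 only matters if the client is replaying an old refresh token after the SSO window has closed.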

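For the Windows 11 client, a companion script that is likewise an added example and not from the original post: it reads the Office registry switches the poster mentions, pulls the recent AAD broker events that carry the 0xCAA codes quoted in the question, and fetches the ADFS OIDC discovery document over the same TLS path Outlook uses, which surfaces an untrusted ADFS certificate chain on that machine. The value name ExcludeExplicitO365Endpoint is my assumption for the "do not redirect to Office 365" entry the poster refers to, and the event log name is the one the AAD broker plug-in writes to on Windows 10/11; the ADFS host is the poster's placeholder.

```powershell
# Added example (not from the original post): checks on the Windows 11 client.
# Assumptions: Office 16.x, the poster's placeholder ADFS host, and
# ExcludeExplicitO365Endpoint as the "don't redirect to Office 365" value
# the poster refers to.
$AdfsHost = 'adfs.mydomain.com'

# 1. Office modern-auth switches. EnableADAL/Version are the two from the
#    answer; ExcludeExplicitO365Endpoint keeps Outlook Autodiscover away from
#    the Office 365 endpoint so it lands on the on-premises server.
$expected = @(
    @{ Path = 'HKCU:\Software\Microsoft\Office\16.0\Common\Identity';      Name = 'EnableADAL';                  Value = 1 }
    @{ Path = 'HKCU:\Software\Microsoft\Office\16.0\Common\Identity';      Name = 'Version';                     Value = 1 }
    @{ Path = 'HKCU:\Software\Microsoft\Office\16.0\Outlook\AutoDiscover'; Name = 'ExcludeExplicitO365Endpoint'; Value = 1 }
)
foreach ($e in $expected) {
    $actual = (Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
    $state  = if ($null -eq $actual) { 'MISSING' } elseif ($actual -eq $e.Value) { 'ok' } else { "is $actual" }
    '{0,-8} {1}\{2} (expected {3})' -f $state, $e.Path, $e.Name, $e.Value
}

# 2. The broker events quoted in the question are written to the AAD
#    operational log. Pull recent ones with the same codes; the correlation ID
#    in their text is what to search for in the ADFS Admin/Debug logs.
Get-WinEvent -LogName 'Microsoft-Windows-AAD/Operational' -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '0xCAA20003|0xCAA90004|invalid_grant|MSIS9615' } |
    Select-Object TimeCreated, Id, LevelDisplayName,
        @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap

# 3. OIDC discovery over TLS. It fails if this machine does not trust the ADFS
#    certificate, and on success shows the token_endpoint the client will POST
#    to, which must equal the TokenEndpoint in the broker event.
try {
    $disc = Invoke-RestMethod -Uri "https://$AdfsHost/adfs/.well-known/openid-configuration"
    $disc | Select-Object issuer, authorization_endpoint, token_endpoint | Format-List
} catch {
    Write-Warning "Discovery failed (TLS trust or name resolution?): $($_.Exception.Message)"
}

# 4. Show the certificate ADFS actually presents and what Windows thought of
#    its chain. The callback records the verdict but accepts the handshake so
#    the certificate can still be printed when the chain is untrusted.
$script:sslErrors = $null
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $errors)
    $script:sslErrors = $errors
    $true
}
$tcp = New-Object System.Net.Sockets.TcpClient($AdfsHost, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
try {
    $ssl.AuthenticateAsClient($AdfsHost)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    "ADFS cert: subject=$($cert.Subject) notAfter=$($cert.NotAfter) issuer=$($cert.Issuer)"
    "Chain verdict on this client: $script:sslErrors   (None = trusted)"
} catch {
    Write-Warning "TLS handshake failed: $($_.Exception.Message)"
} finally {
    $ssl.Dispose(); $tcp.Dispose()
}
```

Run it in the same user session that launches Outlook, because the registry values are under HKCU and the AAD log entries belong to that user's broker instance.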
