OWA redirect loop on owa/auth/errorFE.aspx? httpCode=404 with SAML SSO enabled

Time: 2015-08-18 15:44:31

Tags: asp.net exchange-server wif ws-federation outlook-web-app

We are trying to set up a test environment for Exchange 2013 15.0 (Build 1104.5) with our product. We stumbled on these links, which helped us set up SSO for Exchange (owa and ecp):

http://owaauth.com/identity-federation-for-owa-2010-sp1sp2-part-2-of-4/

http://www.theidentityguy.com/articles/2010/10/15/access-owa-with-adfs.html

After some research and development, we built a PoC with the following user experience:

GET https://mydomain/owa -> redirected to /identityprovider/sso?[authParams]

Here we authenticate the user on our platform, then issue a request carrying a SAML 1.1 assertion.

POST https://mydomain/owa -> lands in OWA or ECP

Everything here works perfectly: the user can send mail, view the calendar, etc. OWA works as expected.

But we ran into some issues:

There is a strange error behavior. If the user is not mailbox-enabled, our Exchange server throws an HTTP 500 Microsoft.Exchange.Data.Storage.UserHasNoMailboxException error. The user is then redirected to GET /owa/auth/errorfe.aspx?httpError=500, which carries all the data needed to print the error. I can find the error in the Event Viewer.

BUT

The server does not seem to find /owa/auth/errorFE.aspx, so it throws a 404 that is turned into a 302 redirect to .... /owa/auth/errorfe.aspx?httpError=404. And then it loops.

Here is the c:/inetpub/log/LogFiles/W3SCV1 log showing this scenario:

2015-08-18 14:05:32 192.168.122.169 POST /owa/ &CorrelationID=<empty>;&ClientId=RZHCSKVBKKYBNFDWXLYQ&cafeReqId=7a87be7e-8604-4166-9700-2c09f396962d; 443 domain\user 192.168.122.1 Mozilla/5.0+(X11;+Ubuntu;+Linux+x86_64;+rv:38.0)+Gecko/20100101+Firefox/38.0 https://identityprovider/sso?wa=wsignin1.0&wtrealm=https://mail.domain.fr/owa/&wctx=rm=0&id=passive&ru=/owa/?bO=1&wct=2015-08-18T14:05:11Z&wreply=https://mail.domain.fr/owa/ 302 0 0 265
2015-08-18 14:05:36 192.168.122.169 GET /owa/ bO=1&CorrelationID=<empty>;&ClientId=RZHCSKVBKKYBNFDWXLYQ&cafeReqId=ce366ef2-c53b-4c69-a9d5-a6571898ee0a; 443 domain\user 192.168.122.1 Mozilla/5.0+(X11;+Ubuntu;+Linux+x86_64;+rv:38.0)+Gecko/20100101+Firefox/38.0 https://identityprovider/sso?wa=wsignin1.0&wtrealm=https://mail.domain.fr/owa/&wctx=rm=0&id=passive&ru=/owa/?bO=1&wct=2015-08-18T14:05:11Z&wreply=https://mail.domain.fr/owa/ 302 0 0 3765
2015-08-18 14:05:36 192.168.122.169 GET /owa/auth/errorfe.aspx httpCode=500&msg=3529056431&msgParam=domain\user&owaError=Microsoft.Exchange.Data.Storage.UserHasNoMailboxException&owaVer=15.0.1104.5&be=EXCHANGE&ts=130843803365507555&CorrelationID=<empty>;&ClientId=RZHCSKVBKKYBNFDWXLYQ&cafeReqId=691c4002-39f0-407b-ad93-5477e8fa49d4; 443 domain\user 192.168.122.1 Mozilla/5.0+(X11;+Ubuntu;+Linux+x86_64;+rv:38.0)+Gecko/20100101+Firefox/38.0 https://identityprovider/sso?wa=wsignin1.0&wtrealm=https://mail.domain.fr/owa/&wctx=rm=0&id=passive&ru=/owa/?bO=1&wct=2015-08-18T14:05:11Z&wreply=https://mail.domain.fr/owa/ 302 0 0 124
2015-08-18 14:05:36 192.168.122.169 GET /owa/auth/errorFE.aspx httpCode=404&CorrelationID=<empty>;&ClientId=RZHCSKVBKKYBNFDWXLYQ&cafeReqId=51dd01dd-3008-41ac-b07b-a24acf147c3c; 443 domain\user 192.168.122.1 Mozilla/5.0+(X11;+Ubuntu;+Linux+x86_64;+rv:38.0)+Gecko/20100101+Firefox/38.0 https://identityprovider/sso?wa=wsignin1.0&wtrealm=https://mail.domain.fr/owa/&wctx=rm=0&id=passive&ru=/owa/?bO=1&wct=2015-08-18T14:05:11Z&wreply=https://mail.domain.fr/owa/ 302 0 0 29
2015-08-18 14:05:36 192.168.122.169 GET /owa/auth/errorFE.aspx httpCode=404&CorrelationID=<empty>;&ClientId=RZHCSKVBKKYBNFDWXLYQ&cafeReqId=d9531fd2-2bc9-455c-8d05-5c646c863821; 443 domain\user 192.168.122.1 Mozilla/5.0+(X11;+Ubuntu;+Linux+x86_64;+rv:38.0)+Gecko/20100101+Firefox/38.0 https://identityprovider/sso?wa=wsignin1.0&wtrealm=https://mail.domain.fr/owa/&wctx=rm=0&id=passive&ru=/owa/?bO=1&wct=2015-08-18T14:05:11Z&wreply=https://mail.domain.fr/owa/ 302 0 0 31

I suspect this behavior is related to the SSO configuration, which includes a passive redirect to our platform for authentication, but I'm not sure. Here is the Exchange/v15/FrontEnd/HttpProxy/owa/web.config that defines the owa federation settings:

<configuration>
  <configSections>
    <section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
    <section name="system.identityModel.services" type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
  </configSections>
  <location inheritInChildApplications="false">
    <system.web>
      <customErrors mode="Off"/>
    </system.web>

    <!--  Added by Us  -->
    <system.identityModel>
      <identityConfiguration>
        <securityTokenHandlers>
          <remove type="System.IdentityModel.Tokens.SamlSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
          <remove type="System.IdentityModel.Tokens.Saml2SecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
          <add type="System.IdentityModel.Tokens.SamlSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
            <samlSecurityTokenRequirement mapToWindows="true"/>
          </add>
          <add type="System.IdentityModel.Tokens.Saml2SecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
            <samlSecurityTokenRequirement mapToWindows="true"/>
          </add>
          <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
          <add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
        </securityTokenHandlers>
        <applicationService>
          <claimTypeRequired>
            <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" optional="false"/>
          </claimTypeRequired>
        </applicationService>
        <audienceUris>
          <add value="domain.com"/>
        </audienceUris>
        <issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
          <trustedIssuers>
            <add thumbprint="fffffffffff" name="https://idp.com/"/>
          </trustedIssuers>
        </issuerNameRegistry>
      </identityConfiguration>
    </system.identityModel>
    <system.identityModel.services>
      <federationConfiguration>
        <cookieHandler requireSsl="true" path="/"/>
        <wsFederation passiveRedirectEnabled="true" issuer="https://idp.com/sso" realm="https://domain.com/owa/" reply="https://domain.com/owa/" requireHttps="true"/>
      </federationConfiguration>
    </system.identityModel.services>
    <!--  /Added by Us  -->

    <system.webServer>
      <serverRuntime uploadReadAheadSize="0"/>

      <!--  Added by Us  -->
      <modules runAllManagedModulesForAllRequests="true">
        <add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition=""/>
        <add name="WSFederationAuthenticationModule" type="System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition=""/>
        <!--  /Added by Us  -->

        <remove name="ServiceModel"/>
        <remove name="ServiceModel-4.0"/>
        <remove name="Session"/>
        <remove name="Profile"/>
        <add name="HostHeaderValidationModule" type="Microsoft.Exchange.HttpUtilities.HostHeaderValidationModule, Microsoft.Exchange.HttpUtilities, Version=15.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
        <add name="HttpProxy" type="Microsoft.Exchange.HttpProxy.FbaModule,Microsoft.Exchange.FrontEndHttpProxy,Version=15.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35" preCondition=""/>
        <add name="cafe_exppw"/>
      </modules>
      <security>
        <requestFiltering>
          <requestLimits maxAllowedContentLength="35000000"/>
        </requestFiltering>
      </security>
      <httpProtocol>
        <customHeaders>
          <add name="X-FEServer" value="EXCHANGE"/>
        </customHeaders>
      </httpProtocol>
    </system.webServer>
    <system.web>
      <machineKey decryptionKey="AAAAAA" validationKey="BBBBBBB"/>
      <compilation defaultLanguage="c#" debug="false">
        <assemblies>

          <!--  Added by Us  -->
          <add assembly="System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
          <!--  Added by Us  -->

          <add assembly="Microsoft.Exchange.Clients.Strings, Version=15.0.0.0, Culture=neutral, publicKeyToken=31bf3856ad364e35"/>
          <add assembly="Microsoft.Exchange.Data.Directory, Version=15.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
          <add assembly="Microsoft.Exchange.Clients.Common, Version=15.0.0.0,Culture=neutral, publicKeyToken=31bf3856ad364e35"/>
          <add assembly="Microsoft.Exchange.Clients.Security, Version=15.0.0.0, Culture=neutral, publicKeyToken=31bf3856ad364e35"/>
          <add assembly="Microsoft.Exchange.FrontEndHttpProxy, Version=15.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
          <add assembly="Microsoft.Exchange.HttpProxy.Common, Version=15.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
          <add assembly="Microsoft.Exchange.Security, Version=15.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
        </assemblies>
      </compilation>
      <httpRuntime maxUrlLength="500" maxRequestLength="35000" requestValidationMode="2.0" requestValidationType="Microsoft.Exchange.Security.Authentication.AdfsRequestValidator"/>
      <pages validateRequest="false"/>
    </system.web>
  </location>
  <appSettings>
    <add key="HttpProxy.ProtocolType" value="Owa"/>
    <add key="OAuthHttpModule.Profiles" value="S2SAppActAs|Callback|V1AppActAs|V1Callback"/>
    <add key="OAuthHttpModule.V1AppScopes" value="user_impersonation"/>
    <add key="OAuthHttpModule.WebAppAuthEnabled" value="15.00.1030.000"/>
    <!--
    <add key="LogonSettings.SignOutKind" value="LegacyLogOff" />
    -->
  </appSettings>
  <system.serviceModel>
    <bindings>
      <netTcpBinding>
        <binding name="SecureBinding" maxConnections="100000">
          <security mode="Transport">
            <transport protectionLevel="EncryptAndSign"/>
          </security>
        </binding>
      </netTcpBinding>
    </bindings>
    <client>
      <endpoint address="net.tcp://localhost:1009/Microsoft.Exchange.Security.Authentication.FederatedAuthService" binding="netTcpBinding" bindingConfiguration="SecureBinding" contract="Microsoft.Exchange.Security.Authentication.FederatedAuthService.IAuthService" name="Microsoft.Exchange.Security.Authentication.FederatedAuthService"/>
    </client>
  </system.serviceModel>
  <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
    <linkedConfiguration href="file://C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\SharedWebConfig.config"/>
  </assemblyBinding>
</configuration>

Last bit:

When the user has no mailbox configured (no time zone and language), the user lands on languageselection.aspx, selects the correct settings, and then the server throws a 500 internal error without redirecting. I can't find anything about this error in the Event Viewer. Any ideas?

If you have any questions, go ahead. Whether it's the config file, or settings on IIS or Exchange. Anything relevant to you.
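As an added example (not part of the question or of Exchange), a small Python script that parses IIS W3C log lines in the field order shown in the log above and flags, per client and user, the pattern the question describes: requests to the OWA error page that are themselves answered with 302 several times within a few seconds. The sample log is constructed for this example and assumes the same 15-field layout.

```python
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs

# Constructed sample in the IIS W3C layout quoted in the question (15 fields:
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip
# cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken).
SAMPLE_LOG = """\
2015-08-18 14:05:36 192.168.122.169 GET /owa/auth/errorfe.aspx httpCode=500&owaError=Microsoft.Exchange.Data.Storage.UserHasNoMailboxException&cafeReqId=b; 443 domain\\user 192.168.122.1 Mozilla/5.0 https://identityprovider/sso 302 0 0 124
2015-08-18 14:05:36 192.168.122.169 GET /owa/auth/errorFE.aspx httpCode=404&cafeReqId=c; 443 domain\\user 192.168.122.1 Mozilla/5.0 https://identityprovider/sso 302 0 0 29
2015-08-18 14:05:36 192.168.122.169 GET /owa/auth/errorFE.aspx httpCode=404&cafeReqId=d; 443 domain\\user 192.168.122.1 Mozilla/5.0 https://identityprovider/sso 302 0 0 31
2015-08-18 14:05:37 192.168.122.169 GET /owa/auth/errorFE.aspx httpCode=404&cafeReqId=e; 443 domain\\user 192.168.122.1 Mozilla/5.0 https://identityprovider/sso 302 0 0 30
2015-08-18 14:06:10 192.168.122.169 GET /owa/auth/errorFE.aspx httpCode=500&cafeReqId=f; 443 domain\\other 192.168.122.7 Mozilla/5.0 - 200 0 0 12
"""

FIELDS = ["date", "time", "s_ip", "method", "stem", "query", "port", "user",
          "c_ip", "ua", "referer", "status", "substatus", "win32", "time_taken"]

def parse_line(line):
    """Split one W3C log line into a dict; None for header or malformed lines."""
    parts = line.split()
    if line.startswith("#") or len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
    rec["status"] = int(rec["status"])
    # cs-uri-query is '-' when empty; Exchange appends ';' after cafeReqId
    rec["params"] = {} if rec["query"] == "-" else parse_qs(rec["query"].rstrip(";"))
    return rec

def find_redirect_loops(lines, min_hits=3, window_seconds=5):
    """Flag (client ip, user) pairs whose requests to the OWA error page were
    answered with 302 at least min_hits times within window_seconds."""
    by_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["stem"].lower() == "/owa/auth/errorfe.aspx" and rec["status"] == 302:
            by_client[(rec["c_ip"], rec["user"])].append(rec)
    findings = []
    for (c_ip, user), hits in by_client.items():
        hits.sort(key=lambda r: r["ts"])
        best = start = 0
        for end in range(len(hits)):  # sliding window over sorted timestamps
            while (hits[end]["ts"] - hits[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_hits:
            codes = sorted({r["params"].get("httpCode", ["?"])[0] for r in hits})
            findings.append({"c_ip": c_ip, "user": user, "count": best, "http_codes": codes})
    return findings
```

The stem comparison is case-insensitive on purpose, so the errorfe.aspx / errorFE.aspx pair in the log is counted as one page.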

0 answers
