I am trying to get Enterprise Vault to work with Exchange 2013 OWA Office Apps, but the application gives an error that it fails to initialize. According to Veritas this is due to a problem with Exchange OAuth, but I am unable to figure out what to fix or how.
The thumbprints for the certificate match the results from Get-AuthConfig, but Test-OAuthConnectivity fails. Below is the output.
[PS] C:\Windows\system32>Get-AuthConfig
RunspaceId : ed2c6285-9393-438c-b162-f05437a6a17c
CurrentCertificateThumbprint : E6C514B643B05142E7CF02D0F999DB6B435F18CC
PreviousCertificateThumbprint :
NextCertificateThumbprint :
NextCertificateEffectiveDate :
ServiceName : 00000002-0000-0ff1-ce00-000000000000
Realm :
Name : Auth Configuration
AdminDisplayName :
ExchangeVersion : 0.20 (15.0.0.0)
DistinguishedName : CN=Auth Configuration,CN=P,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=p,DC=local
Identity : Auth Configuration
Guid : cc886f3f-26d0-4118-966f-36f5814a305c
ObjectCategory : p.local/Configuration/Schema/ms-Exch-Auth-Auth-Config
ObjectClass : {top, container, msExchContainer, msExchAuthAuthConfig}
WhenChanged : 7/13/2016 4:14:57 PM
WhenCreated : 3/4/2016 3:39:40 PM
WhenChangedUTC : 7/13/2016 11:14:57 PM
WhenCreatedUTC : 3/4/2016 11:39:40 PM
OrganizationId :
Id : Auth Configuration
OriginatingServer : 90DC2.p.local
IsValid : True
ObjectState : Unchanged
[PS] C:\Windows\system32>Get-ExchangeCertificate -Thumbprint E6C514B643B05142E7CF02D0F999DB6B435F18CC | fl
AccessRules :
CertificateDomains : {}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=Microsoft Exchange Server Auth Certificate
NotAfter : 2/6/2021 3:55:33 PM
NotBefore : 3/4/2016 3:55:33 PM
PublicKeySize : 2048
RootCAType : None
SerialNumber : 364B76E2A1FC2EA14AA6F2F7850EA0A8
Services : SMTP
Status : Valid
Subject : CN=Microsoft Exchange Server Auth Certificate
Thumbprint : E6C514B643B05142E7CF02D0F999DB6B435F18CC
[PS] C:\Windows\system32>Test-OAuthConnectivity -Service EWS -TargetUri https://mail.p.com/ews/ -Mailbox "cm" -Verbose | fl
RunspaceId : ed2c6285-9393-438c-b162-f05437a6a17c
Task : Checking EWS API Call Under Oauth
Detail : The configuration was last successfully loaded at 1/1/0001 12:00:00 AM UTC. This was 1060067476 minutes ago.
The token cache is being cleared because "use cached token" was set to false.
Exchange Outbound Oauth Log:
Client request ID: 65782ffb-5444-4517-8dac-dc34effde9a1
Information:[OAuthCredentials:Authenticate] entering
Information:[OAuthCredentials:Authenticate] challenge from 'https://mail.p.com/ews/Exchange.asmx' received: Bearer client_id="00000002-0000-0ff1-ce00-000000000000", trusted_issuers="",Basic realm="mail.p.com",Negotiate,NTLM
Information:[OAuthCredentials:GetToken] client-id: '00000002-0000-0ff1-ce00-000000000000', realm: '', trusted_issuer: ''
Information:[OAuthCredentials:GetToken] start building a token for the user domain 'p.com'
Information:[OAuthTokenBuilder:GetAppToken] start building the apptoken
Error:[OAuthTokenBuilder:GetAppToken] unable to continue building token, given that both trusted_issuer and realm from the challenge are empty
Error:The challenge value returned from 'mail.p.com' is not valid.
Exchange Response Details:
HTTP response message:
Exception:
System.Net.WebException: The request was aborted: The request was canceled. --->
Microsoft.Exchange.Security.OAuth.OAuthTokenRequestFailedException: The challenge value returned from
'mail.p.com' is not valid.
at Microsoft.Exchange.Security.OAuth.OAuthTokenBuilder.GetAppToken(String applicationId, String
destinationHost, String realmFromChallenge, IssuerMetadata[] trustedIssuersFromChallenge, String
userDomain)
at Microsoft.Exchange.Security.OAuth.OAuthTokenBuilder.GetAppWithUserToken(String applicationId,
String destinationHost, String realmFromChallenge, IssuerMetadata[] trustedIssuersFromChallenge, String
userDomain, ClaimProvider claimProvider)
at Microsoft.Exchange.Security.OAuth.OAuthCredentials.GetToken(WebRequest webRequest,
HttpAuthenticationChallenge challengeObject)
at Microsoft.Exchange.Security.OAuth.OAuthCredentials.Authenticate(String challengeString, WebRequest
webRequest, Boolean preAuthenticate)
at Microsoft.Exchange.Security.OAuth.OAuthCredentials.OAuthAuthenticationModule.Authenticate(String
challenge, WebRequest request, ICredentials credentials)
at System.Net.AuthenticationManager.Authenticate(String challenge, WebRequest request, ICredentials
credentials)
at System.Net.AuthenticationState.AttemptAuthenticate(HttpWebRequest httpWebRequest, ICredentials
authInfo)
at System.Net.HttpWebRequest.CheckResubmitForAuth()
at System.Net.HttpWebRequest.CheckResubmit(Exception& e, Boolean& disableUpload)
at System.Net.HttpWebRequest.DoSubmitRequestProcessing(Exception& exception)
at System.Net.HttpWebRequest.ProcessResponse()
at System.Net.HttpWebRequest.SetResponse(CoreResponseData coreResponseData)
--- End of inner exception stack trace ---
at System.Net.HttpWebRequest.GetResponse()
at Microsoft.Exchange.Monitoring.TestOAuthConnectivityHelper.SendExchangeOAuthRequest(ADUser user,
String orgDomain, Uri targetUri, String& diagnosticMessage, Boolean appOnly, Boolean useCachedToken,
Boolean reloadConfig)
ResultType : Error
Identity : Microsoft.Exchange.Security.OAuth.ValidationResultNodeId
IsValid : True
ObjectState : New
The trace from IE when trying to open the app shows the below, and their KB does list this as an OAuth error on the Exchange side.
EVOMA (ERROR) 16:02:54.215: logAndReportFailure: EWSFindAssociatedItem.onEwsRequestComplete ID[ERROR_EWS_ERRORRESULTSTATUS] Err[Failed to send a request to the Exchange Server] [Result status:failed]
EVOMA (ERROR) 16:02:54.219: initializationFailed(): Failed to send a request to the Exchange Server
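
Added example, not part of the original post: the challenge string in the log above combines four schemes in one header, and the only realm in it (realm="mail.p.com") belongs to Basic, not to Bearer. The sketch below splits the challenge per scheme and reports the condition GetAppToken complains about; the function names are hypothetical and the sample string is the one from the log, rejoined onto one line.

```powershell
# Added example. Function names are hypothetical; $sample is the challenge
# quoted in the Test-OAuthConnectivity log above, rejoined onto one line.
function ConvertFrom-AuthChallenge {
    param([Parameter(Mandatory)][string]$Challenge)
    $schemes = [ordered]@{}
    $current = $null
    # Split on commas that sit outside double quotes.
    foreach ($part in [regex]::Split($Challenge, ',(?=(?:[^"]*"[^"]*")*[^"]*$)')) {
        $item = $part.Trim()
        if ($item -match '^(?<name>[\w-]+)\s*=\s*"?(?<value>[^"]*)"?$') {
            # Bare name=value: a further parameter of the scheme seen last.
            if ($current) { $schemes[$current][$Matches['name']] = $Matches['value'] }
        }
        elseif ($item -match '^(?<scheme>[\w-]+)(?:\s+(?<name>[\w-]+)\s*=\s*"?(?<value>[^"]*)"?)?$') {
            # A scheme name, optionally followed by its first parameter.
            $current = $Matches['scheme']
            $schemes[$current] = @{}
            if ($Matches['name']) { $schemes[$current][$Matches['name']] = $Matches['value'] }
        }
    }
    $schemes
}

function Test-BearerChallenge {
    param([Parameter(Mandatory)][string]$Challenge)
    $bearer  = (ConvertFrom-AuthChallenge $Challenge)['Bearer']
    $offered = $null -ne $bearer
    if (-not $offered) { $bearer = @{} }
    $realm   = [string]$bearer['realm']
    $issuers = [string]$bearer['trusted_issuers']
    [pscustomobject]@{
        BearerOffered  = $offered
        ClientId       = $bearer['client_id']
        Realm          = $realm
        TrustedIssuers = $issuers
        # The state the log reports: "both trusted_issuer and realm ... are empty".
        BothEmpty      = $offered -and (-not $realm) -and (-not $issuers)
    }
}

$sample = 'Bearer client_id="00000002-0000-0ff1-ce00-000000000000", ' +
          'trusted_issuers="",Basic realm="mail.p.com",Negotiate,NTLM'
Test-BearerChallenge $sample | Format-List
```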