Graph AuthenticationError trying to GET the Exchange Server On-Premises


To do some hybrid testing, I installed Exchange Server 2019 (preview) on Windows Server 2016 Server Core. When I ran the Hybrid Configuration Wizard, it reported that the OAuth 2.0 protocol could not be configured. Since OAuth is required for the Graph API, I enabled OAuth manually following this article. But even with OAuth enabled, the GET requests I issued from Graph Explorer against a mailbox in Exchange On-Premises returned the following AuthenticationError:

"code": "AuthenticationError",
"message": "Error authenticating with resource"

Troubleshooting:

I checked the IIS and REST logs on Exchange On-Premises and confirmed that the requests were not even reaching Exchange. After some research I realized that the environment was missing configuration, most likely because the Hybrid Configuration Wizard had been unable to complete the OAuth setup: the EvoSts authentication provider had not been created in Exchange.

This object is a requirement for the Graph API in a hybrid scenario: the AuthServer entry tells Exchange On-Premises to trust Azure AD (EvoSTS) as a token issuer, using the signing keys published in the federation metadata, so that the tokens Azure AD issues for Exchange On-Premises can be validated when Graph calls arrive.

Resolution:

The first step is to find the tenant's initial domain (the *.onmicrosoft.com domain). To obtain it, run the following command from Exchange Online PowerShell:

Get-AcceptedDomain | Where-Object { $_.InitialDomain } | Format-List DomainName,InitialDomain

With the initial domain in hand, run the following command from the Exchange Management Shell on-premises, substituting your initial domain:

New-AuthServer -Name EvoSts -Type AzureAD -AuthMetadataUrl https://login.windows.net/<initial domain>/federationmetadata/2007-06/federationmetadata.xml

Then run Get-AuthServer and confirm that the new EvoSts authentication provider is listed and enabled.

It is also necessary to register the namespaces used by Exchange On-Premises as service principal names on the Exchange Online service principal in the Azure AD security token service. Run these commands for ALL names in use, including Autodiscover:

$x = Get-MsolServicePrincipal -AppPrincipalId 00000002-0000-0ff1-ce00-000000000000

$x.ServicePrincipalnames.Add("https://<exchange namespace>/")

Set-MsolServicePrincipal -AppPrincipalId 00000002-0000-0ff1-ce00-000000000000 -ServicePrincipalNames $x.ServicePrincipalNames
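The three steps above consolidated into one idempotent script, as an added example that is not the original post's own commands. It assumes Exchange Online PowerShell, the on-premises Exchange Management Shell and the MSOnline module (Connect-MsolService) are already connected, and the two hostnames in $namespaces are placeholders to replace with every name your Exchange answers on, including Autodiscover:

```powershell
# Added example, not from the original post. Runs the resolution end to end.
# Step 1 runs in Exchange Online PowerShell, step 2 in the on-premises Exchange
# Management Shell, step 3 where the MSOnline module is connected. The hostnames
# below are placeholders (assumption), not values from the post.

# --- Step 1 (Exchange Online PowerShell): tenant initial domain ---
$initial = Get-AcceptedDomain | Where-Object { $_.InitialDomain } | Select-Object -First 1
if (-not $initial) { throw 'No accepted domain is flagged as the initial domain.' }
$initialDomain = [string]$initial.DomainName        # e.g. contoso.onmicrosoft.com

# --- Step 2 (Exchange Management Shell on-premises): trust Azure AD / EvoSTS ---
$metadataUrl = "https://login.windows.net/$initialDomain/federationmetadata/2007-06/federationmetadata.xml"
if (-not (Get-AuthServer -Identity EvoSts -ErrorAction SilentlyContinue)) {
    New-AuthServer -Name EvoSts -Type AzureAD -AuthMetadataUrl $metadataUrl | Out-Null
}
$evo = Get-AuthServer -Identity EvoSts
if (-not $evo.Enabled) { Write-Warning 'EvoSts auth server exists but is disabled.' }
$evo | Format-List Name, Type, IssuerIdentifier, Enabled

# --- Step 3 (MSOnline): register every on-prem namespace on the Exchange Online SP ---
$exoAppId   = '00000002-0000-0ff1-ce00-000000000000'              # Office 365 Exchange Online
$namespaces = @('mail.contoso.com', 'autodiscover.contoso.com')   # placeholders: all names Exchange answers on

$sp    = Get-MsolServicePrincipal -AppPrincipalId $exoAppId
$added = @()
foreach ($ns in $namespaces) {
    $spn = "https://$ns/"          # trailing slash, exactly as the post shows
    if ($sp.ServicePrincipalNames -notcontains $spn) {
        $sp.ServicePrincipalNames.Add($spn)
        $added += $spn
    }
}
if ($added.Count -gt 0) {
    Set-MsolServicePrincipal -AppPrincipalId $exoAppId -ServicePrincipalNames $sp.ServicePrincipalNames
    Write-Host "Added SPNs: $($added -join ', ')"
} else {
    Write-Host 'All namespaces already registered; nothing to change.'
}

# Verify: the https:// entries should now include every on-prem hostname.
Get-MsolServicePrincipal -AppPrincipalId $exoAppId |
    Select-Object -ExpandProperty ServicePrincipalNames |
    Where-Object { $_ -like 'https://*' }
```

Run the sections in their respective shells rather than as one file. Keep the SPN list tight: each https:// entry is an audience Azure AD will mint tokens for, so remove hostnames you have retired. The MSOnline module has since been deprecated; with Microsoft Graph PowerShell the same edit is Get-MgServicePrincipal (filtered on appId) followed by Update-MgServicePrincipal -ServicePrincipalNames.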

Once those changes were made, Graph Explorer could execute HTTP methods against mailboxes in Exchange On-Premises.

7 thoughts on “Graph AuthenticationError trying to GET the Exchange Server On-Premises”

  1. Hi,

    I was facing this issue. After following this, the error code changed to 401 saying unknown error.
    {
    "error": {
    "code": "UnknownError",
    "message": "",
    "innerError": {
    "request-id": "3dc4ef95-8767-4c12-821a-7096d050ed5a",
    "date": "2019-02-21T09:59:51"
    }
    }
    }

    Any hint for this? How to debug?
    How can I check if Graph calls (/messages) are reaching the on-prem Exchange server in the IIS logs?

    1. Try to find any call from Graph in the IIS logs. If Graph can reach on-prem, you should find an Autodiscover request like this in the IIS logs: GET /autodiscover/autodiscover.json Email=user%domain.com&Protocol=REST (you can filter by "autodiscover.json" to make the search easier)

      Then, if the Autodiscover response was successful, Graph should call the HTTP method using the URL provided by Autodiscover; you can search the IIS logs for something like this: GET /api/V2.0/Users('user@domain.com')/Messages (you can filter by /api to make the search easier)

      If you don't find anything in the IIS front-end logs, it means that the call isn't reaching on-prem.

  2. I have a mailbox on the on-prem Exchange server (which is in hybrid mode), abc@onprem.com, and I am trying to access it via the Graph API (/messages).
    This works perfectly if I do it in Graph Explorer, but fails when I do it via my implementation.

    The required application permission is granted in the Azure app registration portal.
    The implementation uses grant_type client_credentials with a certificate, and this works perfectly for cloud users.

    Response of the API
    { 'error': {
    'innerError': {
    'date': '2019-02-28T14:17:45',
    'request-id': '6a85f8c3-4e13-4cf0-84b2-ddc934241afd'
    },
    'message': '',
    'code': 'UnknownError'
    }}

    From your previous comment I found that the calls are reaching the on-prem Exchange server, through the IIS logs.
    For the call that came from Graph Explorer:
    2019-02-28 15:02:31 172.31.10.98 GET /api/V2.0/Users('abc@onprem.com')/Messages/$count &CorrelationID=;&cafeReqId=bc8e8aef-de46-4c72-bcf4-b4f567bc45dd; 443 S-1-5-21-1392771109-4043059535-3934338706-1147 20.190.145.177 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_14_3)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/71.0.3578.80+Safari/537.36 – 200 0 0 287

    For the call from the implemented app:
    2019-02-28 15:00:05 172.31.10.98 GET /api/V2.0/Users('abc@onprem.com')/Messages/$count &CorrelationID=;&cafeReqId=c504b658-b9df-43b5-9dbb-8e83050c3d2f; 443 – 20.190.128.103 – – 401 0 0 102

    How do I debug why authentication is failing for on-prem mailboxes, and what is the reason for this? Are there any logs I can refer to?
    Also, what would be the reason for this authentication failure? Could it be because the token is provided by Azure AD, which is authenticated against on-prem?
    Should I do Set-MSOLServicePrincipal -AppPrincipalId 00000002-0000-0ff1-ce00-000000000000 for the app ID registered in Azure as well?
    Also curious about which app "00000002-0000-0ff1-ce00-000000000000" belongs to?

    1. Added some more headers to the logging and found that the error is the one below.
      2019-03-04 04:05:13 172.31.10.98 GET /api/V2.0/Users(‘abc@onprem.com’)/Messages &CorrelationID=;&cafeReqId=2823c302-3c84-4847-b586-accced4b6dd5; 443 – 20.190.145.177 PostmanRuntime/7.6.0 – 401 0 0 332 Bearer+eyJ0 blah blah…..blah blah…..hSd mail.onprem.com – – – Bearer+client_id=”00000002-0000-0ff1-ce00-000000000000″,+token_types=”app_asserted_user_v1+service_asserted_app_v1″,+authorization_uri=”https://login.windows.net/common/oauth2/authorize”,+error=”invalid_token” 2000001;reason=”This+token+profile+’V1S2SAppOnly’+is+not+applicable+for+the+current+protocol.”;error_category=”invalid_token”

      1. We are using a self-signed certificate on the Exchange server; can this lead to this issue? If so, I wonder how everything is working from Graph Explorer?
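A script for the IIS-log check described in the reply to the first comment and for the 401 triage in this thread, as an added example that is not part of the original post or any comment. It parses Exchange front-end IIS logs using the W3C "#Fields:" header, keeps only the requests Graph would generate (the Autodiscover REST probe and /api/ calls) and, when the sc(WWW-Authenticate) column has been added to the log as the commenter did, pulls the reason= text out of a 401. The log lines inside it are constructed sample data (RFC 5737 addresses, made-up request IDs), and the log path in the last comment is the IIS default, an assumption to adjust:

```powershell
# Added example (not from the original post or its comments). Parses Exchange
# front-end IIS logs and reports only the requests Graph would generate:
# the Autodiscover REST probe and the /api/ calls the replies above describe.
# Column names come from the W3C "#Fields:" header, so an added column such as
# sc(WWW-Authenticate) is picked up automatically.

function ConvertFrom-IisW3cLog {
    # Turns raw W3C log lines into objects keyed by the names in the #Fields: header.
    param([Parameter(Mandatory)][string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if (-not $fields -or [string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        # IIS replaces spaces inside values with '+', so a plain split is safe;
        # the limit lets a trailing custom column keep anything unexpected.
        $values = $line -split ' ', $fields.Count
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) {
            $row[$fields[$i]] = if ($i -lt $values.Count) { $values[$i] } else { '-' }
        }
        [pscustomobject]$row
    }
}

function Get-GraphRequestSummary {
    # Keeps Autodiscover REST probes and /api/ calls; extracts the 401 reason
    # when the sc(WWW-Authenticate) column exists in the log.
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($row in (ConvertFrom-IisW3cLog -Lines $Lines)) {
        $stem = $row.'cs-uri-stem'
        $kind = if ($stem -match '^/autodiscover/autodiscover\.json$') {
                    if ($row.'cs-uri-query' -match 'Protocol=REST') { 'Graph Autodiscover probe' } else { 'Autodiscover (not REST)' }
                } elseif ($stem -match '^/api/') { 'Graph REST call' }
                else { $null }
        if (-not $kind) { continue }

        $reason  = $null
        $wwwAuth = $row.'sc(WWW-Authenticate)'
        if ($wwwAuth -and $wwwAuth -match 'reason="([^"]*)"') { $reason = $Matches[1] -replace '\+', ' ' }

        [pscustomobject]@{
            Time     = "$($row.date) $($row.time)"
            Kind     = $kind
            ClientIP = $row.'c-ip'
            Status   = [int]$row.'sc-status'
            Uri      = $stem
            Reason   = $reason
        }
    }
}

# Constructed sample log (RFC 5737 addresses, made-up request IDs), shaped like
# the lines quoted in the comments, with sc(WWW-Authenticate) logging enabled.
$sampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken sc(WWW-Authenticate)
2019-02-28 15:00:01 192.0.2.10 GET /autodiscover/autodiscover.json Email=abc%40onprem.com&Protocol=REST 443 - 198.51.100.20 - 200 0 0 45 -
2019-02-28 15:02:31 192.0.2.10 GET /api/V2.0/Users('abc@onprem.com')/Messages/$count &CorrelationID=;&cafeReqId=11111111-2222-3333-4444-555555555555; 443 S-1-5-21-1-2-3-1147 198.51.100.20 Mozilla/5.0 200 0 0 287 -
2019-02-28 15:00:05 192.0.2.10 GET /api/V2.0/Users('abc@onprem.com')/Messages/$count &CorrelationID=;&cafeReqId=66666666-7777-8888-9999-000000000000; 443 - 198.51.100.21 PostmanRuntime/7.6.0 401 0 0 102 Bearer+client_id="00000002-0000-0ff1-ce00-000000000000",+error="invalid_token"+2000001;reason="This+token+profile+'V1S2SAppOnly'+is+not+applicable+for+the+current+protocol.";error_category="invalid_token"
2019-02-28 15:03:10 192.0.2.10 GET /owa/ - 443 - 203.0.113.5 Mozilla/5.0 200 0 0 12 -
'@

$hits = @(Get-GraphRequestSummary -Lines ($sampleLog -split '\r?\n'))
if ($hits.Count -eq 0) {
    # Matches the reply above: nothing here means Graph never reached this server.
    Write-Warning 'No Autodiscover REST or /api/ requests found: Graph is not reaching on-prem.'
} else {
    $hits | Format-Table Time, Kind, Status, ClientIP, Reason -AutoSize
}
# For real logs (IIS default front-end site path, an assumption; adjust to yours):
# Get-GraphRequestSummary -Lines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex190228.log')
```

On the sample data the /owa/ line is dropped, the probe and the Graph Explorer call show status 200, and the Postman call shows 401 with the decoded reason, which is the distinction the commenter was trying to draw from the raw lines. Note that the reason field only appears when the front-end site is configured to log the sc(WWW-Authenticate) response header; the default W3C field set does not include it.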

  3. Hi Denis,

    thank you very much for this interesting blog post.

    Currently I'm facing an issue using MS Graph with the corporate's on-prem Exchange server. Let me describe in detail:

    We are using a non-hybrid environment on Exchange Server (2016 with the latest CU). An application (registered in Azure AD with granted application permissions; the retrieved access tokens are all valid with the granted permissions etc.) needs to retrieve calendar data from Exchange using the client credential flow and is currently facing an authentication error (the same error as in the blog, and also while trying to use Graph Explorer). After some research I've come to your blog, which deals with a similar issue, just in a hybrid environment. It seems that the requests from the application to MS Graph aren't even forwarded to on-prem Exchange due to a missing authentication provider.
    My question is:
    – Is it even possible to connect to non-hybrid on-prem exchange via ms graph without an authentication provider?
    – Or is the hybrid environment necessary?

    Thank you very much in advance for any hints on that issue.

    1. Hi Stefan,
      – Is it even possible to connect to non-hybrid on-prem exchange via ms graph without an authentication provider?

      As far as I know, you need hybrid to leverage the Graph API. The reason is that Graph relies on OAuth and you must set the EvoSTS as the authentication provider. Further, Microsoft states that hybrid is necessary to use the on-prem REST API. Thus I'd say that you can't get away from hybrid in this case.
