VMware Workspace ONE Community
TobiasPaschek12
Contributor

Identity Manager 2.8 and Office 365 only partially working

Hi Community,

I have a strange problem with vIDM and Office 365. SSO is working fine in both directions (from login.microsoftonline.com or outlook.office365.com, and also from the Identity Manager to Office 365); that is the good part. But when I try to access Exchange Online via ActiveSync or with an installed Outlook, I am not able to connect. I get an HTTP 503 error, which is related to Autodiscover. Also, when I try to connect with the Microsoft Remote Connectivity Analyzer and run an Autodiscover test, it fails on the "Attempting to send an Autodiscover POST request to potential Autodiscover URLs" test with the following message:

A Web exception occurred because an HTTP 503 - ServiceUnavailable response was received from Unknown.
HTTP Response Headers:
Retry-After: 30
request-id: 73087e70-1008-410a-b6d9-7c1749751e5c
X-CalculatedBETarget: am4pr0701mb2083.eurprd07.prod.outlook.com
X-AutoDiscovery-Error: LiveIdBasicAuth:FederatedStsUnreachable:<X-forwarded-for:40.69.150.142><CBA:CBAInPROD with cert><FEDERATED><UserType:Federated>Federated STS 'https://portal.vmcloud.at/SAAS/auth/wsfed/active/logon' is unreachable. User "tobias@mydomain.com" &ExceptionDetails=Federated STS 'https://myvidmFQN/SAAS/auth/wsfed/active/logon' has malformed RST response for user "tobias@mydomain.com". Exception System.Xml.XmlException: Root element is missing.
    at System.Xml.XmlTextReaderImpl.Throw(Exception e)
    at System.Xml.XmlTextReaderImpl.ParseDocumentContent()
    at System.Xml.XmlLoader.Load(XmlDocument doc, XmlReader reader, Boolean preserveWhitespace)
    at System.Xml.XmlDocument.Load(XmlReader reader)
    at Microsoft.Exchange.Compliance.Xml.SafeXmlDocument.LoadXml(String xml)
    at Microsoft.Exchange.Security.Authentication.FederatedAuthService.FederatedSTS.ProcessResponse(IAsyncResult asyncResult) XML response &;
X-DiagInfo: AM4PR0701MB2083
X-BEServer: AM4PR0701MB2083
Cache-Control: private
Set-Cookie: X-BackEndCookie2=; expires=Tue, 10-Feb-1987 08:15:01 GMT; path=/Autodiscover; secure; HttpOnly,X-BackEndCookie=; expires=Tue, 10-Feb-1987 08:15:01 GMT; path=/Autodiscover; secure; HttpOnly
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-FEServer: BN6PR2001CA0027
Date: Fri, 10 Feb 2017 08:15:00 GMT
Content-Length: 0

Elapsed Time: 1850 ms.

Does anyone have an idea?

RGS Tobias

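The X-AutoDiscovery-Error header above is the useful part of the 503: Exchange Online's LiveIdBasicAuth path resolved the domain to a federated STS, POSTed a WS-Trust RequestSecurityToken (RST) with the user's credentials to `/SAAS/auth/wsfed/active/logon`, and then failed to parse what came back ("Root element is missing" is .NET's message for an empty or non-XML document). The script below is an added example written for this thread, not VMware or Microsoft code: it builds the same kind of WS-Trust 1.3 UsernameToken RST that Office 365 sends to a federated STS for active (non-browser) clients, posts it to an endpoint you name, and classifies the reply with the checks a WS-Trust client performs, so you can see from a shell whether the vIDM active endpoint returns a SOAP envelope with a token, a SOAP fault, an HTML page or nothing at all. The endpoint URL, account and the sample replies in `SAMPLE_REPLIES` are constructed placeholders; that vIDM's active logon endpoint accepts this standard request shape is an assumption.

```python
"""Reproduce the WS-Trust exchange Exchange Online's Autodiscover performs
against a federated STS and classify the reply.  Added example for this
thread; not VMware or Microsoft code.  Endpoint, account and the sample
replies are constructed placeholders."""
import urllib.error
import urllib.request
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape

NS = {
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "t": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
}


def build_rst(endpoint: str, username: str, password: str) -> bytes:
    """WS-Trust 1.3 UsernameToken RequestSecurityToken as Office 365 sends it
    to a federated STS for active clients.  Assumption: vIDM's
    /SAAS/auth/wsfed/active/logon accepts this standard request shape."""
    now = datetime.now(timezone.utc)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    return f"""<s:Envelope xmlns:s="{NS['s']}" xmlns:a="http://www.w3.org/2005/08/addressing"
 xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
 xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
 xmlns:t="{NS['t']}" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
 <s:Header>
  <a:Action s:mustUnderstand="1">{NS['t']}/RST/Issue</a:Action>
  <a:MessageID>urn:uuid:{uuid.uuid4()}</a:MessageID>
  <a:ReplyTo><a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address></a:ReplyTo>
  <a:To s:mustUnderstand="1">{escape(endpoint)}</a:To>
  <o:Security s:mustUnderstand="1">
   <u:Timestamp u:Id="_0"><u:Created>{now.strftime(fmt)}</u:Created>
    <u:Expires>{(now + timedelta(minutes=10)).strftime(fmt)}</u:Expires></u:Timestamp>
   <o:UsernameToken u:Id="uuid-{uuid.uuid4()}">
    <o:Username>{escape(username)}</o:Username><o:Password>{escape(password)}</o:Password>
   </o:UsernameToken>
  </o:Security>
 </s:Header>
 <s:Body>
  <t:RequestSecurityToken>
   <wsp:AppliesTo><a:EndpointReference>
    <a:Address>urn:federation:MicrosoftOnline</a:Address></a:EndpointReference></wsp:AppliesTo>
   <t:KeyType>{NS['t']}/Bearer</t:KeyType>
   <t:RequestType>{NS['t']}/Issue</t:RequestType>
   <t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType>
  </t:RequestSecurityToken>
 </s:Body>
</s:Envelope>""".encode()


def classify_rst_response(body: bytes) -> tuple[str, str]:
    """Checks a WS-Trust client must pass before it can use a reply.  Returns
    (status, detail); 'empty' and 'not-xml' are the cases .NET reports as
    'Root element is missing' / an XmlException."""
    if not body.strip():
        return "empty", "zero-length body (what 'Root element is missing' means)"
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return "not-xml", f"body is not well-formed XML: {exc}"
    if root.tag != f"{{{NS['s']}}}Envelope":
        return "not-soap", f"root element is <{root.tag}>, not a SOAP 1.2 Envelope"
    fault = root.find("s:Body/s:Fault", NS)
    if fault is not None:
        return "fault", fault.findtext("s:Reason/s:Text", default="", namespaces=NS)
    token = root.find(".//t:RequestSecurityTokenResponse/t:RequestedSecurityToken", NS)
    if token is None or len(token) == 0:
        return "no-token", "SOAP envelope without a RequestedSecurityToken"
    return "ok", f"token element <{token[0].tag}> present"


def send_rst(endpoint: str, username: str, password: str, timeout: int = 15):
    """POST the RST and return (http_status, body).  A SOAP fault normally
    arrives as HTTP 500, so HTTP errors are returned for classification."""
    req = urllib.request.Request(
        endpoint, data=build_rst(endpoint, username, password), method="POST",
        headers={"Content-Type": "application/soap+xml; charset=utf-8"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


# Constructed sample replies, not captured from any real STS.
SAMPLE_REPLIES = {
    "empty": b"",
    "html": b"<html><body>Sign in</body></html>",
    "fault": (f'<s:Envelope xmlns:s="{NS["s"]}"><s:Body><s:Fault><s:Code><s:Value>s:Sender'
              '</s:Value></s:Code><s:Reason><s:Text xml:lang="en">Authentication failed'
              '</s:Text></s:Reason></s:Fault></s:Body></s:Envelope>').encode(),
    "rstr": (f'<s:Envelope xmlns:s="{NS["s"]}" xmlns:t="{NS["t"]}"><s:Body>'
             '<t:RequestSecurityTokenResponseCollection><t:RequestSecurityTokenResponse>'
             '<t:RequestedSecurityToken><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"/>'
             '</t:RequestedSecurityToken></t:RequestSecurityTokenResponse>'
             '</t:RequestSecurityTokenResponseCollection></s:Body></s:Envelope>').encode(),
}

if __name__ == "__main__":
    for name, body in SAMPLE_REPLIES.items():
        print(f"{name:6} -> {classify_rst_response(body)}")
    # Live probe against an assumed URL; use a test account, credentials travel over TLS:
    # print(classify_rst_response(send_rst(
    #     "https://myvidmFQN/SAAS/auth/wsfed/active/logon", "user@mydomain.com", "...")[1]))
```

Run the live probe from a host outside your network, because that is where the Exchange Online front ends (the `X-forwarded-for` address in the header) connect from; a reply of `empty` or `not-soap` from there, while the same request works from inside, points at the publishing path (load balancer, NSX, firewall) rather than at vIDM itself.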
3 Replies
pbjork
VMware Employee

For on-prem and version 2.8 and earlier, the connector must be publicly available for ActiveSync to work.

TobiasPaschek12
Contributor

Hi Peter, as described via Twitter, it is publicly available through NSX and a hardware firewall on port 443:

https://portal.vmcloud.at

rgs Toby

vraassina
Contributor

Hi,

Not sure if this is still relevant for you.

I ended up with a similar case in our DEMO environment with vIDM 2.81 and an Office 365 tenant.

The symptoms were the same: the Office 365 connectivity tests (Microsoft Remote Connectivity Analyzer) returned errors much like in your case.

Our solution actually had two parts.

1. Turning on Modern Authentication in the O365 tenant; more info here: https://social.technet.microsoft.com/wiki/contents/articles/32711.exchange-online-how-to-enable-your... Essentially, enabling it for Exchange Online means running a single PowerShell script against your Office 365 tenant.

(This changes the behaviour of "all clients" you use to connect to O365, so make sure to test before doing anything in your production :) )

2. Also (not sure if this was ultimately related to the case), but our vIDM is domain joined (AD directory via the vIDM connector, not ACC), and we had been testing AirWatch integration with ACC (directory from AirWatch).

We had left the option "User password authentication through AirWatch" enabled, but we were not using it and had not enabled it in the policies.

horizon.log showed some errors, with the O365 connectivity trying, or at least looking for, the user authentication through the "ACC" adapter.

So check number 1 in your O365, and be aware of number 2 on the vIDM side.

We now have a working setup with a federated O365 domain after changing to modern auth. AirWatch Boxer, Gmail etc. still work with Office 365 using basic auth, but Autodiscover is OK and working as expected.

User perspective: Outlook (fat client) now prompts for the vIDM login "web view", with a "correct" SP-initiated login process.

Regards,

Ville R.
