我已经在 Microsoft Windows Server 2016 Standard 上安装并配置了 AD FS 服务。
通过 Azure AD Connect,我们能够将我们的域配置为 Microsoft 365 租户上的联合域。除此之外,Azure AD Connect 还自动为Microsoft Office 365 Identity Platform Worldwide
我们TestUser在域中创建了一个 UPN [email protected]。此用户已同步到 MS365 租户,我们为其分配了 Exchange Online 许可证。
当我们开始测试时,我们能够成功https://outlook.office.com通过 PC 上的 Microsoft Edge进行访问TestUser,这验证了 SSO 正在正常运行。
但是,当我们从 Outlook 2019(通过安装包含Microsoft Office 2019 Standard)打开TestUser时,UPN 会自动插入到简化帐户创建向导中。当我们继续在对话框中时,会弹出一个 Modern Auth 窗口,其中包含我们的 AD FS 登录页面。这里要求输入 TestUser 的密码,因此 SSO 不可用。
在 AD FS 事件查看器中,我们收到以下错误消息:
The Federation Service could not authorize token issuance for caller 'DOMAIN\TestUser
'. The caller is not authorized to request a token for the relying party 'urn:federation:MicrosoftOnline'. See event 501 with the same Instance ID for caller identity.
Additional Data
Instance ID: 9c026fe6-4068-4a47-9e89-e4248dd5ca85
Relying party: urn:federation:MicrosoftOnline
Exception details:
Microsoft.IdentityServer.Service.IssuancePipeline.CallerAuthorizationException: MSIS5007: The caller authorization failed for caller identity DOMAIN\TestUser for relying party trust urn:federation:MicrosoftOnline.
at Microsoft.IdentityModel.Threading.AsyncResult.End(IAsyncResult result)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.ProcessCoreAsyncResult.End(IAsyncResult ar)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.EndProcessCore(IAsyncResult ar, String requestAction, String responseAction, String trustNamespace)
User Action
Use the AD FS Management snap-in to ensure that the caller is authorized to request a token for the relying party.
我们检查了Issuance Authorization Rules依赖方信任。它仅包含一条规则:Permit Access to All Users
非常感谢任何有关如何使 SSO 能够在 Outlook 桌面应用程序中运行的建议!