"401 Access denied" error when you run the Test-OAuthConnectivity cmdlet

PROBLEM

When you run the Test-OAuthConnectivity cmdlet to test OAuth authentication for a user, the operation fails, and you receive a message that resembles the following:
401 Access denied

CAUSE

This issue can occur if one of the following conditions is true:
  • The service principal name (SPN) that's required for OAuth authentication is missing.
  • You're testing an account that's not synchronized between the on-premises environment and Microsoft Exchange Online. 

SOLUTION

To fix this issue, take one of the following actions, as appropriate for your situation.

Scenario: The SPN is missing

  1. Open the Exchange Management Shell.
  2. Run the following command:
    Get-IntraOrganizationConfiguration  
    Notice the values that are returned for OnPremisesDiscoveryEndPoint and OnPremisesWebServiceEndPoint.
  3. Run the following command:
    Get-MsolServicePrincipal -ServicePrincipalName "00000002-0000-0ff1-ce00-000000000000").ServicePrincipalNames 
    Check whether the domain names that are listed for the endpoints are returned.
  4. If the domains names aren't returned, use the Set-MsolServicePrincipal cmdlet to add them.

    For example, the following command adds the Mail.contoso.com domain.
    Set-MsolServicePrincipal -ServicePrincipalName "00000002-0000-0ff1-ce00-000000000000").Mail.contoso.com 

Scenario: You're using an account that isn't synchronized between the on-premises environment and Exchange Online

When you run the Test-OAuthConnectivity cmdlet, make sure that you use an account that's synchronized between the on-premises environment and Exchange Online. For example, you'll encounter this issue if you use an on-premises administrator account.

In the following example, "Fred" is a user account that's synchronized between the on-premises environment and Exchange Online.
Test-OAuthConnectivity -Service EWS -TargetUri https://cas.contoso.com/ews/ -Mailbox "Fred” 

MORE INFORMATION

Still need help? Go to Microsoft Community or the Exchange TechNet Forums.
속성

문서 ID: 3090197 - 마지막 검토: 2016. 10. 28. - 수정: 1

피드백