O365 AADSTS50011 when using sub domain

Hi, just moved to cloudflare dns and all is working except an issue with O365 web mail.

we have mail.domain. com pointing to mail.office365. com using CNAME and this has worked without issue until we changed.

Now when you sign in we get the following:

Sorry, but we’re having trouble with signing you in.

AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: ‘00000002-0000-0ff1-ce00-000000000000’.

Request Id: e9de7fb4-04bc-4017-8e9e-1899362e7e00
Correlation Id: a564720c-9715-4c6e-b044-579534282677
Timestamp: 2020-11-24T12:10:49Z
Message: AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: ‘00000002-0000-0ff1-ce00-000000000000’.

However if we go directly to mail.office365. com it works.

In the dns entries we have
CNAME | mail | mail.office365. com | auto | proxied

Has anyone come across anything similar? There was only one result for AADSTS50011 and that didn't get a reply. Hoping I can come across a bit more luck.

Thanks in advance (had to put space dot com as new user can only post 2 links)

Try setting that CNAME to :grey: DNS-Only.

1 Like

Hi, did this but with no success. I actually contacted O365 support and they suggested, as a workaround, using page rules to forward the subdomain, which works, but I don't know if I want to use this long term.

More details
When I change to DNS Only I get a certificate error, followed by the same login error.

Your connection isn’t private

Attackers might be trying to steal your information from mail.mydomain.com (for example, passwords, messages or credit cards).

NET::ERR_CERT_COMMON_NAME_INVALID

Request Id: 88f73a04-2d79-4d25-8722-a62a90ab8700
Correlation Id: 5f81e9f8-540e-41a5-a4f0-0033fc1b5fc9
Timestamp: 2020-11-24T16:24:08Z
Message: AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: ‘00000002-0000-0ff1-ce00-000000000000’.

This may have worked previously, but only because you never accessed mail.example.com over HTTPS. Microsoft just redirect all unknown host headers to a working URL, so it probably looked like it was working. Since moving to Cloudflare you were either using an :orange: domain name with “Always Use HTTPS”, or you enabled HSTS on your domain which has essentially the same effect.

You need to create a Page Rule for https://mail.example.com/* and forward the requests to https://outlook.office365.com/owa/example.com/. Putting example.com on the end will give your users whatever corporate branding you have configured on the logon page.

I have been doing this for many years, and so my users go to URLs like https://onedrive.example.com rather than https://example-my.sharepoint.com, which is easier to remember and reinforces the branding, which helps with our anti-phishing messaging, which is similar to "If the logon does not have our branding and logo, STOP!"

2 Likes
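To make the two halves of the explanation above concrete, here is an added example (my own illustration, not code from the thread or from Cloudflare/Microsoft): a small hostname-versus-certificate check that shows why a DNS-only CNAME for mail.example.com ends in a certificate error (the name is not on the certificate that outlook.office365.com serves), and an emulation of the Page Rule "Forwarding URL" match that sends mail.example.com/* to the branded OWA URL. The SAN list, hostnames and URLs are constructed samples, and the Page Rule matcher is a simplified model of Cloudflare's wildcard matching.

```python
"""Added example: why a vanity CNAME to Office 365 fails TLS validation, and
what a Cloudflare Page Rule forwarding rule produces for that host.
All hostnames, SAN entries and URLs are constructed for illustration."""
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed sample of the kind of SAN list a Microsoft mail endpoint serves.
# The vanity host mail.example.com is, as expected, not on it.
MS_MAIL_SAN = ["outlook.office365.com", "*.office365.com", "outlook.office.com"]


def san_matches(hostname, san_entries):
    """Hostname check in the style of RFC 6125: exact match, or a '*.' wildcard
    that covers exactly one leftmost label. Returns True if the name is covered."""
    host = hostname.lower().rstrip(".")
    for entry in san_entries:
        entry = entry.lower()
        if entry.startswith("*."):
            suffix = entry[1:]            # e.g. ".office365.com"
            label = host[: -len(suffix)]  # text the wildcard would have to cover
            if host.endswith(suffix) and label and "." not in label:
                return True
        elif entry == host:
            return True
    return False


def page_rule_redirect(url, pattern, target, status=301):
    """Simplified emulation of a Cloudflare Page Rule 'Forwarding URL' action.
    The pattern (e.g. 'mail.example.com/*') is matched against host + path,
    scheme ignored; '*' matches any characters including '/'.
    Returns (status, target) on a match, None otherwise."""
    parts = urlsplit(url)
    subject = parts.netloc.lower() + (parts.path or "/")
    if fnmatchcase(subject, pattern):
        return status, target
    return None


def describe_vanity_host(vanity_host, proxied, rule):
    """Summarise what a browser sees for the vanity host under each setup.
    'rule' is a (pattern, target) tuple or None."""
    url = f"https://{vanity_host}/owa/"
    if proxied and rule:
        hit = page_rule_redirect(url, *rule)
        if hit:
            return f"{url} -> {hit[0]} to {hit[1]} (redirect issued at the edge)"
    if proxied:
        # Edge terminates TLS for the vanity name, but the origin still sees an
        # unknown Host header and Microsoft answers with AADSTS50011.
        return f"{url}: TLS ok at the edge, origin rejects host (AADSTS50011)"
    covered = san_matches(vanity_host, MS_MAIL_SAN)
    return f"{url}: certificate covers host = {covered} (browser error if False)"


if __name__ == "__main__":
    rule = ("mail.example.com/*", "https://outlook.office365.com/owa/example.com/")
    print(describe_vanity_host("mail.example.com", proxied=False, rule=None))
    print(describe_vanity_host("mail.example.com", proxied=True, rule=None))
    print(describe_vanity_host("mail.example.com", proxied=True, rule=rule))
```

Run it as-is and the three lines show the progression the thread describes: DNS-only gives a certificate mismatch, proxied without a rule gives the AADSTS50011 reply-URL error, and proxied with the forwarding rule issues the 301 to the branded OWA URL. Users leave Cloudflare at that redirect, so the final URL in the address bar is whatever Microsoft chooses.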

Hi Michael, thanks for your reply. This is exactly what I am trying to achieve, but it just ends up going to https://outlook.office365. com/mail/inbox

I have cname record | mail | outlook.office365.com | :orange: Proxied

with the following page rule:
mail.mydomain.com/*

Forwarding URL (Status Code: 301 - Permanent Redirect, Url: https://outlook.office365.com/owa/mydomain.com/.)

When it is set to :grey: I get the SSL warning, then followed by AADSTS50011 again.

What you are trying to do is give users a short, easy-to-remember way to get to OWA. Once users get the initial redirect from your page rule you are out of the Cloudflare network, and it is up to Microsoft what the actual URL you end up on is.

With an :orange: hostname and the page rule above, do users actually get to their mailbox?

1 Like

Yes, they are able to get to their inbox and sign in as normal, but the URL changes.

However, I have now set up some branding so they know they are using the correct sign-in pages.
