Skip to content

ADFS Authentication with Exchange troubleshooting

A while ago, I posted an article about the configuration of Exchange to use ADFS Authentication. Here an update what to do if you see the following error:

Check that you that you have the correct certificate:

Get-ADFSCertificate Token-Signing | Select-Object Thumbprint

You might need to import the Certificate above: adding the AD FS token signing certificate to the Exchange Server(s)ā€™s trusted root (not my) certificate store makes this work almost immediately.

If you still see the error, you might need to tweak the URLs a bit. I was told the following could solve issues with ADFS 4 and the latest Exchange 2013 CUs and/or Exchange 2016:

$uris = @('https://OWAHOST/owa/', 'https://OWAHOST/ecp/', 'https://OWAHOST/owa', 'https://OWAHOST/ecp')

Set-OrganizationConfig -AdfsIssuer 'https://ADFSHOST/adfs/ls/' -AdfsAudienceUris $uris -AdfsSignCertificateThumbprint 'THUMB'

Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false

# Exchange older then 2016
Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false

# Exchange 2016
Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false -OAuthAuthentication $false

This is different to the official Microsoft documentation! However, some found this by tracing the traffic.

I also published a new Gist for the stuff above.

This content is older than 2 years. It might be outdated.
Published inHowTo


  1. Vel Vel

    What needs to be done in wap server for this to work? Thanks

    • Joerg Hochwald Joerg Hochwald

      Normally you have to do nothing on your WAP Server instances.
      The WAP is just an Reverse Proxy and the Logic is handled on the regular ADFS Farm (or Server).
      When your WAP instances work with regular authentication, they will work for this as well.

  2. Vel Vel

    Thank you.
    Very helpful and easy to setup with your scripts šŸ™‚

    • Joerg Hochwald Joerg Hochwald

      Glad this helped

  3. Peter Baumann Peter Baumann

    Very good informations, thank you for that!

    We plan to switch over to SAML SSO with the OWA 2016 at the customer site.
    Since they using the “Light version” and “Public- Private-Computer” Options we need to add these options to the SAML-IdP at the logon screen.

    Do you know what kind of SAML Attributes/Claims is MS using to have it recognized at logon time?


    • Joerg Hochwald Joerg Hochwald

      Sorry Peter, I don’t have the matching attributes šŸ™
      Most of them are not well documented yet. You should ask in one of the Microsoft forums or raise an issue on the Docs page (aka GitHub) for it.

  4. vecon20 vecon20

    I am also seeing this same error “WrongAudienceUriOrBadSigningCert” when the ADFS servers time is not synced up correctly with the Exchange and DC servers

    • Joerg Hochwald Joerg Hochwald


      time is always critical when certificates are used!
      Within a domain, all servers should be on the same page, means: The clocks needs to be synced correctly.

  5. Gaurav Sood Gaurav Sood

    The steps seem to be similar to Exchange 2013. Getting the following error here:

    ID00006: The input string parameter is either null or empty
    Parameter name: value

    This occurs just after setting the AD FS authentication to true. The default authentication mechanism works after I enable FormsAuthentication and disable the ADFS Authentication.

    Anything I can do to resolve this?

  6. vecon20 vecon20

    Do you know if ADFS 2016 support OWA and sharepoint 2010?

Comments are closed.