Skip to content

ADFS Authentication with Exchange troubleshooting

A while ago, I posted an article about the configuration of Exchange to use ADFS Authentication. Here an update what to do if you see the following error:

Check that you that you have the correct certificate:

Get-ADFSCertificate Token-Signing | Select-Object Thumbprint

You might need to import the Certificate above: adding the AD FS token signing certificate to the Exchange Server(s)’s trusted root (not my) certificate store makes this work almost immediately.

If you still see the error, you might need to tweak the URLs a bit. I was told the following could solve issues with ADFS 4 and the latest Exchange 2013 CUs and/or Exchange 2016:

$uris = @('https://OWAHOST/owa/', 'https://OWAHOST/ecp/', 'https://OWAHOST/owa', 'https://OWAHOST/ecp')

Set-OrganizationConfig -AdfsIssuer 'https://ADFSHOST/adfs/ls/' -AdfsAudienceUris $uris -AdfsSignCertificateThumbprint 'THUMB'

Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false

# Exchange older then 2016
Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false

# Exchange 2016
Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false -OAuthAuthentication $false

This is different to the official Microsoft documentation! However, some found this by tracing the traffic.

I also published a new Gist for the stuff above.

This content is older than 2 years. It might be outdated.
Published inHowTo


  1. Vel Vel

    What needs to be done in wap server for this to work? Thanks

    • Normally you have to do nothing on your WAP Server instances.
      The WAP is just an Reverse Proxy and the Logic is handled on the regular ADFS Farm (or Server).
      When your WAP instances work with regular authentication, they will work for this as well.

  2. Vel Vel

    Thank you.
    Very helpful and easy to setup with your scripts 🙂

  3. Peter Baumann Peter Baumann

    Very good informations, thank you for that!

    We plan to switch over to SAML SSO with the OWA 2016 at the customer site.
    Since they using the “Light version” and “Public- Private-Computer” Options we need to add these options to the SAML-IdP at the logon screen.

    Do you know what kind of SAML Attributes/Claims is MS using to have it recognized at logon time?


Leave a Reply

Your email address will not be published. Required fields are marked *

Copyright © 2018 by Joerg Hochwald. All rights reserved. ● Site is powered by Author