
ADFS Authentication with Exchange troubleshooting

A while ago, I posted an article about configuring Exchange to use ADFS authentication. Here is an update on what to do if you see the following error: https://owa.contoso.com/owa/auth/errorfe.aspx?msg=WrongAudienceUriOrBadSigningCert

Check that you have the correct certificate (run this on the AD FS server):

Get-ADFSCertificate Token-Signing | Select-Object Thumbprint

You might need to import the certificate above: adding the AD FS token-signing certificate to the Trusted Root Certification Authorities store of the local computer on each Exchange server (not the Personal/"My" store) makes this work almost immediately.

If you still see the error, you might need to tweak the URLs a bit. I was told the following could solve issues with ADFS 4 and the latest Exchange 2013 CUs and/or Exchange 2016:

$uris = @('https://OWAHOST/owa/', 'https://OWAHOST/ecp/', 'https://OWAHOST/owa', 'https://OWAHOST/ecp')

Set-OrganizationConfig -AdfsIssuer 'https://ADFSHOST/adfs/ls/' -AdfsAudienceUris $uris -AdfsSignCertificateThumbprint 'THUMB'

Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false

# Exchange older than 2016
Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false

# Exchange 2016
Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false -OAuthAuthentication $false

This differs from the official Microsoft documentation! However, some people found this by tracing the traffic.
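As an added check (my own example, not part of the original post or its Gist), the following script, run in the Exchange Management Shell on an Exchange server, verifies the three things the error can point at: the signing thumbprint Exchange expects, the trusted-root import, and the audience URIs. It assumes you pass in the thumbprint reported by Get-ADFSCertificate on the AD FS server, and 'OWAHOST' is a placeholder for your OWA/ECP host name.

```powershell
# Added example: compare the Exchange-side AD FS settings with what AD FS actually uses.
# $AdfsThumbprint is the Token-Signing thumbprint from Get-ADFSCertificate on the AD FS server.
# 'OWAHOST' is a placeholder for the OWA/ECP host name (assumption, replace with yours).
param(
    [Parameter(Mandatory)][string]$AdfsThumbprint,
    [string]$OwaHost = 'OWAHOST'
)

$AdfsThumbprint = ($AdfsThumbprint -replace '\s', '').ToUpperInvariant()
$cfg = Get-OrganizationConfig

# 1. Does Exchange expect the same signing certificate that AD FS currently signs with?
$configured = ("$($cfg.AdfsSignCertificateThumbprint)" -replace '\s', '').ToUpperInvariant()
if ($configured -ne $AdfsThumbprint) {
    Write-Warning "Thumbprint mismatch: Exchange has '$configured', AD FS signs with '$AdfsThumbprint' (BadSigningCert)."
} else {
    Write-Host "OK: signing certificate thumbprint matches."
}

# 2. Is the token-signing certificate in the computer's Trusted Root store (not the Personal/'My' store)?
$inRoot = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $AdfsThumbprint }
if (-not $inRoot) {
    Write-Warning "AD FS token-signing certificate not found in Cert:\LocalMachine\Root on $env:COMPUTERNAME."
} else {
    Write-Host "OK: certificate present in LocalMachine\Root, expires $($inRoot.NotAfter)."
}

# 3. Are the OWA and ECP audience URIs present both with and without the trailing slash?
$expected = @("https://$OwaHost/owa/", "https://$OwaHost/ecp/", "https://$OwaHost/owa", "https://$OwaHost/ecp")
$current  = @($cfg.AdfsAudienceUris | ForEach-Object { $_.ToString() })
$missing  = $expected | Where-Object { $current -notcontains $_ }
if ($missing) {
    Write-Warning ("Audience URIs missing (WrongAudienceUri): " + ($missing -join ', '))
} else {
    Write-Host "OK: all four OWA/ECP audience URIs are configured."
}
Write-Host "AdfsIssuer currently set to: $($cfg.AdfsIssuer)"
```

Remember that the AD FS token-signing certificate rolls over automatically by default, so re-run this check after a rollover: the thumbprint in step 1 and the store entry in step 2 will both go stale.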

I also published a new Gist for the stuff above.