This content is older than 1 year. It might be outdated.

A while ago, I posted an article about the configuration of Exchange to use ADFS Authentication. Here an update what to do if you see the following error: https://owa.contoso.com/owa/auth/errorfe.aspx?msg=WrongAudienceUriOrBadSigningCert???

Check that you that you have the correct certificate:

1
Get-ADFSCertificate Token-Signing | Select-Object Thumbprint

You might need to import the Certificate above: adding the AD FS token signing certificate to the Exchange Server(s)’s trusted root (not my) certificate store makes this work almost immediately.

If you still see the error, you might need to tweak the URLs a bit. I was told the following could solve issues with ADFS 4 and the latest Exchange 2013 CUs and/or Exchange 2016:

1
2
3
4
$uris = @('https://OWAHOST/owa/', 'https://OWAHOST/ecp/', 'https://OWAHOST/owa', 'https://OWAHOST/ecp')
Set-OrganizationConfig -AdfsIssuer 'https://ADFSHOST/adfs/ls/' -AdfsAudienceUris $uris -AdfsSignCertificateThumbprint 'THUMB'
Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false
Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false -OAuthAuthentication $false

This is different to the official Microsoft documentation! However, some found this by tracing the traffic.

I also published a new Gist for the stuff above.