{"id":434,"date":"2017-01-18T22:44:12","date_gmt":"2017-01-19T03:44:12","guid":{"rendered":"https:\/\/www.ccrossan.com\/blog\/?p=434"},"modified":"2019-07-18T08:38:51","modified_gmt":"2019-07-18T12:38:51","slug":"adfs-4-0-server-2016-outlook-web-app-2013","status":"publish","type":"post","link":"https:\/\/crossan007.dev\/blog\/microsoft-exchange\/adfs-4-0-server-2016-outlook-web-app-2013\/","title":{"rendered":"ADFS 4.0 on Server 2016 <-> Outlook Web App 2013"},"content":{"rendered":"\n
Tweet<\/a><\/div>\n

I recently enabled SAML authentication on Outlook Web App 2013, following the TechNet Documentation here: https:\/\/technet.microsoft.com\/en-us\/library\/dn635116(v=exchg.150).aspx<\/a><\/p>\n

It seemed to work fine; however, I would occasionally (about 1\/8 attempts) receive an error message saying: \u201cWrongAudienceUriOrBadSigningCert\u201d<\/p>\n

I had already added my ADFS token signing certificate to the Exchange server’s trusted root store as\u00a0 suggested here:\u00a0 https:\/\/flamingkeys.com\/exchange-2013-with-ad-fs-login-fails-with-wrongaudienceuriorbadsigningcert\/<\/a><\/p>\n

The truly troubling thing was, that the issue could not be reproduced reliably.\u00a0 It affected both internal and external devices (both the primary ADFS and the ADFS Web Application Proxy servers)<\/p>\n

I watched a fiddler trace as I attempted to access OWA, and the only difference between successful and failed attempts was a\u00a0 “\/” at the end of the URL.<\/p>\n

This can be observed in the POST body of the 302 to owa:<\/p>\n

\"\"<\/p>\n

\n\n&amp;amp;lt;saml:AudienceRestrictionCondition&amp;amp;gt;\n&amp;amp;lt;saml:Audience&amp;amp;gt;https:\/\/mail.corp.org\/owa\/&amp;amp;lt;\/saml:Audience&amp;amp;gt;\n&amp;amp;lt;\/saml:AudienceRestrictionCondition&amp;amp;gt;\n\n<\/pre>\n
\n&amp;amp;lt;saml:AudienceRestrictionCondition&amp;amp;gt;\n&amp;amp;lt;saml:Audience&amp;amp;gt;https:\/\/mail.corp.org\/owa&amp;amp;lt;\/saml:Audience&amp;amp;gt;\n&amp;amp;lt;\/saml:AudienceRestrictionCondition&amp;amp;gt;\n<\/pre>\n
This is the token issued to me by my ADFS4 Server!\u00a0 It would seem that the tokens issued by the IdP do not contain a consistent Audience tag.<\/p>\n
The TechNet documentation states very clearly that<\/p>\n
The inclusion of the trailing slash \/<\/strong> in the URL examples shown below is intentional. It’s important to ensure that both the AD FS relying party trusts and Exchange Audience URI\u2019s are identical<\/strong>. This means the AD FS relying party trusts and Exchange Audience URI’s should both have<\/strong> or both emit<\/strong> the trailing slashes in their URLs. The examples in this section contain the trailing \/<\/strong>\u2019s after any url ending with “owa” ( \/owa\/) or “ecp” (\/ecp\/).<\/p><\/blockquote>\n
Ignoring this advise, I added all 4 urls<\/em> to my Exchange farm configuration<\/p>\n
\n\n$uris = @("https:\/\/mail.corp.org\/owa\/","https:\/\/mail.corp.org\/ecp\/","https:\/\/mail.corp.org\/owa","https:\/\/mail.corp.org\/ecp")\n\nSet-OrganizationConfig -AdfsIssuer "https:\/\/adfs.corp.org\/adfs\/ls\/" -AdfsAudienceUris $uris -AdfsSignCertificateThumbprint "&amp;amp;lt;thhumb&amp;amp;gt;"\n\n<\/pre>\n
Having 4 audience URIs resulted in a 100% success rate while attempting to open OWA from a successful ADFS authentication.<\/p>\n
I hope this helps someone, as I couldn’t seem to find this issue anywhere else online.<\/p>\n","protected":false},"excerpt":{"rendered":"
I recently enabled SAML authentication on Outlook Web App 2013, following the TechNet Documentation here: https:\/\/technet.microsoft.com\/en-us\/library\/dn635116(v=exchg.150).aspx It seemed to work fine; however, I would occasionally (about 1\/8 attempts) receive an error message saying: \u201cWrongAudienceUriOrBadSigningCert\u201d I had already added my ADFS token signing certificate to the Exchange server’s trusted root store as\u00a0 suggested here:\u00a0 https:\/\/flamingkeys.com\/exchange-2013-with-ad-fs-login-fails-with-wrongaudienceuriorbadsigningcert\/ The … Continue reading ADFS 4.0 on Server 2016 <-> Outlook Web App 2013<\/span> →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[28],"tags":[191,30,194,192,193],"yoast_head":"\n\n\n\n\n\n\n\n\n\n\n\n\n\t\n\t\n\t\n