Exchange 2013 with AD FS login fails with "WrongAudienceUriOrBadSigningCert"
Written on June 22, 2015

If you’ve attempted to configure Exchange Server 2013’s OWA and EAC/ECP to authenticate using AD FS, you’ve probably had a pretty fun time of it. Microsoft’s guides are good…but there are bits and pieces missing.

I’ve been dealing with an error for a while now that has been a little annoying. When attempting to log in, after AD FS authentication, the user is redirected to https://owa.contoso.com/owa/auth/errorfe.aspx?msg=WrongAudienceUriOrBadSigningCert and is presented with the typical sad face emoticon and a pretty useless error message. The only real hint is in the message name itself: Exchange checks two things on the token it gets back from AD FS, the audience URI (which must match one of the values it has been told to accept) and the certificate that signed the token, and this error covers a failure of either.

After a bit of digging, I discovered that adding the AD FS token signing certificate to the Exchange Server(s)’ Trusted Root Certification Authorities store (not the Personal/“My” store) makes this work almost immediately.

I’m not sure why this is, but I’m positive it’s not right. Interested to hear from anyone else who runs across this. My environment is Exchange Server 2013 CU9 on Windows Server 2012 R2 Standard, and AD FS 3.0 (on Windows Server 2012 R2 Standard).
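The most likely reason the workaround works (my reading, not something the post confirms) is that the default AD FS 3.0 token-signing certificate is self-signed, so Exchange cannot build a trust chain for it unless that certificate is itself a trusted root. The script below is an added example, not code from the original post or from Microsoft’s guides: it exports the primary token-signing certificate on the AD FS server, shows the chain check failing and then succeeding on an Exchange server, applies the Exchange-side configuration, and verifies both halves of the error name (thumbprint and audience URIs) against what AD FS reports. The hostnames adfs.contoso.com and owa.contoso.com, the C:\temp path, and the relying party trust name 'Outlook Web App' are assumptions for illustration.

```powershell
# Added example (not from the original post). Phase 1 runs on the AD FS 3.0
# server, phase 2 in the Exchange Management Shell on each Exchange 2013 server.
# Hostnames, paths and the relying party trust name below are assumptions.

#region Phase 1 - AD FS server (elevated)
Import-Module ADFS

# AD FS rolls the token-signing certificate automatically by default
# (AutoCertificateRollover), so always pick the one that is primary right now.
$tokenSigning = Get-AdfsCertificate -CertificateType Token-Signing |
    Where-Object { $_.IsPrimary }
$exportPath = 'C:\temp\adfs-token-signing.cer'            # assumed path
Export-Certificate -Cert $tokenSigning.Certificate -FilePath $exportPath -Type CERT | Out-Null
Write-Host "Primary token-signing thumbprint: $($tokenSigning.Certificate.Thumbprint)"

# The relying party identifiers are what Exchange must accept as audience URIs.
$rp = Get-AdfsRelyingPartyTrust -Name 'Outlook Web App'    # assumed RP name
$rp.Identifier | ForEach-Object { Write-Host "Relying party identifier: $_" }
#endregion

#region Phase 2 - Exchange 2013 server (Exchange Management Shell, elevated)
$cerPath = 'C:\temp\adfs-token-signing.cer'                # copied from AD FS
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath

# Reproduces the "bad signing cert" half of the error: a self-signed cert that
# is not in Trusted Root fails chain building with UntrustedRoot.
function Test-SigningCertChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # The self-signed AD FS cert has no CRL/OCSP endpoints; skip revocation.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $ok = $chain.Build($Certificate)
    if (-not $ok) {
        $chain.ChainStatus | ForEach-Object {
            Write-Warning "Chain: $($_.Status) - $($_.StatusInformation)"
        }
    }
    return $ok
}

Test-SigningCertChain -Certificate $cert   # expected False before the import

# The workaround from the post: Trusted Root, not Personal ("My").
# Caveat: this makes the AD FS signing key a root CA as far as this server is
# concerned, and it must be repeated after every AD FS certificate rollover.
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
Test-SigningCertChain -Certificate $cert   # expected True after the import

# Tell Exchange which issuer, audience URIs and signing cert(s) to accept.
# The audience URIs must match the AD FS relying party identifiers exactly,
# trailing slash included; that is the "wrong audience URI" half of the error.
Set-OrganizationConfig `
    -AdfsIssuer 'https://adfs.contoso.com/adfs/ls/' `
    -AdfsAudienceUris 'https://owa.contoso.com/owa/', 'https://owa.contoso.com/ecp/' `
    -AdfsSignCertificateThumbprint $cert.Thumbprint

# Switch the virtual directories on this server to AD FS authentication.
$authOff = @{ WindowsAuthentication = $false; FormsAuthentication = $false
              BasicAuthentication = $false; DigestAuthentication = $false
              OAuthAuthentication = $false }
Get-OwaVirtualDirectory -Server $env:COMPUTERNAME | Set-OwaVirtualDirectory -AdfsAuthentication $true @authOff
Get-EcpVirtualDirectory -Server $env:COMPUTERNAME | Set-EcpVirtualDirectory -AdfsAuthentication $true @authOff

# Compare the Exchange configuration with what AD FS reported in phase 1.
function Test-ExchangeAdfsConfig {
    param([string]$ExpectedThumbprint, [string[]]$ExpectedAudienceUris)
    $cfg = Get-OrganizationConfig
    $configuredUris = @($cfg.AdfsAudienceUris | ForEach-Object { $_.ToString().ToLowerInvariant() })
    $expectedUris   = @($ExpectedAudienceUris | ForEach-Object { $_.ToLowerInvariant() })
    [pscustomobject]@{
        ThumbprintMatches = [bool]($cfg.AdfsSignCertificateThumbprint -contains $ExpectedThumbprint)
        AudienceUrisMatch = ($null -eq (Compare-Object $configuredUris $expectedUris))
        ConfiguredUris    = $configuredUris
    }
}

# Paste the thumbprint and identifiers printed in phase 1 here.
Test-ExchangeAdfsConfig -ExpectedThumbprint $cert.Thumbprint `
    -ExpectedAudienceUris 'https://owa.contoso.com/owa/', 'https://owa.contoso.com/ecp/'
iisreset
#endregion
```

If Test-ExchangeAdfsConfig reports ThumbprintMatches as false after AD FS has been running for a while, AD FS has probably rolled its token-signing certificate: re-run phase 1, and either add the new thumbprint alongside the old one (the parameter accepts several) or replace it, and repeat the Trusted Root import for the new certificate.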

Comments/questions

There's no commenting functionality here. If you'd like to comment, please either mention me (@[email protected]) on Mastodon or email me. I don't have any logging or analytics running on this website, so if you found something useful or interesting it would mean a lot to hear from you.