ADFS 2016 Bug - WrongAudienceUriOrBadSigningCert

  • Question

  • Seems like I've found a bug in ADFS 2016 upgraded from 2012. 

    TL;DR - ADFS sends Audience URIs with or without a trailing / on its own, resulting in WrongAudienceUriOrBadSigningCert

    Our environment in short:

    1) ADFS 2012 R2

    2) ADFS 2016

    3) WAP 2016

    4) Active Directory 2012 R2 (domain and forest)

    5) Exchange 2013 CU8

    We started getting WrongAudienceUriOrBadSigningCert using OWA from time to time since we commissioned ADFS 2016 in our environment. It happened both to users signing in externally through the web application proxy and to users signing in internally directly to ADFS. After a long and nervous troubleshooting session, I think I finally have an answer.

    While I was tracing SAML with Fiddler, I saw a difference in the Audience URI between a successful sign-in and an error.

    <saml:Audience>https://mail.mycompany.com/owa</saml:Audience> - This is what a successful sign-in looks like.

    <saml:Audience>https://mail.mycompany.com/owa/</saml:Audience> - This is the error one.

    See the difference? It is this small / at the end of the URI. Let's check our ADFS settings - Relying Party Trust - Outlook Web App - Properties - Identifier. A single line here - https://mail.mycompany.com/owa.

    So why does this happen? Why does ADFS 2016 (2012 is turned off for the testing period) add a / at the end of an Audience URI on its own, and do so only from time to time?

    Wednesday, January 25, 2017 9:10 AM

Answers

  • You are welcome!

    Let's hope Microsoft takes notice. Didn't find any other way to submit a bug report to them =)

    BTW, here is a workaround to make your OWA work with ADFS 2016.

    $uris = @("https://mail.corp.org/owa/","https://mail.corp.org/ecp/","https://mail.corp.org/owa","https://mail.corp.org/ecp")
    Set-OrganizationConfig -AdfsAudienceUris $uris

    P.S. Remember to restart IIS on every Exchange server in your environment, otherwise it will not work.

    Friday, February 3, 2017 6:18 AM
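    The question above shows the mismatch (Audience with a trailing / versus an identifier without one), and the answer works around it by registering both forms. The script below, an added example and not code from the thread, models that check: it pulls the Audience out of a constructed SAML assertion fragment (a cut-down, made-up sample, not a real token) and compares it against the configured audience list with an exact string match, which is the comparison that makes the slash matter. It also builds the both-variants list the answer uses, generalised to any number of identifiers.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample fragment, shaped like what the Fiddler trace in the
# question shows. Only the elements needed for the audience check are present.
ASSERTION_OK = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://mail.mycompany.com/owa</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

# Same fragment, but with the trailing slash that produced the error.
ASSERTION_SLASH = ASSERTION_OK.replace("/owa<", "/owa/<")

# The single identifier from the relying party trust, as in the question.
CONFIGURED_SINGLE = ["https://mail.mycompany.com/owa"]


def extract_audiences(assertion_xml):
    """Return every <saml:Audience> value found in the assertion."""
    root = ET.fromstring(assertion_xml)
    return [el.text.strip() for el in root.findall(".//saml:Audience", SAML_NS) if el.text]


def audience_accepted(assertion_xml, configured_uris):
    """Exact-match audience check.

    No normalisation is applied on purpose: this reproduces the behaviour
    the thread describes, where 'https://host/owa' and 'https://host/owa/'
    are two different audiences.
    """
    configured = set(configured_uris)
    return any(aud in configured for aud in extract_audiences(assertion_xml))


def with_slash_variants(uris):
    """Build the workaround list: each identifier with and without a trailing slash.

    Order is preserved and duplicates are dropped, so the result is safe to
    feed back as a configuration value even if some variants already exist.
    """
    out = []
    for uri in uris:
        base = uri.rstrip("/")
        for variant in (base, base + "/"):
            if variant not in out:
                out.append(variant)
    return out


if __name__ == "__main__":
    print("no slash, single id :", audience_accepted(ASSERTION_OK, CONFIGURED_SINGLE))
    print("slash, single id    :", audience_accepted(ASSERTION_SLASH, CONFIGURED_SINGLE))
    both = with_slash_variants(["https://mail.mycompany.com/owa", "https://mail.mycompany.com/ecp"])
    print("slash, both variants:", audience_accepted(ASSERTION_SLASH, both))
```

    Run as-is, the first check passes, the second fails (the situation behind WrongAudienceUriOrBadSigningCert in this thread), and the third passes once both forms are configured. The list with_slash_variants produces is the same shape as the $uris array in the answer, so it can be pasted into -AdfsAudienceUris for any set of Exchange identifiers.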

All replies

  • Same problem here with the exact symptoms as above after upgrading to ADFS 2016.

    <Audience>https://mail.mybusiness.org/owa/</Audience> when it fails with WrongAudienceUriOrBadSigningCert

    <Audience>https://mail.mybusiness.org/owa</Audience> when it works

    Thank you Andrey for finding this, I lost a lot of time verifying my installation and certificate issues for nothing :)

    Thursday, February 2, 2017 10:41 AM
  • Hello Andrew.

    It's not solving it for me.

    Added all 4 URIs in the org config, 2 with "/" and the other 2 without /.

    ADFS : 2012 R2

    WAP : 2012 R2

    Exchange : 2013 CU19

    Still wasting time for the last 48 hours reconfiguring ADFS and WAP, nothing coming up green.

    "WrongAudienceUriOrBadSigningCert"

    Thursday, July 5, 2018 6:17 PM
  • Please create a new post as already "Answered" posts do not attract attention.

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Thursday, July 5, 2018 8:38 PM
  • Please look at this link:

    https://flamingkeys.com/exchange-2013-with-ad-fs-login-fails-with-wrongaudienceuriorbadsigningcert/

    Maybe you need to import the token-signing certificate into the trusted root store on the Exchange servers.

    Wednesday, July 25, 2018 6:01 PM