This is quite a curious problem. At first I did not encounter it at all. However, after upgrading my AD FS server to Server 2016, it occurred from time to time. Not always.
I would suddenly get the “wrongaudienceuriorbadsigningcert” when trying to open my Exchange Control Panel or Outlook Web App.
Of course, I first checked whether my signing cert was still trusted on my Exchange server, and this was all correct.
Turns out, since AD FS 2016 it suddenly sometimes expects an extra / at the end of the URL and sometimes it doesn’t.
At step 7 of the guide from Microsoft: https://technet.microsoft.com/en-us/library/dn635116(v=exchg.150).aspx#e2013
They explain you should use the URLs https://mail.contoso.com/owa/ and https://mail.contoso.com/ecp/
To solve the problem I had to do the following:
$uris = @("https://mail.contoso.com/owa/","https://mail.contoso.com/ecp/","https://mail.contoso.com/owa","https://mail.contoso.com/ecp")
Set-OrganizationConfig -AdfsAudienceUris $uris
Basically, like this it will accept both URLs and the problem is solved.
I only encountered it with AD FS 2016, and I’m not entirely sure why… but I do know this solved it for me at least.
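The same fix as an added example for the Exchange Management Shell (not part of the original post): it reads the current AdfsAudienceUris, works out which slash and non-slash forms of the OWA and ECP URLs are missing, and adds only those while keeping existing entries. Expand-AudienceUri is a hypothetical helper name, and -WhatIf previews the change; remove it to apply.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell.
# Expand-AudienceUri is a hypothetical helper: for each URL it emits the form
# with a trailing slash and the form without, de-duplicated.
function Expand-AudienceUri {
    param([Parameter(Mandatory = $true)][string[]]$Uri)

    $variants = foreach ($u in $Uri) {
        $base = $u.Trim().TrimEnd('/')
        if (-not $base) { continue }   # skip empty input or a bare "/"
        "$base/"
        $base
    }
    $variants | Select-Object -Unique
}

# URLs from the post (contoso.com is the documentation placeholder domain).
$wanted = @(Expand-AudienceUri -Uri 'https://mail.contoso.com/owa/',
                                    'https://mail.contoso.com/ecp/')

# Current value; the Where-Object guard handles an unset (null) property.
$current = @(@((Get-OrganizationConfig).AdfsAudienceUris) |
    Where-Object { $_ } |
    ForEach-Object { [string]$_ })

# -notcontains compares case-insensitively.
$missing = @($wanted | Where-Object { $current -notcontains $_ })

if ($missing.Count -eq 0) {
    Write-Host 'Both forms of every audience URI are already configured.'
} else {
    Write-Host "Missing audience URIs: $($missing -join ', ')"
    # Keep whatever is already configured and append only the missing forms.
    $merged = @($current) + $missing
    Set-OrganizationConfig -AdfsAudienceUris $merged -WhatIf
}
```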