AD FS for ECP or OWA fails with error wrongaudienceuriorbadsigningcert

This is quite a curious problem. At first I did not encounter it at all; however, after upgrading my AD FS server to Server 2016 it occurred from time to time, though not always.

I would suddenly get the error “wrongaudienceuriorbadsigningcert” when trying to open my Exchange Control Panel (ECP) or Outlook Web App (OWA).
Of course, the first thing I checked was whether the AD FS token-signing certificate was still trusted on my Exchange server, and that was all correct.

It turns out that since AD FS 2016 it sometimes expects a trailing / at the end of the audience URL and sometimes it doesn’t.
At step 7 of the guide from Microsoft (https://technet.microsoft.com/en-us/library/dn635116(v=exchg.150).aspx#e2013)
they explain that you should use the URLs https://mail.contoso.com/owa/ and https://mail.contoso.com/ecp/ (with the trailing slash).

To solve the problem I had to do the following:

# Exchange Management Shell: register both the trailing-slash and the no-slash form of each URL as an AD FS audience URI
$uris = @("https://mail.contoso.com/owa/","https://mail.contoso.com/ecp/","https://mail.contoso.com/owa","https://mail.contoso.com/ecp")
Set-OrganizationConfig -AdfsAudienceUris $uris

With both forms registered, Exchange accepts either URL and the problem is solved.
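The following script is an added example, not a command from the original post. It assumes an Exchange Management Shell session and the same hypothetical hostname mail.contoso.com; it reads the current AD FS audience URIs, adds the missing slash/no-slash variant of each /owa and /ecp URI, and prints the configured issuer and signing-certificate thumbprint so the other half of the error name (the signing cert) can be checked against the AD FS server by hand.

```powershell
# Added example (not from the original post). Assumes Exchange Management Shell
# and the hypothetical hostname mail.contoso.com used throughout the post.
param([string]$Hostname = "mail.contoso.com")

function Get-AudienceUriVariants {
    # For every URI, return both the no-slash and the trailing-slash form.
    param([string[]]$Uris)
    $variants = foreach ($u in $Uris) {
        $trimmed = ([string]$u).TrimEnd('/')
        $trimmed          # e.g. https://mail.contoso.com/owa
        "$trimmed/"       # e.g. https://mail.contoso.com/owa/
    }
    # Sort-Object -Unique removes duplicates (case-insensitively by default).
    $variants | Sort-Object -Unique
}

$config  = Get-OrganizationConfig
$current = @($config.AdfsAudienceUris | ForEach-Object { [string]$_ })

# The error name covers two causes; show the issuer and thumbprint Exchange has
# so they can be compared with the AD FS token-signing certificate.
Write-Host "Configured AD FS issuer:          $($config.AdfsIssuer)"
Write-Host "Signing cert thumbprint (Exchange): $($config.AdfsSignCertificateThumbprint)"
Write-Host "Current audience URIs:"
$current | ForEach-Object { Write-Host "  $_" }

# Start from the two URLs Microsoft's guide names, plus whatever is already set,
# so the script also works when no audience URIs are configured yet.
$base    = @("https://$Hostname/owa", "https://$Hostname/ecp") + $current
$wanted  = Get-AudienceUriVariants -Uris $base
$missing = @($wanted | Where-Object { $current -notcontains $_ })

if ($missing.Count -gt 0) {
    Write-Host "Missing variants, adding:"
    $missing | ForEach-Object { Write-Host "  $_" }
    Set-OrganizationConfig -AdfsAudienceUris $wanted
} else {
    Write-Host "Both slash variants already present; nothing to change."
}
```

Re-run Get-OrganizationConfig afterwards to confirm the list; the AD FS relying party trust for Exchange still needs the same identifiers on the AD FS side.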

I only encountered it with AD FS 2016, and I’m not entirely sure why, but I do know this solved it for me at least.

1 thought on “AD FS for ECP or OWA fails with error wrongaudienceuriorbadsigningcert”

  1. Thanks for this – as soon as we upgraded to ADFS 2016 this problem showed itself periodically. Never would have thought to check the URIs.
