Share via

Problem - Exchange 2019 CU15 & Modern Auth through on-prem ADFS

Romain 0 Reputation points
2025-08-05T05:27:36.2966667+00:00

Hi,

I am trying to configure Modern Auth with my up-to-date Exchange 2019 CU15 DAG.  Please note that I want to authenticate through my on-prem ADFS and not Office 365.  Outlook version is Microsoft® Outlook® for Microsoft 365 MSO (Version 2506 Build 16.0.18925.20076) 64-bit. 

I followed this tutorial: https://learn.microsoft.com/en-us/exchange/plan-and-deploy/post-installation-tasks/enable-modern-auth-in-exchange-server-on-premises#how-will-modern-authentication-work-and-is-this-feature-applicable-to-me  However, I am unable to get Outlook client to work with it.

More info:  On client side, I added the few registry keys in the tutorial + others I found during my research: 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\office\16.0\outlook\autodiscover  DWORD: ExcludeExplicitO365Endpoit

HKEY_CURRENT_USER\Software\Microsoft\Exchange\  DWORD: AlwaysUseMSOAuthForAutoDiscover 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Common\Identity\  DWORD: EnableADAL 

 

When I launch Outlook, the ADFS authentication window appears as expected.  I enter my credentials, but then it spins indefinitely.  If I add my account to a new profile, the same thing happens, except that I end up with error 62ubh (An error occurred).

 Looking at the ADFS side, authentication works fine. There is no error log about it.  If I run Fiddler on my computer, I can see that ADFS is sending me a valid token. 

My Outlook calls https://adfs.myfakedomain.com/adfs/oauth2/authorize then https://adfs.myfakedomain.com/adfs/oauth2/token, but once the token is received, a new URL is called and ends with 404 error:  https://adfs.myfakedomain.com/common/sso/progress?stage=Closing 

I can't debug any further and understand what's happening.  I don't know if it's the return URL sent by ADFS that's incorrect, or if it's my Outlook that doesn't understand the response from my ADFS and wants to close the SSO session.  I don't understand why it doesn't move on to step 7 of the process (schema on the howto from Microsoft).   

Based on my understanding, Outlook should now contact my Exchanges with the newly received tokens, right? 

I would therefore appreciate your help in clarifying this for me.

Exchange | Exchange Server | Other
0 comments

6 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Vergil-V 3,675 Reputation points Microsoft External Staff Moderator
    2025-08-05T08:50:41.2966667+00:00

    Hi Romain 
    Thank you for reaching out to Microsoft Learn Q&A!  Based on your description, I understand you're encountering a 404 error when the URL …/common/sso/progress?stage=Closing is called, along with an error code 62ubh after ADFS authentication in Outlook. 

    As a forum moderator, I want to acknowledge that we do not have access to a dedicated testing environment to replicate user-specific scenarios. However, driven by our mission to support users within the scope of our capabilities, I’d like to share some troubleshooting steps that may help you investigate further or provide more context around the issue: 

    +Verify Registry Keys 
    Please double-check that the three relevant registry keys are set to a value of 1, which ensures the feature is enabled. 

    +Review ADFS Relying Party Trust (RPT) 
    Ensure that the Relying Party Trust (RPT) includes the correct endpoints, valid claims rules (such as UPN and email), and a valid token-signing certificate. You can use the Get-AdfsRelyingPartyTrust command to review these settings. For more details, please refer to Get-AdfsRelyingPartyTrust (ADFS) | Microsoft Learn. 

    +Use Event Viewer 
    Check logs in Event Viewer to gather more information and identify any underlying issues. 

    +Restart Services 
    Restarting IIS and ADFS services is a general troubleshooting step that may help resolve temporary issues. 

    As mentioned, due to platform limitations, I’m unable to provide an exact solution without additional context. Your feedback is incredibly valuable and helps us improve the support we offer. If you have any updates or further questions, please don’t hesitate to reach out. 

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".         

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread

  2. Jo 0 Reputation points
    2025-08-26T14:31:10.8466667+00:00

    We are facing the same issue with following our infra

    • ADFS 2019
    • Outlook client version : Microsoft® Outlook® for Microsoft 365 MSO (Version 2502 Build 16.0.18526.20416) 32 bits on Windows 11 Pro 23H2
    • Exchange 2019 CU15 1 DAG, 8 servers sur Windows 2022

    We see also the 404 on ADFS on /common/sso/progress?stage=Closing. This endpoint should be for https://login.microsoftonline.com and not ADFS, so explaining the 404, but not why this is sent on wrong FQDN.

    We got a the same error "62ubh"  on Outlook client, but afterwards we see know this is crashing and the process that appears calling /common/sso/progress?stage=Closing on ADFS is "microsoft.aad.brokerplugin"

    => so if anybody got through the same issue and got it resolved, we would be glad to get the root cause and fix to apply

    0 comments
  3. Jerry 0 Reputation points
    2025-08-27T10:52:30.6733333+00:00

    I have same issue with you, and i solved it. Please check your ADFS certificate's CRL distribute point. It may cause TLS handshake failed, when Outlook tries to get token from ADFS (https://adfs.myfakedomain.com/adfs/oauth2/token).

  4. Dexpi 0 Reputation points
    2025-08-31T12:01:58.75+00:00

    Hello, I applied the fixes proposed by Jo and Jerry, but the issue persists.

    Environment: Exchange Server 2019 / Exchange 2016 Coexistence with an ADFS farm and WAP. The service communications certificate is a GoDaddy wildcard.

    • OCSP/CRL/AIA endpoints are reachable from clients, Exchange, and ADFS. certutil -urlfetch -verify succeeds; revocation checks pass.
    • GoDaddy intermediate and CRLs have been imported into the Local Machine stores (CA/Root) on Exchange and ADFS; revocation caches cleared.
    • Also I've installed the latest Outlook version
    • I have added EnableAdal 1 and the regedit keys : New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\AAD\AuthTrustedDomains" -Force (Get-Item HKLM:).OpenSubKey("SOFTWARE\Policies\Microsoft\AAD\AuthTrustedDomains", $true).CreateSubKey("https://your-ADFS-domain/") (Get-Item HKLM:).OpenSubKey("SOFTWARE\Policies\Microsoft\AAD\AuthTrustedDomains", $true).CreateSubKey("https://your-ADFS-domain")

    Could you advise next diagnostic steps?

  5. Jo 0 Reputation points
    2025-09-01T05:26:55.3966667+00:00

    Even though we managed to make it work on PC, we're still struggling with Outlook for MAC

    The setting "defaults write com.microsoft.Outlook ADFSAuthorizedURLs -array host1" doesn't seam to work for us as we are deploying Outlook profile with MDM (JAMF) and we have not found the correct setting to enable Modern Auth for Outlook for MAC. Any help would be appreciated!

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.