Exchange 2016 ECP not working

Question

Exchange 2016 ECP not working

Phalle, Mahesh 1

Hi Team, Exchange 2016 ECP not working. Could anyone help me? We have ADFS. Once entered the ECP URL, it redirects and once MFA is successful, it gives error as attached

User's image

2 answers

Your answer

Answer 1

Hin-V 8,605 Microsoft External Staff Moderator

Hi @Phalle, Mahesh

Thank you for posting your question in Microsoft Q&A.

As your description, looks like you are encountering the "WrongAudienceUriOrBadSigningCert" issue in Exchange Server 2016 when using ADFS. This could be caused either a mismatch in the configured audience URIs between ADFS and Exchange, or an issue with the ADFS token-signing certificate (such as it being untrusted, expired, or not properly imported on the Exchange server).

You could try to follow these steps to troubleshoot it:

1.Recheck and import the ADFS Token-Signing Certificate:

On your ADFS server, run this to get the current token-signing certificate thumbprint:

Get-AdfsCertificate -CertificateType Token-Signing | Select-Object Thumbprint

Export this certificate (public key only) from the ADFS server's certificate store (via MMC or PowerShell: Export-Certificate).

On each Exchange 2016 server, import the exported certificate into the Computer account > Trusted Root Certification Authorities store (use MMC snap-in or PowerShell: Import-Certificate).

Restart the Microsoft Exchange Service Host service on the Exchange servers:

Restart-Service MSExchangeServiceHost

Test ECP access again then check if the issue still persists.

2.Check and Update Exchange Organization Configuration

You could use this command to view your current ADFS settings:

Get-OrganizationConfig | FL *ADFS*

Ensure AdfsAudienceUris includes all variations for OWA and ECP, AdfsIssuer points to your ADFS endpoint, and AdfsSignCertificateThumbprint matches the thumbprint from step 1.

If mismatched, update it to include multiple URIs for consistency:

Set-OrganizationConfig -AdfsIssuer https://<FederationServiceName>/adfs/ls/ -AdfsAudienceUris "<OotwURL>","<EACURL>" -AdfsSignCertificateThumbprint "<Thumbprint>"

You can refer to: Use AD FS claims-based authentication with Outlook on the web | Microsoft Learn

I hope this helps.

Please understand that our initial reply may not always immediately resolve the issue. However, with your help and more detailed information, we can work together to find a solution.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Phalle, Mahesh 1 Reputation point

2025-10-21T06:13:48.0433333+00:00

Thank you.

Get-OrganizationConfig | FL *A --> This looks ok. It has all the URL's listed.

Also, I have copied the cert to Trusted store which is available at ADFS Server

Get-AdfsCertificate -CertificateType Token-Signing | Select-Object Thumbprint

Same error- /owa/auth/errorfe.aspx?msg=WrongAudienceUriOrBadSigningCert
Hin-V 8,605 Reputation points Microsoft External Staff Moderator

2025-10-21T14:36:46.4633333+00:00
Hi @Phalle, Mahesh
Thank you for your responding.

Since you have confirmed that the URIs in Get-OrganizationConfig cmdlet look correct and the certificate has been imported, but did not mention whether the thumbprint was checked or updated, that’s likely the missing piece, especially if a certificate rollover occurred recently. ADFS typically auto-rolls over certificates annually, promoting the secondary certificate to primary and generating a new secondary. If the thumbprint in the configuration wasn’t updated to reflect this change, it could be causing the issue.

If possible, could you try following these steps:

Verify your current thumbprints:

On the ADFS Server

To list all token-signing certificates and identify the current primary certificate:

Get-AdfsCertificate -CertificateType Token-Signing | Select Thumbprint, IsPrimary

Look for the certificate where IsPrimary is $true. This is the active certificate after a rollover.

You may also see a secondary certificate (IsPrimary is $false), which is still valid during the rollover period.

On the Exchange Server

Check the thumbprints currently configured in Exchange:

Get-OrganizationConfig | Select -ExpandProperty AdfsSignCertificateThumbprint

If the output only shows the old thumbprint or doesn’t match the primary from ADFS, that’s likely the issue.

Update the Thumbprint in Exchange

To add the new primary thumbprint (recommended post-rollover to avoid breaking existing sessions):

Set-OrganizationConfig -AdfsSignCertificateThumbprint @{Add="<NewPrimaryThumbprintFromADFS>"}

Replace <NewPrimaryThumbprintFromADFS> with the actual thumbprint (no spaces, case-insensitive).

To also add the secondary certificate (optional but helpful for future rollovers):

Set-OrganizationConfig -AdfsSignCertificateThumbprint @{Add="<SecondaryThumbprintFromADFS>"}

If you prefer to replace all existing thumbprints with just the new primary (only if the old cert is expired or no longer needed):

Set-OrganizationConfig -AdfsSignCertificateThumbprint "<NewPrimaryThumbprintFromADFS>

Restart IIS on All Exchange Servers

After updating the configuration, restart IIS to apply the changes:

iisreset /noforce

You can refer more via: Exchange 2016 ECP and OWA unavailable after ADFS token certificate rollover - Collaboration - Spice…

Note: Microsoft is providing this information as a convenience to you. These sites are not controlled by Microsoft, and Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please ensure that you fully understand the risks before using any suggestions from the above link.

Any update would be appreciated.
Hin-V 8,605 Reputation points Microsoft External Staff Moderator

2025-10-22T07:52:40.4233333+00:00

Hi @Phalle, Mahesh

I wanted to check if the solution I shared earlier worked for you.

If you need any clarification or further help, feel free to reach out.
Looking forward to hearing from you.
Phalle, Mahesh 1 Reputation point

2025-10-22T08:05:48.74+00:00

I am running Get-OrgConfig and it cannot find this property in Exchange Server 2016

unning
Phalle, Mahesh 1 Reputation point

2025-10-22T08:14:32.22+00:00

Actually, Thumbprint wasn't added before under OrgConfig so I have added that now and IIS Reset was done. I am still getting same issue. Do you know if this certificate needs to be on all exchange servers?
Hin-V 8,605 Reputation points Microsoft External Staff Moderator

2025-10-22T13:40:04.9633333+00:00

Hi @Phalle, Mahesh
Yes, the certificate must be imported into the Trusted Root Certification Authorities store (under the Computer account) on all Exchange 2016 servers in your environment. This is crucial in multi-server setups (for example, with DAGs or load-balanced frontends) because authentication requests can be handled by any server, if even one lacks the cert, it could fail validation and trigger the "WrongAudienceUriOrBadSigningCert" issue when traffic routes there.
Hin-V 8,605 Reputation points Microsoft External Staff Moderator

2025-10-23T10:06:11.0233333+00:00

Hi @Phalle, Mahesh

Have you had a chance to check the replies provided?

Any update would be appreciated.

In case you require further assistance regarding this topic, feel free to reach out.

We more than happy to assist.
Phalle, Mahesh 1 Reputation point

2025-10-29T08:52:51.6+00:00

I have verified that certificate is placed under 'Trusted Root Certification Authorities'
Hin-V 8,605 Reputation points Microsoft External Staff Moderator

2025-10-30T14:52:10.7+00:00

Hi @Phalle, Mahesh
Sorry for my delayed respond.

We understand that you're still encountering the "WrongAudienceUriOrBadSigningCert" issue.

To investigate this further, we recommend reaching out to Tech community forum where you can engage with experts who may have direct experience with this specific customization. Some features can behave differently or be restricted depending on your environment and configuration, and these forums are a great place to get deeper technical insights.

We apologize for redirecting you to the relevant development team support. As moderators in this community, we have limited access to backend information, and reaching out to the appropriate support channels will help you receive faster and more effective assistance.

Appreciate your patience and understanding.

Hope you will achieve your goal soon.

Answer 2

Phalle, Mahesh 1

Hey, thanks for waiting. That certificate is already available on all the live servers. rest three are Non-Prod exchange servers. If I run below command, I can see that adfs redirection is set up on all three live servers ECP Virtual directory. my question is what will be the impact in hybrid deployment if set this value to false? or if not, what else we can check in ADFS? User's image

Hin-V 8,605 Reputation points Microsoft External Staff Moderator

2025-10-24T14:56:52.0266667+00:00
Hi @Phalle, Mahesh

Regarding your question:

1.What will be the impact in hybrid deployment if set this value to false?

Setting AdfsAuthentication to $false on the ECP (and ideally OWA) virtual directories disables ADFS as the authentication provider for those interfaces. As a result, access to ECP and OWA will no longer redirect users to ADFS for claims-based authentication (including MFA). Instead, it will fall back to legacy authentication methods such as Forms, Basic, or Windows Integrated Authentication, depending on what is configured via Set-EcpVirtualDirectory or Set-OwaVirtualDirectory. This change might lead to several impacts:

Security and Authentication Downgrade:

Users lose SSO and MFA via ADFS and must log in separately. Might fall back to basic authentication, increasing vulnerability to brute-force attacks.

If Hybrid Modern Authentication (HMA) is enabled, disabling ADFS could break modern auth flows.

Hybrid Functionality:

Core hybrid features (such as calendar sharing, mailbox moves) remain unaffected as they rely on organization-level OAuth. However, admin tasks in ECP involving hybrid management may face authentication issues if ADFS is the identity provider.

User and Client Experience:

Outlook clients may revert to basic auth, losing MFA/SSO. Mobile apps (for example, Outlook for iOS/Android) could be affected if they rely on modern auth.

2.If not, what else we can check in ADFS?

If keeping AdfsAuthentication as True, you could focus on ADFS-side validation, as the issue often ties to token mismatches post-MFA. Run these on your ADFS server(s):

Relying Party Trusts Configuration:

Open AD FS Management console > Relying Party Trusts > Select the Exchange trusts

Ensure URIs match exactly with Exchange's AdfsAudienceUris (from Get-OrganizationConfig | Select -ExpandProperty AdfsAudienceUris), including case, slashes. Mismatches could cause "WrongAudienceUri" issue. Edit to align if needed. Then, confirm SAML/WS-Trust endpoints point correctly.

Certificate and Rollover Checks:

Re-check primary/secondary certs:

Get-AdfsCertificate -CertificateType Token-Signing | Select Thumbprint, IsPrimary

If rollover occurred, ensure both thumbprints are in Exchange OrgConfig:

Set-OrganizationConfig -AdfsSignCertificateThumbprint @{Add="<Thumbprint>"}

Remove expired/old certs from Exchange trusted stores to avoid conflicts.

Farm and Sync Issues:

If ADFS farm (primary/secondary), verify sync:

Get-AdfsSyncProperties

If the primary node changed, update thumbprints and restart the ADFS service.

Enable IdP-initiated sign-on page if needed:

Set-AdfsProperties -EnableIdPInitiatedSignonPage $true

After primary switch, update thumbprints and restart ADFS service.

Event Logs and Diagnostics:

Check ADFS Admin logs (Event Viewer > Applications and Services > AD FS > Admin) for issues during login (for example, audience URI mismatches or cert failures).

Enable ADFS tracing:

wevtutil sl "AD FS Tracing/Debug" /e:true

Reproduce the issue and review the logs.

Use Fiddler or browser dev tools to inspect SAML tokens and validate audience URIs.

After changes, run iisreset /noforce on Exchange servers and test. If HMA is enabled, check OAuth config:

Get-AuthConfig

Renew if expired.

I hope this helps.
Hin-V 8,605 Reputation points Microsoft External Staff Moderator

2025-10-27T09:19:21.0366667+00:00

Hi @Phalle, Mahesh
Any updates from your side? If you have further questions, feel free to reach out.

Share via

Exchange 2016 ECP not working

2 answers

Your answer