
OWA ADFS connection

adfsloss 0 Reputation points
2024-05-20T11:10:11.0033333+00:00

Hello, I have a problem related to OWA. I receive a SAML request from Keycloak, which is my IDP for ADFS. ADFS later sends a WS-Federation request to OWA. The page is redirected to the endpoint /owa/auth/errorfe.aspx?msg=WrongAudienceUriOrBadSigningCert. In the logs it shows me the following information: ID1044: An encrypted security token was received at the relying party which could not be decrypted. Configure the relying party with a suitable decryption certificate. Current relying party decryption certificate info: No Certificate Configured.

In the ADFS settings, in the certificates tab, I have certificates attached as Token-Decrypting and as Token-Signing. When receiving messages from Adfs, OWA displays in the logs the certificate with which this request was signed, cn=test.

In relying party trusts, as OWA I have encryption and signature certificate cn=test.

After using the command Get-ADFSCertificate all fields show the certificate cn=test.

Where could there be an error that OWA cannot load the certificate to decrypt the adfs message? Any commands that will help display the OWA certificate configuration?

Microsoft Security | Active Directory Federation Services
Outlook | Windows | Classic Outlook for Windows | For business
Exchange | Exchange Server | Management


1 answer

  1. Amit Singh 5,326 Reputation points
    2024-05-22T04:36:35.8433333+00:00

    It seems like there might be a mismatch or misconfiguration in the certificate settings between ADFS and OWA. Here's a suggested solution:

    • Verify that the certificate configured in ADFS for Token-Decrypting and Token-Signing is the same as the one configured in OWA for encryption and signature. Also, ensure that the certificate being used for decryption in OWA is valid and trusted.
    • In ADFS, ensure that the relying party trust for OWA is correctly configured with the appropriate encryption and signing certificates.
    • Double-check the settings to confirm that the correct certificate is selected for decryption in the relying party trust configuration.
    • Validate the certificates being used by both ADFS and OWA to ensure they are not expired, revoked, or otherwise invalid.
    • Ensure that the certificate chain is complete and all intermediate certificates are properly installed.
    • Confirm that the thumbprint of the certificate configured in OWA matches the thumbprint of the certificate used by ADFS for token decryption.
    • Continue reviewing logs and error messages in both ADFS and OWA for any additional clues or errors that might help diagnose the issue further.
    • Enable verbose logging if necessary to capture more detailed information about the SAML requests and responses.


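The question asks for commands that display the OWA side of the certificate configuration, and the answer's checklist comes down to comparing thumbprints and audience URIs between the AD FS relying party trust and Exchange. The following script is an added example, not code from the question, the answer, or Microsoft; it runs in the Exchange Management Shell, reads the AD FS side over PowerShell remoting, and reports the three things the page's error text points at: the signing-certificate thumbprint Exchange stores, the audience URI, and whether the relying party trust carries an encryption certificate (which is what makes AD FS send an encrypted token that the relying party then has to be able to decrypt). The AD FS server name and the relying party trust display name are placeholders.

```powershell
<#
  Added diagnostic example; not code from the question or the answer above.
  Run in the Exchange Management Shell on an Exchange server. The AD FS side is
  read over PowerShell remoting. Placeholders: $AdfsServer and $RelyingPartyName
  (the display name of the OWA relying party trust in AD FS).
#>
param(
    [string]$AdfsServer       = "adfs01.corp.example",   # placeholder
    [string]$RelyingPartyName = "Outlook Web App"        # placeholder
)

# ---- AD FS side: primary service certificates and the OWA relying party trust ----
$adfs = Invoke-Command -ComputerName $AdfsServer -ArgumentList $RelyingPartyName -ScriptBlock {
    param($rpName)
    Import-Module ADFS
    $rp = Get-AdfsRelyingPartyTrust -Name $rpName
    if (-not $rp) { throw "Relying party trust '$rpName' not found on this AD FS server" }
    $signing    = Get-AdfsCertificate -CertificateType Token-Signing    | Where-Object IsPrimary
    $decrypting = Get-AdfsCertificate -CertificateType Token-Decrypting | Where-Object IsPrimary
    $rpEncThumb = $null
    if ($rp.EncryptionCertificate) { $rpEncThumb = $rp.EncryptionCertificate.Thumbprint }
    [pscustomobject]@{
        SigningThumbprint    = $signing.Thumbprint
        DecryptingThumbprint = $decrypting.Thumbprint
        RpIdentifiers        = @($rp.Identifier)
        EncryptClaims        = $rp.EncryptClaims
        RpEncryptionThumb    = $rpEncThumb
    }
}

# ---- Exchange side: what OWA has been told to expect from AD FS ----
$org     = Get-OrganizationConfig
$owaDirs = Get-OwaVirtualDirectory | Select-Object Server, Name, AdfsAuthentication

"AD FS primary Token-Signing     : $($adfs.SigningThumbprint)"
"AD FS primary Token-Decrypting  : $($adfs.DecryptingThumbprint)"
"RP trust identifiers            : $($adfs.RpIdentifiers -join ', ')"
"RP trust EncryptClaims          : $($adfs.EncryptClaims)"
"RP trust encryption certificate : $(if ($adfs.RpEncryptionThumb) { $adfs.RpEncryptionThumb } else { 'none' })"
"Exchange AdfsIssuer              : $($org.AdfsIssuer)"
"Exchange AdfsAudienceUris        : $($org.AdfsAudienceUris -join ', ')"
"Exchange AdfsSignCertThumbprint  : $($org.AdfsSignCertificateThumbprint)"
$owaDirs | Format-Table -AutoSize

# ---- Cross-checks ----
$findings = @()

# 1. Signature: Exchange validates the token against the thumbprint stored in AdfsSignCertificateThumbprint.
if (-not $org.AdfsSignCertificateThumbprint -or
    $org.AdfsSignCertificateThumbprint.Trim() -ne $adfs.SigningThumbprint) {
    $findings += "Exchange AdfsSignCertificateThumbprint does not match the AD FS primary Token-Signing certificate; the token signature will not be accepted."
}

# 2. Audience: at least one Exchange AdfsAudienceUris value must equal an identifier of the RP trust
#    (trailing slashes are normalised so that a URI-vs-string difference does not hide a match).
$rpIds = $adfs.RpIdentifiers | ForEach-Object { $_.ToString().TrimEnd('/') }
$audienceMatch = $org.AdfsAudienceUris |
    ForEach-Object { $_.ToString().TrimEnd('/') } |
    Where-Object { $rpIds -contains $_ }
if (-not $audienceMatch) {
    $findings += "No Exchange AdfsAudienceUris value matches a relying party trust identifier; the audience check on the token will fail."
}

# 3. Encryption: an encryption certificate on the RP trust (with EncryptClaims on) makes AD FS encrypt
#    the token, so the relying party needs the matching private key. ID1044 "No Certificate Configured"
#    reports that the relying party has no such decryption certificate.
if ($adfs.EncryptClaims -and $adfs.RpEncryptionThumb) {
    $findings += "The RP trust has an encryption certificate ($($adfs.RpEncryptionThumb)) and EncryptClaims is enabled, so AD FS encrypts tokens for OWA; the relying party must hold the corresponding decryption certificate."
}

# 4. The OWA virtual directories must actually be switched to AD FS authentication.
if ($owaDirs | Where-Object { -not $_.AdfsAuthentication }) {
    $findings += "At least one OWA virtual directory does not have AdfsAuthentication enabled."
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { "No mismatches found between AD FS and Exchange." }
```

The script only reports; it changes nothing on either server. Check 1 and check 2 correspond to the two halves of the WrongAudienceUriOrBadSigningCert error in the question, and check 3 corresponds to the ID1044 text, since Get-AdfsCertificate (which the question already ran) shows the AD FS service certificates but not whether the relying party trust itself has an encryption certificate attached.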
