This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(105.60000000000001, 48%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ED%3C/text%3E%3C/svg%3E)
To mitigate CVE-2021-1730, I'm looking for the right way to enable download domains on Exchange 2016 with claims-based auth for owa/ecp.
refs:
Download domain = https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1730
Claims-based auth = https://learn.microsoft.com/en-us/exchange/clients/outlook-on-the-web/ad-fs-claims-based-auth?view=exchserver-2016
I do not want to allow login from https://**download.**mail.contoso.com/owa since that defies the purpose
Is the following all it takes?:
Set-OrganizationConfig -AdfsAudienceUris "https://mail.contoso.com/owa/","https://mail.contoso.com/ecp/","https://download.mail.contoso.com/owa/"
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 67%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJS%3C/text%3E%3C/svg%3E)
Hi @Dylan
Yes, Microsoft suggests email users should NOT use Download Domains to login to OWA. For example, http://DownloadDomain/owa. If an email user uses a Download Domain to log into OWA, they will be using Exchange OWA cookies when trying to download images from their emails.
However, if you add the "https://download.mail.contoso.com/owa/" to -AdfsAudienceUris, it takes login redirected to the AD FS sign-in page. If you don't add it, it goes through normal login and authentication method. That's all doesn't matter, they just authenticate differently and they still be able to login that download address finally.