Hi all,
I am currently trying to set up Exchange 2010 Outlook Web Access (OWA) to use ADFS for single sign-on.
I followed through the instructions on http://www.theidentityguy
However, I am experiencing an issue when users try to delete emails: OWA reports "Your network connection isn't available. If the problem continues, contact your helpdesk with this HTTP status code: 302."
After some Googling I can see numerous articles referencing the same issue, and they all seem to point towards authentication problems with the IIS web.config from the Exchange server. This makes perfect sense, since that's what I've been playing with to get ADFS working. I tested this by reverting the web.config back to its original state and voilà, it works again (albeit without ADFS).
Below are the contents of the web.config with ADFS working (but with the delete error). URLs have been changed to company.com.
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <configSections>
    <section name="microsoft.identityModel" type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </configSections>
  <system.webServer>
    <httpRedirect enabled="false" />
    <modules runAllManagedModulesForAllRequests="true">
      <add name="WSFederationAuthenticationModule" type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" />
      <add name="SessionAuthenticationModule" type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" />
    </modules>
  </system.webServer>
  <appSettings>
    <add key="FederationMetadataLocation" value="https://login.company.com/FederationMetadata/2007-06/FederationMetadata.xml" />
  </appSettings>
  <location path="FederationMetadata">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
    <authentication mode="None" />
    <compilation>
      <assemblies>
        <add assembly="Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
      </assemblies>
    </compilation>
  </system.web>
  <microsoft.identityModel>
    <service>
      <audienceUris>
        <add value="https://webmail.company.com/owa/" />
      </audienceUris>
      <securityTokenHandlers>
        <add type="Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
          <samlSecurityTokenRequirement mapToWindows="true" useWindowsTokenService="true" />
        </add>
      </securityTokenHandlers>
      <applicationService>
        <claimTypeRequired>
          <!--Following are the claims offered by STS 'http://login.company.com/adfs/services/trust'.
          Add or uncomment claims that you require by your application and then update the federation metadata of this application.-->
          <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" optional="true" />
          <claimType type="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" optional="true" />
          <!--<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" optional="true" />-->
          <!--<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" optional="true" />-->
          <!--<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" optional="true" />-->
          <!--<claimType type="http://schemas.xmlsoap.org/claims/CommonName" optional="true" />-->
          <!--<claimType type="http://schemas.xmlsoap.org/claims/EmailAddress" optional="true" />-->
          <!--<claimType type="http://schemas.xmlsoap.org/claims/Group" optional="true" />-->
          <claimType type="http://schemas.xmlsoap.org/claims/UPN" optional="true" />
          <!--<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" optional="true" />-->
          <!--<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" optional="true" />-->
          <!--<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" optional="true" />-->
          <!--<claimType type="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant" optional="true" />-->
          <!--<claimType type="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod" optional="true" />-->
          <!--<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid" optional="true" />-->
          <!--<claimType type="http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarysid" optional="true" />-->
          <!--<claimType type="http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarygroupsid" optional="true" />-->
          <!--<claimType type="http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid" optional="true" />-->
          <!--<claimType type="http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid" optional="true" />-->
          <!--<claimType type="http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid" optional="true" />-->
          <!--<claimType type="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" optional="true" />-->
          <!--<claimType type="http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser" optional="true" />-->
          <!--<claimType type="http://schemas.microsoft.com/2012/01/devicecontext/claims/identifier" optional="true" />-->
          <!--<claimType type="http://schemas.microsoft.com/2012/01/devicecontext/claims/registrationid" optional="true" />-->
          <!--<claimType type="http://schemas.microsoft.com/2012/01/devicecontext/claims/displayname" optional="true" />-->
          <!--<claimType type="http://schemas.microsoft.com/2012/01/devicecontext/claims/ostype" optional="true" />-->
          <!--<claimType type="http://schemas.microsoft.com/2012/01/devicecontext/claims/osversion" optional="true" />-->
          <!--<claimType type="http://schemas.microsoft.com/2012/01/devicecontext/claims/ismanaged" optional="true" />-->
          <!--<claimType type="http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip" optional="true" />-->
          <!--<claimType type="http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application" optional="true" />-->
          <!--<claimType type="http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent" optional="true" />-->
          <!--<claimType type="http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-ip" optional="true" />-->
          <!--<claimType type="http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path" optional="true" />-->
          <!--<claimType type="http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy" optional="true" />-->
          <!--<claimType type="http://schemas.microsoft.com/2012/01/requestcontext/claims/relyingpartytrustid" optional="true" />-->
          <!--<claimType type="http://schemas.microsoft.com/2012/12/certificatecontext/extension/applicationpolicy" optional="true" />-->
          <!--<claimType type="http://schemas.microsoft.com/2012/12/certificatecontext/extension/authoritykeyidentifier" optional="true" />-->
          <!--<claimType type="http://schemas.microsoft.com/2012/12/certificatecontext/extension/basicconstraints" optional="true" />-->
          <!--<claimType type="http://schemas.microsoft.com/2012/12/certificatecontext/extension/eku" optional="true" />-->
          <!--<claimType type="http://schemas.microsoft.com/2012/12/certificatecontext/field/issuer" optional="true" />-->
          <!--<claimType type="http://schemas.microsoft.com/2012/12/certificatecontext/field/issuername" optional="true" />-->
          <!--<claimType type="http://schemas.microsoft.com/2012/12/certificatecontext/extension/keyusage" optional="true" />-->
          <!--<claimType type="http://schemas.microsoft.com/2012/12/certificatecontext/field/notafter" optional="true" />-->
          <!--<claimType type="http://schemas.microsoft.com/2012/12/certificatecontext/field/notbefore" optional="true" />-->
          <!--<claimType type="http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatepolicy" optional="true" />-->
          <!--<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/rsa" optional="true" />-->
          <!--<claimType type="http://schemas.microsoft.com/2012/12/certificatecontext/field/rawdata" optional="true" />-->
          <!--<claimType type="http://schemas.microsoft.com/2012/12/certificatecontext/extension/san" optional="true" />-->
          <!--<claimType type="http://schemas.microsoft.com/ws/2008/06/identity/claims/serialnumber" optional="true" />-->
          <!--<claimType type="http://schemas.microsoft.com/2012/12/certificatecontext/field/signaturealgorithm" optional="true" />-->
          <!--<claimType type="http://schemas.microsoft.com/2012/12/certificatecontext/field/subject" optional="true" />-->
          <!--<claimType type="http://schemas.microsoft.com/2012/12/certificatecontext/extension/subjectkeyidentifier" optional="true" />-->
          <!--<claimType type="http://schemas.microsoft.com/2012/12/certificatecontext/field/subjectname" optional="true" />-->
          <!--<claimType type="http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatetemplateinformation" optional="true" />-->
          <!--<claimType type="http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatetemplatename" optional="true" />-->
          <!--<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprint" optional="true" />-->
          <!--<claimType type="http://schemas.microsoft.com/2012/12/certificatecontext/field/x509version" optional="true" />-->
          <!--<claimType type="http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork" optional="true" />-->
          <!--<claimType type="http://schemas.microsoft.com/ws/2012/01/passwordexpirationtime" optional="true" />-->
          <!--<claimType type="http://schemas.microsoft.com/ws/2012/01/passwordexpirationdays" optional="true" />-->
          <!--<claimType type="http://schemas.microsoft.com/ws/2012/01/passwordchangeurl" optional="true" />-->
          <!--<claimType type="http://schemas.microsoft.com/claims/authnmethodsreferences" optional="true" />-->
          <!--<claimType type="http://schemas.microsoft.com/2012/01/requestcontext/claims/client-request-id" optional="true" />-->
        </claimTypeRequired>
      </applicationService>
      <certificateValidation certificateValidationMode="None" />
      <federatedAuthentication>
        <wsFederation passiveRedirectEnabled="true" issuer="https://login.company.com/adfs/ls/" realm="https://webmail.company.com/owa/" requireHttps="true" />
        <cookieHandler requireSsl="true" path="/" />
      </federatedAuthentication>
      <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
        <trustedIssuers>
          <add thumbprint="5AB73BD59404270968C35A041354D8D25BFA84FC" name="http://login.company.com/adfs/services/trust" />
        </trustedIssuers>
      </issuerNameRegistry>
    </service>
  </microsoft.identityModel>
</configuration>
Below is the original web.config, which I have reverted to; everything works fine (without ADFS).
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <httpRedirect enabled="false" />
  </system.webServer>
</configuration>

I'm hoping it's something simple, but right now I'm completely stumped... Does anybody have any ideas?
Cheers,
Damian
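As an added example (not part of the original post), a small Python checker that parses the WIF section of a web.config like the one above and reports the settings that matter here: the passive-redirect behaviour that answers unauthenticated requests with a 302, plus the transport, signing-certificate and audience settings a reviewer would want to confirm before trusting the setup. The embedded config is a constructed, trimmed copy of the posted one with a placeholder thumbprint.

```python
import xml.etree.ElementTree as ET

# Constructed sample, trimmed from the posted web.config; the thumbprint is a placeholder.
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.web><authorization><deny users="?" /></authorization><authentication mode="None" /></system.web>
  <microsoft.identityModel><service>
    <audienceUris><add value="https://webmail.company.com/owa/" /></audienceUris>
    <certificateValidation certificateValidationMode="None" />
    <federatedAuthentication>
      <wsFederation passiveRedirectEnabled="true" issuer="https://login.company.com/adfs/ls/"
                    realm="https://webmail.company.com/owa/" requireHttps="true" />
      <cookieHandler requireSsl="true" path="/" />
    </federatedAuthentication>
    <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel">
      <trustedIssuers><add thumbprint="THUMBPRINT_PLACEHOLDER" name="http://login.company.com/adfs/services/trust" /></trustedIssuers>
    </issuerNameRegistry>
  </service></microsoft.identityModel>
</configuration>"""


def audit_wif_config(xml_text):
    """Return (severity, message) findings for the WIF settings in a web.config string."""
    root = ET.fromstring(xml_text)
    svc = next(root.iter("service"), None)  # the <microsoft.identityModel><service> element
    if svc is None:
        return [("info", "no microsoft.identityModel/service section: WIF is not active")]
    findings = []
    wsfed = svc.find("federatedAuthentication/wsFederation")
    if wsfed is not None:
        if wsfed.get("passiveRedirectEnabled", "false").lower() == "true":
            # The module answers any request without a valid session with a 302 to the issuer;
            # a browser XHR (such as OWA's async delete) cannot complete that hop and surfaces the 302.
            findings.append(("info", "passiveRedirectEnabled=true: unauthenticated requests get a 302 to " + wsfed.get("issuer", "?")))
        if wsfed.get("requireHttps", "true").lower() != "true":
            findings.append(("high", "wsFederation requireHttps=false: sign-in response may travel over cleartext"))
    cookie = svc.find("federatedAuthentication/cookieHandler")
    if cookie is None or cookie.get("requireSsl", "false").lower() != "true":
        findings.append(("high", "cookieHandler requireSsl is not true: session cookie may be sent over HTTP"))
    cv = svc.find("certificateValidation")
    if cv is not None and cv.get("certificateValidationMode") == "None":
        findings.append(("medium", "certificateValidationMode=None: signing certificate chain is not checked; trust rests solely on the trustedIssuers thumbprints"))
    if not svc.findall("issuerNameRegistry/trustedIssuers/add"):
        findings.append(("high", "no trustedIssuers entry: no token signer is trusted"))
    if not svc.findall("audienceUris/add"):
        findings.append(("high", "no audienceUris configured: audience restriction cannot be enforced"))
    return findings


def worst_severity(findings):
    """0 = info only, 1 = medium, 2 = high; handy as a CI exit code."""
    order = {"info": 0, "medium": 1, "high": 2}
    return max((order[s] for s, _ in findings), default=0)
```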