Applies To: Exchange Server 2016

Symptoms

Assume that you deploy AD FS for single sign-on (SSO) by using Windows Server 2016 in an Exchange Server 2016 environment. Then you set the value of ActivityBasedAuthenticationTimeoutInterval to less than 4 hours for device registration for users. When the time-out value is reached, Outlook on the web (formerly Outlook Web App) may sign the user out and then enter an authentication loop. In this situation, users can't sign in to Outlook on the web.

Cause

This issue occurs because the method that Outlook on the web uses to request a new token from AD FS isn't correct.

Workaround

You can set the value of ActivityBasedAuthenticationTimeoutInterval to more than 4 hours. For example:

Set-OrganizationConfig -ActivityBasedAuthenticationTimeoutInterval 05:00:00

This example sets the time span for signing out to 5 hours.
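
The following check is an added example, not part of the original article. It reads the current organization setting in the Exchange Management Shell, reports whether the interval already meets the workaround (more than 4 hours), and previews the change with -WhatIf. The variable names are illustrative.

```powershell
# Added example: run in the Exchange Management Shell with organization
# management rights. Variable names are illustrative.
$threshold = [TimeSpan]::FromHours(4)   # boundary stated in this article
$target    = '05:00:00'                 # value used in the article's example

$cfg = Get-OrganizationConfig

# The property can come back as a time-span object or as a string
# (for example in a remote session), so normalise through its string form.
$current = [TimeSpan]::Parse([string]$cfg.ActivityBasedAuthenticationTimeoutInterval)

# The workaround asks for "more than 4 hours", so exactly 04:00:00
# is treated as not meeting it.
$meetsWorkaround = $current -gt $threshold

[pscustomobject]@{
    TimeoutEnabled  = $cfg.ActivityBasedAuthenticationTimeoutEnabled
    CurrentInterval = $current
    MeetsWorkaround = $meetsWorkaround
}

if ($cfg.ActivityBasedAuthenticationTimeoutEnabled -and -not $meetsWorkaround) {
    # Preview only. Remove -WhatIf to apply the change.
    Set-OrganizationConfig -ActivityBasedAuthenticationTimeoutInterval $target -WhatIf
}
```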

Resolution

To resolve this issue, install Cumulative Update 11 for Exchange Server 2016 or a later cumulative update for Exchange Server 2016.

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
