
401 Unauthorized errors after enabling Certificate-Based Auth

Burgos Shirnava 80 Reputation points
2026-03-10T08:15:20.62+00:00

Since upgrading our on-premises farm to Exchange Server SE and enabling Hybrid Modern Authentication (HMA), we’ve hit a wall with mobile users. While Outlook on the web and desktop clients authenticate fine using Entra ID, mobile devices using Certificate-Based Authentication (CBA) are stuck in a 401 Unauthorized loop.

Any idea?

Exchange | Exchange Server | Management

The administration and maintenance of Microsoft Exchange Server to ensure secure, reliable, and efficient email and collaboration services across an organization.


Answer accepted by question author
  1. Dora-T 11,125 Reputation points Microsoft External Staff Moderator
    2026-03-10T09:31:26.1266667+00:00

    Hi Burgos Shirnava,

    Thank you for reaching out to the Microsoft Q&A forum.

    The root cause may lie in how Entra ID validates client certificates in the context of HMA. When a mobile client attempts to authenticate, it first completes CBA against Entra ID to receive an OAuth token, and then presents that token to the on-premises Exchange server via the X-MS-With-OAuth-Assertion header. If this token acquisition fails, Exchange never receives a valid assertion and returns a 401 Unauthorized.

    You may want to check the following:

    1. Check Microsoft Entra sign-in logs

    Go to Entra ID > Monitoring > Sign-in logs, filter by the affected user and the Exchange resource, and review the error details. The logs may indicate whether the issue is related to certificate validation, token issuance, or Conditional Access.

    2. Verify the certificate authority configuration

    Ensure the issuing CA is uploaded under Entra ID > Security > Certificate Authorities and confirm that the CRL Distribution Point (CDP) for the certificate can be reached externally over HTTP.

    You may also review the trusted certificate authorities with:

    Get-AzureADTrustedCertificateAuthority
    

    3. Validate the client certificate

    Confirm that the certificate includes the correct UPN or SAN value that matches the user’s Entra ID account (for example, ******@domain.com).

    4. Check Hybrid Modern Authentication configuration on Exchange

    - You may want to confirm the OAuth configuration with the following commands:

    Get-AuthServer | FL Name, Enabled, IssuerIdentifier, AuthMetadataUrl
    Get-OrganizationConfig | FL OAuth2ClientProfileEnabled
    

    - You can also test OAuth connectivity:

    Test-OAuthConnectivity -Service EWS -TargetUri https://<exchange-fqdn>/ews/exchange.asmx -Mailbox ******@domain.com | FL
    

    5. Review reverse proxy or WAF configuration

    If a reverse proxy or WAF is used, ensure it is not removing the Authorization: Bearer header on Exchange paths such as ActiveSync and MAPI-HTTP paths, as Outlook Mobile relies on MAPI over HTTP.

    Please note that, as a moderator in this forum, I do not have access to your environment and cannot reproduce the issue on my side. The steps above are general troubleshooting suggestions that may help you narrow down the possible cause. If the issue persists, you may consider opening a Microsoft support ticket through Services Hub for further assistance so the support team can investigate the issue directly in your environment.

    I hope the information above helps you further investigate this issue.


    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

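The Exchange-side checks from step 4 of the accepted answer, gathered into one script that flags what is wrong instead of leaving the reader to eyeball four cmdlet outputs. This is an added example, not the moderator's or Microsoft's code. It is meant to run in the Exchange Management Shell; the server FQDN, the test mailbox, and the assumption that the HMA auth server's IssuerIdentifier takes the `https://sts.windows.net/<tenant-id>/` form are all assumptions, as is the extra virtual-directory check (taken from the HMA setup guidance: OAuth must be listed on the MAPI, EWS, OAB and Autodiscover virtual directories, otherwise a valid Bearer token is still answered with 401).

```powershell
# Added example, not code from the original thread.
# Run in the Exchange Management Shell on an Exchange SE server.
param(
    [string]$ExchangeFqdn = "mail.contoso.com",   # assumption: external Exchange FQDN
    [string]$TestMailbox  = "user@contoso.com"    # assumption: a mailbox with an Entra ID account
)

$findings = @()

# 1. Organization-level OAuth must be on, or Exchange ignores Bearer tokens entirely.
$org = Get-OrganizationConfig
if (-not $org.OAuth2ClientProfileEnabled) {
    $findings += "OAuth2ClientProfileEnabled is False (Set-OrganizationConfig -OAuth2ClientProfileEnabled `$true)"
}

# 2. An enabled AuthServer pointing at Entra ID must exist (created during HMA setup).
#    Assumption: the issuer is the https://sts.windows.net/<tenant-id>/ form.
$authServers = Get-AuthServer | Where-Object { $_.Enabled }
$authServers | Format-List Name, Enabled, IssuerIdentifier, AuthMetadataUrl
$entra = $authServers | Where-Object { $_.IssuerIdentifier -like "https://sts.windows.net/*" }
if (-not $entra) {
    $findings += "No enabled AuthServer with an Entra ID (sts.windows.net) issuer; re-check HMA setup"
}

# 3. OAuth must be enabled on every virtual directory the clients use.
#    Outlook Mobile uses MAPI/HTTP plus Autodiscover/EWS/OAB; a missing OAuth entry here
#    produces a 401 even though the token itself was issued correctly.
Get-MapiVirtualDirectory        | Format-List Server, InternalUrl, ExternalUrl, IISAuthenticationMethods
Get-WebServicesVirtualDirectory | Format-List Server, InternalUrl, ExternalUrl, OAuthAuthentication
Get-OabVirtualDirectory         | Format-List Server, InternalUrl, ExternalUrl, OAuthAuthentication
Get-AutodiscoverVirtualDirectory | Format-List Server, OAuthAuthentication

foreach ($vd in (Get-MapiVirtualDirectory | Where-Object { $_.IISAuthenticationMethods -notcontains "OAuth" })) {
    $findings += "MAPI/HTTP on $($vd.Server) lacks OAuth in IISAuthenticationMethods"
}
foreach ($vd in (Get-WebServicesVirtualDirectory | Where-Object { -not $_.OAuthAuthentication })) {
    $findings += "EWS on $($vd.Server) has OAuthAuthentication disabled"
}
foreach ($vd in (Get-OabVirtualDirectory | Where-Object { -not $_.OAuthAuthentication })) {
    $findings += "OAB on $($vd.Server) has OAuthAuthentication disabled"
}
foreach ($vd in (Get-AutodiscoverVirtualDirectory | Where-Object { -not $_.OAuthAuthentication })) {
    $findings += "Autodiscover on $($vd.Server) has OAuthAuthentication disabled"
}

# 4. End-to-end: have Exchange obtain a token from Entra ID and call its own EWS endpoint.
$result = Test-OAuthConnectivity -Service EWS `
    -TargetUri "https://$ExchangeFqdn/ews/exchange.asmx" -Mailbox $TestMailbox
$result | Format-List ResultType, Detail
if ($result.ResultType -ne "Success") {
    $findings += "Test-OAuthConnectivity failed; read the Detail output above for the token or endpoint error"
}

if ($findings.Count) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host "No Exchange-side HMA problems found; look at the client certificate / Entra ID side next"
}
```

If everything here passes, the Exchange server is accepting OAuth and the failure sits earlier in the chain (certificate, CRL, Conditional Access or the proxy in front of Exchange), which is where the Entra sign-in logs from step 1 become the primary evidence.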

1 additional answer

  1. Q&A Assist
    2026-03-10T08:15:39.9633333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    401 loops for mobile clients using Certificate-Based Authentication (CBA) after enabling Hybrid Modern Authentication (HMA) almost always indicate that CBA isn’t fully wired through ADFS/Web Application Proxy to Entra ID, or that the client certificate chain/CRL can’t be validated end to end.

    Use the following checks, in order, focusing on the CBA path rather than general HMA (which explains why OWA/desktop work while mobile fails):

    1. Confirm CBA prerequisites
    • Environment must be federated with ADFS 2012 R2 or later, using Web Application Proxy for the CBA flow.
    • CBA is supported only for federated environments with Modern Authentication, except EAS for Exchange Online managed accounts.
    • The user certificate on the device must contain the user’s routable email address in the Subject Alternative Name (SAN) as either UserPrincipalName or RFC822; Entra ID maps RFC822 to the ProxyAddress attribute.
    2. Validate that CBA works directly against Entra ID. From an affected mobile device (or a test device with the same certificate):
    • Browse to the Azure portal sign-in page.
    • Enter the user’s email; this should redirect to ADFS.
    • On the ADFS page, choose “Sign in using an X.509 certificate” instead of entering a password.
    • Approve the client certificate when prompted.

    If there is no certificate prompt or the sign-in fails with 401:

    • Verify the user certificate and issuing CA root/intermediate certificates are installed on the device.
    • Verify TCP port 49443 is open on ADFS/Web Application Proxy and that the full issuing CA chain is installed on all ADFS/WAP servers.
    3. Check ADFS and Web Application Proxy configuration for CBA. On ADFS/WAP servers:
    • Ensure the ADFS version is 2012 R2 or later and that Microsoft Web Application Proxy is used (third‑party proxies must fully support the MS-ADFSPIP protocol to be supported).
    • Confirm CA chain placement:
      • Root CA .CER in Local Computer → Trusted Root Certification Authorities → Certificates.
      • Intermediate CA .CER in Local Computer → Intermediate Certification Authorities → Certificates. Use certlm.msc or:
         certutil -verifystore root
         certutil -verifystore CA
      
    4. Verify CRL (CDP) endpoints are reachable from ADFS and WAP under the service identities:
      • Export the Intermediate CA certificate and a sample user certificate to .CER.
      • Use psexec -s -i -d cmd.exe to open a SYSTEM context shell on each ADFS/WAP server.
      • Run:
             certutil.exe -verify -urlfetch SubCA.cer > %computername%_%username%_SubCA.txt
             certutil.exe -verify -urlfetch usercert.cer > %computername%_%username%_usercert.txt
        
      • In the output, inspect the “---------------- Certificate CDP ----------------” section and confirm all HTTP/LDAP endpoints are reachable.
      • If HTTP URLs cannot be resolved, ensure:
        • The ADFS group managed service account has proxy/firewall access.
        • The WAP server’s ComputerName$ account has proxy/firewall access.
    5. Verify claims and authentication method configuration in ADFS
    • Ensure pass-through claims for serialNumber and issuer are configured on:
      • The Active Directory Claims Provider Trust.
      • The Microsoft Office 365 Identity Platform Relying Party Trust.
    • Confirm the “Certificate Authentication” method is enabled for the appropriate access locations (Extranet, and Intranet if required) using the ADFS PowerShell cmdlets.

    If these are missing or misconfigured, ADFS will fail to map the certificate to a user and return 401, even though HMA works for password-based flows.

    6. Re-test mobile CBA after fixing ADFS/WAP. Once the above are corrected:
    • Re-test sign-in via the Azure portal from the device using CBA.
    • Then re-test mobile Outlook/Exchange connectivity. If OWA/desktop continue to work and mobile CBA still fails, focus on:
      • Whether the mobile app is actually using the CBA flow (correct profile, correct certificate selected).
      • Whether the certificate on the device matches the one validated in ADFS (serial number, SAN, issuer).

    These steps align the CBA path (certificate, CA chain, CRL, ADFS claims, and auth methods) with the already-working HMA configuration and typically resolve 401 loops specific to mobile CBA.


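Both answers come back to the same three certificate questions: does the user certificate carry a UPN or RFC822 name in the SAN, does its CDP offer an HTTP URL that is actually reachable, and does the chain build with online revocation checking (the check CryptoAPI performs on the ADFS/WAP servers, and the one `certutil -verify -urlfetch` exercises). The script below is an added example, not code from either answer, that performs those checks against an exported `.cer` file. The file path is an assumption, and it assumes Windows PowerShell, because the `Format()` calls used to read the SAN and CDP extensions rely on CryptoAPI and return raw hex on non-Windows hosts.

```powershell
# Added example, not code from the original thread.
# Usage: .\Test-CbaCert.ps1 -CertPath .\usercert.cer   (path is an assumption)
# Run it on the ADFS/WAP server (ideally under the service identity, e.g. via psexec -s)
# so that CRL reachability is tested from the identity that will perform it in production.
param([string]$CertPath = ".\usercert.cer")

$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)
"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"Serial  : $($cert.SerialNumber)"
"Expires : $($cert.NotAfter)"

# --- 1. SAN (OID 2.5.29.17): CBA binds on Principal Name (UPN) or RFC822 Name (mail). ---
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
if (-not $san) {
    Write-Warning "No SAN extension: Entra ID / ADFS cannot map this certificate to a user"
} else {
    $sanText = $san.Format($false)   # e.g. "Other Name:Principal Name=user@contoso.com, RFC822 Name=..."
    "SAN     : $sanText"
    if ($sanText -notmatch "Principal Name=|RFC822 Name=") {
        Write-Warning "SAN contains neither a UPN (Principal Name) nor an RFC822 name"
    }
}

# --- 2. CDP (OID 2.5.29.31): Entra ID fetches the CRL over HTTP only, so an LDAP-only CDP fails. ---
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.31" }
$urls = @()
if ($cdp) {
    # Multi-line Format() output contains lines of the form "URL=http://..." or "URL=ldap://..."
    $urls = [regex]::Matches($cdp.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
}
$httpUrls = @($urls | Where-Object { $_ -like "http://*" })
if (-not $httpUrls) {
    Write-Warning "No HTTP CDP URL in the certificate (found: $($urls -join ', '))"
}
foreach ($u in $httpUrls) {
    try {
        $r = Invoke-WebRequest -Uri $u -UseBasicParsing -TimeoutSec 15
        "CRL OK  : $u ($($r.RawContentLength) bytes)"
    } catch {
        Write-Warning "CRL fetch failed: $u -> $($_.Exception.Message)"
    }
}

# --- 3. Full chain build with online revocation checking on every element of the chain. ---
#     This is what ADFS/WAP do implicitly; a failure here shows up to the user as a 401.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = "Online"
$chain.ChainPolicy.RevocationFlag = "EntireChain"
$valid = $chain.Build($cert)
"Chain   : $(if ($valid) { 'valid' } else { 'INVALID' })"
foreach ($s in $chain.ChainStatus) {
    Write-Warning "$($s.Status): $($s.StatusInformation.Trim())"
}
foreach ($el in $chain.ChainElements) {
    "  -> $($el.Certificate.Subject)"
}
```

A `RevocationStatusUnknown` or `OfflineRevocation` status with a valid-looking certificate usually means the CDP is reachable from your workstation but not from the ADFS/WAP service identity (proxy or firewall), which is exactly the case the `psexec -s` step in the answer above is designed to expose.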
