Friday, Oct 15, 2010

Access OWA with ADFS

One of the biggest advantages of using ADFS for your web applications (or any federated identity product for that matter) is that you can take advantage of the claims being passed to the application in the token. This data can be used by the application for making decisions about what the user will see – in other words, authorization. Or that identity data could be used for user personalization – such as displaying the text “Welcome, Ken”.

But what if your application doesn’t support claims? Do you need to rewrite it? In some cases, the answer is no – and what I’m talking about here today is one of those cases. You see, it is possible to use ADFS with applications that aren’t claims-aware, and Outlook Web App is a good application to illustrate that with. In this post, I’m going to show you how to enable ADFS v2 for logging on to Outlook Web App in Exchange Server 2010.

The Mechanics of How This Works

Before we get started, let me explain a little bit about how this works. Outlook Web App is just like any other ASP.Net application – it uses IIS for hosting the site, which means that IIS also handles authentication for the web app.

Now, typically, applications that are claims aware use Windows Identity Foundation (WIF). WIF is the API that does all of the token-handling things that the application needs to happen. If I want to use ADFS and claims-based access in my application, I would use WIF as a fundamental component of that app. WIF would do a lot of the heavy lifting so my app doesn’t have to. For example, WIF would take care of receiving the token from ADFS, verifying that it’s legitimate, and even taking the claims out of it and making them consumable by my application.

WIF uses an HTTP module that listens for unauthenticated requests to the application and then takes over. For example, if I access an application without having logged in already, WIF will step in and take care of redirecting me to the ADFS server that it trusts, which I can then use for authentication. We add this HTTP module to an application by putting it in the app’s web.config file. Easy enough.

So what happens after I’m authenticated and my federated identity token is returned to the app? Typically, the token would be validated and parsed so that the claims can be used. However, let’s say that I’m using an app like OWA. OWA doesn’t know anything about claims and tokens, so if I gave it an ADFS token, it wouldn’t know what to do with it.

So what can we do? In older versions of ADFS (v1), there was an agent that you could install on the web server called the NT Token agent. This agent would sit on the server as an ISAPI filter, and after the token is passed to the server, it would map it to an Active Directory account and create an NT token for the user. This effectively turned an ADFS token into an NT token. This way, the application did not require claims – any old app could use ADFS for authentication. The only requirement was that an account has to exist in Active Directory for the user.

The NT Token agent was retired along with ADFS v1 and is no longer available in ADFS v2. Some people found this disappointing, but one thing that many people missed is that we now have something even better. When you install WIF on a server, it installs a new Windows service that is Disabled by default. This service is called the Claims to Windows Token Service – or C2WTS. This service effectively does the same thing as the NT Token agent used to do – it turns an ADFS token into a Windows token. However, this time it doesn’t use an NT token – rather, it uses Kerberos Constrained Delegation (KCD) to request a Kerberos ticket on behalf of the identity specified in the UPN claim of the token. The target scenario of this capability is being able to use Kerberos delegation from a claims-based web app to a back-end system such as SQL Server.

Now, if we enable the C2WTS service, it basically steps in when a token is received, gets a Kerberos ticket, and passes it to the app instead. Since OWA is an ASP.Net application, and since it can use Windows Integrated Authentication, there is no reason why we should not be able to configure this in OWA.

Configuring OWA for ADFS

At a high level, here are the things that we are going to do to federate OWA with ADFS:

  • Make sure OWA works fine without ADFS first
  • Install WIF on the Exchange Client Access Server
  • Configure the OWA web.config file to use the WS-Federation Authentication Module supplied by WIF
  • Enable and configure the Claims to Windows Token Service
  • Configure the Relying Party trust in ADFS

Step 1: Make Sure that OWA is Working Without ADFS

This may be common sense, but it’s a good idea to make sure that OWA is working normally before getting started. In this example, I’ve installed Exchange 2010 on a server called CONTOSO-EX1 and the URL for OWA is mail.contoso.com. As you can see, when I browse to OWA, I’m prompted for my Active Directory credentials in Exchange’s Forms Based Authentication page.

[screen capture not preserved]

Step 2: Install Windows Identity Foundation

The next thing to do is to install Windows Identity Foundation on the Client Access Server. You can download WIF from here. After you install WIF, you should see a new service on the Client Access Server called the Claims to Windows Token Service. This service is not enabled by default. This is what we will be using to turn our SAML token into a Kerberos ticket.


Step 3: Install the Windows Identity Foundation SDK

You installed WIF in the previous step, so you may be wondering why you need the SDK. There is one tool included in the SDK that you need – FedUtil.exe. If you have the SDK installed somewhere else, you can just grab that tool from the SDK and copy it to the Client Access Server. Otherwise, you can download the WIF SDK from here and install it on the Client Access Server. After you install the WIF SDK, you should have FedUtil in the “c:\Program Files (x86)\Windows Identity Foundation SDK\v3.5\” folder.


Step 4: Configure OWA

Now, you need to run the utility called FedUtil.exe. This tool will update the web.config file for OWA and configure it to trust the ADFS server. You will find the tool on the Client Access Server under “c:\Program Files (x86)\Windows Identity Foundation SDK\v3.5\”. When you run FedUtil.exe, you will get the following dialog:

[screen capture not preserved]

For the Application Configuration Location field, enter the path to the OWA web.config, which will be “c:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa\web.config” if you are using a default installation of Exchange.

In the Application URI field, enter the URL for OWA – https://mail.contoso.com/owa in my example.

After you click Next, you will need to enter the URL of your ADFS server so FedUtil can grab the federation metadata file. You can just type in the DNS name of the ADFS service, and FedUtil will fill in the rest.


You can walk through the rest of the wizard, leaving everything else at the default value. If you were to browse to OWA now, you would see that the authentication module is working, and it will redirect you to the ADFS server instead of presenting you with the OWA forms-based logon page. You can see from the following screen capture that I’m being asked to log on at sts.contoso.com (the ADFS server) instead of mail.contoso.com (the Exchange server).

[screen capture not preserved]

However, we don’t have the ADFS side of the trust configured yet. And even if we did, OWA would get the SAML token back from ADFS and not know what to do with it because we didn’t configure C2WTS yet.

But before we do, there is one other thing we have to do in OWA. We need to turn off Forms Based Auth. In the Exchange Management Console, open your OWA authentication settings dialog and tell OWA to use IIS. You can get to this dialog by choosing Server Configuration > Client Access, and then select the OWA virtual directory in the bottom pane of the Exchange Management Console.


Just choose Properties to bring up the configuration dialog. Go to the Authentication tab and set the option to “Use one or more standard authentication methods”.


Then, you’ll need to go into IIS on the Client Access server and enable Anonymous Authentication on the OWA virtual directory. To do this, open IIS Manager, browse to the OWA virtual directory, and double-click on the Authentication icon.


Set the Anonymous Authentication setting to Enabled. After you are done, make sure that you run iisreset.

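The same two authentication changes can be made from the command line instead of the two consoles, which is handy when you have more than one Client Access Server. The following is an added example and not part of the original post: the Set-OwaVirtualDirectory call must run in the Exchange Management Shell, the IIS part uses the WebAdministration module, and the virtual directory identity and site name are assumed from the post's default CONTOSO-EX1 installation. The Test-OwaAuthForAdfs function at the end reads both settings back so you can confirm the state before moving on to C2WTS.

```powershell
# Added example, not from the original post. Assumed names: the OWA virtual
# directory on CONTOSO-EX1 under the default web site, as in the post.
$owaVdir = 'CONTOSO-EX1\owa (Default Web Site)'
$iisPath = 'IIS:\Sites\Default Web Site\owa'
$anonFilter = 'system.webServer/security/authentication/anonymousAuthentication'

Import-Module WebAdministration

# Step 4a: turn off Forms Based Authentication on the OWA virtual directory
# (the GUI's "Use one or more standard authentication methods" option).
Set-OwaVirtualDirectory -Identity $owaVdir -FormsAuthentication $false

# Step 4b: enable Anonymous Authentication in IIS for /owa so that the WIF
# module in web.config, not IIS, is the thing that challenges the browser.
Set-WebConfigurationProperty -PSPath $iisPath -Filter $anonFilter -Name enabled -Value $true

# The post ends this step with an iisreset; do the same so the new settings load.
iisreset

# Read both settings back and report whether OWA is in the state the post expects.
function Test-OwaAuthForAdfs {
    $vdir = Get-OwaVirtualDirectory -Identity $owaVdir
    $anon = Get-WebConfigurationProperty -PSPath $iisPath -Filter $anonFilter -Name enabled

    $report = New-Object PSObject
    $report | Add-Member NoteProperty FormsAuthentication $vdir.FormsAuthentication
    $report | Add-Member NoteProperty AnonymousAuthEnabled ([bool]$anon.Value)
    $report | Add-Member NoteProperty ReadyForAdfs `
        ((-not $vdir.FormsAuthentication) -and [bool]$anon.Value)
    $report
}

Test-OwaAuthForAdfs | Format-List
```

Note that the reader comments below this post report that Exchange 2010 SP1 behaves differently here (OWA refuses to start with Anonymous enabled unless the other authentication methods are also cleared, per the TechNet article one commenter links), so on SP1 check the comments before running this.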

Step 5: Configure C2WTS

There are a few things that you need to do to configure C2WTS. The first is to configure the service and turn it on. To configure it, you will need to allow the Exchange server to use it by modifying the C2WTS configuration file. You will find this file at “C:\Program Files\Windows Identity Foundation\v3.5\c2wtshost.exe.config”. Open the file in Notepad, and uncomment the following line:

[screen capture not preserved]

Save the file, and then set the C2WTS service to Automatic and start it up.


The second thing is that you need to go back into the OWA web.config file and tell WIF to use C2WTS to turn the SAML token into a Windows token instead of giving the SAML token back to OWA directly. So go back into OWA’s web.config file, scroll all the way down near the bottom, and add the following text into the Microsoft.IdentityModel element under the Service element:

<securityTokenHandlers>
  <add type="Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
    <samlSecurityTokenRequirement mapToWindows="true" useWindowsTokenService="true" />
  </add>
</securityTokenHandlers>

The two main things that we’re adding here are the parameters mapToWindows and useWindowsTokenService. These two attributes are what make OWA hand the SAML token to C2WTS. Here’s a screen capture of the modified file after the text was added:

[screen capture not preserved]
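Step 5 touches three separate things (the service, its allowed-callers list, and the OWA web.config), and a typo in any of them produces the same symptom: ADFS issues a token and OWA does nothing useful with it. The script below is an added example, not from the original post, that reads all three back. The file paths are the defaults quoted in the post; the service short name 'c2wts' is an assumption (the post only gives the display name, Claims to Windows Token Service); the XPath expressions match the element names shown in the post's web.config fragment and the allowedCallers element of c2wtshost.exe.config.

```powershell
# Added example, not from the original post: read-only check of the Step 5 settings.
# Assumption: 'c2wts' is the short service name of "Claims to Windows Token Service".
$c2wtsConfig = 'C:\Program Files\Windows Identity Foundation\v3.5\c2wtshost.exe.config'
$owaConfig   = 'C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa\web.config'

function Test-C2wtsForOwa {
    $r = New-Object PSObject

    # 1. The service must exist, be set to Automatic and be running.
    $svc = Get-WmiObject Win32_Service -Filter "Name='c2wts'"
    $r | Add-Member NoteProperty ServiceAutomatic ([bool]($svc -and $svc.StartMode -eq 'Auto'))
    $r | Add-Member NoteProperty ServiceRunning   ([bool]($svc -and $svc.State -eq 'Running'))

    # 2. At least one <add value="..."/> under <allowedCallers> must be uncommented,
    #    otherwise no local account is permitted to ask C2WTS for a Windows token.
    #    Entries still wrapped in <!-- --> are XML comments and are not returned here,
    #    which is exactly the mistake this check catches. Keep the list to the account
    #    the OWA application pool runs as; every caller listed can obtain tokens.
    [xml]$c2 = Get-Content -Path $c2wtsConfig
    $callers = @($c2.SelectNodes('//allowedCallers/add') | ForEach-Object { $_.GetAttribute('value') })
    $r | Add-Member NoteProperty AllowedCallers ($callers -join '; ')

    # 3. OWA web.config: FedUtil must have registered the WS-Federation module, and the
    #    SAML 1.1 handler entry from this step must carry both attributes set to "true".
    [xml]$web = Get-Content -Path $owaConfig
    $famRegistered = $web.SelectNodes("//modules/add[@name='WSFederationAuthenticationModule']").Count -gt 0
    $req = $web.SelectSingleNode('//securityTokenHandlers/add/samlSecurityTokenRequirement')
    $mapsToWindows = ($req -ne $null) -and
        ($req.GetAttribute('mapToWindows') -eq 'true') -and
        ($req.GetAttribute('useWindowsTokenService') -eq 'true')
    $r | Add-Member NoteProperty WsFedModuleRegistered $famRegistered
    $r | Add-Member NoteProperty HandlerMapsToWindows  $mapsToWindows

    $r | Add-Member NoteProperty Ready ($r.ServiceAutomatic -and $r.ServiceRunning -and
        ($callers.Count -gt 0) -and $famRegistered -and $mapsToWindows)
    $r
}

Test-C2wtsForOwa | Format-List
```

Run it on the Client Access Server after the iisreset; a Ready value of False together with the individual fields tells you which of the three pieces to go back to.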

Step 6: Set up Relying Party Trust in ADFS

The last step is to add the Relying Party side of the trust in ADFS. You can do this using the standard Add Relying Party Trust wizard in ADFS and using OWA’s Federation Metadata file, which was created in step 4 when we ran FedUtil. In the RP trust wizard, enter the URL for OWA. The wizard will take care of finding the Federation Metadata file, so you don’t have to specify the full path to it.


You can just specify the default values for the rest of the wizard. After you are done, you may get the Claims Rules dialog for the trust. If you do, you can just close it for now.

In order for C2WTS to work, you need to pass a UPN claim in the SAML token. C2WTS uses the UPN claim to look up the user that you want to create the Windows Token for in Active Directory. So, now we need to configure a couple of claim rules to get the UPN out of Active Directory and into the SAML token passed to OWA.

First, we need to make sure that the UPN claim is coming in from Active Directory.

  1. In ADFS, go to your Claims Provider Trusts, select the Active Directory claims provider, and choose Edit Claim Rules.
  2. In the Edit Claim Rules dialog, click the Add Rule button.
  3. In the rule wizard, choose the “Send LDAP Attributes as Claims” template
  4. In the rule configuration screen, select the Active Directory attribute store and choose to send the LDAP attribute User-Principal-Name as the Outgoing Claim Type labeled UPN, as shown in the following screen capture.
    [screen capture not preserved]

The second thing we need to do is to configure ADFS to pass the UPN claim to OWA.

  1. In the ADFS Management Tool, go to the Relying Party Trust that you created for OWA and choose to edit the claim rules there.
  2. In the Issuance Transform Rules tab, click the Add Rule button.
  3. In the rule wizard, use the template called Pass Through or Filter an Incoming Claim
  4. In the Incoming Claim Type field, select the UPN claim and choose “Pass through all claim values”, as shown in the following screen capture:
    [screen capture not preserved]
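The two wizards above generate rules in the ADFS claim rule language, and the same rules can be applied from the ADFS 2.0 PowerShell snap-in, which makes the configuration reviewable and repeatable. The block below is an added example and not part of the original post: the rule text is what the "Send LDAP Attributes as Claims" and "Pass Through or Filter an Incoming Claim" templates produce for the choices the post describes; the relying party display name 'OWA' is an assumed placeholder, since the post does not name the trust; the contoso.com suffix in the optional filter comes from the post's example domain.

```powershell
# Added example, not from the original post. Assumed: the relying party trust created
# in Step 6 is named 'OWA'; the ADFS 2.0 snap-in is available on the federation server.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$upnClaim = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'

# Rule for the Active Directory claims provider trust: look up userPrincipalName in AD
# for the authenticated Windows account and issue it as the UPN claim.
$sendUpnFromAd = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Send UPN from Active Directory"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$upnClaim"), query = ";userPrincipalName;{0}", param = c.Value);
"@

# Rule for the OWA relying party trust: pass the incoming UPN claim through unchanged,
# which is what "Pass through all claim values" does. C2WTS will map whatever UPN
# arrives here to an AD account, so this rule decides who can become a Windows user.
$passUpnToOwa = @"
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through UPN to OWA"
c:[Type == "$upnClaim"]
 => issue(claim = c);
"@

# Optional tighter variant (my addition, not the post's choice): the same template's
# "email suffix" option only forwards UPNs in the resource domain.
# c:[Type == "$upnClaim", Value =~ "^.+@contoso\.com$"]
#  => issue(claim = c);

# Append to the existing acceptance rules rather than replacing them, so the default
# rules on the Active Directory claims provider trust are kept.
$cpt = Get-ADFSClaimsProviderTrust -Name 'Active Directory'
Set-ADFSClaimsProviderTrust -TargetName 'Active Directory' `
    -AcceptanceTransformRules ($cpt.AcceptanceTransformRules + "`n" + $sendUpnFromAd)

# The OWA trust is new and has no issuance rules yet, so set them directly.
Set-ADFSRelyingPartyTrust -TargetName 'OWA' -IssuanceTransformRules $passUpnToOwa

# Show the resulting rule sets for review.
(Get-ADFSClaimsProviderTrust -Name 'Active Directory').AcceptanceTransformRules
(Get-ADFSRelyingPartyTrust -Name 'OWA').IssuanceTransformRules
```

Because C2WTS trusts the UPN claim completely, the issuance rules on the OWA trust are the control point: a filtered pass-through, as in the commented variant, is the place to restrict which UPNs may be turned into Windows tokens.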

Trying it Out

Now that everything is configured, we can try it out. Before you do, make sure that the account you are testing has a valid mailbox in Exchange and also has the UPN attribute populated in Active Directory.

Using my client, I will browse to https://mail.contoso.com, and I am redirected to ADFS to log in. I’ll log in with my user’s credentials:

[screen capture not preserved]

And voilà: I’m now logged into OWA via ADFS.

[screen capture not preserved]

Enjoy!

Reader Comments (42)

Hi Ken,

Great article. I'm no expert on ADFS, or SAML - though I expect I'm going to have to start learning soon. Just wondering if the instructions roughly apply to any IIS site that can use Windows Integrated Authentication to login users? Looks like an easy way to ADFS-enable a fair few legacy apps.

Steve

October 15, 2010 | Unregistered Commenter Steve Goodman

Hi Steve -

Thanks so much! That's a great question. C2WTS is included with Windows Identity Foundation, so the app needs to be .NET based. For example, you couldn't use this on a static web page because it won't support the federated authentication module that WIF uses. When the user gets logged in, WIF turns the SAML token into an actual WindowsIdentity, so if your web app works with native Windows identities, it should work well with C2WTS. So, yes, you should be able to use this approach with some of your legacy apps as well.

Also, there is another technique that I didn't mention in the post, but I think I'll do another post about it next week. Essentially, we can use UAG to put a pre-authentication shim in between the app and ADFS. That would allow us to do the token exchange in the pre-authentication sequence. When that happens, UAG would be able to use C2WTS to issue a Windows Identity to the back-end app. If you did this, you would not be required to use a .NET web app - we could even use static web pages as the target. Another interesting scenario with this is that you could use this technique for tunneling MAPI traffic over a UAG SSL wrapper, essentially allowing you to use ADFS to log into a full Outlook client. One of the Exchange guys on my team here at Microsoft doesn't believe that we couldn't make this work, so I'll work on writing this up and try to get it posted this coming week. :)

Thanks!
//Ken

October 15, 2010 | Registered Commenter Ken St. Cyr

Interesting article, Ken, but I wonder if you could clear something up for me?

I thought one of the benefits of federation was to achieve web SSO? I can see that users could be in different forests with the solution you outline above, but from a user experience perspective, it is simply replacing one logon screen with another. Can what you have outlined in the article be changed so that the login screen is bypassed and the upn claim is passed directly to OWA?

October 19, 2010 | Unregistered Commenter Steven Griffiths

Hi Steven -

You're absolutely correct - from the user's perspective, you are just replacing the login page with a different one. However, the real SSO benefits come when you have more applications than just OWA trusted with the same identity provider. For example, if you had a SharePoint site that trusted the same ADFS federation service as OWA, the user would log in only once when they access either one.

Now, in this example, I did use the forms based auth page, but you can also use Windows Integrated auth on ADFS and not have to be prompted for credentials, assuming that the user is logged into the same domain that ADFS is in.

Another interesting scenario this brings about, besides SSO, is the ability to use other authentication factors for logging into OWA. So rather than just a forms-based page, I can use an RSA token, a consumer device such as what Anakam offers, or even certificate-based authentication. One of the things that excites me about ADFS is that it's not just limited to Microsoft stuff. Imagine the situation of having some 3rd party LDAP directory, eDirectory for instance, and using something like CA SiteMinder as the Identity Provider. You could build out a usage scenario like this:

1. The user browses to OWA
2. OWA redirects to ADFS v2
3. ADFS v2 redirects to SiteMinder
4. The user logs in with the eDirectory account at SiteMinder
5. ADFS v2 receives the token, adds the UPN claim, and posts it to OWA
6. WIF turns the UPN claim into a Windows Identity and lets the user in

What you get here is that you can now log into OWA with a non-Microsoft authentication provider.

Great discussion!
//Ken

October 19, 2010 | Registered Commenter Ken St. Cyr

Thanks for the reply, Ken. I'm trying to get up to speed with ADFS and the scenario you outline with CA SiteMinder and eDirectory certainly illustrates the power and flexibility of the technology.

Just returning to my web SSO question again and apologies if I'm wide of the mark with my ADFS understanding...!

You mention that if the auth page were configured to use Windows Integrated authentication, then the logon page could be bypassed. Could this also be used by users from other forests?

I'm imagining that:

1. A user from another forest browses to OWA
2. OWA redirects to the ADFS server in the OWA server's domain
3. The ADFS server in the OWA server's domain redirects to the ADFS server in the user's domain
4. The user is authenticated by the ADFS server, but doesn't present a login screen as Windows Integrated auth is configured
5. The user's ADFS server sends a token to the ADFS server in the OWA domain...
6. ...which then passes it on to the OWA server and the user is granted access.

Is this approach feasible or is there a big hole in my thought processes?!

October 20, 2010 | Unregistered Commenter Steven Griffiths

Hi Ken,

Since I have the scenario that the users from other domains want to get access to their mailboxes in the ADFS resource domain.
Can this apply to the total functionalities of Exchange Server 2010, such as Outlook Anywhere, ActiveSync, Autodiscover, OAB, Public Folder, etc.?

Thanks
Thanaporn S.

October 25, 2010 | Unregistered Commenter Thanaporn

Hi Steven - The approach that you laid out is absolutely accurate. We typically refer to this scenario as "identity delegation", where you are allowing the user's home organization to manage their identity. For OWA specifically, you'll need a valid UPN in the resource domain (OWA's domain). This doesn't mean that the UPNs need to match, however. For example, you could use a claim rule to turn the UPN joe.smith@contoso.com into joe.smith@fabrikam.com for the resource domain.

Hi Thanaporn - That's a great question. The answer is "it depends". The process that I outlined in this post can be used for OWA and ECP because the client is the web browser and the user is presented an authentication page. It doesn't work the same way with other access methods in Exchange. However, there are other ways to accomplish this, and I'll be outlining this in a future post, so stay tuned :)

Thanks!
//Ken

October 27, 2010 | Registered Commenter Ken St. Cyr

Hi Ken,

Great post! Any guidance on how this applies to the ecp virtual directory? Doing this for OWA was a straightforward endeavor with your walkthrough, but all options and administrative functions are run through the ecp directory. Given the CAS-2-CAS proxy functionality on the same directory, this doesn't seem plausible. Just curious if you’ve thought about this. Thanks!

-Joe

October 28, 2010 | Unregistered Commenter Joe C

Thanks, Joe - I didn't mention the ECP configuration, but perhaps I should have. The configuration should be exactly the same. Since it is effectively a separate web app and has its own web.config file, you would just run the same steps using the ECP paths instead of OWA. Since you are already signed in at the Identity Provider, there will not be another prompt for authentication.

Thanks!
//Ken

October 29, 2010 | Registered Commenter Ken St. Cyr

Hi Ken,

Thanks for the response. I figured this was the case, however when I ran FedUtil for the ECP directory it caused problems in the web.config file that made IIS Manager throw parsing errors (for instance trying to enable Anonymous Authentication) and browsing the web app gave HTTP 500 errors. The other difference with the ECP directory is that it's a WCF application which seems to require an application certificate. I guess I'm trying to figure out if it really should work exactly like the OWA directory. If so, I must have issues specific to my setup that is making FedUtil insert the wrong information (or put it in the wrong place).

-Joe

October 29, 2010 | Unregistered Commenter Joe C

Hi Joe -

Ahhh - that's interesting... I'll take a look at it when I get an opportunity and see if I can understand what's going on. In theory it should work. I'll let you know - this may require another post. :)

Thanks!
//Ken

October 29, 2010 | Registered Commenter Ken St. Cyr

I actually get a similar error message when I follow the blog entry... running FedUtil and stipulating no encryption certificate on the /OWA virtual directory generates the following error:

ID1032: A WCF application federated to a security token service requires an application certificate....

This is on Exchange 2010 SP1.. weird :-)

Regards,
Mylo

October 29, 2010 | Unregistered Commenter Mylo

Hello

I'm having a few problems setting this up on 2008 R2 and Exchange 2010 SP1. Could someone please send me a copy of their working web.config files, as I'm sure this is why it's not working? Many thanks.

June 2, 2011 | Unregistered Commenter rick cross

Hello Ken,

I tried to follow another step-by-step guide: Exposing OWA 2010 with AD FS 2.0 to other organizations. The procedure is almost the same as yours.

There is a major problem with Exchange SP1: OWA cannot start if the Anonymous Authentication method is activated on the owa virtual folder... It throws this error in the event log:

There's an error in your Outlook Web App configuration.

The authentication type on the /owa virtual directory is set to Anonymous. This check box must be cleared for Outlook Web App to function correctly.

Unless there is a way to disable this check, it's no longer possible to allow ADFS login in OWA!?

July 8, 2011 | Unregistered Commenter Snipe Foo

I am also unable to get ADFS to work with Exchange 2010 SP1. I can make it work with Exchange 2007. If anyone succeeds with 2010SP1 please post your procedure or your web.config.

July 17, 2011 | Unregistered Commenter randy wiemer

Ken,

I know this post is older now but one of the posters "Steven" identified my exact situation where I need to authenticate users from disparate forests against an Exchange 2010 SP1 server in a dedicated resource forest without being prompted for login. I believe you referred to this as "identity delegation". Can you point me to some resources to facilitate implementation of such a project. I'm looking for articles but would also entertain a pointer to an integrator who has good experience with this type of project.

July 18, 2011 | Unregistered Commenter Kelley Underwood

Hi Ken,

I've managed to integrate Exchange 2010 SP1 OWA with Azure AppFabric Access Control which I assume is essentially ADFS 2.0 server. I'm using my Windows Live ID to access my Inbox, but Azure Access Control also allows me to use Google ID, Facebook, etc.

What I'm really curious about is integrating Outlook Anywhere. You mentioned in one of your comments that you have a solution based on UAG and I wonder if you've ever tried that out?

Thanks,
Dinko

August 16, 2011 | Unregistered Commenter Dinko

When using Exchange 2010 Service Pack, you also need to do this in addition to this blog post:
To enable Outlook Web App to accept anonymous access, you must disable all forms of authentication:
Configure Outlook Web App to Work with Active Directory Federation Services
http://technet.microsoft.com/en-us/library/bb691348.aspx

August 24, 2011 | Unregistered Commenter shadowman

The TechNet article seems to describe exactly the same method as this article. Anyway, following the TechNet article doesn't solve the problem: OWA still does not start.

August 25, 2011 | Unregistered Commenter Snipe Foo

Any info about configuring Exchange 2010 SP1 for ADFS 2.0? After using FedUtil, the authentication module does not redirect to the federation service.

September 13, 2011 | Unregistered Commenter Eagler
