OWA and ECP login with AD FS through the WAP

It is possible to make the Exchange services available through the Web Application Proxy with AD FS Authentication.
One of the big positive sides in my opinion is that you can offer your users the same kind of login page for all the services which use AD FS.

In this article I’m assuming you’ve already installed and configured AD FS(and the Web Application Proxy(WAP)), and wish to configurate the settings for Exchange server.

Configuring the AD FS Server

Personally I like to automate things, so I will be offering you the configurations by powershell commands.

#Owa URL
[string]$ExchangeOWAURL = Read-Host "Your OWA URL, If unsure run: '(Get-OwaVirtualDirectory).ExternalUrl.AbsoluteUri' on your Exchange server."
[string]$ExchangeECPURL = Read-Host "Your ECP URL, if unsure run: '(Get-EcpVirtualDirectory).ExternalUrl.AbsoluteUri' on your exchange server"

# Create the new ADFS Rule
[string]$IssuanceAuthorizationRules = '@RuleTemplate = "AllowAllAuthzRule"

	=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit",
Value = "true");'

# Create the new ADFS Rule
[string]$IssuanceTransformRules = '@RuleName = "ActiveDirectoryUserSID"
	c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]

	=> issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"), query = ";objectSID;{0}", param = c.Value); 

	@RuleName = "ActiveDirectoryUPN"
	c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] 

=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);'

# Apply the new Rules
Add-ADFSRelyingPartyTrust -Name 'Outlook Web App' -Enabled $true -Notes ('This is a trust for {0}' -f $ExchangeOWAURL) -WSFedEndpoint $ExchangeOWAURL -Identifier $ExchangeOWAURL -IssuanceTransformRules $IssuanceTransformRules -IssuanceAuthorizationRules $IssuanceAuthorizationRules
Add-ADFSRelyingPartyTrust -Name 'Exchange Control Panel' -Enabled $true -Notes ('This is a trust for {0}' -f $ExchangeECPURL) -WSFedEndpoint $ExchangeECPURL -Identifier $ExchangeECPURL -IssuanceTransformRules $IssuanceTransformRules -IssuanceAuthorizationRules $IssuanceAuthorizationRules

This script will ask you for the needed information, if you provide it, it shall configure your AD FS Server for the Exchange Authentication.
Now that you have created the rules we can configure the WAP

Configuring the Web Application Proxy (WAP)

Even though powershell is usually easier, I prefer publishing the web applications through the GUI (simply cause it will let you pick the certificate and you wont have to hunt the thumbprint).

In the first screen, you will have to choose for AD FS Pre authentication

Choose for Web and MSOFBA 

Choose for the Outlook Web App rule or Exchange Control Panel (Since you have to repeat the same steps to publish the ECP)

Fill in the information on the form, again either /owa/ or /ecp/ depends which on your are configuring.
Be sure that at the end of the URL there is a ‘/’ if not you will receive an error.

And lastly confirm the settings and press Configure

Repeat the same steps for the ECP as for OWA, only replace owa with ecp where needed.
After this we will have to publish rules for Autodiscover, EWS, MAPI, OAB, Outlook Anywhere and Active Sync.
(if you know you dont use some of the services feel free to skip them.)

The URL’s for these services are:

  1. https://your.emaildomain.com/rcp/  (Outlook Anywhere)
  2. https://your.emaildomain.com/oab/ (Offline Address Book)
  3. https://your.emaildomain.com/Microsoft-Server-ActiveSync/
  4. https://your.emaildomain.com/EWS/  (Exchange Web Services)
  5. https://your.emaildomain.com/MAPI/
  6. https://your.emaildomain.com/Autodiscover/

Again in the interface choose for Publish new Application
This time however choose for “Pass-Through”

And fill in the information for each of the URL’s like this:

After this your WAP is configured for the Exchange URL and then all that is left to do is to tell Exchange to use ADFS Authentication instead of Forms/windows.

Configuring Exchange Server

This will be done with another powershell script, as below: 
Note: At the end of the script it will restart the IIS Service of your Exchange server, If you have multiple servers you must do the same on the other servers.

$OwaURL = (Get-OwaVirtualDirectory).ExternalUrl.AbsoluteUri
$ECPUrl = (Get-EcpVirtualDirectory).ExternalUrl.AbsoluteUri
$ADFSUrl = Read-Host "Please enter your ADFS URL"
$CertThumbprint = Read-Host "Please enter the TokenSigning certificate thumbprint; Run this on your AD FS Server: 'Get-AdfsCertificate -CertificateType Token-Signing | ft Thumbprint' "

$uris = @($OwaURL, $ECPUrl)
Set-OrganizationConfig -AdfsIssuer "https://$ADFSUrl/adfs/ls/" -AdfsAudienceUris $uris -AdfsSignCertificateThumbprint $CertThumbprint
Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false
Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false -OAuthAuthentication $false

Restart-Service W3SVC,WAS -noforce

Completed, time for testing!

After all these steps you have finished setting up your Exchange server to authenticate with AD FS.
Important is that for the internal user the adfs.domain.com url is added to the local intranet zone this way SSO will work properly.
When you go to your OWA Address internally it should automaticly log you in now.
If you wish for Other browsers beside Internet explorer to be SSO follow this guide

As for the external user, they should get to see AD FS Sign in Page.

2 thoughts on “OWA and ECP login with AD FS through the WAP”

  1. Is ‘pass-through’ realy needed for the other services?
    Does this mean that the authentication of these service will be done on the Exchange server instead of the ADFS server?

    We are looking for a MFA solution for our on-premise Exchange, in my opinion ADFS (in combination with MFA) will only work for OWA and not for mobilephones and Outlook clients, is that correct?

Leave a Reply

Your email address will not be published. Required fields are marked *