OWA and ECP login with AD FS through the WAP

It is possible to make the Exchange services available through the Web Application Proxy with AD FS Authentication.
One of the big advantages, in my opinion, is that you can offer your users the same login page for all the services that use AD FS.

In this article I'm assuming you've already installed and configured AD FS (and the Web Application Proxy (WAP)), and wish to configure the settings for Exchange Server.

Configuring the AD FS Server

Personally I like to automate things, so I will be giving you the configuration as PowerShell commands.

# OWA URL
[string]$ExchangeOWAURL = Read-Host "Your OWA URL. If unsure, run '(Get-OwaVirtualDirectory).ExternalUrl.AbsoluteUri' on your Exchange server."
# ECP URL
[string]$ExchangeECPURL = Read-Host "Your ECP URL. If unsure, run '(Get-EcpVirtualDirectory).ExternalUrl.AbsoluteUri' on your Exchange server."

# Issuance authorization rule: permit every user that AD FS has authenticated
[string]$IssuanceAuthorizationRules = '@RuleTemplate = "AllowAllAuthzRule"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Issuance transform rules: Exchange needs the user's primary SID and UPN as claims,
# both looked up in Active Directory from the Windows account name
[string]$IssuanceTransformRules = '@RuleName = "ActiveDirectoryUserSID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"), query = ";objectSID;{0}", param = c.Value);

@RuleName = "ActiveDirectoryUPN"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);'

# Create one relying party trust per URL and apply the rules
Add-ADFSRelyingPartyTrust -Name 'Outlook Web App' -Enabled $true -Notes ('This is a trust for {0}' -f $ExchangeOWAURL) -WSFedEndpoint $ExchangeOWAURL -Identifier $ExchangeOWAURL -IssuanceTransformRules $IssuanceTransformRules -IssuanceAuthorizationRules $IssuanceAuthorizationRules
Add-ADFSRelyingPartyTrust -Name 'Exchange Control Panel' -Enabled $true -Notes ('This is a trust for {0}' -f $ExchangeECPURL) -WSFedEndpoint $ExchangeECPURL -Identifier $ExchangeECPURL -IssuanceTransformRules $IssuanceTransformRules -IssuanceAuthorizationRules $IssuanceAuthorizationRules

This script will prompt you for the needed information and then configure your AD FS server for Exchange authentication.
Now that the relying party trusts and their rules exist, we can configure the WAP.

Configuring the Web Application Proxy (WAP)

Even though PowerShell is usually easier, I prefer publishing the web applications through the GUI (simply because it lets you pick the certificate and you won't have to hunt for the thumbprint).

On the first screen, choose AD FS pre-authentication.

Choose Web and MSOFBA.

Choose the Outlook Web App relying party (or Exchange Control Panel; you have to repeat the same steps to publish the ECP).

Fill in the information on the form; again, use either /owa/ or /ecp/, depending on which one you are configuring.
Make sure the URL ends with a '/'; if it does not, you will receive an error.

Lastly, confirm the settings and press Configure.

Repeat the same steps for the ECP as for OWA, replacing owa with ecp where needed.
After this we have to publish rules for Autodiscover, EWS, MAPI, OAB, Outlook Anywhere and ActiveSync.
(If you know you don't use some of these services, feel free to skip them.)

The URLs for these services are:

  1. https://your.emaildomain.com/rpc/  (Outlook Anywhere)
  2. https://your.emaildomain.com/oab/ (Offline Address Book)
  3. https://your.emaildomain.com/Microsoft-Server-ActiveSync/
  4. https://your.emaildomain.com/EWS/  (Exchange Web Services)
  5. https://your.emaildomain.com/MAPI/
  6. https://your.emaildomain.com/Autodiscover/

Again, in the interface choose Publish new Application.
This time, however, choose "Pass-Through".

And fill in the information for each of the URLs like this:

After this your WAP is configured for the Exchange URLs, and all that is left is to tell Exchange to use AD FS authentication instead of forms-based or Windows authentication.
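The same publishing done from PowerShell on the WAP server, as an added example that is not from the original post: it selects the certificate by subject name (so there is no thumbprint to hunt), publishes OWA and ECP with AD FS pre-authentication against the relying party trusts created earlier, and publishes the remaining URLs as pass-through. The hostnames are placeholders; the plain ADFS pre-authentication value used here is the one available on every WAP version, and whether your version exposes a separate value for the wizard's "Web and MSOFBA" choice is an assumption to check with Get-Help Add-WebApplicationProxyApplication.

```powershell
# Added example (not the original post's code). Run on the WAP server after the AD FS trusts exist.
$ExternalHost = 'your.emaildomain.com'            # placeholder: the name users type in the browser
$BackendHost  = 'exchange.internal.example'       # placeholder: the Exchange server the WAP forwards to

# Pick the certificate by name instead of hunting for the thumbprint; newest one wins
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$ExternalHost*" -or $_.DnsNameList.Unicode -contains $ExternalHost } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $ExternalHost found in the machine store" }

# OWA and ECP: AD FS pre-authentication, bound to the relying party trust of the same name
$preauth = [ordered]@{
    'Outlook Web App'        = '/owa/'
    'Exchange Control Panel' = '/ecp/'
}
foreach ($trust in $preauth.Keys) {
    $path = $preauth[$trust]      # the trailing slash is required, as noted above
    Add-WebApplicationProxyApplication -Name $trust `
        -ExternalPreauthentication ADFS `
        -ADFSRelyingPartyName $trust `
        -ExternalUrl "https://$ExternalHost$path" `
        -BackendServerUrl "https://$BackendHost$path" `
        -ExternalCertificateThumbprint $cert.Thumbprint
}

# Remaining client protocols: pass-through, so authentication stays on Exchange itself
$passthrough = '/rpc/', '/oab/', '/Microsoft-Server-ActiveSync/', '/EWS/', '/MAPI/', '/Autodiscover/'
foreach ($path in $passthrough) {
    Add-WebApplicationProxyApplication -Name ('Exchange ' + $path.Trim('/')) `
        -ExternalPreauthentication PassThrough `
        -ExternalUrl "https://$ExternalHost$path" `
        -BackendServerUrl "https://$BackendHost$path" `
        -ExternalCertificateThumbprint $cert.Thumbprint
}

# Review what was published and with which pre-authentication mode
Get-WebApplicationProxyApplication | Format-Table Name, ExternalPreauthentication, ExternalUrl -AutoSize
```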

Configuring Exchange Server

This is done with another PowerShell script, shown below.
Note: at the end, the script restarts the IIS services on your Exchange server. If you have multiple servers you must do the same on the other servers.

# Collect the external URLs, the AD FS hostname and the token-signing certificate thumbprint
$OwaURL = (Get-OwaVirtualDirectory).ExternalUrl.AbsoluteUri
$ECPUrl = (Get-EcpVirtualDirectory).ExternalUrl.AbsoluteUri
$ADFSUrl = Read-Host "Please enter your AD FS hostname (without https://)"
$CertThumbprint = Read-Host "Please enter the token-signing certificate thumbprint; run this on your AD FS server: 'Get-AdfsCertificate -CertificateType Token-Signing | ft Thumbprint'"

# Exchange only accepts tokens from this issuer, for these audience URIs, signed with this certificate
$uris = @($OwaURL, $ECPUrl)
Set-OrganizationConfig -AdfsIssuer "https://$ADFSUrl/adfs/ls/" -AdfsAudienceUris $uris -AdfsSignCertificateThumbprint $CertThumbprint

# Switch OWA and ECP to AD FS authentication and turn every other method off
Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false
Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false -OAuthAuthentication $false

# Restart IIS so the change takes effect (-Force is needed because W3SVC depends on WAS)
Restart-Service -Name WAS,W3SVC -Force
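Because the note above says every server has to be changed, here is an added check (not from the original post) to run in the Exchange Management Shell afterwards: it walks every OWA and ECP virtual directory, reports any server still allowing forms, Windows, basic or digest authentication, and confirms that each external URL is listed in AdfsAudienceUris, since a URL missing there means Exchange will reject the AD FS token for that address.

```powershell
# Added example (not the original post's code). Run in the Exchange Management Shell.
$expected = [ordered]@{
    AdfsAuthentication    = $true
    FormsAuthentication   = $false
    WindowsAuthentication = $false
    BasicAuthentication   = $false
    DigestAuthentication  = $false
}

# Audience URIs as plain strings so they compare cleanly with the directories' URLs
$audiences = @((Get-OrganizationConfig).AdfsAudienceUris | ForEach-Object { ([uri]$_).AbsoluteUri })
$problems  = @()

$dirs = @(Get-OwaVirtualDirectory) + @(Get-EcpVirtualDirectory)
foreach ($dir in $dirs) {
    # Every authentication switch must match the intended state on every server
    foreach ($setting in $expected.Keys) {
        if ($dir.$setting -ne $expected[$setting]) {
            $problems += '{0}: {1} is {2}, expected {3}' -f $dir.Identity, $setting, $dir.$setting, $expected[$setting]
        }
    }
    # A directory without an ExternalUrl is not reachable through the WAP; skip the audience check
    if (-not $dir.ExternalUrl) {
        $problems += '{0}: no ExternalUrl set' -f $dir.Identity
        continue
    }
    $url = $dir.ExternalUrl.AbsoluteUri
    if ($audiences -notcontains $url) {
        $problems += '{0}: external URL {1} is not in AdfsAudienceUris' -f $dir.Identity, $url
    }
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output 'All OWA/ECP virtual directories use AD FS authentication only and are listed as audiences.'
}
```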

Completed, time for testing!

After all these steps you have finished setting up your Exchange server to authenticate with AD FS.
For internal users it is important that the adfs.domain.com URL is added to the Local intranet zone; this way SSO will work properly.
When you go to your OWA address internally, it should now log you in automatically.
If you want browsers other than Internet Explorer to do SSO as well, follow this guide.

External users should be shown the AD FS sign-in page.

10 thoughts on “OWA and ECP login with AD FS through the WAP”

  1. Is 'pass-through' really needed for the other services?
    Does this mean that the authentication of these service will be done on the Exchange server instead of the ADFS server?

    We are looking for a MFA solution for our on-premise Exchange, in my opinion ADFS (in combination with MFA) will only work for OWA and not for mobile phones and Outlook clients, is that correct?

  2. Hello Reinier,

    Nice post.

    What are the implications of turning on ADFS authentication on the OWA directory? Will this have a knock-on effect on internal webmail, or will it continue as normal?

    Also, I am using ADFS and WAP on 2012 R2: are these versions ok to achieve the above? I notice some of the wizards you show are slightly different.

    Many thanks,

    Brian

    1. Internal webmail will also go through ADFS then, if you have it added in the trusted zone of your browser it should SSO the users. (If they are logged in on the machine under their own name obviously.)

  3. I followed your setup, using Windows Server 2019 and Exchange 2019. Login works.
    But for some reason owa and ecp are very slow in loading the page when accessed through the WAP, from the lan and from the internet. OWA says 'Still working on it…' for minutes. In the end, the pages are shown.
    Do you know what could cause this? Thanks!

    Jac

    1. I'm afraid I have not run into this issue.
      Is the WAP in a DMZ? And did you try perhaps publishing another page using passthrough or anything simply to test if that is also slow?

      1. Yes, the WAP is in DMZ. But I found the problem: It seems to be an old problem that still has not been solved in Windows Server 2019. You have to disable HTTP/2 in Windows on the WAP and that solved it.
        You need to add this key:
        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]

        "EnableDefaultHttp2"=dword:00000000

        And I forgot to mention: Thanks a lot for your post! It was very helpful in configuring the WAP.

        Jac

  4. Thanks Jac for this solution! I ran into this issue and owa and ecp were very slow… Adding registry key did the trick! Great!
    Just a question, how do you receive email using WAP and ADFS? May I open TCP Ports? Nothing seems to be received when I send an email from the external domain. Sending from it seems working fine…

    1. The mailflow remains the same as before.
      The ADFS/WAP solution is only for the client access (OWA/ECP/ActiveSync)
      SMTP (port 25/587(?)) remains the same; this does not go through the WAP.
      Either directly to exchange or an Antispam machine you put in between
