
Enable ADFS Authentication on Exchange 2016

Is it possible to use ADFS authentication with a Microsoft Exchange 2016 server? Sure!
A customer asked me that question a few days ago; they have mailboxes on premises and in Exchange Online. ADFS could provide a great way to bring the same login experience to both.

Here are two GIST Files that configured everything for them 😉

# Gist 1: run this on an AD FS farm member server (it needs the ADFS PowerShell module).

# Execute this on or against your Exchange Server:
# (Get-OwaVirtualDirectory).ExternalUrl.AbsoluteUri
[string]$ExchangeOWAURL = 'FILL_IN_THE_INFO'

# Execute this on or against your Exchange Server:
# (Get-EcpVirtualDirectory).ExternalUrl.AbsoluteUri
[string]$ExchangeECPURL = 'FILL_IN_THE_INFO'

<#
	Disclaimer:
	They use the same URL for internal and external access.
#>

# Authorization rule: permit every user who authenticated against AD FS
[string]$IssuanceAuthorizationRules = '@RuleTemplate = "AllowAllAuthzRule"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Transform rules: Exchange needs exactly two claims, the primary SID and the UPN of the user
[string]$IssuanceTransformRules = '@RuleName = "ActiveDirectoryUserSID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"), query = ";objectSID;{0}", param = c.Value);

@RuleName = "ActiveDirectoryUPN"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);'

# Apply the new rules: one relying party trust per Exchange URL.
# The -Identifier is what ends up as the token audience, so it has to match the
# value you later pass to Set-OrganizationConfig -AdfsAudienceUris byte for byte
# (a missing or extra trailing slash is the usual reason OWA rejects the token).
Add-ADFSRelyingPartyTrust -Name 'Outlook Web App' -Enabled $true -Notes ('This is a trust for {0}' -f $ExchangeOWAURL) -WSFedEndpoint $ExchangeOWAURL -Identifier $ExchangeOWAURL -IssuanceTransformRules $IssuanceTransformRules -IssuanceAuthorizationRules $IssuanceAuthorizationRules

Add-ADFSRelyingPartyTrust -Name 'Exchange Admin Center (EAC)' -Enabled $true -Notes ('This is a trust for {0}' -f $ExchangeECPURL) -WSFedEndpoint $ExchangeECPURL -Identifier $ExchangeECPURL -IssuanceTransformRules $IssuanceTransformRules -IssuanceAuthorizationRules $IssuanceAuthorizationRules

# Gist 2: run this in the Exchange Management Shell (or an Exchange remote PowerShell session).

# Execute this on or against your Exchange Server:
# (Get-OwaVirtualDirectory).ExternalUrl.AbsoluteUri
[string]$ExchangeOWAURL = 'FILL_IN_THE_INFO'

# Execute this on or against your Exchange Server:
# (Get-EcpVirtualDirectory).ExternalUrl.AbsoluteUri
[string]$ExchangeECPURL = 'FILL_IN_THE_INFO'

# Get the issuer URL (the AD FS passive endpoint, https://<HostName><FederationPassiveAddress>,
# which is normally https://<adfs-host>/adfs/ls/)
# Execute the following on your main ADFS Server:
# Get-AdfsProperties | Select-Object HostName, FederationPassiveAddress
[string]$ADFSURL = 'https://FILL_IN_THE_INFO'

# Get the token-signing certificate thumbprint (Exchange validates the token signature with it)
# Execute the following on your main ADFS Server:
# Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary | Select-Object Thumbprint
# Note: with AD FS AutoCertificateRollover enabled this certificate is replaced automatically;
# whenever it rolls over, this thumbprint has to be updated in Exchange as well.
[string]$AdfsSignCertThumbprint = 'FILL_IN_THE_INFO'

# Define a new array with the audience URIs (must match the relying party trust identifiers in AD FS)
$uris = @($ExchangeOWAURL, $ExchangeECPURL)

# Apply the new Exchange Organisation settings
Set-OrganizationConfig -AdfsIssuer $ADFSURL -AdfsAudienceUris $uris -AdfsSignCertificateThumbprint $AdfsSignCertThumbprint

# Enable AD FS only (Get-*VirtualDirectory returns the front-end "Default Web Site" directories only,
# the back-end ones keep their settings). Restart IIS on each Mailbox server afterwards
# (e.g. iisreset /noforce) so the new authentication settings take effect.
Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false

Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false -OAuthAuthentication $false

# If you want to revert to the default authentication settings:
#Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -AdfsAuthentication $false -BasicAuthentication $true -DigestAuthentication $true -FormsAuthentication $true -WindowsAuthentication $true -OAuthAuthentication $false

#Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -AdfsAuthentication $false -BasicAuthentication $true -DigestAuthentication $true -FormsAuthentication $true -WindowsAuthentication $true

The files above are part of my configuration script; the only part missing is the connection handling. I use one script that connects to all involved systems via remote PowerShell and runs everything as one big script.
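Before handing this to users it pays to verify that both sides actually agree, because Exchange pins one issuer, one list of audience URIs and one signing thumbprint, and a mismatch shows up only as a failed OWA login. The following is an added example (my code, not part of the original post or the author's gists): a pure comparison function you feed with the values from AD FS and Exchange, plus a constructed sample run. The hostnames, URLs and thumbprints are made-up sample values; the cmdlets named in the comments (Get-AdfsProperties, Get-AdfsRelyingPartyTrust, Get-AdfsCertificate, Get-OrganizationConfig) are the real ones you would use to gather live data.

```powershell
# Added example, not part of the original post: check that what AD FS will put into
# the token matches what Exchange was told to expect, before anybody is locked out of OWA/ECP.
# All names, URLs and thumbprints in the sample below are constructed values.

function Test-ExchangeAdfsConsistency {
    # Pure comparison, no remoting. Gather the inputs on each side, for example:
    #   AD FS side:    $p  = Get-AdfsProperties
    #                  $rp = Get-AdfsRelyingPartyTrust
    #                  $c  = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary
    #   Exchange side: $o  = Get-OrganizationConfig
    # Emits one string per finding; no output means both sides agree.
    [CmdletBinding()]
    [OutputType([string])]
    param(
        [Parameter(Mandatory)] [string[]] $AdfsRpIdentifiers,           # $rp.Identifier
        [Parameter(Mandatory)] [string]   $AdfsHostName,                # $p.HostName
        [Parameter(Mandatory)] [string]   $AdfsPassiveAddress,          # $p.FederationPassiveAddress
        [Parameter(Mandatory)] [bool]     $AdfsAutoCertificateRollover, # $p.AutoCertificateRollover
        [Parameter(Mandatory)] [string]   $AdfsTokenSigningThumbprint,  # $c.Thumbprint
        [Parameter(Mandatory)] [datetime] $AdfsTokenSigningNotAfter,    # $c.Certificate.NotAfter
        [Parameter(Mandatory)] [string]   $ExchangeAdfsIssuer,          # $o.AdfsIssuer
        [Parameter(Mandatory)] [string[]] $ExchangeAudienceUris,        # $o.AdfsAudienceUris
        [Parameter(Mandatory)] [string]   $ExchangeSignThumbprint       # $o.AdfsSignCertificateThumbprint
    )

    $findings = New-Object 'System.Collections.Generic.List[string]'

    # 1. Every audience URI Exchange sends as wtrealm must exist as a relying party identifier.
    #    The comparison is case-insensitive; the trailing slash is the usual culprit.
    foreach ($uri in $ExchangeAudienceUris) {
        if ($AdfsRpIdentifiers -notcontains $uri) {
            $findings.Add("Audience URI '$uri' has no matching relying party identifier in AD FS (check the trailing slash).")
        }
    }

    # 2. The issuer Exchange expects must be the AD FS passive endpoint.
    $expectedIssuer = 'https://{0}{1}' -f $AdfsHostName, $AdfsPassiveAddress
    if ($ExchangeAdfsIssuer.TrimEnd('/') -ne $expectedIssuer.TrimEnd('/')) {
        $findings.Add("AdfsIssuer '$ExchangeAdfsIssuer' does not match the AD FS passive endpoint '$expectedIssuer'.")
    }

    # 3. Exchange pins exactly one signing thumbprint; normalise whitespace and case before comparing.
    $exThumb   = ($ExchangeSignThumbprint     -replace '\s', '').ToUpperInvariant()
    $adfsThumb = ($AdfsTokenSigningThumbprint -replace '\s', '').ToUpperInvariant()
    if ($exThumb -ne $adfsThumb) {
        $findings.Add('AdfsSignCertificateThumbprint does not match the primary AD FS token-signing certificate.')
    }

    # 4. Rollover warning: with AutoCertificateRollover enabled, AD FS replaces the token-signing
    #    certificate before it expires and Exchange will reject the newly signed tokens until
    #    Set-OrganizationConfig is run again with the new thumbprint.
    $daysLeft = [int]($AdfsTokenSigningNotAfter - (Get-Date)).TotalDays
    if ($AdfsAutoCertificateRollover) {
        $findings.Add("AutoCertificateRollover is enabled and the token-signing certificate expires in $daysLeft days; schedule the thumbprint update in Exchange (or disable rollover and manage the certificate yourself).")
    }

    $findings.ToArray()
}

# Constructed sample input (not live data): the OWA trust was created without the trailing
# slash that Exchange has in its audience list, and rollover is left at the AD FS default.
$sample = @{
    AdfsRpIdentifiers           = @('https://mail.example.com/owa', 'https://mail.example.com/ecp/')
    AdfsHostName                = 'adfs.example.com'
    AdfsPassiveAddress          = '/adfs/ls/'
    AdfsAutoCertificateRollover = $true
    AdfsTokenSigningThumbprint  = '0123456789ABCDEF0123456789ABCDEF01234567'
    AdfsTokenSigningNotAfter    = (Get-Date).AddDays(30)
    ExchangeAdfsIssuer          = 'https://adfs.example.com/adfs/ls/'
    ExchangeAudienceUris        = @('https://mail.example.com/owa/', 'https://mail.example.com/ecp/')
    ExchangeSignThumbprint      = '0123456789abcdef0123456789abcdef01234567'
}

$findings = @(Test-ExchangeAdfsConsistency @sample)
if ($findings.Count -eq 0) {
    'OK: AD FS relying party trusts and Exchange organization config agree.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

With the sample values the run reports two findings: the OWA audience URI without a matching identifier, and the rollover warning. The thumbprint check passes despite the lower-case value on the Exchange side, which is why the normalisation is there; in a real run you would replace the sample hashtable with the values collected through the two remote sessions mentioned above.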

Update:
I published a troubleshooting article!

Published in PowerShell

10 Comments

  1. Joerg Hochwald

    Sorry, I forgot to mention:
    This will work with Exchange 2013 (Min SP1, or newer) as well. Nevertheless, the customer updated to 2016 a while ago, so I developed it with Exchange 2016 in mind.

    However, I did some tests with Exchange 2013 with CU14.

  2. AL

    What about ActiveSync/Outlook/EWS using ADFS with Exchange 2016?

    • Joerg Hochwald

      Al,
      the Stuff above works with OWA and ECP.
      Honestly, never tried it with EAS (Active Sync) or Outlook (MAPI).
      You have to check the corresponding VirtualDirectory command, if they support “AdfsAuthentication”, you might give it a try. And I think it should work 🙂

      Honestly, I never tried it. The command above was my idea for a hybrid environment. So the OWA and especially the ECP stuff work with the same login. If not, I have to login separately for on premises and Office 365.

      Let me know if it works for you.

  3. AL

    Thanks! I will have to test it out. Most likely it will be some form of pass through authentication or requirement to use modern authentication, but that won’t be available until Exchange 2019.

    • Joerg Hochwald

      Hi,

      I will post a minor update for that… There are a few things that need to be tweaked to support EAS and some others.
      I will evaluate that during the week.

    • Joerg Hochwald

      Microsoft published a how to that covers modern Authentication with on premise exchange servers: https://blogs.technet.microsoft.com/exchange/2017/12/06/announcing-hybrid-modern-authentication-for-exchange-on-premises/

  4. AuzOZ

    How to set up the WAP servers for ADFS OWA? Thank you.

    • Joerg Hochwald

      The WAP role is just a reverse proxy that doesn’t need any configuration to do this.
      The only reason to use the WAP role instead of an Apache/NGINX or load balancer: tell the ADFS service that the traffic is external.

      In plain English: Nothing, it will just work if your WAP is working properly.

  5. vecon20

    I think the top portion/window of the code should be executed on the ADFS server, is that correct?

    • Joerg Hochwald

      Hi vecon20,

      correct! The 1st one needs to run on one of the ADFS Farm member servers. The 2nd one on one of the Exchange servers.

      If, and only if, you have installed the ADFS PowerShell module and use remote PowerShell for Exchange, you can run it all from one system. This is what I do (I have a dedicated admin system (VM) running for such tasks).
