Adding OWA 2010

Note: Before attempting this configuration, ensure that every setting and configuration file you are about to modify is backed up independently.

Note: This configuration is only compatible with Outlook Web App (OWA) on Exchange 2010.

  1. Configuration Steps:
  2. Select Directory Manager.
  3. Select Groups.
  4. Name the Group OWA Users and select ADD GROUP.
     Note: If you have other existing Groups for SSO users you can use one of these instead.
     Select SSO Manager.
     Select the green plus sign in the bottom right corner.
     Select the Catalog icon.
  5. Select Outlook Web Access.
  6. Select Application is Enabled.
  7. Select your desired Authentication Policy.
  8. Select Protocol Setup and
    Update the Reply To URL value to match the FQDN of your Exchange host.
    Update the Audience URI value to match the FQDN of your Exchange host.
  9. Select Attribute Transformation.
  10. Verify that the User.EmailAddress property carries the correct value to send as the user's UPN in Active Directory.
    Note: If this value does not work, consider a custom transform such as "{User.PrincipalName}@domain.com", which generates a value of the form "name@domain.com".
    Note: Exchange explicitly requires the PrimarySid claim and will not sign a user in unless the value matches the user's SID. This attribute was added to the sync set recently and may require a minor configuration update to include it in the DirSync process; you can find the steps to update the synchronization below.
    If you have not configured Directory Synchronization, you will need to supply this value manually as a custom attribute for each user.
  11. Select Add Application 
  12. Select Permissions.
  13. Select Add Groups.
  14. Select the Group you chose in Step 4.
  15. Select the green plus sign in the bottom right corner.

Step 1 – Ensure that Windows Identity Foundation (WIF) is installed on Exchange server

Windows Identity Foundation (WIF) is Microsoft's framework for building claims-aware applications. It is a core component of the OWA single sign-on configuration (the authentication modules and token handlers added to web.config below come from it) and must be installed before proceeding.

You can download WIF from Microsoft’s Download Center.

Step 2 – Modify the C2WTShost.exe.config File

  1. Run Notepad elevated (Run as Administrator) and open C:\Program Files\Windows Identity Foundation\v3.5\c2wtshost.exe.config
  2. Add the following values if they are not already present. Only the identities listed under <allowedCallers> may ask C2WTS to turn a claims identity into a Windows token, so keep the list to the account the OWA application pool runs as (Local System on Exchange 2010):

    <allowedCallers>
      <clear />
      <add value="NT AUTHORITY\System" />
    </allowedCallers>

  3. Save the file

Step 3 – Enable the C2WTS Service.

  1. Open services.msc
  2. In the list of services look for Claims to Windows Token Service
  3. Right-click on this service and select Properties
  4. Ensure the Startup type is set to Automatic.
  5. Ensure the service is running; click Start if the button is not greyed out.

Step 4 – Configure the OWA Application in AuthAnvil SSO

Note: Back up the OWA web.config and ECP web.config by copying them to a safe location before attempting this configuration.

Adding the application in the On-Demand Tenant

  1. Log in to AuthAnvil Two Factor Auth and click on the Single Sign On tab.
  2. Expand Applications and click on Add New Application.
  3. Fill out the following information specific to your exchange environment:
    1. Display Name: Outlook Web
    2. Reply To URL: https://<your exchange server>/owa/
    3. Audience URI: https://<your exchange server>/owa/
    4. Protocol: WS-Federation
    5. Token Lifetime: 480 Minutes

    Note: Make sure both URLs end with /owa/, including the trailing slash. The Audience URI must match the audienceUris value you will place in web.config character for character, or WIF will reject the token.

  4. Once your configuration is complete, click Save Changes.
  5. Click into the Outlook Web application that we just created so we can modify the attribute settings.
  6. At the top of the Application Settings click Edit Attribute Maps to open up the attribute editor.
  7. Click Create New Map and create an attribute with the following settings:
    1. Attribute Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
    2. Value: {Email}

    Note: If your normal OWA login only requires the username and not the full email address, select {Username} for the value of the above attribute.

    This attribute lets AuthAnvil SSO send the email address on your 2FA account as the UPN claim that OWA uses as the login.

  8. Click Save Changes to apply this attribute.

Step 5 – Update the OWA web.config

  1. Run Notepad elevated (Run as Administrator) and open C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa\Web.config
  2. At the top of the file, immediately after the opening <configuration> tag, add the following lines:

    <!-- SSO -->
    <configSections>
      <section name="microsoft.identityModel" type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    </configSections>
    <!-- /SSO -->

  3. Find the <modules> tag and update it to reflect <modules runAllManagedModulesForAllRequests="true">
  4. Inside the <modules> section, before the <add> entry for "OwaModule", add the following lines (the federation module must run before OWA's own module so the request already carries an authenticated identity):

    <!-- SSO -->
    <add name="WSFederationAuthenticationModule" type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" />

    <add name="SessionAuthenticationModule" type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" />
    <!-- /SSO -->

  5. Modify (or add) the <authorization> and <authentication> tags below the <system.web> tag to reflect the following lines:

    <!-- SSO -->
    <authorization><deny users="?" /></authorization>
    <authentication mode="None" />
    <!-- /SSO -->

    Note: The line <authentication mode="Windows" /> may already exist in your configuration. If so, only add the authorization tag above and ignore the authentication tag. The <deny users="?" /> rule is what turns an unauthenticated request into a WS-Federation redirect instead of an anonymous page.
  6. Get the certificate "Thumbprint" of the AuthAnvil SSO signing certificate for the Outlook Web application. Download the certificate from the Outlook Web application in AuthAnvil Single Sign On, open it, click the Details tab, scroll to the bottom and select the Thumbprint item. Copy the value, remove all spaces and change all letters to UPPERCASE. A simple way to do this is to open a PowerShell window and run:
    "<paste thumbprint here>".ToUpper().Replace(" ", "")
    If the result has a ? in front of it, remove it: it is an invisible left-to-right mark (U+200E) that the certificate dialog puts ahead of the thumbprint when you copy it, and WIF will not match a thumbprint that still contains it. The result must be exactly 40 hexadecimal characters (a SHA-1 thumbprint). You will need this uppercase value for the next step.
  7. Add the following lines right after </runtime> (near the end of the file). Replace the placeholders in angle brackets and the thumbprint to match your OWA and AuthAnvil SSO server configuration:

    <!-- SSO -->
    <microsoft.identityModel>
      <service>
        <audienceUris>
          <add value="https://<OWA FQDN>/owa/" />
        </audienceUris>
        <securityTokenHandlers>
          <add type="Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
            <samlSecurityTokenRequirement mapToWindows="true" useWindowsTokenService="true" />
          </add>
        </securityTokenHandlers>
        <federatedAuthentication>
          <wsFederation passiveRedirectEnabled="true" issuer="https://<SSO FQDN>/sso/federation/passive/wsfed" realm="https://<OWA FQDN>/owa/" requireHttps="true" />
          <cookieHandler requireSsl="true" />
        </federatedAuthentication>
        <applicationService>
        </applicationService>
        <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
          <trustedIssuers>
            <add thumbprint="A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6ABCD" name="uri:authanvil:sso:site1" />
          </trustedIssuers>
        </issuerNameRegistry>
        <certificateValidation certificateValidationMode="None" />
      </service>
    </microsoft.identityModel>
    <!-- /SSO -->


    Note: "uri:authanvil:sso:site1" represents the Token Issuer Name in the AuthAnvil Manager -> Single Sign On -> Server Settings, and the thumbprint is the uppercase value from the previous step.

    Note: mapToWindows="true" together with useWindowsTokenService="true" is what hands the UPN claim to the C2WTS service from Steps 2 and 3 to obtain a Windows token for the mailbox user.

    Note: certificateValidationMode="None" turns off chain and revocation checking of the token signing certificate, so the pinned thumbprint in <trustedIssuers> is the only thing that decides whose tokens OWA accepts. Keep exactly one entry there, and keep requireHttps and requireSsl set to true so the sign-in redirect and the session cookie are never sent over plain HTTP.

  8. Save the file.

Step 6 – Update ECP

The Exchange Control Panel (ECP) is the section of Outlook Web that manages user details such as changing a password, setting an Inbox rule, or configuring automatic replies. It requires an additional configuration change that is almost identical to the /owa/web.config change in Step 5, but the file serves a different application, so do not copy the owa web.config over the ecp web.config.

    1. Run Notepad elevated (Run as Administrator) and open C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\ecp\Web.config
    2. At the top of the file, immediately after the opening <configuration> tag, add the following lines:

      <!-- SSO -->
      <configSections>
        <section name="microsoft.identityModel" type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
      </configSections>
      <!-- /SSO -->

    3. Find the <modules> tag and update it to reflect <modules runAllManagedModulesForAllRequests="true">
    4. Inside the <modules> section, after the <remove name="ServiceModel" /> line and immediately before <add name="PerformanceConsoleModule" />, add the following lines:

      <!-- SSO -->
      <add name="WSFederationAuthenticationModule" type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" />

      <add name="SessionAuthenticationModule" type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" />
      <!-- /SSO -->

    5. Get the certificate "Thumbprint" of the AuthAnvil SSO signing certificate for the Outlook Web application (the same certificate as in Step 5). Download the certificate from the Outlook Web application in AuthAnvil Single Sign On, open it, click the Details tab, scroll to the bottom and select the Thumbprint item. Copy the value, remove all spaces and change all letters to UPPERCASE. A simple way to do this is to open a PowerShell window and run:
      "<paste thumbprint here>".ToUpper().Replace(" ", "")
      If the result has a ? in front of it, remove it: it is an invisible left-to-right mark (U+200E) copied from the certificate dialog. The result must be exactly 40 hexadecimal characters. You will need this uppercase value for the next step.
    6. Add the following lines right after </runtime> (near the end of the file). Replace the placeholders in angle brackets and the thumbprint to match your OWA and AuthAnvil SSO server configuration. The only difference from the OWA file is the reply="https://<OWA FQDN>/ecp/" attribute, which tells the SSO server to return the token to /ecp/ rather than /owa/:

      <!-- SSO -->
      <microsoft.identityModel>
        <service>
          <audienceUris>
            <add value="https://<OWA FQDN>/owa/" />
          </audienceUris>
          <securityTokenHandlers>
            <add type="Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
              <samlSecurityTokenRequirement mapToWindows="true" useWindowsTokenService="true" />
            </add>
          </securityTokenHandlers>
          <federatedAuthentication>
            <wsFederation passiveRedirectEnabled="true" issuer="https://<SSO FQDN>/sso/federation/passive/wsfed" realm="https://<OWA FQDN>/owa/" reply="https://<OWA FQDN>/ecp/" requireHttps="true" />
            <cookieHandler requireSsl="true" />
          </federatedAuthentication>
          <applicationService>
          </applicationService>
          <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
            <trustedIssuers>
              <add thumbprint="A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6ABCD" name="uri:authanvil:sso:site1" />
            </trustedIssuers>
          </issuerNameRegistry>
          <certificateValidation certificateValidationMode="None" />
        </service>
      </microsoft.identityModel>
      <!-- /SSO -->

      Note: "uri:authanvil:sso:site1" represents the Token Issuer Name in the AuthAnvil Manager -> Single Sign On -> Server Settings. As in Step 5, certificateValidationMode="None" means the pinned thumbprint is the sole trust anchor for tokens, so it must be exact and there must be only one.

    7. Save the file.
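The thumbprint cleanup in Step 5 item 6 and Step 6 item 5, and the hand-edited WIF sections in both web.config files, are easy to get subtly wrong (a stray U+200E, a missing trailing slash, a second trusted issuer left over from testing). The PowerShell below is an added example for this article, not AuthAnvil's or Microsoft's own tooling: it normalises a pasted thumbprint and checks the microsoft.identityModel section of a web.config against the values you registered. The function names, the sample configuration text, the host names and the thumbprint are assumptions for illustration.

```powershell
# Added example: normalise a thumbprint copied from the certificate dialog and
# audit the WIF <service> section of an Exchange web.config. Hypothetical helper
# names; sample config and thumbprint are constructed, not from a real server.

function Get-NormalizedThumbprint {
    param([Parameter(Mandatory)][string]$Thumbprint)
    # The certificate dialog copies an invisible left-to-right mark (U+200E) in
    # front of the thumbprint; it is the "?" the article tells you to delete.
    # Dropping every non-hex character removes it together with the spaces.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Thumbprint must be 40 hex characters (SHA-1), got $($clean.Length) after cleanup."
    }
    return $clean
}

function Test-WifSsoConfig {
    param(
        [Parameter(Mandatory)][string]$ConfigPath,
        [Parameter(Mandatory)][string]$ExpectedThumbprint,
        [Parameter(Mandatory)][string]$ExpectedAudience,   # e.g. https://mail.example.com/owa/
        [Parameter(Mandatory)][string]$ExpectedIssuerName  # Token Issuer Name from Server Settings
    )
    $expected = Get-NormalizedThumbprint $ExpectedThumbprint
    [xml]$cfg = Get-Content -LiteralPath $ConfigPath -Raw
    $problems = @()

    $svc = $cfg.SelectSingleNode('/configuration/microsoft.identityModel/service')
    if (-not $svc) { return ,@('No <microsoft.identityModel><service> section found.') }

    # With certificateValidationMode="None" the pinned thumbprint is the whole trust
    # boundary: exactly one entry, and it must be the SSO signing certificate.
    $issuers = @($svc.SelectNodes('issuerNameRegistry/trustedIssuers/add'))
    if ($issuers.Count -ne 1) { $problems += "Expected exactly one trusted issuer, found $($issuers.Count)." }
    foreach ($i in $issuers) {
        $tp = $i.GetAttribute('thumbprint')
        try {
            if ((Get-NormalizedThumbprint $tp) -ne $expected) { $problems += "Trusted issuer $tp is not the SSO signing certificate." }
        } catch { $problems += "Malformed thumbprint '$tp': $_" }
        if ($i.GetAttribute('name') -ne $ExpectedIssuerName) {
            $problems += "Issuer name '$($i.GetAttribute('name'))' does not match '$ExpectedIssuerName'."
        }
    }

    # Audience must equal the Audience URI registered in AuthAnvil, trailing slash included.
    $audiences = @($svc.SelectNodes('audienceUris/add') | ForEach-Object { $_.GetAttribute('value') })
    if ($audiences -notcontains $ExpectedAudience) { $problems += "audienceUris ($($audiences -join ', ')) lacks $ExpectedAudience." }

    # Passive redirect: realm must match the audience, and TLS must be mandatory for both
    # the redirect and the session cookie, or the session token can travel in clear text.
    $ws = $svc.SelectSingleNode('federatedAuthentication/wsFederation')
    if (-not $ws) { $problems += 'Missing <wsFederation> element.' }
    else {
        if ($ws.GetAttribute('realm') -ne $ExpectedAudience) { $problems += "realm '$($ws.GetAttribute('realm'))' differs from the audience." }
        if ($ws.GetAttribute('requireHttps') -ne 'true') { $problems += 'wsFederation requireHttps is not true.' }
        if ($ws.GetAttribute('issuer') -notmatch '^https://') { $problems += 'issuer URL is not https.' }
    }
    $ck = $svc.SelectSingleNode('federatedAuthentication/cookieHandler')
    if (-not $ck -or $ck.GetAttribute('requireSsl') -ne 'true') { $problems += 'cookieHandler requireSsl is not true.' }

    return ,$problems
}

# Constructed sample web.config (placeholder thumbprint, as in the article).
$sample = @'
<configuration>
  <microsoft.identityModel>
    <service>
      <audienceUris><add value="https://mail.example.com/owa/" /></audienceUris>
      <federatedAuthentication>
        <wsFederation passiveRedirectEnabled="true" issuer="https://sso.example.com/sso/federation/passive/wsfed" realm="https://mail.example.com/owa/" requireHttps="true" />
        <cookieHandler requireSsl="true" />
      </federatedAuthentication>
      <issuerNameRegistry>
        <trustedIssuers><add thumbprint="A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6ABCD" name="uri:authanvil:sso:site1" /></trustedIssuers>
      </issuerNameRegistry>
      <certificateValidation certificateValidationMode="None" />
    </service>
  </microsoft.identityModel>
</configuration>
'@
$path = Join-Path $env:TEMP 'owa-web.config'
Set-Content -LiteralPath $path -Value $sample

# The thumbprint as it comes out of the certificate dialog: leading U+200E, spaces, lower case.
$pasted = "$([char]0x200E)a1 b2 c3 d4 e5 f6 a1 b2 c3 d4 e5 f6 a1 b2 c3 d4 e5 f6 ab cd"
$issues = Test-WifSsoConfig -ConfigPath $path -ExpectedThumbprint $pasted `
    -ExpectedAudience 'https://mail.example.com/owa/' -ExpectedIssuerName 'uri:authanvil:sso:site1'
if ($issues.Count -eq 0) { 'web.config SSO section is consistent' } else { $issues }
```

Run it once against the owa web.config and once against the ecp web.config (the ECP file keeps the /owa/ audience and realm, so the same expected values apply). An empty result means the pinned issuer, audience and TLS settings agree with what you registered in AuthAnvil; anything it prints is a reason the token would be rejected or, for the TLS checks, a reason it could leak.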


Updating the AuthAnvil Database to allow access to /ecp/

  1. Open SQL Management Studio and connect into the AuthAnvil SQL instance
  2. Expand Databases > Anvil > Tables
  3. Right-click on SSO_ServiceProviderProperty and select “Edit Top 200 Rows” or “Open Table”
  4. There should be two “Outlook Web App” entries. Look for the one that has data in the “ProtocolConfiguration” column.
  5. In the “ProtocolConfiguration” column there should be some text similar to this:

    {
    "Properties":
    [
    {"Key":"WSFedProtocolVersion","Value":"WS 1.3"},
    {"Key":"SignatureAlgorithm","Value":"http:\/\/www.w3.org\/2001\/04\/xmldsig-more#rsa-sha256"},
    {"Key":"DigestAlgorithm","Value":"http:\/\/www.w3.org\/2001\/04\/xmlenc#sha256"}
    ]
    }
    Note: In the table it appears all on one line.

  6. First, copy the text out into Notepad so you have a backup. Next, add one more {Key,Value} pair to these Properties. Copy this, including the trailing comma:

    {"Key":"ReplyToOption","Value":"SameDomain"},

    Add that code immediately after:

    {"Properties":[

    and immediately before:

    {"Key":"WSFedProtocolVersion","Value":"WS 1.3"},

    The end result looks something like this when it is all on one line:

    {"Properties":[{"Key":"ReplyToOption","Value":"SameDomain"},{"Key":"WSFedProtocolVersion","Value":"WS 1.3"},{"Key":"SignatureAlgorithm","Value":"http:\/\/www.w3.org\/2001\/04\/xmldsig-more#rsa-sha256"},{"Key":"DigestAlgorithm","Value":"http:\/\/www.w3.org\/2001\/04\/xmlenc#sha256"}]}

    Note: ReplyToOption=SameDomain lets the SSO server return a token to a reply address on the same host as the registered Reply To URL, which is what the reply="https://<OWA FQDN>/ecp/" attribute in the ECP web.config relies on. It does not allow replies to other hosts, so the token cannot be redirected off your Exchange server. Make sure the edited value is still valid JSON and that the key appears only once.

  7. Press Enter (or move off the row) to save the configuration, then test it. You might need to run iisreset on the AuthAnvil server and restart your browser, but it should work once you refresh the page.
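Editing JSON by hand inside the SSMS grid is where a stray comma or a duplicated key creeps in. The PowerShell below is an added example (not part of the article or of AuthAnvil) that performs the same edit programmatically: it parses the ProtocolConfiguration value, inserts ReplyToOption first as the article shows, or updates it if it is already there, and emits the compact single-line form the table holds. The function name is hypothetical and the sample value is the one shown above; the article does not show which column identifies the row, so it does not write an UPDATE statement.

```powershell
# Added example: insert or update the ReplyToOption key in an AuthAnvil
# ProtocolConfiguration JSON value. Hypothetical helper; sample input constructed
# from the article's text.

function Add-ReplyToOption {
    param(
        [Parameter(Mandatory)][string]$ProtocolConfiguration,
        [string]$Value = 'SameDomain'
    )
    $cfg = $ProtocolConfiguration | ConvertFrom-Json
    if (-not $cfg.Properties) { throw 'ProtocolConfiguration has no Properties array.' }

    $existing = @($cfg.Properties | Where-Object { $_.Key -eq 'ReplyToOption' })
    if ($existing.Count -gt 0) {
        # Idempotent: change the value in place rather than adding a second key.
        $existing[0].Value = $Value
    } else {
        $new = [pscustomobject]@{ Key = 'ReplyToOption'; Value = $Value }
        $cfg.Properties = @($new) + @($cfg.Properties)   # first in the list, as the article shows
    }
    # -Compress produces the single-line form stored in the table.
    return ($cfg | ConvertTo-Json -Compress -Depth 4)
}

# Constructed sample: the existing value from the article, on one line.
$original = '{"Properties":[{"Key":"WSFedProtocolVersion","Value":"WS 1.3"},{"Key":"SignatureAlgorithm","Value":"http:\/\/www.w3.org\/2001\/04\/xmldsig-more#rsa-sha256"},{"Key":"DigestAlgorithm","Value":"http:\/\/www.w3.org\/2001\/04\/xmlenc#sha256"}]}'

$updated = Add-ReplyToOption -ProtocolConfiguration $original
$updated                      # paste this into the ProtocolConfiguration cell

# Running it a second time changes nothing, so re-running the step is safe.
(Add-ReplyToOption -ProtocolConfiguration $updated) -eq $updated
```

Paste the printed value into the cell in place of the original. Because the function re-serialises the whole object, the other three keys keep their values and the result cannot contain the unbalanced brackets or trailing commas that break the SSO server's parser.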

Step 7 – Update Exchange

  1. Open the Exchange Management Console.
  2. Under Server Configuration -> Client Access, open the owa configuration under the "Outlook Web App" tab.
  3. On the Authentication tab, make sure "Use forms-based authentication" is not checked. Select "Use one or more standard authentication methods:" and leave the checkboxes blank.
  4. Open Internet Information Services (IIS) Manager.
  5. Expand the site where OWA is installed and click on the "owa" application.
  6. Double-click the Authentication icon and verify that Anonymous Authentication is set to Enabled. IIS must let the request through unauthenticated so that the WIF modules added in Step 5 can authenticate it; the <deny users="?" /> rule in web.config is what prevents anonymous access to the mailbox.

Verifying Functionality

Once the configuration is complete, test that everything works as expected. Log in to the SSO portal with a user that is authorized to access OWA and click the "Outlook Web" application. You should be redirected straight to your OWA inbox without being prompted for credentials again.

You can test the ECP menu by going into OWA and clicking Options > See All Options. If the Options portal loads with no errors or other authentication, both the OWA and ECP configurations are successful.
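The browser test above tells you the round trip works, but not which side is at fault when it does not. The PowerShell below is an added example for this article, not part of AuthAnvil or Exchange: it inspects the first 302 that OWA returns to an unauthenticated request and checks that it is a WS-Federation sign-in redirect to the expected issuer with the expected realm. The function names, host names and the constructed Location header are assumptions; the live request is shown commented out because it needs your servers.

```powershell
# Added example: validate the WS-Federation passive redirect OWA issues to an
# unauthenticated client. Hypothetical helper names; sample Location header is
# constructed in the shape WIF's WSFederationAuthenticationModule builds it.

Add-Type -AssemblyName System.Web

function Test-WsFedRedirect {
    param(
        [Parameter(Mandatory)][string]$Location,         # value of the 302 Location header
        [Parameter(Mandatory)][string]$ExpectedIssuer,   # https://<SSO FQDN>/sso/federation/passive/wsfed
        [Parameter(Mandatory)][string]$ExpectedRealm     # https://<OWA FQDN>/owa/
    )
    $uri  = [System.Uri]$Location
    $q    = [System.Web.HttpUtility]::ParseQueryString($uri.Query)
    $base = $uri.GetLeftPart([System.UriPartial]::Path)
    $problems = @()
    # The redirect itself must be https: it carries the realm and return context.
    if ($uri.Scheme -ne 'https') { $problems += "redirect is not https: $base" }
    # Anything other than the registered issuer means web.config points at the wrong server.
    if ($base -ne $ExpectedIssuer) { $problems += "redirect target $base is not the SSO issuer" }
    if ($q['wa'] -ne 'wsignin1.0') { $problems += "wa is '$($q['wa'])', expected wsignin1.0" }
    # wtrealm is what the SSO server matches against the registered Audience URI / Reply To URL.
    if ($q['wtrealm'] -ne $ExpectedRealm) { $problems += "wtrealm '$($q['wtrealm'])' does not match $ExpectedRealm" }
    return ,$problems
}

function Get-RedirectLocation {
    param([Parameter(Mandatory)][string]$Url)
    # Do not follow redirects: the first 302 is the one the WIF module issues.
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.AllowAutoRedirect = $false
    $req.Method = 'GET'
    $resp = $req.GetResponse()
    try {
        if ([int]$resp.StatusCode -notin 301,302,303,307) { throw "Expected a redirect, got $([int]$resp.StatusCode)" }
        return $resp.Headers['Location']
    } finally { $resp.Close() }
}

# Constructed Location header (wctx carries the original URL and wct the timestamp; both vary).
$sampleLocation = 'https://sso.example.com/sso/federation/passive/wsfed?wa=wsignin1.0&wtrealm=https%3a%2f%2fmail.example.com%2fowa%2f&wctx=rm%3d0%26id%3dpassive%26ru%3d%252fowa%252f&wct=2024-01-01T00%3a00%3a00Z'
$issues = Test-WsFedRedirect -Location $sampleLocation `
    -ExpectedIssuer 'https://sso.example.com/sso/federation/passive/wsfed' `
    -ExpectedRealm  'https://mail.example.com/owa/'
if ($issues.Count -eq 0) { 'sign-in redirect looks right' } else { $issues }

# Against a live server (assumed host names):
# $loc = Get-RedirectLocation 'https://mail.example.com/owa/'
# Test-WsFedRedirect -Location $loc -ExpectedIssuer 'https://sso.example.com/sso/federation/passive/wsfed' -ExpectedRealm 'https://mail.example.com/owa/'
```

If the live request returns a 200 or a 401 instead of a 302, the WIF modules are not running for the request (check runAllManagedModulesForAllRequests and the module order in Step 5, and that Anonymous Authentication is enabled in IIS). If the redirect is correct but the sign-in still fails, the problem is on the token side: the thumbprint, audience or the UPN/PrimarySid claims.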
