Adding Exchange & OWA 2013 and 2016

This document explains how to configure Exchange 2013 and 2016 Outlook Web Access and Exchange Control Panel to support Single Sign-On from AuthAnvil.

Configuration Steps

  1. Select Directory Manager.
  2. Select Groups.
  3. Select the green plus sign in the bottom right corner.
  4. Name the Group Exchange Users.
    Note: If you have other existing Groups for SSO users you can use one of these as well.
  5. Select ADD GROUP.
  6. Select SSO Manager.
  7. Select the green plus sign in the bottom right corner.
  8. Select the Catalog Icon.
  9. Select Exchange Control Panel.

  10. Select the Application Enabled option.
  11. Select Protocol Setup and:
    Update the Reply To URL value to match the FQDN of your Exchange host.
    Update the Audience URI value to match the FQDN of your Exchange host.

  12. Select Attribute Transformation.
    Verify the User.EmailAddress property is the correct value to send to represent the UPN in Active Directory.
    Note: If this value does not work you might consider creating a custom transform such as "{User.PrincipalName}@domain.com" which will generate a value of "name@domain.com".

    Note: Exchange explicitly requires the PrimarySid claim and will not sign a user in without the value matching the SID of the user. This attribute was added to the sync set recently and may require a minor configuration update to include it in the DirSync process. You can find the steps to update the synchronization below.
    You will need to provide this value manually as a custom attribute for a user if you have not configured Directory Synchronization.
  13. Select Add Application.
  14. Select Permissions.
  15. Select Add Groups.
    Select the Group you chose in Step 4.
  16. Select Signing and Encryption.
    Select Copy.
    Save the Thumbprint value to a safe location, as it will be used a little later to configure Exchange itself.
  17. Select Download.
    Note: The signing certificate will need to be installed on the Exchange server(s).
  18. Select Save changes.


Repeat the process with the Outlook Web Access application.
Note that the signing certificate will be the same for both applications.

  1. Select Directory Manager.
  2. Select Groups.
  3. Select the green plus sign in the bottom right corner.
  4. Name the Group OWA Users.
    Note: If you have other existing Groups for SSO users you can use one of these as well.
  5. Select ADD GROUP.
  6. Select SSO Manager.
  7. Select the green plus sign in the bottom right corner.
  8. Select the Catalog Icon.
  9. Select Outlook Web Access.
  10. Select the Application is Enabled option.
  11. Select your desired Authentication Policy.
  12. Select Protocol Setup and
    Update the Reply To URL value to match the FQDN of your Exchange host.
    Update the Audience URI value to match the FQDN of your Exchange host.
  13. Select Attribute Transformation.
  14. Verify the User.EmailAddress property is the correct value to send to represent the UPN in Active Directory. 
    Note: If this value does not work you might consider creating a custom transform such as "{User.PrincipalName}@domain.com" which will generate a value of "name@domain.com".
    Note: Exchange explicitly requires the PrimarySid claim and will not sign a user in without the value matching the SID of the user. This attribute was added to the sync set recently and may require a minor configuration update to include it in the DirSync process. You can find the steps to update the synchronization below.
    You will need to provide this value manually as a custom attribute for a user if you have not configured Directory Synchronization.
  15. Select Add Application 
  16. Select Permissions.
  17. Select Add Groups.
  18. Select the Group you chose in Step 4.
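As an added example (not part of the original article), the following PowerShell looks up the two values the notes above say a user must be sent: the UPN used for the User.EmailAddress / User.PrincipalName claim and the objectSid that backs the PrimarySid claim. It is meant for the case where Directory Synchronization is not configured and the PrimarySid value has to be entered manually as a custom attribute. It assumes the ActiveDirectory PowerShell module (RSAT) is available on a domain-joined host; the user names are constructed placeholders.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory module
# is installed and the session can query the domain.
Import-Module ActiveDirectory

function Get-ExchangeSsoClaimValues {
    param(
        [Parameter(Mandatory = $true)]
        [string]$UserPrincipalName
    )

    # Get-ADUser returns SID, UserPrincipalName and Enabled among its default properties
    $user = Get-ADUser -Filter "UserPrincipalName -eq '$UserPrincipalName'" -ErrorAction Stop
    if (-not $user) {
        throw "No AD user found with UPN '$UserPrincipalName'"
    }

    $sid = $user.SID.Value
    # A domain account SID has the form S-1-5-21-<domain parts>-<rid>; anything else
    # (well-known or built-in SIDs) will never match what Exchange expects for the PrimarySid claim
    if ($sid -notmatch '^S-1-5-21(-\d+){4}$') {
        throw "Unexpected SID format '$sid' for $UserPrincipalName"
    }

    [pscustomobject]@{
        UserPrincipalName = $user.UserPrincipalName   # value the UPN claim must carry
        PrimarySid        = $sid                      # value to enter as the user's custom PrimarySid attribute
        Enabled           = $user.Enabled             # disabled accounts will not sign in regardless of the claim
    }
}

# Usage: constructed placeholder UPNs; run for one user or for a list of them
Get-ExchangeSsoClaimValues -UserPrincipalName 'jane.doe@contoso.com'

'jane.doe@contoso.com', 'john.roe@contoso.com' |
    ForEach-Object { Get-ExchangeSsoClaimValues -UserPrincipalName $_ } |
    Format-Table UserPrincipalName, PrimarySid, Enabled
```

The SID check is there because Exchange compares the PrimarySid claim against the account's SID exactly; a value from the wrong object (a group, a well-known SID, or a typo) will simply result in a failed sign-in with no obvious cause.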

 

Configure Exchange

  1. Connect to the Exchange Server(s) hosting OWA and ECP and copy the certificate downloaded in the previous steps to each server. Double-clicking the file installs it, but it must be placed in the "Trusted Root Certification Authorities" store for the LOCAL MACHINE (steps 2 to 10 below), which allows ECP and OWA to trust the source of the certificate.
  2. Open mmc.exe
  3. File > Add/Remove Snap-in...
  4. Select Certificates > Add...
  5. Select Computer account.
  6. Add.
  7. Expand Certificates > Trusted Root Certification Authorities > Certificates.
  8. Right click > All Tasks > Import.
  9. Find the downloaded .cer file.
  10. Approve cert installation.
  11. Open the Exchange Server PowerShell console.
  12. Run the following script in the Exchange Server PowerShell console, replacing the domain names of the various services and the thumbprint to match your configuration.
    # These values tell Exchange which audience URIs to accept tokens for; they correspond to the Audience URI values set in Protocol Setup
    $uris = @("https://contoso.com/owa/","https://contoso.com/ecp/")
    # Tells Exchange which issuer it should navigate to and accept a token from, and which signing certificate (the Thumbprint copied from Signing and Encryption) those tokens must be signed with
    Set-OrganizationConfig -AdfsIssuer "https://company.my.authanvil.com/trust/launch" -AdfsAudienceUris $uris -AdfsSignCertificateThumbprint "AABBCCDDEEFF11223344556677889900AABBCCDD"
    # Configures ECP for federated authentication and turns off the other authentication methods
    Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false
    # Configures OWA for federated authentication and turns off the other authentication methods
    Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false -OAuthAuthentication $false
    # These configuration changes won't take effect until the IIS services are restarted (next step)
  13. Restart the IIS services so the changes take effect:
    Restart-Service W3SVC,WAS -noforce
  14. Try launching OWA or ECP from the AuthAnvil launchpad, or by navigating directly to OWA. You should be signed in automatically.
Update Directory Synchronization to include the PrimarySid attribute

  1. In the AuthAnvil tenant, navigate to Directory Sync in the Directory Manager.
  2. Select the DirSync agent and expand the "Mapped Attributes" section. If you already see a mapping of objectsid to ad.objectSid within the User Custom Attributes section, the update is already in place.
  3. To include this value, scroll to the top section and click "Edit". This will open a new panel.
  4. Select Save Changes. This initiates an update behind the scenes to include the new attribute.
  5. Wait for the next synchronization, or start a full synchronization of the directory agent. Each synchronized user should now have their objectsid attribute included in their attribute collection.
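The following PowerShell is an added example, not part of the original article or of AuthAnvil's own tooling. It performs the certificate import from the Configure Exchange steps (steps 1 to 10) from the shell instead of mmc, refuses to import a file whose thumbprint does not match the one copied from Signing and Encryption, and then checks that the Set-OrganizationConfig and virtual directory settings from step 12 are actually in place. It assumes it runs in the Exchange Management Shell on the server hosting OWA and ECP, with the PKI module (Import-Certificate) available; the file path and thumbprint are constructed placeholders.

```powershell
# Added example, not from the original article. Run in the Exchange Management Shell
# on the OWA/ECP server. Assumes the PKI module's Import-Certificate cmdlet is available.
$certPath           = 'C:\Temp\authanvil-signing.cer'               # placeholder: the .cer downloaded from SSO Manager
$expectedThumbprint = 'AABBCCDDEEFF11223344556677889900AABBCCDD'    # placeholder: the Thumbprint copied from Signing and Encryption

function Install-SsoSigningCertificate {
    param([string]$Path, [string]$ExpectedThumbprint)

    # Load the file first so the thumbprint can be compared before anything is trusted
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    if ($cert.Thumbprint -ne $ExpectedThumbprint) {
        throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $ExpectedThumbprint. Not importing."
    }

    # Place it in the LocalMachine Trusted Root store, the store OWA/ECP consult
    Import-Certificate -FilePath $Path -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

    # Confirm it is now present where the web applications will look for it
    Get-ChildItem -Path 'Cert:\LocalMachine\Root' | Where-Object Thumbprint -eq $cert.Thumbprint
}

function Test-ExchangeSsoConfig {
    param([string]$ExpectedThumbprint)

    $problems = @()
    $org = Get-OrganizationConfig
    if ($org.AdfsSignCertificateThumbprint -ne $ExpectedThumbprint) {
        $problems += "AdfsSignCertificateThumbprint is '$($org.AdfsSignCertificateThumbprint)'"
    }
    if (-not $org.AdfsIssuer)       { $problems += 'AdfsIssuer is not set' }
    if (-not $org.AdfsAudienceUris) { $problems += 'AdfsAudienceUris is empty' }

    # Every OWA and ECP virtual directory must have federated auth on and the interactive
    # methods off; otherwise users can still be prompted by forms/basic auth instead of AuthAnvil
    $vdirs = @(Get-OwaVirtualDirectory) + @(Get-EcpVirtualDirectory)
    foreach ($v in $vdirs) {
        if (-not $v.AdfsAuthentication) { $problems += "$($v.Identity): AdfsAuthentication is off" }
        foreach ($method in 'BasicAuthentication', 'DigestAuthentication', 'FormsAuthentication', 'WindowsAuthentication') {
            if ($v.$method) { $problems += "$($v.Identity): $method is still enabled" }
        }
    }

    [pscustomobject]@{
        Ok       = ($problems.Count -eq 0)
        Problems = $problems
    }
}

Install-SsoSigningCertificate -Path $certPath -ExpectedThumbprint $expectedThumbprint
Test-ExchangeSsoConfig -ExpectedThumbprint $expectedThumbprint
```

Run the test function again after the IIS restart in step 13; an empty Problems list there, together with a successful launch from the AuthAnvil launchpad, is the confirmation that step 14 asks for.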
