Section 2: Exchange Server and AD FS Integration
Abstract: This document covers the steps to delegate authentication processes for OWA (Outlook on the web) and ECP (Exchange Control Panel) services on Microsoft Exchange Server to Active Directory Federation Services (AD FS) using Claims-Based Authentication.
Prerequisites:
Service interruptions may occur on Exchange and AD FS services during the process. It is recommended to perform these actions during a maintenance window.
Commands must be run on PowerShell and Exchange Management Shell (EMS) with "Administrator" privileges.
Please update the domain.com and EXCHSRV-2022 placeholders in the commands below with your institution's actual FQDN and server hostname.
Step 1: AD FS Server Configuration (Relying Party Trust)
In this step, a trust relationship for Exchange services will be defined on the AD FS server. These operations must be performed on the AD FS server via PowerShell (Run as Administrator).
1.1. Defining Trust for OWA (Outlook on the web)
PowerShell
# Create the relying party trust for OWA. The Identifier value must later match,
# character for character, the audience URI configured on the Exchange side.
Add-AdfsRelyingPartyTrust -Name "Outlook on the web" `
-Notes "Trust Definition for Exchange OWA" `
-Identifier "https://EXCHSRV-2022.domain.com/owa/" `
-WSFedEndpoint "https://EXCHSRV-2022.domain.com/owa/" `
-IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'
# Define the claim rules: map the authenticated Windows account name to its
# objectSID (primarysid) and userPrincipalName (upn) claims, which Exchange requires.
Set-AdfsRelyingPartyTrust -TargetName "Outlook on the web" `
-IssuanceTransformRules '@RuleName = "ActiveDirectoryUserSID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"), query = ";objectSID;{0}", param = c.Value);
@RuleName = "ActiveDirectoryUPN"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);'
1.2. Defining Trust for ECP (Exchange Control Panel)
PowerShell
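The following script is an added example and is not part of the original guide. It creates both relying party trusts (OWA and ECP) from one table with the same claim rules as in 1.1, skips a trust that already exists so the script can be re-run safely, and then prints what AD FS actually stored. The hostname EXCHSRV-2022.domain.com, the trust name "Exchange Control Panel" and the C:\ paths are assumptions.

```powershell
# Added example (not from the original guide). Assumed placeholder hostname:
$ExchangeFqdn = "EXCHSRV-2022.domain.com"

# Both rules start from the Windows account name AD FS already holds after logon
# and look up objectSID and userPrincipalName in Active Directory.
$transformRules = @'
@RuleName = "ActiveDirectoryUserSID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"), query = ";objectSID;{0}", param = c.Value);

@RuleName = "ActiveDirectoryUPN"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);
'@

# Authorization rule: permit every user who authenticated to AD FS.
$permitRule = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# One entry per Exchange service. The ECP trust name is an assumption.
$trusts = @(
    @{ Name = "Outlook on the web";     Path = "owa"; Notes = "Trust Definition for Exchange OWA" }
    @{ Name = "Exchange Control Panel"; Path = "ecp"; Notes = "Trust Definition for Exchange ECP" }
)

foreach ($t in $trusts) {
    # Identifier and WS-Federation endpoint must equal the AdfsAudienceUris value
    # configured on Exchange exactly, including scheme, host, path and trailing slash.
    $url = "https://$ExchangeFqdn/$($t.Path)/"

    if (Get-AdfsRelyingPartyTrust -Name $t.Name) {
        Write-Output "Trust '$($t.Name)' already exists, skipping creation."
    } else {
        Add-AdfsRelyingPartyTrust -Name $t.Name -Notes $t.Notes `
            -Identifier $url -WSFedEndpoint $url `
            -IssuanceAuthorizationRules $permitRule `
            -IssuanceTransformRules $transformRules
    }
}

# Verify the identifiers and endpoints as AD FS stored them.
$trustNames = $trusts | ForEach-Object { $_.Name }
Get-AdfsRelyingPartyTrust |
    Where-Object { $trustNames -contains $_.Name } |
    Select-Object Name, Identifier, WSFedEndpoint, Enabled
```

The verification query at the end is worth keeping: a trailing slash missing from an Identifier is the most common reason a later OWA logon fails with a token-validation error, and it is easier to spot in the stored values than in the command that created them.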
Step 2: Certificate Management and Retrieving Thumbprint
For the Exchange server to accept AD FS tokens, the AD FS Token-Signing certificate must be physically imported to the Exchange server.
2.1. Exporting the Token-Signing Certificate (AD FS Server)
Open the AD FS Management console.
Navigate to Service > Certificates.
Double-click the Token-Signing certificate.
Go to the Details tab and click Copy to File....
Save the certificate in .CER format (e.g., token_signing.cer) and copy this file to the Exchange server.
2.2. Retrieving the Certificate Thumbprint
Run the following command on the AD FS Server via PowerShell and note down the Thumbprint value. This value will be used in Step 3.
PowerShell
Note: Copy the alphanumeric string under the "Thumbprint" header from the output.
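As an added example (not from the original guide), the script below reads the primary Token-Signing certificate's thumbprint directly from AD FS and exports the public certificate as a DER-encoded .CER file, covering Steps 2.1 and 2.2 without the MMC wizard. The export path C:\Temp\token_signing.cer is an assumption.

```powershell
# Added example (not from the original guide). Run on the AD FS server as Administrator.

# AD FS can hold more than one token-signing certificate during rollover;
# Exchange must be configured with the primary one.
$tokenSigning = Get-AdfsCertificate -CertificateType Token-Signing |
    Where-Object { $_.IsPrimary }

if (-not $tokenSigning) {
    throw "No primary Token-Signing certificate found on this AD FS server."
}

# This thumbprint is the value Step 3.1 pastes into Set-OrganizationConfig.
$thumbprint = $tokenSigning.Thumbprint
Write-Output "Token-Signing thumbprint: $thumbprint"

# Export the public certificate only; the private key never leaves AD FS.
# X509ContentType::Cert produces the same DER (.CER) output as "Copy to File".
$exportPath = "C:\Temp\token_signing.cer"   # assumed path
$derBytes = $tokenSigning.Certificate.Export(
    [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($exportPath, $derBytes)
Write-Output "Exported public certificate to $exportPath"

# Caveat: when automatic certificate rollover is enabled, AD FS generates a new
# token-signing certificate before the current one expires. Exchange must then be
# updated with the new thumbprint, otherwise OWA and ECP logons start failing.
Get-AdfsProperties | Select-Object AutoCertificateRollover, CertificateGenerationThreshold
```

Record the rollover settings together with the thumbprint: the CertificateGenerationThreshold value tells you how many days before expiry the replacement certificate appears, which is when the Exchange configuration from Step 3.1 has to be repeated.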
2.3. Importing the Certificate to Exchange Server
Open the certlm.msc (Local Computer Certificates) console on the Exchange server.
Right-click Trusted Root Certification Authorities > Certificates, then select All Tasks > Import.
Import the .CER file you transferred from the AD FS server.
Step 3: Exchange Server Configuration
The operations in this section must be performed using the Exchange Management Shell (EMS) on the Exchange server.
3.1. Configuring AD FS Settings in Exchange Organization
Paste the certificate thumbprint you obtained in Step 2.2 into the PASTE_THUMBPRINT_HERE placeholder below.
PowerShell
3.2. Switching Virtual Directories to AD FS Mode
Basic and Forms authentication will be disabled for Exchange services, and only AD FS authentication will be enabled.
PowerShell
3.3. Restarting Services
The IIS service requires a restart for the configuration to take effect.
PowerShell
Verification: After completing the steps, navigating to https://EXCHSRV-2022.domain.com/owa should automatically redirect the browser to the AD FS login page.
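The script below is an added example, not code from the original guide. It carries out Steps 2.3 and 3.1 through 3.3 as one re-runnable script from the Exchange Management Shell and finishes by reading back the settings it wrote. The AD FS hostname adfs.domain.com, the server name EXCHSRV-2022 and the path C:\Temp\token_signing.cer are assumptions; replace them with your own values.

```powershell
# Added example (not from the original guide). Run in the Exchange Management Shell.
$ExchangeServer = "EXCHSRV-2022"              # assumed hostname
$ExchangeFqdn   = "$ExchangeServer.domain.com"
$AdfsFqdn       = "adfs.domain.com"           # assumed AD FS service name
$CerPath        = "C:\Temp\token_signing.cer" # assumed path of the exported .CER

# Step 2.3 without the MMC: import the public certificate into the local machine's
# Trusted Root store. The thumbprint is taken from the imported object instead of
# being pasted by hand, which removes the usual copy/paste error.
$cert = Import-Certificate -FilePath $CerPath -CertStoreLocation "Cert:\LocalMachine\Root"
$thumbprint = $cert.Thumbprint

# Step 3.1: audience URIs must equal the Identifier values on the AD FS trusts exactly
# (scheme, host, path, trailing slash); any mismatch causes every token to be rejected.
$audiences = @("https://$ExchangeFqdn/owa/", "https://$ExchangeFqdn/ecp/")
Set-OrganizationConfig -AdfsIssuer "https://$AdfsFqdn/adfs/ls/" `
    -AdfsAudienceUris $audiences `
    -AdfsSignCertificateThumbprint $thumbprint

# Step 3.2: switch OWA and ECP to AD FS only. Every other method is disabled
# explicitly rather than relying on defaults.
$authSettings = @{
    AdfsAuthentication    = $true
    BasicAuthentication   = $false
    FormsAuthentication   = $false
    WindowsAuthentication = $false
    DigestAuthentication  = $false
    OAuthAuthentication   = $false
}
Get-OwaVirtualDirectory -Server $ExchangeServer | Set-OwaVirtualDirectory @authSettings
Get-EcpVirtualDirectory -Server $ExchangeServer | Set-EcpVirtualDirectory @authSettings

# Step 3.3: recycle IIS so the new authentication settings are loaded.
iisreset /noforce

# Verification: read back what was written, not just whether the cmdlets ran.
Get-OrganizationConfig |
    Select-Object AdfsIssuer, AdfsAudienceUris, AdfsSignCertificateThumbprint
Get-OwaVirtualDirectory -Server $ExchangeServer |
    Select-Object Identity, AdfsAuthentication, FormsAuthentication, BasicAuthentication
Get-EcpVirtualDirectory -Server $ExchangeServer |
    Select-Object Identity, AdfsAuthentication, FormsAuthentication, BasicAuthentication
```

Expect AdfsAuthentication to read True and the Forms and Basic columns False for both virtual directories; if Forms is still True, the redirect to the AD FS logon page described above will not happen.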