As my lab environment grows I am trying to streamline things by using ADFS for all of my authentication. Below are the steps I used to set up Exchange 2013 to authenticate OWA and ECP users through ADFS.

Prerequisites:

ADFS, a functioning ADFS farm
Exchange 2013, a functioning Exchange organization
Certificate, issued by a publicly trusted CA; this can be the same certificate you use for the Exchange environment, provided it carries a Subject Alternative Name (SAN) for the ADFS service name

Configuring ADFS:

Log on to the ADFS server in the environment.

Install the certificate from the publicly trusted CA that you are going to use on the ADFS server. The certificate must contain a Subject Alternative Name (SAN) for the ADFS service name. If it is the same certificate you used when ADFS was installed there is nothing to install; it is already on the server.
[Screenshot: 20150705 - Cert1]

Once you have confirmed the certificate is installed on the server, set it as the primary token-signing and token-decrypting certificate for ADFS (the service communications certificate was chosen during the ADFS installation and is not changed by these commands). Using PowerShell, run the commands below.

Two things to keep in mind. First, the ADFS service account must be able to read the private key of the certificate, and ADFS only starts using the new certificates after the service is restarted (Restart-Service adfssrv); if Set-AdfsCertificate reports that the thumbprint is not a certificate ADFS knows about, register it first with Add-AdfsCertificate using the same -CertificateType and -Thumbprint. Second, the first command turns automatic certificate rollover off, so renewing the certificate becomes a manual job. Exchange trusts ADFS tokens by the thumbprint you give it later in Set-OrganizationConfig, so whenever the token-signing certificate is replaced the new thumbprint must be added there too, or every OWA and ECP logon fails.

Syntax:

Set-AdfsProperties -AutoCertificateRollover $false
Set-AdfsCertificate -CertificateType Token-Signing -Thumbprint <Cert Thumbprint> -IsPrimary
Set-AdfsCertificate -CertificateType Token-Decrypting -Thumbprint <Cert Thumbprint> -IsPrimary

Example:

Set-AdfsProperties -AutoCertificateRollover $false
Set-AdfsCertificate -CertificateType Token-Signing -Thumbprint D3590BE2E1290F906607373108775C1DB789CB94 -IsPrimary
Set-AdfsCertificate -CertificateType Token-Decrypting -Thumbprint D3590BE2E1290F906607373108775C1DB789CB94 -IsPrimary

[Screenshot: 20150705 - Cert2]

Next, create a relying party trust (RP) for the OWA URL and another for the ECP URL. The identifier of each RP must be exactly the URL you later hand to Exchange as an audience URI, because that is the realm Exchange sends to ADFS and ADFS matches it as a string. You can add as many claims to an RP as you like, but three are required for it to work with Exchange: primarysid, groupsid and upn. I have created a script that will save you some time on this step; you can get it here.

Syntax for script:

.\ExchangeRPCreation.ps1 -OWAURL <OWA URL> -ECPURL <ECP URL> -Name <RP Name Prefix>

Example:

.\ExchangeRPCreation.ps1 -OWAURL https://w12e13.hazelnest.com/owa -ECPURL https://w12e13.hazelnest.com/ecp -Name W12E13

[Screenshot: 20150705 - ADFS1]

Once the RPs are in place you are done with the changes on the ADFS server.
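The script linked above is the author's; the following is an added example, not that script, showing how the two relying party trusts and the three required claims can be created from the ADFS PowerShell module. It assumes it is run in an elevated PowerShell session on the ADFS server, and the OWA/ECP URLs and name prefix are passed in exactly as in the syntax shown above; the claim rule uses the standard "Send LDAP Attributes as Claims" template to map objectSID, tokenGroups(SID) and userPrincipalName to primarysid, groupsid and upn.

```powershell
# Example RP creation script (added here; not the ExchangeRPCreation.ps1 the post links to).
# Assumptions: run as an administrator on the AD FS server; $OWAURL and $ECPURL are the
# exact strings that will later be passed to Set-OrganizationConfig -AdfsAudienceUris.
param(
    [Parameter(Mandatory)][string]$OWAURL,   # e.g. https://w12e13.hazelnest.com/owa
    [Parameter(Mandatory)][string]$ECPURL,   # e.g. https://w12e13.hazelnest.com/ecp
    [Parameter(Mandatory)][string]$Name      # prefix for the relying party display names
)

Import-Module ADFS

# Issuance transform rule in AD FS claim rule language: look the authenticated user up in
# Active Directory and emit the three claim types Exchange 2013 requires.
$issuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Exchange required claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid",
                   "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"),
          query = ";objectSID,tokenGroups(SID),userPrincipalName;{0}",
          param = c.Value);
'@

# Issuance authorization rule: permit every authenticated user. Replace this with a
# group-based rule if only some users should reach OWA/ECP through AD FS.
$authorizationRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

function New-ExchangeRelyingParty {
    param([string]$DisplayName, [string]$Url)

    # Refuse to create a duplicate; AD FS keys relying parties on the identifier.
    if (Get-AdfsRelyingPartyTrust -Identifier $Url) {
        Write-Warning "A relying party trust with identifier $Url already exists, skipping"
        return
    }

    # The identifier is the realm Exchange sends; the WS-Federation endpoint is where
    # AD FS posts the signed token back to, which for OWA/ECP is the same URL.
    Add-AdfsRelyingPartyTrust -Name $DisplayName `
        -Identifier $Url `
        -WSFedEndpoint $Url `
        -IssuanceTransformRules $issuanceRules `
        -IssuanceAuthorizationRules $authorizationRules
    Write-Host "Created relying party trust '$DisplayName' for $Url"
}

New-ExchangeRelyingParty -DisplayName "$Name OWA" -Url $OWAURL
New-ExchangeRelyingParty -DisplayName "$Name ECP" -Url $ECPURL
```

After it runs, Get-AdfsRelyingPartyTrust -Name "<prefix> OWA" should show the identifier, the WS-Federation endpoint and the two rule sets; if the identifier differs from the audience URI you configure on Exchange by so much as a trailing slash, ADFS will not issue a token for the request.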


Configuring Exchange

Log on to an Exchange server in the environment and, using the Exchange Management Shell, run the commands below. The thumbprint is that of the ADFS token-signing certificate set earlier, the issuer is the ADFS passive endpoint (/adfs/ls/), and the audience URIs must be the same strings used as the RP identifiers on the ADFS side.

Command:

$URLs = @("<OWA URL>","<ECP URL>")
Set-OrganizationConfig -AdfsIssuer "<ADFS Issuer URL>" -AdfsAudienceUris $URLs -AdfsSignCertificateThumbprints "<Cert Thumbprint>"
Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false
Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false -OAuthAuthentication $false

Example:

$URLs = @("https://w12e13.hazelnest.com/owa","https://w12e13.hazelnest.com/ecp")
Set-OrganizationConfig -AdfsIssuer "https://w12e13.hazelnest.com:8085/adfs/ls/" -AdfsAudienceUris $URLs -AdfsSignCertificateThumbprints "D3590BE2E1290F906607373108775C1DB789CB94"
Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false
Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false -OAuthAuthentication $false

[Screenshot: 20150705 - ADFS2]

Once all of those commands have run without errors, Exchange is configured to authenticate OWA and ECP through ADFS. The other client protocols (Outlook Anywhere, ActiveSync, EWS and so on) keep their existing authentication settings; these changes only affect the two virtual directories.

The final step is to reset IIS (iisreset) on all the Exchange CAS servers so the virtual directory changes take effect; you can use a script I have here.
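Before sending users to the new logon page it is worth confirming that the two sides actually agree. The check below is an added example, not a script from the post: run in the Exchange Management Shell on a CAS, it downloads the federation metadata ADFS publishes, extracts the token-signing certificate(s), verifies that Exchange trusts each of them and that the issuer matches, and then walks every OWA and ECP virtual directory to make sure ADFS authentication is the only method left on. The $AdfsHost default is the lab host and port used in this post and is an assumption to replace with your own ADFS service name.

```powershell
# Added verification script (not part of the original post). Run in the Exchange
# Management Shell after the Set-OrganizationConfig / Set-*VirtualDirectory commands.
# Assumption: $AdfsHost is the host (and port) part of the AdfsIssuer URL.
param(
    [string]$AdfsHost = "w12e13.hazelnest.com:8085"   # lab value from this post, change it
)

$errors = 0

# 1. Which certificate(s) is AD FS signing tokens with right now? The metadata lists
#    them under KeyDescriptor use="signing"; during a certificate change there can be
#    two, and Exchange must trust both or some users get rejected tokens.
$metadataUrl = "https://$AdfsHost/FederationMetadata/2007-06/FederationMetadata.xml"
[xml]$metadata = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content

$ns = New-Object System.Xml.XmlNamespaceManager($metadata.NameTable)
$ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
$ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")

$published = @($metadata.SelectNodes("//md:KeyDescriptor[@use='signing']//ds:X509Certificate", $ns) |
    ForEach-Object {
        $der  = [Convert]::FromBase64String($_.InnerText.Trim())
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
        $cert.Thumbprint
    } | Sort-Object -Unique)

# 2. Which thumbprint(s) has Exchange been told to trust, and does the issuer match?
$org     = Get-OrganizationConfig
$trusted = @($org.AdfsSignCertificateThumbprints | ForEach-Object { $_.ToUpperInvariant() })

foreach ($tp in $published) {
    if ($trusted -contains $tp) {
        Write-Host "OK   AD FS signing certificate $tp is trusted by Exchange"
    } else {
        Write-Warning "AD FS signs tokens with $tp but Exchange does not trust it; add it with Set-OrganizationConfig -AdfsSignCertificateThumbprints"
        $errors++
    }
}
foreach ($tp in $trusted) {
    if ($published -notcontains $tp) {
        Write-Warning "Exchange trusts $tp but AD FS no longer publishes it (stale entry from an earlier certificate?)"
    }
}
if ("$($org.AdfsIssuer)" -notlike "https://$AdfsHost/adfs/ls*") {
    Write-Warning "AdfsIssuer is '$($org.AdfsIssuer)', expected https://$AdfsHost/adfs/ls/"
    $errors++
}

# 3. Every OWA and ECP virtual directory must have AD FS on and everything else off.
#    A CAS that was missed, or where the Set-*VirtualDirectory call failed, would
#    still serve the forms logon page and let users around AD FS entirely.
$vdirs = @(Get-OwaVirtualDirectory) + @(Get-EcpVirtualDirectory)
foreach ($v in $vdirs) {
    $problems = @()
    if (-not $v.AdfsAuthentication) { $problems += "AdfsAuthentication is off" }
    foreach ($m in 'BasicAuthentication','DigestAuthentication','FormsAuthentication','WindowsAuthentication') {
        if ($v.$m) { $problems += "$m is still on" }
    }
    if ($problems) {
        Write-Warning "$($v.Identity): $($problems -join '; ')"
        $errors++
    } else {
        Write-Host "OK   $($v.Identity) uses AD FS authentication only"
    }
}

if ($errors -eq 0) { Write-Host "Exchange and AD FS configuration look consistent" }
else               { Write-Warning "$errors problem(s) found, see above" }
```

Because automatic certificate rollover was switched off on the ADFS side, the first check is the one to rerun every time the token-signing certificate is renewed; a mismatch there breaks every OWA and ECP logon at once.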

Outcome: https://w12e13.hazelnest.com