As my lab environment grows I am trying to streamline things by using ADFS for all of my authentication. Below are the steps I used to set up Exchange 2013 to use ADFS for authentication.
ADFS: a functioning ADFS system
Exchange 2013: a functioning Exchange system
Certificate: from a publicly trusted CA. This can be the same certificate you use for the Exchange environment, provided it has a SAN for the ADFS environment.
Log on to the ADFS server in the environment.
Install the publicly trusted certificate that you are going to use on the ADFS server. The certificate must contain a Subject Alternative Name (SAN) for the ADFS environment. If you are using the same certificate that was used in the initial ADFS installation there is no need to install it; it should already be on the server.
Once you have confirmed the certificate is installed on the server, set the publicly trusted certificate as the primary certificate for the ADFS services (Service Communication, Token-Signing and Token-Decrypting). The commands below first disable automatic certificate rollover, otherwise ADFS keeps managing its own self-signed token certificates, and then make your certificate primary for Token-Signing and Token-Decrypting. Using PowerShell, run the commands below;
Syntax:
Set-AdfsProperties -AutoCertificateRollover $false
Set-AdfsCertificate -CertificateType Token-Signing -Thumbprint <Cert Thumbprint> -IsPrimary
Set-AdfsCertificate -CertificateType Token-Decrypting -Thumbprint <Cert Thumbprint> -IsPrimary
Example:
Set-AdfsProperties -AutoCertificateRollover $false
Set-AdfsCertificate -CertificateType Token-Signing -Thumbprint D3590BE2E1290F906607373108775C1DB789CB94 -IsPrimary
Set-AdfsCertificate -CertificateType Token-Decrypting -Thumbprint D3590BE2E1290F906607373108775C1DB789CB94 -IsPrimary
Next, you need to create a relying party trust (RP) for the OWA and ECP URLs. On the RP you can add as many claims as you want, but three are required for the RP to work with Exchange: primarysid, groupsid and upn. I have created a script that will save you some time on this step; you can get it here.
Syntax for script:
.\ExchangeRPCreation.ps1 -OWAURL <OWA URL> -ECPURL <ECP URL> -Name <RP Name Prefix>
Example:
.\ExchangeRPCreation.ps1 -OWAURL https://w12e13.hazelnest.com/owa -ECPURL https://w12e13.hazelnest.com/ecp -Name W12E13
Once the RPs are in place you are done with the changes on the ADFS server.
Log on to an Exchange server in the environment and, using the Exchange Management Shell, run the commands below;
Syntax:
$URLs = @("<OWA URL>","<ECP URL>")
Set-OrganizationConfig -AdfsIssuer "<ADFS Issuer URL>" -AdfsAudienceUris $URLs -AdfsSignCertificateThumbprints "<Cert Thumbprint>"
Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false
Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false -OAuthAuthentication $false
Example:
$URLs = @("https://w12e13.hazelnest.com/owa","https://w12e13.hazelnest.com/ecp")
Set-OrganizationConfig -AdfsIssuer "https://w12e13.hazelnest.com:8085/adfs/ls/" -AdfsAudienceUris $URLs -AdfsSignCertificateThumbprints "D3590BE2E1290F906607373108775C1DB789CB94"
Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false
Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false -OAuthAuthentication $false
Once all of those commands run without errors, Exchange is configured to use ADFS for authentication. Exchange will only accept tokens signed by the thumbprints you listed, so if the ADFS token-signing certificate ever changes this setting has to be updated as well.
The final step is to reset IIS on all the Exchange CAS servers; you can use a script I have here.
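After the IIS reset it is worth verifying that the two sides still agree. The script below is an added example, not part of the original post or its linked scripts: run from the Exchange Management Shell, it fetches the signing certificate ADFS currently publishes, compares it with the thumbprints Exchange trusts, warns on an approaching expiry (automatic rollover is now disabled, so renewal is manual), and lists any OWA/ECP virtual directory that still has a non-ADFS authentication method enabled. It assumes the ADFS farm serves federation metadata at the standard /FederationMetadata/2007-06/FederationMetadata.xml path on the same host and port as the configured AdfsIssuer.

```powershell
# Added verification example (not from the original post). Assumes it is run in the
# Exchange Management Shell on Exchange 2013 and that federation metadata is
# published on the same host:port as the AdfsIssuer configured on Exchange.
$org = Get-OrganizationConfig
if (-not $org.AdfsIssuer) { throw "AdfsIssuer is not set; run Set-OrganizationConfig first." }

$issuer      = [uri]$org.AdfsIssuer
$metadataUrl = "{0}://{1}/FederationMetadata/2007-06/FederationMetadata.xml" -f $issuer.Scheme, $issuer.Authority
[xml]$metadata = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content

# Namespace-agnostic XPath: every <KeyDescriptor use="signing"> certificate in the metadata.
$nodes = $metadata.SelectNodes("//*[local-name()='KeyDescriptor' and @use='signing']//*[local-name()='X509Certificate']")
$published = @()
foreach ($node in $nodes) {
    $bytes = [Convert]::FromBase64String($node.InnerText.Trim())
    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
    $published += $cert.Thumbprint
    $daysLeft = ($cert.NotAfter - (Get-Date)).Days
    Write-Host ("ADFS signing cert {0} expires {1} ({2} days left)" -f $cert.Thumbprint, $cert.NotAfter, $daysLeft)
    if ($daysLeft -lt 30) {
        Write-Warning "Signing certificate expires soon; with AutoCertificateRollover disabled it must be renewed by hand."
    }
}
$published = @($published | Select-Object -Unique)

# Exchange validates token signatures only against these thumbprints; any drift
# between the two lists means OWA/ECP sign-in will fail after the next cert change.
$trusted = @($org.AdfsSignCertificateThumbprints | ForEach-Object { $_.ToUpper() })
foreach ($tp in $published) {
    if ($trusted -contains $tp) { Write-Host "OK: Exchange trusts ADFS signing cert $tp" }
    else { Write-Warning "Exchange does not trust ADFS signing cert $tp; update -AdfsSignCertificateThumbprints." }
}
foreach ($tp in $trusted) {
    if ($published -notcontains $tp) { Write-Warning "Exchange trusts $tp but ADFS no longer publishes it (stale entry)." }
}

# Any fallback method left enabled bypasses the ADFS policy, so report it per vdir.
$vdirs = @(Get-OwaVirtualDirectory) + @(Get-EcpVirtualDirectory)
foreach ($v in $vdirs) {
    $fallback = @('BasicAuthentication','DigestAuthentication','FormsAuthentication','WindowsAuthentication') |
        Where-Object { $v.$_ -eq $true }
    if (-not $v.AdfsAuthentication -or $fallback) {
        Write-Warning ("{0}: AdfsAuthentication={1}; fallback methods still enabled: {2}" -f $v.Identity, $v.AdfsAuthentication, ($fallback -join ', '))
    }
}
```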
Outcome… https://w12e13.hazelnest.com