Outlook Web Access

Introduction

Multi-factor authentication (MFA) is an extra layer of security used when logging in to websites or apps, in which individuals are authenticated through more than one factor, for example something that only you know or have access to. Acceptto offers a simple solution for adding MFA to Active Directory Federation Services (AD FS) v3.0 on Windows Server 2012 R2 and v4.0 on Windows Server 2016. With this feature, customers can use AD FS as their Identity Provider (IdP) to log in to their applications and strengthen it with Acceptto MFA for a strong method of authentication. This integration guide illustrates how this authentication can be extended to Microsoft Exchange versions 2013 to 2019; in this case the Exchange Server acts as the Service Provider (SP) that requests user authentication from AD FS.


Pre-Requisites
  1. Set up your AD FS server using the instructions provided in the ADFS integration guide.

  2. One or more instances of Microsoft Exchange Server; note that the Exchange steps will need to be repeated on each instance.

  3. One or more instances of Microsoft AD FS; note that the AD FS steps will need to be repeated on each instance.

  4. Obtain your organization's uniform resource locators (URLs) for Exchange Outlook Web Access (OWA) and the Exchange Control Panel (ECP).

  5. Administrative rights to configure AD FS and Exchange.

  6. Access to the ADFS Signing Certificate.

Configure AD FS as an Identity Provider (IdP) for Exchange
  1. Open a PowerShell session as a user with administrative privileges for AD FS and Exchange.

  2. Set the local variable $OwaUrl to the OWA URL:

    $OwaUrl = 'https://example.com/owa/'

  3. Set the local variable $EcpUrl to the ECP URL:

    $EcpUrl = 'https://example.com/ecp/'

  4. Create an issuance rule to authorize the users:

    $IssuanceAuthRules = '@RuleTemplate = "AllowAllAuthzRule"
    => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit",Value = "true");'

  5. Create custom transformation rules that issue the Active Directory user's SID and UPN from the Windows account name:

    $IssuanceTransformRules = '@RuleName = "ActiveDirectoryUserSID"
    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
    => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"), query = ";objectSID;{0}", param = c.Value);

    @RuleName = "ActiveDirectoryUPN"
    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
    => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);'



  6. Note: if you need different transformation rules, see the Microsoft documentation on supported claims at https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/technical-reference/the-role-of-claims

  7. Create the relying party trust for OWA, using the rules defined above:

    Add-ADFSRelyingPartyTrust -Name 'Outlook Web App' -Enabled $true -WSFedEndpoint $OwaUrl -Identifier $OwaUrl -IssuanceTransformRules $IssuanceTransformRules -IssuanceAuthorizationRules $IssuanceAuthRules

  8. Create the relying party trust for ECP:

    Add-ADFSRelyingPartyTrust -Name 'Exchange Admin Center' -Enabled $true -WSFedEndpoint $EcpUrl -Identifier $EcpUrl -IssuanceTransformRules $IssuanceTransformRules -IssuanceAuthorizationRules $IssuanceAuthRules

  9. Get the thumbprint of the certificate AD FS uses to sign tokens; you will need it to configure Exchange:

    Get-AdfsCertificate -CertificateType "Token-Signing"

  10. Opening the AD FS Management interface should show a configuration similar to:
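The following check script is an added example, not part of the original guide: run it on the AD FS server after step 9 to confirm that both relying party trusts exist with the expected endpoint and identifier, carry issuance rules, and to print the token-signing thumbprint Exchange must trust. It assumes $OwaUrl and $EcpUrl are still set as in steps 2 and 3.

```powershell
# Added example (not part of the original guide). Expected trust name -> URL,
# matching the Add-ADFSRelyingPartyTrust calls above.
$expected = @{
    'Outlook Web App'       = $OwaUrl
    'Exchange Admin Center' = $EcpUrl
}
$problems = @()
foreach ($name in $expected.Keys) {
    $rp = Get-AdfsRelyingPartyTrust -Name $name
    if (-not $rp) { $problems += "Relying party trust '$name' not found"; continue }
    if (-not $rp.Enabled) { $problems += "'$name' is disabled" }
    # WSFedEndpoint is a System.Uri; Identifier is a string array
    if ($rp.WSFedEndpoint.AbsoluteUri -ne $expected[$name]) {
        $problems += "'$name' WS-Fed endpoint is $($rp.WSFedEndpoint), expected $($expected[$name])"
    }
    if ($rp.Identifier -notcontains $expected[$name]) {
        $problems += "'$name' identifiers do not include $($expected[$name])"
    }
    # Without both rule sets no user is authorized or receives the SID/UPN claims
    if (-not $rp.IssuanceAuthorizationRules) { $problems += "'$name' has no issuance authorization rules" }
    if (-not $rp.IssuanceTransformRules)     { $problems += "'$name' has no issuance transform rules" }
}
# The primary token-signing certificate is the one Exchange validates tokens against
$signing = Get-AdfsCertificate -CertificateType 'Token-Signing' | Where-Object IsPrimary
Write-Host "Primary token-signing thumbprint: $($signing.Thumbprint)"
if ($signing.Certificate.NotAfter -lt (Get-Date).AddDays(30)) {
    $problems += "Token-signing certificate expires $($signing.Certificate.NotAfter); Exchange must be updated with the new thumbprint at rollover"
}
if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'Relying party trusts for OWA and ECP look consistent' }
```

When AD FS automatically rolls over its token-signing certificate, the thumbprint configured in Exchange stops matching and AD FS logins to OWA and ECP fail until Set-OrganizationConfig is re-run with the new value.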

Configure Exchange as a Service Provider (SP)
  1. Open the Exchange Management shell.

  2. Populate the variables for the OWA and ECP URLs:

    $OwaUrl = 'https://example.com/owa/'
    $EcpUrl = 'https://example.com/ecp/'

  3. Configure the AD FS trust URL; note that if you changed the default endpoint from 'adfs/ls' you will need to change it here as well:

    $ADFS = 'https://example.com/adfs/ls'

  4. Set the thumbprint of the AD FS token-signing certificate, obtained with Get-AdfsCertificate in the AD FS section of this document:

    $certificate = 'thefingerprint'

  5. Set up the array of URLs that will be subject to AD FS authentication:

    $urls = @($OwaUrl, $EcpUrl)

  6. Apply the configuration to your Exchange organisation:

    Set-OrganizationConfig -AdfsIssuer $ADFS -AdfsAudienceUris $urls -AdfsSignCertificateThumbprint $certificate

  7. Configure the Exchange ECP virtual directories to use AD FS for authentication (Set-EcpVirtualDirectory requires an identity, so the directories are piped in from Get-EcpVirtualDirectory):

    Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false

  8. Configure the Exchange OWA virtual directories to use AD FS for authentication; every other method is disabled so that no login path bypasses AD FS:

    Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false -OAuthAuthentication $false
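The following verification script is an added example, not part of the original guide: run it in the Exchange Management Shell after step 8 to confirm the organization configuration matches the AD FS values and that no OWA or ECP virtual directory still accepts a fallback authentication method that would skip the AD FS (and therefore MFA) flow. It assumes $ADFS, $certificate and $urls are still set as in steps 3 to 5.

```powershell
# Added example (not part of the original guide).
$org = Get-OrganizationConfig
$problems = @()
# Compare as strings: AdfsIssuer and AdfsAudienceUris are Uri-typed properties
if ([string]$org.AdfsIssuer -ne $ADFS) {
    $problems += "AdfsIssuer is '$($org.AdfsIssuer)', expected '$ADFS'"
}
if ($org.AdfsSignCertificateThumbprint -ne $certificate) {
    $problems += 'AdfsSignCertificateThumbprint does not match the AD FS token-signing certificate'
}
$audiences = @($org.AdfsAudienceUris | ForEach-Object { [string]$_ })
foreach ($u in $urls) {
    if ($audiences -notcontains $u) { $problems += "Audience URI $u is missing from the organization config" }
}
# Any of these left enabled on a virtual directory allows a logon that never reaches AD FS
$fallback = 'BasicAuthentication', 'DigestAuthentication', 'FormsAuthentication',
            'WindowsAuthentication', 'OAuthAuthentication'
$vdirs = @(Get-OwaVirtualDirectory) + @(Get-EcpVirtualDirectory)
foreach ($v in $vdirs) {
    if (-not $v.AdfsAuthentication) { $problems += "$($v.Identity): AdfsAuthentication is disabled" }
    foreach ($p in $fallback) {
        # ECP directories have no OAuthAuthentication property, so only test properties that exist
        $prop = $v.PSObject.Properties[$p]
        if ($prop -and $prop.Value) { $problems += "$($v.Identity): $p is still enabled" }
    }
}
if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { Write-Host "All $($vdirs.Count) OWA/ECP virtual directories authenticate only through AD FS" }
```

Re-run the script after adding an Exchange server, since a newly created virtual directory comes up with the default authentication methods rather than the AD FS-only settings above.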


Test the login to Exchange through ADFS

  1. Open a web browser and access https://example.com/owa
  2. Type your user credentials; the Outlook Web Access page should open.
  3. Open a web browser and access https://example.com/ecp
  4. Type your user credentials; the Exchange Control Panel page should open.

Configure AD FS to use Multi-Factor
  1. Open the AD FS management console.
  2. Select

Disclaimer

All company, product and service names used in this document are for identification purposes only. Use of these names, trademarks, and brands does not constitute an endorsement by the Acceptto Corporation.


OWA® is a registered trademark of Microsoft Corporation and/or one or more of its subsidiaries, and may be registered in the United States Patent and Trademark Office and in other countries.