  • On the Client Access Server (CAS), make sure that .NET 4.5 is installed.
  • Share your WS-Federation token signing certificate with the OWA server.

    If the OWA server does not already trust the signing certificate, install the certificate (the public certificate only; the private key stays on PingFederate) as a trusted root authority in the OWA server's machine (Local Computer) certificate store.

  • The certificate’s common name (CN) should be in the format of a fully-qualified domain name (FQDN).

OWA assumes that external claims-based authentication uses Active Directory Federation Services (ADFS). You can substitute PingFederate by defining its WS-Federation endpoint as the AdfsIssuer, as described in the steps below.

For information on configuring federation with Microsoft Azure Active Directory (AD) Connect and PingFederate, see Custom installation of Azure Active Directory Connect.

  1. Sign on to the Exchange CAS (OWA).
  2. Open the Exchange Management Shell.
  3. Define the AdfsAudienceUris values for OWA and ECP with the following command.
    $uris = @("https:///owa/","https:///ecp/")

    These URIs correspond to the realm of the service provider (SP) connection configured in PingFederate and to the relative path that OWA sends as the wtrealm parameter in the authentication request.

    The array holds two entries: one for user access to OWA and one for administrator access to the Exchange Control Panel (ECP).

  4. Configure the organization-wide claims-based authentication settings for the CAS server with the following command.
    Set-OrganizationConfig -AdfsIssuer "https:///idp/prp.wsf" -AdfsAudienceUris $uris -AdfsSignCertificateThumbprint ""

    This command specifies the PingFederate identity provider (IdP) WS-Federation endpoint (/idp/prp.wsf), the URIs from the previous step, and the SHA-1 thumbprint of the certificate that PingFederate uses to sign the token (the certificate you shared with the OWA server).

  5. To set OWA to use ADFS authentication (PingFederate acting as the IdP) and to disable other ECP and OWA authentication methods, run the following commands.
    Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false
    Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false -OAuthAuthentication $false

    The trailing forward slash ("/") in each $uris entry must match the relative path that OWA sets as the return URL (ru parameter) in the authentication request; otherwise the audience URI in the token will not match what OWA expects.
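The whole procedure above as one script, added here as an example and not taken from the original page, from Ping Identity, or from Microsoft's documentation. It is meant to run in the Exchange Management Shell on the CAS. The host names mail.example.com and sso.example.com, the certificate subject CN=sso.example.com, and the $owaHost and $idpHost variables are assumed placeholders. Beyond the steps above it locates the signing certificate in the machine Trusted Root store (checking that it carries no private key and has not expired), re-reads the configuration after the change, and flags any fallback authentication method that is still enabled on either virtual directory.

```powershell
# Added example (not from the original page or from Ping Identity/Microsoft).
# Run in the Exchange Management Shell on the CAS. Host names and the
# certificate subject below are assumed placeholders.

$owaHost = "mail.example.com"               # assumed OWA/CAS FQDN
$idpHost = "sso.example.com"                # assumed PingFederate host
$signingCertSubject = "CN=sso.example.com"  # assumed CN of the shared signing certificate

# 1. Look the signing certificate up in the machine Trusted Root store instead
#    of pasting a thumbprint by hand. .Thumbprint is the SHA-1 hash of the
#    certificate, which is what -AdfsSignCertificateThumbprint expects.
$cert = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -eq $signingCertSubject } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "Signing certificate '$signingCertSubject' is not in Cert:\LocalMachine\Root; import the public certificate first."
}
if ($cert.HasPrivateKey) {
    # Only the public certificate should ever be copied to the OWA server.
    throw "Signing certificate has a private key on this server; re-import the public certificate only."
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Signing certificate expired on $($cert.NotAfter); renew it on PingFederate first."
}

# 2. Audience URIs. The trailing "/" must match the relative path that OWA
#    sends as the return URL (ru parameter).
$uris = @("https://$owaHost/owa/", "https://$owaHost/ecp/")

# 3. Organization-wide claims settings with PingFederate's WS-Federation
#    endpoint (/idp/prp.wsf) as the issuer.
Set-OrganizationConfig -AdfsIssuer "https://$idpHost/idp/prp.wsf" `
    -AdfsAudienceUris $uris `
    -AdfsSignCertificateThumbprint $cert.Thumbprint

# 4. Enable ADFS authentication and disable every fallback method on both
#    virtual directories.
Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false
Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false -OAuthAuthentication $false

# 5. Verify. Any fallback method left enabled lets a client skip PingFederate.
$fallback = @("BasicAuthentication", "DigestAuthentication", "FormsAuthentication",
              "WindowsAuthentication", "OAuthAuthentication")
$problems = @(foreach ($vdir in @(Get-OwaVirtualDirectory) + @(Get-EcpVirtualDirectory)) {
    if (-not $vdir.AdfsAuthentication) { "$($vdir.Identity): AdfsAuthentication is off" }
    foreach ($p in $fallback) {
        # Skip properties a given virtual directory type does not expose.
        if ($vdir.PSObject.Properties[$p] -and $vdir.$p) { "$($vdir.Identity): $p is still enabled" }
    }
})
$org = Get-OrganizationConfig
if ($org.AdfsSignCertificateThumbprint -ne $cert.Thumbprint) {
    $problems += "AdfsSignCertificateThumbprint does not match the trusted signing certificate"
}
if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { Write-Host "OWA/ECP claims-based authentication configured; only ADFS authentication is enabled." }

# 6. Recycle IIS so the virtual-directory changes take effect.
iisreset /noforce
```

Re-running the script is safe: the Set-* cmdlets are idempotent, and the verification step is what you want to repeat after any later change to the virtual directories or to the signing certificate on PingFederate (a rotated certificate changes the thumbprint, so step 3 must be rerun and the new public certificate imported first).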