Learn how to set up Microsoft Exchange 2016 Outlook Web Access (OWA) with PingFederate.
- On the Client Access Server (CAS), make sure that .NET 4.5 is installed.
- Share your WS-Federation token signing certificate with the OWA server.
Note:
If the signing certificate is not already trusted by the OWA server, you must install the certificate as a trusted root authority in the OWA server's machine certificate store.
- The certificate’s common name (CN) should be in the format of a fully-qualified domain name (FQDN).
OWA naturally assumes that external claims-based authentication will use Active Directory Federation Services (ADFS). However, you can substitute PingFederate by defining it as the AdfsIssuer.
For information on configuring federation with Microsoft Azure Active Directory (AD) Connect and PingFederate, see Custom installation of Azure Active Directory Connect.
- Sign on to the Exchange CAS (OWA).
- Open the Exchange PowerShell command window.
- Define the AdfsAudienceUris names for OWA with the following command.
$uris = @("https:///owa/","https:///ecp/")
These variables correspond to the service provider (SP) Connector configured in PingFederate as well as the relative path for the wtrealm variable in the authentication request.
Note:
The array includes URIs for user-based OWA and for administrator access to the Exchange Control Panel.
- Set the organization configuration for the CAS server to use for claims-based authentication with the following command.
Set-OrganizationConfig -AdfsIssuer "https:///idp/prp.wsf" -AdfsAudienceUris $uris -AdfsSignCertificateThumbprint ""
Note:
This command includes the PingFederate identity provider (IdP) WS-Federation endpoint (/idp/prp.wsf), the URIs from the previous step, and the SHA-1 version of the thumbprint used to sign the assertion.
- To set OWA to use ADFS authentication (PingFederate acting as the IdP) and to disable other ECP and OWA authentication methods, run the following commands.
Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false
Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false -OAuthAuthentication $false
Important:
The trailing forward slash (“/”) in the above $uris variable must match the relative path that OWA sets as the ReturnURL (ru parameter) in the authentication request.
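To confirm that the settings above took effect and that no legacy authentication method is still enabled, the following audit function can be run after the procedure. It is an added example, not part of the original page or of Ping Identity's or Microsoft's documentation. The function name `Test-OwaClaimsConfig`, the `example.com` host names and the sample thumbprint are hypothetical, and the trailing-slash check assumes the audience URIs follow the form shown in the `$uris` command.

```powershell
# Added example: audits the claims-based authentication settings described above.
function Test-OwaClaimsConfig {
    param(
        [Parameter(Mandatory)] $OrgConfig,    # output of Get-OrganizationConfig
        [Parameter(Mandatory)] $VirtualDirs,  # output of Get-OwaVirtualDirectory / Get-EcpVirtualDirectory
        $Certificates = @()                   # certificates read from the machine store
    )
    $findings = @()
    if (-not $OrgConfig.AdfsIssuer) { $findings += 'AdfsIssuer is not set' }
    elseif ("$($OrgConfig.AdfsIssuer)" -notmatch '^https://') { $findings += 'AdfsIssuer is not an https URL' }

    # Assumption: each audience URI ends in "/" as in the $uris command on this page.
    foreach ($uri in $OrgConfig.AdfsAudienceUris) {
        if ("$uri" -notmatch '/$') { $findings += "Audience URI lacks trailing slash: $uri" }
    }

    # A SHA-1 thumbprint is 40 hex characters; pasted values can carry invisible characters.
    $tp = "$($OrgConfig.AdfsSignCertificateThumbprint)"
    if ($tp -notmatch '^[0-9A-Fa-f]{40}$') {
        $findings += 'AdfsSignCertificateThumbprint is not 40 hex characters'
    } else {
        $cert = $Certificates | Where-Object { $_.Thumbprint -eq $tp } | Select-Object -First 1
        if (-not $cert) { $findings += "Signing certificate $tp not found in the machine store" }
        elseif ($cert.NotAfter -lt (Get-Date)) { $findings += "Signing certificate $tp has expired" }
    }

    # Only AdfsAuthentication should remain enabled on the OWA and ECP virtual directories.
    $legacy = 'BasicAuthentication','DigestAuthentication','FormsAuthentication',
              'WindowsAuthentication','OAuthAuthentication'
    foreach ($vdir in $VirtualDirs) {
        if ($vdir.AdfsAuthentication -ne $true) { $findings += "$($vdir.Identity): AdfsAuthentication is off" }
        foreach ($name in $legacy) {
            if ($vdir.$name -eq $true) { $findings += "$($vdir.Identity): $name is still enabled" }
        }
    }
    $findings
}

# Constructed sample input (hypothetical values) containing two deliberate mistakes.
$org = [pscustomobject]@{
    AdfsIssuer                    = 'https://sso.example.com/idp/prp.wsf'
    AdfsAudienceUris              = @('https://mail.example.com/owa/', 'https://mail.example.com/ecp')
    AdfsSignCertificateThumbprint = 'A1' * 20
}
$vdirs = @([pscustomobject]@{ Identity = 'owa (Default Web Site)'; AdfsAuthentication = $true; FormsAuthentication = $true })
$certs = @([pscustomobject]@{ Thumbprint = 'a1' * 20; NotAfter = (Get-Date).AddYears(1) })
Test-OwaClaimsConfig -OrgConfig $org -VirtualDirs $vdirs -Certificates $certs
```

On the CAS, call it from the Exchange PowerShell window with `-OrgConfig (Get-OrganizationConfig)`, `-VirtualDirs (@(Get-OwaVirtualDirectory) + @(Get-EcpVirtualDirectory))` and `-Certificates (Get-ChildItem Cert:\LocalMachine -Recurse)`. An empty result means none of these checks failed.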