Setting up Microsoft Exchange 2016 Outlook Web Access (OWA) with PingFederate
Learn how to set up Microsoft Exchange 2016 Outlook Web Access (OWA) with PingFederate.
Before you begin
- On the Client Access Server (CAS), make sure that .NET 4.5 is installed.
- Share your WS-Federation token signing certificate with the OWA server.
  If the signing certificate is not already trusted by the OWA server, you must install the certificate as a trusted root authority in the OWA server's machine certificate store.
- The certificate's common name (CN) should be in the format of a fully-qualified domain name (FQDN).
About this task
OWA assumes that external claims-based authentication uses Active Directory Federation Services (ADFS); however, you can substitute PingFederate by defining it as the AdfsIssuer.
For information on configuring federation with Microsoft Azure Active Directory (AD) Connect and PingFederate, see Custom installation of Azure Active Directory Connect (.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-custom/).
Steps
- Sign on to the Exchange CAS (OWA).
- Open the Exchange PowerShell command window.
- Set the AdfsAudienceUris names for OWA with the following command.
  $uris = @("https:///owa/","https:///ecp/")
  These values correspond to the service provider (SP) Connector configured in PingFederate as well as the relative path for the wtrealm variable in the authentication request. The array holds two URIs: one for user-based OWA and one for administrator access to the Exchange Control Panel (ECP).
- Set the organization configuration for the CAS server to use for claims-based authentication with the following command.
  Set-OrganizationConfig -AdfsIssuer "https:///idp/prp.wsf" -AdfsAudienceUris $uris -AdfsSignCertificateThumbprint ""
  This command includes the PingFederate identity provider (IdP) WS-Federation endpoint (/idp/prp.wsf), the URIs from the previous step, and the SHA-1 thumbprint of the certificate used to sign the assertion.
- To set OWA to use ADFS authentication (PingFederate acting as the IdP) and to disable all other ECP and OWA authentication methods, run the following commands.
  Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false
  Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false -OAuthAuthentication $false
The trailing forward slash ("/") in the $uris variable above must match the relative path that OWA sets as the ReturnURL (ru parameter) in the authentication request.
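The steps above carried out as one script, followed by the checks a practitioner would want before trusting the result (signing certificate present and unexpired in the Trusted Root store, audience URIs ending in "/", and no non-claims method left enabled on any OWA virtual directory). This is an added example, not code from the Ping Identity page or from Exchange; the hostname, PingFederate base URL and thumbprint are constructed placeholders.

```powershell
# Added example, not from the Ping Identity page: applies the OWA/ECP claims-based
# configuration from the steps above, then verifies it. The hostname, PingFederate
# base URL and thumbprint below are constructed placeholders; replace them.
$owaHost   = "owa.example.com"                          # placeholder
$pfBaseUrl = "https://pingfederate.example.com:9031"    # placeholder
$thumb     = "0000000000000000000000000000000000000000" # placeholder SHA-1 thumbprint

# Audience URIs keep their trailing slash so they match the ReturnURL (ru) OWA sends.
$uris = @("https://$owaHost/owa/", "https://$owaHost/ecp/")
foreach ($u in $uris) {
    if (-not $u.EndsWith("/")) { throw "Audience URI '$u' is missing its trailing slash" }
}

# Normalize the thumbprint (no spaces or colons) and confirm the PingFederate signing
# certificate is already in the machine's Trusted Root store and has not expired.
$thumb = ($thumb -replace "[^0-9A-Fa-f]", "").ToUpper()
if ($thumb.Length -ne 40) { throw "Thumbprint must be 40 hex characters (SHA-1)" }
$cert = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $thumb }
if (-not $cert) { throw "Certificate $thumb is not in LocalMachine\Root; install it first" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $thumb expired on $($cert.NotAfter)" }

# Point Exchange at PingFederate's WS-Federation endpoint in place of AD FS.
Set-OrganizationConfig -AdfsIssuer "$pfBaseUrl/idp/prp.wsf" `
    -AdfsAudienceUris $uris -AdfsSignCertificateThumbprint $thumb

# Enable claims (ADFS) authentication on ECP and OWA and disable every other method.
Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -AdfsAuthentication $true `
    -BasicAuthentication $false -DigestAuthentication $false `
    -FormsAuthentication $false -WindowsAuthentication $false
Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -AdfsAuthentication $true `
    -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false `
    -WindowsAuthentication $false -OAuthAuthentication $false

# Verify: the org config should echo the values back, and no OWA virtual directory may
# still accept a non-claims method (a leftover Forms/Basic/Windows path bypasses PingFederate).
Get-OrganizationConfig |
    Select-Object AdfsIssuer, AdfsAudienceUris, AdfsSignCertificateThumbprint | Format-List
$others = "BasicAuthentication", "DigestAuthentication", "FormsAuthentication",
          "WindowsAuthentication", "OAuthAuthentication"
foreach ($vdir in Get-OwaVirtualDirectory) {
    $leftover = $others | Where-Object { $vdir.$_ -eq $true }
    if (-not $vdir.AdfsAuthentication -or $leftover) {
        Write-Warning "$($vdir.Identity): Adfs=$($vdir.AdfsAuthentication); still enabled: $($leftover -join ', ')"
    } else {
        Write-Output "$($vdir.Identity): claims-based authentication only"
    }
}
```

Run it from the Exchange Management Shell on the CAS, since the Set-*/Get-* Exchange cmdlets are only available there.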