Presenting Exchange 2019 With WAP and ADFS

KB ID 0001546

Problem

I’ve used WAP (Web Application Proxy) to present Remote Desktop Services before, but never for Microsoft Exchange. It came up as a possible requirement for a client this week, so I thought I’d work it out on the bench. Here’s the topology;

Exchange: Exchange 2019 Standard

Server OS: Server 2019 Datacenter

Solution – Step 1 Deploy ADFS

If you are going to use ‘self signed’ certificates then, before you deploy ADFS (Active Directory Federation Services), you will want to Deploy Certificate Services. Here I’m going to use a self signed wildcard certificate. In production, however, I would suggest you use a wildcard certificate signed by a public CA. (Click the Certificate link above).

To deploy ADFS simply follow the steps in this article;

Deploy Active Directory Federation Services

Solution – Step 2 Configure ADFS for OWA and ECP

There are a few ‘Web’ services that Exchange provides; Outlook Web App and Exchange Control Panel (Exchange Administration Centre) are ‘tied’ together and need to be presented in the same way, so we will cover them first.

IMPORTANT: You need to change OWA and ECP together. BE AWARE that this means your Exchange Administration panel will be secured by ADFS (and ADFS ONLY!), so you may need to change the way you do Exchange administration (or leave one Exchange server without ADFS-secured ECP for internal management).

So you create the ‘trusts’ for OWA and ECP in ADFS, then the WAP server will use those ‘trusts’. CARRY OUT THE FOLLOWING PROCEDURE TWICE: once for OWA, and once for ECP.

Open the ADFS management console > Relying Party Trusts > Add Relying Party Trust > (With ‘claims aware’ selected) > Next.

Enter data about the relying party manually > Next.

Give the trust a name e.g. ‘Outlook Web App’ > Next.

Next

Enter the URL for OWA (with a trailing slash) e.g. https://mail.domainname.com/owa/

Permit everyone > Next.

Next

Close.

NOW REPEAT THE ABOVE PROCEDURE FOR ECP (https://mail.domain.com/ecp/)

ADFS Create “Claims Issuance Policies”

Why are you doing this? This lets you connect to the WAP server and enter your username and password ONCE. To supply your username and password only once, you need two things: 1) Claims Issuance Policies, which can query AD and collect your UPN and check your password, and 2) Exchange set to allow ADFS authentication (instead of the usual basic and ‘forms based’ authentication it uses for OWA and ECP out of the box).

AGAIN CARRY THIS PROCEDURE OUT TWICE, ONCE FOR OWA AND ONCE FOR ECP

From ADFS Management > Relying Party Trusts > Select your OWA Trust > Edit Claim Issuance Policy > Add Rule.

Select ‘Send claims using a custom rule’ > Next.

Claim Rule Name: AD-User

Custom Rule:

[box]

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"), query = ";objectSID;{0}", param = c.Value);

[/box]

Click ‘Finish’.

Add a second rule > Again choose ‘Send Claims Using a Custom Rule’ > Next.

Claim Rule Name: AD-UPN

Custom Rule:

[box]

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);

[/box]

Click ‘Finish’.

You should end up with something like this;

NOW REPEAT THIS PROCEDURE FOR THE ECP

Solution – Step 3 Deploy and Configure WAP

Firewall Requirements

  • The WAP server either needs a static public IP address that is registered in public DNS for the URLs you will be pointing at it, or HTTPS port forwarding from the firewall’s outside IP address to the internal IP of the WAP server (if you don’t have spare public IP addresses).
  • WAP Server requires TCP Port 443 (HTTPS) open TO it from the outside world.
  • WAP Server requires TCP Port 443 (HTTPS) open FROM it to BOTH the exchange server and the ADFS Server.

Installing Web Application Proxy

To be honest, this is pretty simple; the server itself does not have to be a domain member (which is good for a DMZ server!) For production I’d disable the local administrator account and harden the server somewhat as well. Make sure you have a copy of your wildcard certificate on this server too.

Server Manager > Manage > Add Roles and Features > Next > Next > Next > ‘Remote Access’ > Next > Next > Next > “Web Application Proxy” > Next > Install

Or use the following PowerShell;

[box]

Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools

[/box]

Launch the post deployment configuration wizard > Next.

Enter the FQDN of your ADFS Server, and administrative credentials > Next > Select Your Wildcard Certificate > Next.

Configure > Close.

All being well the Remote Access management console should open and should show ‘All Green’ on the Operational Status.

Configure Web Application Proxy for OWA and ECP

Navigate to > Configuration > Web Application Proxy > Publish > Next.

Select Active Directory Federation Services > Next > Select ‘Web and MSOFBA’ > Next.

Select the ‘Relying Trust’ object that WAP can see for Outlook Web app > Next > Give the Published Rule a Name > Set the Public URL > Select the wildcard certificate > Set the Backend URL > Next.

Publish > Close.

REPEAT TO PUBLISH ECP

When you have finished it should look something like this;
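The firewall check, the post-deployment wizard and the two publishing runs above can also be done from PowerShell on the WAP server. This is an added example, not the article’s own code; all host names and the certificate thumbprint are placeholders, and it uses plain ADFS pre-authentication (the ‘Web and MSOFBA’ choice is made in the GUI wizard above).

```powershell
# Added example, not the article's own code. Run on the WAP server after the
# Web-Application-Proxy feature is installed. All names/thumbprints are placeholders.
$adfsFqdn      = 'adfs.domainname.com'
$exchangeFqdn  = 'mail.domainname.com'
$wildcardThumb = '{Thumbprint-of-wildcard-cert}'   # from Get-ChildItem Cert:\LocalMachine\My

# Firewall requirements from above: WAP must reach BOTH ADFS and Exchange on TCP 443.
foreach ($h in $adfsFqdn, $exchangeFqdn) {
    $r = Test-NetConnection -ComputerName $h -Port 443
    if (-not $r.TcpTestSucceeded) { throw "TCP 443 to $h is blocked; fix the firewall first" }
}

# Post-deployment wizard equivalent: trust the ADFS farm, presenting the wildcard certificate.
$cred = Get-Credential -Message 'ADFS administrative credentials'
Install-WebApplicationProxy -FederationServiceName $adfsFqdn `
    -FederationServiceTrustCredential $cred -CertificateThumbprint $wildcardThumb

# Publish OWA and ECP with ADFS pre-authentication, each tied to its relying party trust.
$apps = @(
    @{ Name = 'Outlook Web App';        Path = '/owa/'; Trust = 'Outlook Web App' }
    @{ Name = 'Exchange Control Panel'; Path = '/ecp/'; Trust = 'Exchange Control Panel' }
)
foreach ($a in $apps) {
    Add-WebApplicationProxyApplication -Name $a.Name `
        -ExternalPreauthentication ADFS -ADFSRelyingPartyName $a.Trust `
        -ExternalUrl ("https://$exchangeFqdn" + $a.Path) `
        -BackendServerUrl ("https://$exchangeFqdn" + $a.Path) `
        -ExternalCertificateThumbprint $wildcardThumb
}

# Check what was published.
Get-WebApplicationProxyApplication |
    Format-List Name, ExternalUrl, BackendServerUrl, ExternalPreauthentication, ADFSRelyingPartyName
```

Note that nothing here is published with PassThrough pre-authentication: every request for /owa/ and /ecp/ has to carry a valid ADFS token before WAP forwards it to Exchange, which is the whole point of the exercise.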


Solution – Step 4 Configure Exchange for ADFS Authentication

Your Exchange server needs a copy of the ADFS signing certificate. This is a ‘self signed’ certificate created on the ADFS server itself; you can find it here;

By default this certificate only lasts a year, and will need to be manually imported onto Exchange. You can change the certificate duration by using the following PowerShell and changing the Day value (in this example to three years).

Exporting the ADFS Signing Certificate

With the certificate selected, navigate to the ‘Details‘ tab > Copy to File > Follow the instructions, (accept the defaults).
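The lifetime change and the export can both be done without the certificate MMC. This is an added example, not the article’s own code; it runs on the ADFS server, assumes the default token-signing certificate is in use, and the export path is a placeholder.

```powershell
# Added example, not the article's own code. Run on the ADFS server.
# Assumes the default token-signing certificate and a placeholder export path.
$exportPath = 'C:\Temp\adfs-token-signing.cer'

# Lifetime (in days) of the self signed signing certificate. Default 365; this sets three years.
# Only certificates generated AFTER this change get the new lifetime.
Set-AdfsProperties -CertificateDuration 1095
Get-AdfsProperties | Format-List CertificateDuration, AutoCertificateRollover

# Export the PRIMARY token-signing certificate: public part only, no private key leaves ADFS.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$bytes   = $signing.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($exportPath, $bytes)

"Exported $($signing.Certificate.Subject)  thumbprint $($signing.Thumbprint)  expires $($signing.Certificate.NotAfter)"
```

With AutoCertificateRollover left at its default of True, ADFS generates and then promotes a new signing certificate before the current one expires. Exchange only trusts the thumbprint it was given, so every rollover means re-exporting the new certificate and re-running the Exchange configuration below, otherwise ADFS logons to OWA and ECP stop working.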

Importing the ADFS Signing Certificate Into Exchange

Physically copy the exported certificate to the Exchange server, and double click it > Install Certificate > Local Machine > Next > Place Into the Following Store > Trusted Root Certification Authorities > Next > Finish.

Now the certificate has been imported you need to get its thumbprint. Open an Exchange Management Shell and issue the following command, then locate the ADFS certificate and copy its thumbprint to the clipboard. (The certificate was imported into the Trusted Root store above, so that is the store to list.)

[box]

Set-Location Cert:\LocalMachine\Root; Get-ChildItem | Format-List FriendlyName,Subject,Thumbprint

[/box]

Set that certificate as the ADFS certificate for your mail organisation with the following command;

[box]

Set-OrganizationConfig -AdfsIssuer https://{ADFS-FQDN}/adfs/ls/ -AdfsAudienceUris "{OWA-URL}","{ECP-URL}" -AdfsSignCertificateThumbprint "{Thumbprint}"

[/box]

Finally you need to set the OWA and ECP virtual directories to accept ADFS authentication, then restart the IIS services, to make the changes take effect.

[box]

Set-EcpVirtualDirectory -Identity "EX-SERVER\ecp (Default Web Site)" -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false

Set-OwaVirtualDirectory -Identity "EX-SERVER\owa (Default Web Site)" -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false

net stop was /y

net start w3svc

[/box]
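Putting the whole of Step 4 together, with the thumbprint looked up by subject rather than pasted, and a check of what Exchange actually ended up with. This is an added example, not the article’s own code; the ADFS and Exchange server names are placeholders and it assumes the default ADFS signing certificate subject (“CN=ADFS Signing - <ADFS FQDN>”).

```powershell
# Added example, not the article's own code. Run in the Exchange Management Shell
# on the Exchange server AFTER the exported ADFS signing certificate has been imported
# into Trusted Root Certification Authorities. Names are placeholders.
$adfsFqdn = 'adfs.domainname.com'
$server   = 'EX-SERVER'
$owaUrl   = 'https://mail.domainname.com/owa/'   # must match the ADFS relying party identifiers exactly
$ecpUrl   = 'https://mail.domainname.com/ecp/'

# Find the imported signing certificate by subject; ADFS's default subject is
# "CN=ADFS Signing - <ADFS FQDN>" (assumption: the default certificate is in use).
$signing = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "CN=ADFS Signing - $adfsFqdn*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $signing) { throw "ADFS signing certificate for $adfsFqdn not found in LocalMachine\Root" }
if ($signing.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Signing certificate expires $($signing.NotAfter); plan the rollover now"
}

Set-OrganizationConfig -AdfsIssuer "https://$adfsFqdn/adfs/ls/" `
    -AdfsAudienceUris $owaUrl, $ecpUrl -AdfsSignCertificateThumbprint $signing.Thumbprint

# ADFS must be the ONLY authentication method on both virtual directories;
# splat the same set of switches to each so they cannot drift apart.
$auth = @{
    AdfsAuthentication    = $true
    BasicAuthentication   = $false
    DigestAuthentication  = $false
    FormsAuthentication   = $false
    WindowsAuthentication = $false
}
Set-EcpVirtualDirectory -Identity "$server\ecp (Default Web Site)" @auth
Set-OwaVirtualDirectory -Identity "$server\owa (Default Web Site)" @auth

net stop was /y
net start w3svc

# Verify what Exchange now holds.
Get-OrganizationConfig | Format-List AdfsIssuer, AdfsAudienceUris, AdfsSignCertificateThumbprint
Get-OwaVirtualDirectory -Server $server |
    Format-List Identity, AdfsAuthentication, FormsAuthentication, BasicAuthentication, WindowsAuthentication
Get-EcpVirtualDirectory -Server $server |
    Format-List Identity, AdfsAuthentication, FormsAuthentication, BasicAuthentication, WindowsAuthentication
```

If AdfsAudienceUris and the ADFS relying party identifiers differ even by a trailing slash, ADFS will issue a token that Exchange rejects, so the verification output is worth comparing against the trusts on the ADFS server.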


In PART TWO we will publish Outlook Anywhere, Active Sync, EWS, OAB, MAPI and Autodiscover.

Related Articles, References, Credits, or External Links

NA

OWA 2016 – Change Login From Domain\Username to Username

KB ID 0001254 

Problem

Out of the box, if you want to log into Outlook Web App, you need to use the Domain\Username format, like so;

Seeing as how Microsoft are making a big song and dance about using UPNs to log into Office 365, I thought they might have changed from the NT4 way of doing things, but hey what do I know?

As we all know users are stupid, Domain\Username is up there with string theory and quantum mechanics. So how do you change the format to simply Username?

Solution

Log into the Exchange Admin Center > Servers > Virtual Directories > Locate OWA > Edit.

Authentication Tab > Use Forms Based Authentication > User name only > Browse > Select your domain > OK > OK.

Now on the server that’s hosting the OWA Website you need to Restart IIS.

[box]iisreset /noforce[/box]

Now your users can authenticate with just their username.
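The same change from the Exchange Management Shell, with a check afterwards. This is an added example, not the article’s own code; the server name and the default domain are placeholders.

```powershell
# Added example, not the article's own code. Run in the Exchange Management Shell.
# Server and domain names are placeholders.
$server = 'EX-SERVER'
$domain = 'domainname.com'   # the domain chosen with Browse in the EAC

# LogonFormat only means anything with forms based authentication on; refuse to continue otherwise.
$vdir = Get-OwaVirtualDirectory -Server $server
if (-not $vdir.FormsAuthentication) { throw 'Forms based authentication is off on this OWA virtual directory' }

# "User name only" == LogonFormat UserName; the domain is implied by DefaultDomain.
Set-OwaVirtualDirectory -Identity $vdir.Identity -LogonFormat UserName -DefaultDomain $domain

iisreset /noforce

Get-OwaVirtualDirectory -Server $server | Format-List Identity, FormsAuthentication, LogonFormat, DefaultDomain
```

With LogonFormat set to UserName, only accounts in the DefaultDomain can log on with a bare username; users in any other domain in the forest still have to type Domain\Username.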

Exchange Admin Center Logon Note

This will also change the login method for the Exchange Admin Center website (ECP), because by default it has this set in its properties;

Related Articles, References, Credits, or External Links

Outlook Web App 2013 – Offline Mode

KB ID 0000727

Problem

A great new feature of OWA 2013 is the ability to run in ‘Offline mode’. This runs in the same manner as Microsoft Outlook’s ‘Cached Mode’ which has been built into full Outlook since version 2003.

There are a few caveats before you can get it to work;

Requirements for OWA Offline Mode

1. A compatible browser (Internet Explorer 10, Chrome 18, or Safari 5.1).
2. You have to be connecting to OWA being hosted on an Exchange 2013 CAS server.
3. Your mailbox needs to be hosted on an Exchange 2013 Mailbox server.

Capabilities of OWA Offline Mode

1. While you are in offline mode, you can open OWA, read and reply to emails, send new emails, respond to meeting requests, view your calendar, view and edit your contacts.

Note: Obviously all sent and updated data will not be sent to recipients, or changes reflected in Exchange until you are no longer in offline mode.

2. The system will only cache data for the past month and calendar entries for the next twelve months.

3. Contact information for recently used recipients will also be cached.

Disadvantages of OWA Offline Mode

1. A prolonged period in cached mode can cause scheduled events in your calendar to stop working. (It’s only designed for users to be sporadically disconnected).

2. You cannot access Archived folders.

3. With the exception of the Inbox, Sent Items, Calendar, and Drafts items folder, only folders you have accessed will be cached.

Solution

1. Whilst online and connected to OWA > Settings > Use mail offline.

2. For security reasons you will be asked if you are on a public computer > Prompted to add the URL to favorites (or bookmarks depending on the browser).

Note: DO NOT use this feature on a shared or public computer, the cache is accessible from other user accounts on the machine.

3. In this example I’m using IE10 > Just for ease I’m enabling the Favorites bar to see the shortcut.

4. Depending on the size of the mailbox and the speed of the connection, it may take a while to synchronise. Whilst offline, OWA will display the time it last connected to Exchange, and if you send any mail while working offline it will keep track of what is pending for the next time you are online.

Internet Explorer 10 Caches and Databases

The whole system works because the supported browsers have the ability to cache information locally, to see where that’s being set in IE10, Internet Options > General > Browsing Data > Settings > Caches and Databases.

Related Articles, References, Credits, or External Links

NA

To use Outlook Web App, Browser Settings Must Allow Scripts To Run

KB ID 0000862 

Problem

Seen (usually on a server) when trying to connect to either Outlook Web App, or The Exchange Admin Center.

To use Microsoft Outlook Web App, browser settings must allow scripts to run. For information about how to allow scripts, consult the Help for your browser. If your browser doesn’t support scripts, you can download Microsoft Internet Explorer for access to Outlook Web App.

Solution

You have two options, the first is more sensible (and more secure) so that would be my preference.

Option 1

1. From Internet Explorer Options > Security > Trusted Sites > Add the URL of OWA or ECP > Close > Apply > OK.

Option 2

1. From Internet Explorer Options > Security > Internet > Custom Level > Allow Scriptlets > Enable > OK > Apply > OK.


Related Articles, References, Credits, or External Links

NA

Exchange 2010 – Blank OWA Page?

KB ID 0000429

Problem

When trying to access Outlook Web App (or Outlook Web Access for those used to earlier versions of Exchange), you see a blank white page and nothing else.

The certificate and IIS work, but no OWA.

Solution

This is usually due to an Exchange prerequisite that is missing, or one of them not working.

1. Launch the Exchange Management Shell, (Start > All Programs > Microsoft Exchange Server 2010 > Exchange Management Shell).

2. Issue the following command.

[box]Import-Module ServerManager[/box]

3. Issue the following command.

[box]Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server,Web-ISAPI-Ext,Web-Digest-Auth,Web-Dyn-Compression,NET-HTTP-Activation,RPC-Over-HTTP-Proxy -Restart[/box]

4. Issue the following command.

[box]Set-Service NetTcpPortSharing -StartupType Automatic[/box]

5. Retry OWA.
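Before running step 3 with -Restart on a production CAS, it is worth seeing which of those features are actually missing. This is an added example, not the article’s own code; it uses the same feature list as step 3 and only installs (and reboots for) what is absent.

```powershell
# Added example, not the article's own code. Run in the Exchange Management Shell
# (or any elevated PowerShell) on the Exchange 2010 CAS server.
Import-Module ServerManager

# The prerequisite list from step 3, unchanged.
$required = 'NET-Framework','RSAT-ADDS','Web-Server','Web-Basic-Auth','Web-Windows-Auth',
            'Web-Metabase','Web-Net-Ext','Web-Lgcy-Mgmt-Console','WAS-Process-Model',
            'RSAT-Web-Server','Web-ISAPI-Ext','Web-Digest-Auth','Web-Dyn-Compression',
            'NET-HTTP-Activation','RPC-Over-HTTP-Proxy'

# Only the features that are not installed yet.
$missing = Get-WindowsFeature -Name $required | Where-Object { -not $_.Installed }

if ($missing) {
    $names = $missing | Select-Object -ExpandProperty Name
    "Missing: " + ($names -join ', ')
    Add-WindowsFeature -Name $names -Restart
} else {
    'All prerequisite features are already installed; look elsewhere for the blank page.'
}

# Step 4 equivalent: make sure the Net.Tcp Port Sharing service starts automatically.
$svc = Get-WmiObject Win32_Service -Filter "Name='NetTcpPortSharing'"
if ($svc.StartMode -ne 'Auto') {
    Set-Service NetTcpPortSharing -StartupType Automatic
    "NetTcpPortSharing startup type changed from $($svc.StartMode) to Automatic"
}
```

If nothing is reported missing and the service is already automatic, the blank page has a different cause and reinstalling the features will not fix it.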


Related Articles, References, Credits, or External Links

Exchange – OWA and ECP Websites Blank After Logon

Exchange 2010 – Working with Certificates

KB ID 0000453

Problem

Exchange 2010 installs with its own (self signed) certificate. To stay free of security errors and warnings, the best bet is to purchase a “publicly signed” digital certificate and use that.

The following process uses the Exchange Management Console to create a CSR (Certificate Signing Request), then shows what to do with the certificate when it has been sent back to you.

Solution
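The same request, import and enable cycle can be run from the Exchange 2010 Management Shell instead of the console. This is an added example, not the article’s own steps; the host names, organisation details and file paths are placeholders.

```powershell
# Added example, not the article's own steps. Run in the Exchange 2010 Management Shell.
# Host names, subject details and paths are placeholders.
$names = 'mail.domainname.com','autodiscover.domainname.com'

# 1. Generate the CSR. The cmdlet returns the Base64 PKCS#10 request text; save it and
#    send THAT to the public CA. The private key is created here and never leaves the server.
$csr = New-ExchangeCertificate -GenerateRequest -FriendlyName 'Exchange 2010 Public Certificate' `
        -SubjectName "CN=$($names[0]), O=Domain Name Ltd, C=GB" `
        -DomainName $names -PrivateKeyExportable $true -KeySize 2048
Set-Content -Path 'C:\Certs\exchange.req' -Value $csr

# 2. When the CA returns the signed certificate, import it. Because the request was
#    generated on this server, the certificate is matched to its private key automatically.
$cert = Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path 'C:\Certs\exchange.cer' -Encoding Byte -ReadCount 0))

# 3. Bind it to the services that present it, replacing the self signed one for IIS (OWA/ECP/EWS) and SMTP.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS,SMTP

# 4. Check what is now bound and when it expires.
Get-ExchangeCertificate | Format-List Thumbprint, Subject, CertificateDomains, Services, NotAfter
```

Every name clients will use (the OWA host and autodiscover at least) has to be in -DomainName, otherwise the public certificate produces the same name-mismatch warnings the self signed one did.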


Related Articles, References, Credits, or External Links

NA

Exchange – Redirect OWA (HTTP to HTTPS)

KB ID 0000697 

Problem

Out of the box, Exchange (quite rightly) secures Outlook Web Access so that you have to access it via https. The problem is some of your users are used to accessing websites via http, (or simply typing a URL in their browser, without typing any prefix, so it defaults to http).

If you try and access OWA via http://server.domain.com/owa..

There are a number of ways to get round this, the simplest is to redirect that error message (above) back to the correct OWA URL.

WARNING: DO NOT do this on a Microsoft SBS Server. (For SBS you need to create the custom error messages on the OWA Virtual Directory (directly)). This procedure assumes you have a stand-alone Exchange CAS server with no other web services or virtual directories being served from its IIS.

Solution

1. Open IIS Manager and drill down to the Default Web Site > Error Pages.

2. Add > Status code = 403.4 > Select “Respond with a 302 redirect” > Type in the correct (https) URL for your OWA site > OK.

3. Then restart the website (or reboot the server).

Note: DON’T attempt to test this on the Exchange server itself! That will always show the original error; you need to test it from a client machine.
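The same 403.4 custom error can be set with appcmd rather than IIS Manager, and checked from a client without a browser. This is an added example, not the article’s own steps; the OWA URL is a placeholder and it assumes the Default Web Site layout the warning above describes.

```powershell
# Added example, not the article's own steps. Server part runs on the CAS server;
# the Test-OwaRedirect function is meant to be run from a CLIENT machine.
$owaUrl = 'https://mail.domainname.com/owa'
$site   = 'Default Web Site'
$appcmd = "$env:windir\System32\inetsrv\appcmd.exe"

# 403.4 is "SSL required"; it only fires if the site demands SSL, so show that setting first.
& $appcmd list config $site '-section:system.webServer/security/access'

# Add the custom error: status 403, sub-status 4, answer with a 302 to the https URL.
$entry = "/+[statusCode='403',subStatusCode='4',path='$owaUrl',responseMode='Redirect']"
& $appcmd set config $site '-section:system.webServer/httpErrors' $entry

# Step 3: restart the website.
Import-Module WebAdministration
Stop-Website -Name $site
Start-Website -Name $site

# Client-side check (run from a client, not the Exchange server, per the note above).
# Redirects are NOT followed so the status code and Location header can be inspected.
function Test-OwaRedirect([string]$httpUrl) {
    $req = [System.Net.WebRequest]::Create($httpUrl)
    $req.AllowAutoRedirect = $false
    $resp = $req.GetResponse()
    $result = "$([int]$resp.StatusCode) -> $($resp.Headers['Location'])"
    $resp.Close()
    return $result
}
# Test-OwaRedirect 'http://mail.domainname.com/owa'
```

A working configuration answers the plain http request with a 302 whose Location is the https OWA address; anything else (a 403 page, or a Location that is still http) means the error page was added to the wrong site or the site is not requiring SSL.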

Related Articles, References, Credits, or External Links

NA