Wednesday, February 1, 2012

OWA SP2 and ADFS

I was recently tasked to configure OWA SP2 with ADFS 2.0, and a quick scouring of the good old web quickly made me realize that I was pretty much on my own. There is a very nice article by Ken at http://www.theidentityguy.com/articles/2010/10/15/access-owa-with-adfs.html which works beautifully with Exchange 2010 RTM and Exchange 2007, but FedUtil complains when it is tried on the SP2 OWA web.config file. The TechNet article at http://technet.microsoft.com/en-us/library/bb691348.aspx also covers less than half of the story. After exhausting all other options I got in touch with Microsoft support and, after working with them for a couple of weeks, got some pointers and was finally able to complete this configuration, and thought to share this with the community.

Disclaimer: This isn't tested in production, nor is it officially endorsed by Microsoft, but you are welcome to use it at your own risk. Comments and feedback are more than welcome.

Purpose

This procedure provides a step-by-step guide to enabling Single Sign On for OWA 2010 SP2 using ADFS 2.0. It is a side-by-side configuration: a new instance of OWA is federated with ADFS while the default instance continues to support non-federated authentication. Although not tested, it should be possible, with little modification, to apply the procedure directly to the default instance. The procedure is for a CAS on a Windows 2008 R2 server with IIS 7.x.

Prerequisites

  • A new IP address assigned to the machine
  • A domain name mapped to the new IP and a corresponding SSL certificate
  • An installation account with local administrative rights and Exchange admin rights
  • A test account with a mailbox to test the configuration

Step 1: Create New OWA

  • Using the IIS MMC, create a new web site in IIS on the Client Access Server and bind it to the new IP address and the SSL certificate
  • Change the Application Pool Identity to LocalSystem and set Load User Profile to true
  • Launch the Exchange Management Shell and run the cmdlets to create a new OWA and ECP virtual directory. Provide the name of the web site created in the step above for the -WebSiteName parameter
    • New-OWAVirtualDirectory -WebSiteName OWASSO
    • New-ECPVirtualDirectory -WebSiteName OWASSO
Navigate to the OWA website URL. It should prompt you for a username and password, and on providing valid credentials you should be logged in

Step 2: Configure OWA and ECP Security Settings

  • Launch the Exchange Management Console, select Client Access under Server Configuration, pull up the properties of the newly created OWA virtual directory and, on the Authentication tab of the property dialog box, select the Use one or more standard authentication methods option. Make sure that no checkbox is selected under this option
  • Do the same for the corresponding ECP
  • Exchange will warn about missing authentication; ignore this warning and reset IIS using iisreset /noforce
  • From the IIS MMC enable Anonymous authentication for owa. Note that for ecp Anonymous authentication should already be enabled. Reset IIS again.


Step 3: Install WIF and C2WTS

Step 4: Enable OWA and ECP for Federation
  • Create a web.config file in the folder mapped to the root of the web site created in the earlier step. The contents of the web.config can be an empty <configuration> tag
  • Start FedUtil.exe and, on the first screen, provide the location of the web.config created above and in the Application URI field specify the complete URI of the new OWA application created above. Click Next.
  • On the next page select Use an existing STS and type the URL of ADFS in the STS WS-Federation metadata document location. Click Next.
  • Accept the default values on the rest of the screens.
  • Open the web.config file of the new web site and make the following changes
    • Comment out the <httpModules> section
    • Add the runAllManagedModulesForAllRequests="true" attribute to the <modules> tag; the new tag should read
      • <modules runAllManagedModulesForAllRequests="true">
    • Add the following tags right before <audienceUris>
      • <securityTokenHandlers>
          <add type="Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
            <samlSecurityTokenRequirement mapToWindows="true" useWindowsTokenService="true" />
          </add>
        </securityTokenHandlers>
    • Uncomment the following line and change the optional attribute to true
      • <claimType optional="true" type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" />
    • Add a path attribute to <cookieHandler requireSsl="true"/>. The revised node should read
         <cookieHandler requireSsl="true" path="/"/>
      This allows ecp to use the SSO cookie generated for owa.
  • Run FedUtil again on the web.config file. This will update the federation metadata of the new SSO-enabled web site with the additional UPN claim information. Browse the federation metadata at https://<SSO OWA FQDN>/FederationMetadata/2007-06/FederationMetadata.xml, where SSO OWA FQDN is the domain name of the new OWA, and make sure UPN appears as a mandatory claim type.
  • Configure the Claims to Windows Token Service and allow Exchange to use it by uncommenting the following line in the C2WTS configuration file.
    • <add value="NT AUTHORITY\SYSTEM" />
  • Change the startup type of C2WTS to Automatic and also make it dependent on the CryptSvc service as per http://support.microsoft.com/kb/2512597. Restart the service.
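The "UPN appears as a mandatory claim type" check on the federation metadata can be scripted. The following is an added example, not code from the original post: it parses a FederationMetadata.xml document and reports which claims the relying party requests and whether UPN is mandatory. The embedded metadata is a constructed sample shaped like FedUtil output, and owasso.example.com is an assumed host name.

```python
"""Check an OWA relying-party FederationMetadata.xml for the UPN claim.

Added example, not part of the original post. SAMPLE_METADATA is a
constructed document shaped like FedUtil output, trimmed to the parts
this check reads (real metadata also carries a signature and endpoints).
"""
import xml.etree.ElementTree as ET

NS = {
    "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
    "auth": "http://docs.oasis-open.org/wsfed/authorization/200706",
}
UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"

# Constructed sample; owasso.example.com stands in for the SSO OWA FQDN.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://owasso.example.com/owa/">
  <RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
      xsi:type="fed:ApplicationServiceType">
    <fed:ClaimTypesRequested>
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706"
          Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" Optional="true" />
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706"
          Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" Optional="false" />
    </fed:ClaimTypesRequested>
  </RoleDescriptor>
</EntityDescriptor>
"""

def requested_claims(metadata_xml):
    """Return {claim URI: is_optional} for every ClaimType the RP requests."""
    root = ET.fromstring(metadata_xml)
    claims = {}
    for ct in root.iterfind(".//fed:ClaimTypesRequested/auth:ClaimType", NS):
        # A missing Optional attribute is treated as "required" (the WS-Federation default).
        claims[ct.get("Uri")] = ct.get("Optional", "false").lower() == "true"
    return claims

def upn_is_mandatory(metadata_xml):
    """True only when the UPN claim is requested and not marked optional."""
    claims = requested_claims(metadata_xml)
    return UPN_CLAIM in claims and not claims[UPN_CLAIM]

if __name__ == "__main__":
    for uri, optional in requested_claims(SAMPLE_METADATA).items():
        print(("optional " if optional else "required ") + uri)
    print("UPN mandatory:", upn_is_mandatory(SAMPLE_METADATA))
```

To run it against a live server, download the metadata URL from Step 4 into a string and pass it to upn_is_mandatory in place of SAMPLE_METADATA.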


Step 5: Add OWA as Relying Party in ADFS
This step assumes that ADFS is installed and configured with AD
  • Add a Relying Party Trust in ADFS by using the Add Relying Party Trust wizard and OWA's federation metadata file. In the RP trust wizard, on the Select Data Source step, enter the federation metadata URL. Click Next
  • Type in the display name on the Specify Display Name page and accept the default values on the rest of the screens. Click Close on the last step. This will open the Edit Claim Rules dialog box. Click Add Rule and select the Pass Through or Filter an Incoming Claim option in the Claim rule template. Click Next
  • Type in the claim rule name and choose UPN as the incoming claim type. Click Finish and OK to complete the Relying Party Trust configuration


This should complete the configuration. If you now navigate to the new OWA URL it should redirect you to ADFS, and upon successful authentication you should see your mailbox. The default OWA should still support its original authentication setting.