multiple forests, no trust but adfs, exchange resource forest or linked mailbox ?

  • Question

  • Hi !

    To cut a long story short: is that scenario possible with either Exchange 2010 or Exchange 2013?

    - AD users forests like:
     abc.local
     xyz.local
    - one resource AD forest with exchange
     exchange.local
    - no classic domain trusts between forests.
    - no O365.

    Q:
    - is it possible to use ADFS to give users in the AD user forests mailboxes in the exchange.local forest?
    - is it possible for users to access OWA / Outlook MAPI / Outlook RPC over HTTPS as if Exchange were in their own forests, with ADFS as the binding element? (Outlook SSO / Autodiscover)



    Monday, October 7, 2013 11:54 PM

All replies

  • ADFS is an authentication mechanism.  If the account you're entering into ADFS doesn't have permissions on the mailbox, then it doesn't do anything for you.  You can't grant rights on a mailbox in one forest to the other forest without the mailbox forest trusting the user forest.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

    • Proposed as answer by cara chen Tuesday, October 8, 2013 5:46 AM
    • Marked as answer by cara chen Tuesday, October 15, 2013 6:04 AM
    Tuesday, October 8, 2013 1:46 AM
  • What about O365? Isn't it using ADFS to authenticate users from an external AD without a forest trust? I found many how-tos about SSO with O365, but I cannot find something that describes how to set up something similar in my own environment. Unfortunately I have zero experience with O365.

    Or maybe I am missing something?

    Regards

    BZ

    Tuesday, October 8, 2013 8:29 AM
  • Office 365 accomplishes this by synchronizing accounts, so I guess you could do that.  You'd have to create a full set of synchronized accounts in the domain with the Exchange server in it.  Creating a trust would be much easier and cheaper, I would think.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

    • Marked as answer by cara chen Tuesday, October 15, 2013 6:04 AM
    Tuesday, October 8, 2013 4:18 PM
  • Hi Ed, I don't think you have answered BZ's question. Agreed, some thought needs to be given to how the accounts are provisioned and maintained in the resource forest as a long-term strategy; however, that aside, can ADFS be used as the authentication mechanism for Exchange 2013 in a resource forest?

    Very little information seems to be available on this subject and to date our firm has been unsuccessful in getting this working within a LAB environment.

    Regards, Dan

    Wednesday, November 27, 2013 11:48 PM
  • Office 365 requires the use of their directory synchronization tool for domain federation and AD FS.  It works by you creating remote mailbox objects in the account forest, with directory synchronization then creating the mailbox users in the target forest.  The domain settings tell it whether to authenticate locally or with the source account using AD FS.

    For this kind of scenario, you'd be best off posting your question in the Hosting forum.  http://social.technet.microsoft.com/Forums/en-US/exchange2010hosters/threads


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

    Thursday, November 28, 2013 7:29 AM