WAP and ADFS 3.0. Basic implementation error.

  • What I'm trying:

    I want to publish Exchange 2007 OWA through WAP.

    Existing network architecture:

    I have a firewall that separates Internet from DMZ and DMZ from internal network.

    External domain: domain.com

    DMZ domain: DMZ.local (not used in this setup)

    Internal domain: LAN.local

    What I've setup so far:

    Exchange 2007 OWA working for many years (previously published with ISA Server 2006).

    AD FS Server. Machine name: sts.lan.local, AD FS FQDN: ADFS.lan.local. IP address: 172.16.1.100 (internal network).

    WAP Server. Machine name: wap.lan.local. IP address: 10.10.0.1. Despite being in the DMZ it is joined to the internal domain.

    Client machine: Machine name: client.lan.local. IP address: 172.16.1.2 (internal network).


    Testing done:

    I've successfully published applications with WAP using pass through.

    I've published OWA but can only access it from the internal network if I modify the client machine's hosts file to add an entry that points adfs.lan.local to the IP address of the WAP server: 10.10.0.1. If I don't have this entry, errors 511 & 364 are thrown. From outside the network nothing works as I obviously can't resolve adfs.lan.local (which is where WAP is redirecting the request).

    And now my questions:

    I've seen in many tutorials and guides that everybody has the same internal and external domain name. But since this is not my case, what can I do to publish OWA with my existing network architecture?

    Wednesday, March 30, 2016 10:55 AM

All replies

  • Nobody?
    Monday, April 4, 2016 3:28 PM
  • Just to make sure I understand, here you are not using the ADFS server at all. You are just publishing a pass through app through the WAP.

    Let's take an example, assuming you are using FBA on OWA.

    FQDN1 = URL that the users are using internally to access to OWA (if they do...)

    FQDN2 = URL that the users are using to access OWA when they are connected to the Internet

    FQDN1 doesn't need to be the same as FQDN2.

    But if FQDN1 = FQDN2, make sure you have a split brain DNS for this record.

    Note that internal users are not supposed to use the FQDN2 to access OWA internally since they will be redirected


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Tuesday, April 5, 2016 2:02 PM
  • First of all, thanks for your answer.

    And now the clarification:

    I have reviewed my post and I can see it's not clear what I've done and what I try to accomplish.

    Pass through is not an issue. It works as intended. It's the next step that's a problem for me: using ADFS.

    If my internal and external domains don't match (.local vs .com), how do I publish OWA, since using ADFS will redirect the requests to the ADFS FQDN (internal)? Is it mandatory to get a public DNS name for my internal ADFS?

    Thanks in advance.


    Wednesday, April 6, 2016 9:36 AM
  • "how do I publish OWA since using ADFS will redirect the requests to adfs fqdn (internal)? "

    Well, internal users are not using ADFS nor WAP. So it is not supposed to change anything internally. Your internal users are using OWA directly, not through WAP.

    Wednesday, April 6, 2016 2:04 PM
  • My fault. The question should be: How do I publish OWA for external users, since using WAP with ADFS will redirect the external requests to the ADFS FQDN (internal)?

    That is, I want WAP to act as a reverse proxy for external users to authenticate to OWA using ADFS.

    Does it make any sense? If not, what would be my options to publish OWA externally and get rid of ISA Server (at the moment acting as a reverse proxy for OWA) without having a pop-up asking for credentials but a form (not using form-based authentication)?

    Thanks

    Wednesday, April 6, 2016 2:24 PM
  • Oh, I see. Just to confirm. You do not want pass-through then... You want pre-authentication on ADFS?


    Wednesday, April 6, 2016 3:47 PM
  • Right. I want pre-authentication on ADFS.
    Thursday, April 7, 2016 7:21 AM
  • Well, if it was Exchange 2013, you could just do this: https://technet.microsoft.com/en-us/library/dn635116(v=exchg.150).aspx

    In your case, because you are still on Exchange 2007, you'll have to go the hard way :) Creating a Non-Claims-Aware Relying Party Trust. Well, it isn't that hard but it has a couple of pre-reqs.

    1. The WAPs need to be domain joined. In the same domain as your OWA server (unless your DCs are already Windows Server 2012)
    2. Configure the WAPs to enable Kerberos constrained delegation for the ServicePrincipalName of your OWA server. So if the users are accessing OWA internally with the URL https://owa.contoso.com the SPN you will add is most likely HOST/owa.contoso.com into the following tab of each WAP's computer account:

      Restart your WAPs.
    3. Create and publish a Non Claims Aware RP in AD and publish it in WAP: https://technet.microsoft.com/en-us/library/dn508281.aspx

    Tell us how it goes...



    Friday, April 8, 2016 8:59 PM
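    The three steps in the reply above, as an added PowerShell example that is not part of the thread: it sets the constrained delegation on the WAP computer account (the GUI tab the reply refers to), creates the non-claims-aware relying party on the AD FS server and publishes it in WAP with AD FS pre-authentication. The WAP name, external URL, relying party name and certificate thumbprint are assumptions; run the AD part on a machine with the RSAT AD module, the Adfs part on the federation server and the WebApplicationProxy part on the WAP.

    ```powershell
    # Added example, not from the thread. Names below are assumptions/placeholders.
    $wapAccount = 'wap'                          # WAP computer account (sAMAccountName without $)
    $owaFqdn    = 'owa.contoso.com'              # internal OWA URL host from step 2
    $owaSpn     = "HOST/$owaFqdn"                # SPN the reply says to delegate to
    $extUrl     = 'https://owa.domain.com/owa/'  # external URL published by WAP (assumed)
    $rpName     = 'OWA-NonClaims'                # relying party name (assumed)
    $certThumb  = '<EXTERNAL-CERT-THUMBPRINT>'   # placeholder, thumbprint of the cert on the WAP

    # Steps 1 and 2: KCD with protocol transition on the domain-joined WAP computer account.
    # Only the OWA SPN is listed, so the WAP can impersonate users to OWA and nothing else.
    Import-Module ActiveDirectory
    Set-ADComputer -Identity $wapAccount -Add @{ 'msDS-AllowedToDelegateTo' = $owaSpn }
    Set-ADAccountControl -Identity "$wapAccount`$" -TrustedToAuthForDelegation $true

    # Check: the delegation list should contain exactly the SPN configured above.
    $allowed = (Get-ADComputer -Identity $wapAccount -Properties 'msDS-AllowedToDelegateTo').'msDS-AllowedToDelegateTo'
    if (@($allowed) -ne @($owaSpn)) { Write-Warning "Unexpected delegation list: $($allowed -join ', ')" }

    # Step 3a (on the AD FS server): non-claims-aware relying party that permits all authenticated users.
    Add-AdfsNonClaimsAwareRelyingPartyTrust -Name $rpName -Identifier $extUrl
    Set-AdfsNonClaimsAwareRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules `
        '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

    # Step 3b (on the WAP): publish OWA with AD FS pre-authentication and the back-end SPN for KCD.
    Add-WebApplicationProxyApplication -Name $rpName `
        -ExternalPreauthentication ADFS `
        -ADFSRelyingPartyName $rpName `
        -ExternalUrl $extUrl `
        -BackendServerUrl "https://$owaFqdn/owa/" `
        -BackendServerSPN $owaSpn `
        -ExternalCertificateThumbprint $certThumb
    ```

    Restart the WAP service afterwards, as the reply says, so the new delegation setting on the computer account takes effect.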
  • Thank you for your time.

    I had done everything you explained before asking anything here. In fact my question in the first post was:

    I've seen in many tutorials and guides that everybody has the same internal and external domain name. But since this is not my case, what can I do to publish OWA with my existing network architecture?

    And that was indeed my problem. Everything worked after I made this final step: registering a public dns name for ADFS (with internal domain made public) and pointing it to the IP address of the WAP server.

    Now another problem has arisen:

    I have two CAS balanced: CA1 and CA2, and the balanced IP is CA.

    I have delegated kerberos to CA1 and CA2, but since CA is not an object of AD I can't delegate to CA.

    So, if I publish OWA pointing to any of the "real" servers (CA1, CA2) everything works as expected. But if I try to point to CA (in order to "take advantage of" NLB) it generates an error sequence (12027 & 13019).

    After some searching I've come to the "solution": create an SPN for CA with the account used as identity for the Application Pool MSExchangeOWAAppPool with:

    SetSPN -S http/CA domain\account

    But here is the problem, the account must be a domain account. Currently the identity for this App Pool is Local System. When I try to use a newly created domain account OWA fails. I've added this newly created domain account to local administrators and IIS_WPG groups of CA1 and CA2 with no success.

    Any clue of which permissions this account needs?

    Thanks

    Thursday, April 21, 2016 9:58 AM