Federation Trust with Exchange 2010 behind Forefront TMG 2010

  • Question

  • Dear all,

    Currently we are going to deploy an Exchange 2010 Federation Trust between 2 organizations.

    Let's assume:
    Organization A
    domain name: aa.com

    Organization B
    domain name: bb.com

    Exchange version: Exchange 2010 SP2 Rollup 3

    Both organizations' Exchange CAS servers are running behind Forefront TMG 2010 (all OWA / ActiveSync / Outlook Anywhere publishing rules go through Forefront TMG) with a single SSL certificate (multiple Subject Alternative Names).

    I have done some study: Exchange 2010 federation uses SAML tokens—not user accounts—to authenticate against IIS for EWS calls. TMG doesn't know how to validate SAML tokens, so the incoming requests can't be authenticated and passed on to the Exchange Server 2010.

    Just want to check: normally, how do we perform a federation trust behind Forefront TMG 2010 between 2 organizations?

    Thanks in advance!

    Tuesday, September 18, 2012 2:02 PM

All replies

  • Can anyone help with this?
    Wednesday, September 19, 2012 1:24 AM
  • Hello,

    Do you use multiple web listeners to publish Exchange 2010?

    If not, you can follow these steps and try:

    <1> Modify the OWA and ECP virtual directories on the Exchange 2010 CAS servers to perform FBA, then modify the web listener on your TMG server to disable pre-authentication.

    <2> Modify the authentication settings for each of the TMG publishing rules for ActiveSync, Outlook Anywhere and OWA to set them to no delegation.

    <3> Revise the Users setting from All Authenticated Users to All Users.

    <4> You may also need to verify that the authentication settings of your other Exchange virtual directories are valid; many organizations allow basic authentication between TMG and their CAS servers, but require NTLM or Windows Integrated from external clients to TMG.

    Thanks,

    Evan


    Evan Liu

    TechNet Community Support

    Wednesday, September 19, 2012 9:44 AM
    Moderator
  • Hi

    You need to have a rule on the TMGs which allows anonymous traffic to these paths for the autodiscover public name:

    /ews/mrsproxy.svc
    /ews/exchange.asmx/wssecurity
    /autodiscover/autodiscover.svc/wssecurity
    /autodiscover/autodiscover.svc

    This rule needs to be above the existing Autodiscover rule so that it is processed first.

    Steve

    Wednesday, September 19, 2012 9:50 AM
  • I have tried the solution you provided, but I still have the same issue when I run the command get-federationinformation -domain xxx.local

    [PS] C:\Windows\system32>Get-FederationInformation -verbose

    cmdlet Get-FederationInformation at command pipeline position 1
    Supply values for the following parameters:
    DomainName: xxx.local
    VERBOSE: [06:10:42.091 GMT] Get-FederationInformation : Active Directory session settings for
    'Get-FederationInformation' are: View Entire Forest: 'False', Default Scope: 'xxx,local', Configuration Domain
    Controller: 'DC02.xxx.local', Preferred Global Catalog: 'DC03.xxx.local', Preferred Domain Controllers: '{
    DC03.xxx.local }'
    VERBOSE: [06:10:42.091 GMT] Get-FederationInformation : Runspace context: Executing user:
    xxx.local/Users/Administrator, Executing user organization: , Current organization: , RBAC-enabled: Enabled.
    VERBOSE: [06:10:42.091 GMT] Get-FederationInformation : Beginning processing &
    VERBOSE: [06:10:42.107 GMT] Get-FederationInformation : Current ScopeSet is: { Recipient Read Scope: {{, }}, Recipient
    Write Scopes: {{, }}, Configuration Read Scope: {{, }}, Configuration Write Scope(s): {{, }, }, Exclusive Recipient
    Scope(s): {}, Exclusive Configuration Scope(s): {} }
    VERBOSE: [06:10:42.107 GMT] Get-FederationInformation : Resolved current organization: .
    VERBOSE: [06:10:42.107 GMT] Get-FederationInformation : Using the following trusted host names: *.outlook.com.
    VERBOSE: [06:11:36.723 GMT] Get-FederationInformation : The discovery process returned the following results:
    Type=Failure;Url=https://autodiscover.xxx.com.my/autodiscover/autodiscover.svc;Exception=Discovery for domain
    xxx.local
    failed.;Details=(Type=Failure;Url=https://autodiscover.xxx.com.my/autodiscover/autodiscover.svc;Exception=Unable to
    connect to the remote server;);
    Type=Failure;Url=https://xxx.com.my/autodiscover/autodiscover.svc;Exception=Discovery for domain xxx.com.my
    failed.;Details=(Type=Failure;Url=https://xxx.com.my/autodiscover/autodiscover.svc;Exception=The underlying
    connection was closed: An unexpected error occurred on a send.;);
    Type=Failure;Url=http://autodiscover.xxx.com.my/autodiscover/autodiscover.xml;Exception=Discovery for domain
    xxx.com.my
    failed.;Details=(Type=Failure;Url=http://autodiscover.xxx.com.my/autodiscover/autodiscover.xml;Exception=The
    operation has timed out;);
    Type=Failure;Url=http://xxx.com.my/autodiscover/autodiscover.xml;Exception=Discovery for domain xxx.com.my
    failed.;Details=(Type=Failure;Url=http://xxx.com.my/autodiscover/autodiscover.xml;Exception=The remote server
    returned an error: (404) Not Found.;);
    .
    Federation information could not be received from the external organization.
        + CategoryInfo          : NotSpecified: (:) [Get-FederationInformation], GetFederationInformationFailedException
        + FullyQualifiedErrorId : AA653248,Microsoft.Exchange.Management.SystemConfigurationTasks.GetFederationInformation

    Thursday, October 4, 2012 8:40 AM
  • Thanks for your reply. When I try to publish the rules, can I reuse the existing Web Listener, or do I need to create another Web Listener?

    Thursday, October 4, 2012 8:42 AM
  • Hi

    Does autodiscover work externally for both of these domains?  Can you test it with the ExRCA?

    Steve

    Thursday, October 4, 2012 8:45 AM
  • Thanks for your reply. When I try to publish the rules, can I reuse the existing Web Listener, or do I need to create another Web Listener?

    You can use the same listener and IP. Having this rule higher up than the standard Autodiscover or OA rules is so that it gets processed first and the traffic to those specific paths is allowed through without authentication.

    Steve

    Thursday, October 4, 2012 9:13 AM
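The paths Steve lists (mrsproxy.svc, the /wssecurity endpoints and autodiscover.svc) have to pass the TMG listener without pre-authentication, and the Get-FederationInformation output above only says that discovery failed, not which hop stopped it. The script below is an added example, not code from this thread or from Microsoft: it sends an unauthenticated GET to each of those paths on a hostname you supply (mail.aa.example is a placeholder) and classifies the answer as a credential challenge, a redirect to the forms-based logon page, a proxy/backend refusal, a 404, or a request that reached the CAS. The forms-based-auth redirect markers (CookieAuth.dll, /owa/auth/) and the "anything else reached the backend" rule are heuristic assumptions of this example.

```python
"""Check that the federation/MRSProxy paths are published anonymously through TMG.

Added example for the thread above; hostnames and redirect markers are assumptions.
Usage: python check_federation_paths.py mail.aa.example
"""
import http.client
import ssl
import sys

# Paths quoted in the thread that must reach the CAS without pre-authentication.
FEDERATION_PATHS = (
    "/ews/mrsproxy.svc",
    "/ews/exchange.asmx/wssecurity",
    "/autodiscover/autodiscover.svc/wssecurity",
    "/autodiscover/autodiscover.svc",
)

# Heuristic (assumed) markers of a TMG forms-based-authentication logon redirect.
FBA_MARKERS = ("cookieauth.dll", "/owa/auth/")


def classify(status, headers):
    """Map an HTTP status plus response headers to what the listener/rule did.

    'auth-challenge' : 401, something in the path still demands credentials
    'forms-redirect' : 3xx to a forms-based logon page, pre-authentication still on
    'denied'         : 403, refused by the proxy (path not in a rule) or the backend
    'not-found'      : 404, path not published or not present on the backend
    'reached-backend': anything else, TMG forwarded the request and the CAS answered
    """
    lower = {k.lower(): v for k, v in headers.items()}
    if status == 401:
        return "auth-challenge"
    if status in (301, 302, 303, 307, 308):
        location = lower.get("location", "").lower()
        if any(marker in location for marker in FBA_MARKERS):
            return "forms-redirect"
    if status == 403:
        return "denied"
    if status == 404:
        return "not-found"
    return "reached-backend"


def probe(host, path, timeout=10, verify=True):
    """Unauthenticated HTTPS GET of one path; returns (status, headers dict)."""
    ctx = ssl.create_default_context()
    if not verify:  # only for lab listeners with a non-public certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, 443, timeout=timeout, context=ctx)
    try:
        conn.request("GET", path, headers={"User-Agent": "federation-path-check/1.0"})
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders())
    finally:
        conn.close()


def check_host(host, probe_fn=probe):
    """Classify every federation path on one published hostname."""
    results = {}
    for path in FEDERATION_PATHS:
        try:
            status, headers = probe_fn(host, path)
            results[path] = classify(status, headers)
        except OSError as exc:  # DNS, TCP or TLS failure: never reached the listener
            results[path] = "connect-error: %s" % exc
    return results


def all_paths_anonymous(results):
    """True only when every listed path was forwarded to the CAS."""
    return all(v == "reached-backend" for v in results.values())


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.aa.example"  # placeholder host
    outcome = check_host(target)
    for p, verdict in outcome.items():
        print("%-45s %s" % (p, verdict))
    print("all federation paths anonymous:", all_paths_anonymous(outcome))
```

Run it against the public autodiscover name of each organization; a 401 or a CookieAuth.dll redirect on any of the four paths means the anonymous rule is not being hit first (it must sit above the regular Autodiscover/OA rules, as Steve says), while a connect error points at DNS, the firewall or TLS rather than the rule order.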
  • Autodiscover works perfectly in ExRCA

    Tuesday, October 9, 2012 3:58 AM
  • Hi, I tried it and it is not working... have you tried before whether it can use the same listener?

    If using a separate web listener, we might need to use an additional certificate, right?

    http://ucoutloud.blogspot.com/2011/08/during-recent-rich-co-exist-deploymnet.html

    Tuesday, October 9, 2012 4:01 AM
  • Hello Koh,

    I'm trying to implement a federation trust, and I wanted to know if you've used the Microsoft Federation Gateway.

    Thanks

    Monday, June 17, 2013 7:57 AM