Setup ADFS with WAP and OWA RRS feed

  • Question

  • Hi,

    We have been given the task of getting OWA (on-premises) authentication working with ADFS and WAP. The main idea behind this project is to remove ISA and introduce WAP. So far we have created 2 WAP and 2 ADFS servers. We are using a non-claims-aware relying party and Windows authentication for OWA. When a user tries to access OWA from the external world, a VIP is assigned to the URL which hits the load balancer (F5) and then comes to WAP, which then sends it to ADFS, and then the user authenticates to OWA using the DC. We have also created one ASA for Exchange, and what we do is set the SPN for that ASA and change the auth mode to Windows auth. Once we do this, users are able to authenticate. We have completed this testing so far. Now the actual question is that we also need to set up the Kerberos delegation for the Exchange servers (which I am not sure is already done). Since we have multiple Exchange servers, do we need to set up the Kerberos delegation for all of them? I need to understand how it works and what we need to do next when we migrate the complete Exchange OWA to authenticate using ADFS. Can someone please provide a nice article on this which explains how we move the cluster of Exchange servers together, since I am confused about how to move the complete Exchange OWA to authenticate using ADFS.


    Regards Puneet Pandey MCITP

    Tuesday, October 4, 2016 2:17 PM

Answers

  • Sounds like you're almost there. You've created the SPN for the ASA account, which is presumably the load-balanced URL? Have you delegated the ASA account to the WAP computer account(s) in AD Users and Computers? You should then see the load-balanced URL added for delegation, e.g. http/owa.mydomain.com

    http://blog.auth360.net

    Tuesday, October 4, 2016 5:23 PM
  • Once you have set up the WAP computer accounts for delegation, you just have to create the actual publication rule on the WAP GUI. That's it.

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Wednesday, October 19, 2016 12:06 AM
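The delegation and publishing steps in the two answers above, as an added PowerShell example (not from the thread or from Microsoft documentation). It assumes an ASA account CONTOSO\exch-asa, WAP computer accounts WAP01 and WAP02, the load-balanced name owa.contoso.com, an existing non-claims-aware relying party named OWA in AD FS, and a placeholder certificate thumbprint; the Active Directory module is needed on the admin host and the WebApplicationProxy module on each WAP server.

```powershell
# Added example, not from the thread. Assumed names: ASA account CONTOSO\exch-asa,
# WAP computers WAP01/WAP02, public OWA name owa.contoso.com, AD FS relying party 'OWA'.
Import-Module ActiveDirectory

$Domain     = 'CONTOSO'
$AsaAccount = 'exch-asa'               # Exchange Alternate Service Account
$OwaSpn     = 'http/owa.contoso.com'   # load-balanced name WAP forwards to
$WapHosts   = 'WAP01', 'WAP02'

# 1. The SPN lives once, on the ASA account, not on each Exchange server's
#    computer account, so every server behind the load balancer can decrypt the
#    same service ticket. setspn -S refuses to register a duplicate SPN.
setspn -S $OwaSpn "$Domain\$AsaAccount"

# 2. Each WAP computer account is allowed to delegate to that one SPN only
#    (constrained delegation with protocol transition, because the user reaches
#    WAP through AD FS pre-authentication, not with a Kerberos ticket).
foreach ($Wap in $WapHosts) {
    $computer = Get-ADComputer -Identity $Wap
    Set-ADComputer -Identity $computer -Add @{ 'msDS-AllowedToDelegateTo' = $OwaSpn }
    Set-ADAccountControl -Identity $computer -TrustedToAuthForDelegation $true
}

# 3. Verify: the SPN is in the delegation list and the account is NOT trusted for
#    unconstrained delegation. TrustedForDelegation must stay False; otherwise a
#    compromised WAP could impersonate any user to any Kerberos service.
foreach ($Wap in $WapHosts) {
    $c = Get-ADComputer -Identity $Wap -Properties msDS-AllowedToDelegateTo,
            TrustedForDelegation, TrustedToAuthForDelegation
    [pscustomobject]@{
        Computer      = $c.Name
        DelegatesTo   = ($c.'msDS-AllowedToDelegateTo' -join ',')  # expect the OWA SPN
        Unconstrained = $c.TrustedForDelegation                    # expect False
        ProtocolTrans = $c.TrustedToAuthForDelegation              # expect True
    }
}

# 4. On each WAP server: the publishing rule. AD FS pre-authenticates the user and
#    WAP obtains a Kerberos ticket for the SPN on the user's behalf. Replace the
#    thumbprint placeholder with the external certificate's thumbprint.
Add-WebApplicationProxyApplication -Name 'OWA' `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName 'OWA' `
    -ExternalUrl 'https://owa.contoso.com/owa/' `
    -BackendServerUrl 'https://owa.contoso.com/owa/' `
    -BackendServerAuthenticationSpn $OwaSpn `
    -ExternalCertificateThumbprint '<EXTERNAL-CERT-THUMBPRINT-PLACEHOLDER>'
```

Because delegation targets the shared SPN rather than individual server accounts, adding or removing Exchange servers behind the load balancer needs no change to the WAP delegation settings.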

All replies

  • Hi

    Thanks for your reply.

    Yes, we have set up the delegation for both the WAP servers. Now, when we switch to the production cutover, I believe that if we have 5 Exchange OWA servers we need to move all of them to ADFS together; we cannot do it one by one.

    Do we need to perform any other step if the delegation has been done on both the WAP servers?

    Kindly confirm whether we have the possibility to move the Exchange servers one by one?


    Regards Puneet Pandey MCITP

    Wednesday, October 5, 2016 2:38 PM