Today I was trying to upgrade Exchange Server 2019 RTM to Cumulative Update 5 (CU5), and the upgrade stopped with an error. It went up to Step 10 and failed with the following error message.
Error:
The following error was generated when "$error.Clear();
Install-ExchangeCertificate -services IIS -DomainController $RoleDomainController
if ($RoleIsDatacenter -ne $true -And $RoleIsPartnerHosted -ne $true)
{
Install-AuthCertificate -DomainController $RoleDomainController
}
" was run: "Microsoft.Exchange.Management.Clients.FormsAuthenticationMarkPathUnknownSetError: An unexpected error occurred while modifying the forms authentication settings for path /LM/W3SVC/1. The error returned was 5506.
at Microsoft.Exchange.Configuration.Tasks.Task.ThrowError(Exception exception, ErrorCategory errorCategory, Object target, String helpUrl)
at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target)
at Microsoft.Exchange.Management.SystemConfigurationTasks.InstallExchangeCertificate.EnableForServices(X509Certificate2 cert, AllowedServices services)
at Microsoft.Exchange.Management.SystemConfigurationTasks.InstallExchangeCertificate.InternalProcessRecord()
at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__91_1()
at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)".
Solution:
To resolve this issue, I opened Internet Information Services (IIS) Manager, went to the Default Web Site, right-clicked it, chose Bindings, and changed the certificate on the https binding from the third-party one to the self-signed certificate.
Restarted IIS using the iisreset command from the command prompt.
Restarted the Exchange CU upgrade, and the upgrade completed successfully.
After the upgrade, I changed the Default Web Site https binding back to the third-party certificate.
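The same swap can be scripted so that the third-party certificate is recorded before the CU and put back afterwards. This is an added example, not the post's own steps; it assumes the IIS WebAdministration module is present and stores the saved thumbprint in a file under ProgramData (an assumed location).

```powershell
# Added example, not from the original post. Swaps the Default Web Site https binding to the
# self-signed Exchange certificate before the CU run and restores the third-party certificate
# afterwards, which is what the post did by hand in IIS Manager. Run in an elevated Exchange
# Management Shell on the server being updated.
Import-Module WebAdministration

# State file (assumed location) holding the thumbprint to restore after the CU.
$StatePath = Join-Path $env:ProgramData 'ExchangeCuCertSwap.txt'

# Thumbprint of the certificate bound to *:443 on the Default Web Site
# (Exchange also adds a 127.0.0.1:443 binding, which is filtered out here).
function Get-DefaultSiteThumbprint {
    $b = Get-WebBinding -Name 'Default Web Site' -Protocol https |
         Where-Object { $_.bindingInformation -eq '*:443:' }
    if (-not $b) { throw 'No *:443 https binding on Default Web Site' }
    return ([string]$b.certificateHash).ToUpper()
}

# The self-signed certificate Exchange created at install; its subject is the server's NetBIOS name.
function Get-SelfSignedExchangeThumbprint {
    $c = Get-ExchangeCertificate |
         Where-Object { $_.IsSelfSigned -and $_.Subject -eq "CN=$env:COMPUTERNAME" } |
         Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $c) { throw 'No self-signed Exchange certificate found' }
    return $c.Thumbprint
}

# Before the CU: remember the third-party certificate, bind the self-signed one, restart IIS.
function Invoke-PreCuCertSwap {
    $thirdParty = Get-DefaultSiteThumbprint
    Set-Content -Path $StatePath -Value $thirdParty
    # Enable-ExchangeCertificate rewrites the IIS binding itself; -Force skips the overwrite prompt.
    Enable-ExchangeCertificate -Thumbprint (Get-SelfSignedExchangeThumbprint) -Services IIS -Force
    iisreset
    Write-Host "Saved third-party thumbprint $thirdParty; Default Web Site now uses the self-signed certificate"
}

# After the CU: put the third-party certificate back and prove the binding actually changed.
function Invoke-PostCuCertRestore {
    $thirdParty = (Get-Content -Path $StatePath).Trim()
    Enable-ExchangeCertificate -Thumbprint $thirdParty -Services IIS -Force
    iisreset
    if ((Get-DefaultSiteThumbprint) -ne $thirdParty) { throw 'Default Web Site binding was not restored' }
    Write-Host "Default Web Site restored to $thirdParty"
}

# Usage: Invoke-PreCuCertSwap, run the CU setup, then Invoke-PostCuCertRestore.
```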
Exchange Server Cumulative Update upgrade error on stopping the Windows Management Instrumentation service. The following error shows when setup tries to stop this service.
Error:
The following error was generated when "$error.Clear();
& $RoleBinPath\ServiceControl.ps1 -Operation:DisableServices -Roles:($RoleRoles.Replace('Role','').Split(',')) -SetupScriptsDirectory:$RoleBinPath;
& $RoleBinPath\ServiceControl.ps1 -Operation:Stop -Roles:($RoleRoles.Replace('Role','').Split(',')) -IsDatacenter:([bool]$RoleIsDatacenter)
" was run: "Microsoft.Exchange.Configuration.Tasks.ServiceDidNotReachStatusException: Service 'WinMgmt' failed to reach status 'Stopped' on this server.
at Microsoft.Exchange.Configuration.Tasks.Task.ThrowError(Exception exception, ErrorCategory errorCategory, Object target, String helpUrl)
at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target)
at Microsoft.Exchange.Management.Tasks.ManageSetupService.WaitForServiceStatus(ServiceController serviceController, ServiceControllerStatus status, Unlimited`1 maximumWaitTime, Boolean ignoreFailures, Boolean sendWatsonReportForHungService)
at Microsoft.Exchange.Management.Tasks.ManageSetupService.StopService(ServiceController serviceController, Boolean ignoreServiceStopTimeout, Boolean failIfServiceNotInstalled, Unlimited`1 maximumWaitTime)
at Microsoft.Exchange.Management.Tasks.ManageSetupService.StopService(String serviceName, Boolean ignoreServiceStopTimeout, Boolean failIfServiceNotInstalled, Unlimited`1 maximumWaitTime)
at Microsoft.Exchange.Management.Tasks.StopSetupService.InternalProcessRecord()
at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__91_1()
at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)".
Resolution
Go to Task Manager, and on the Services tab find the Windows Management Instrumentation service and note its Process ID (PID). Then go to the Details tab in Task Manager and end that process. Leave the Windows Management Instrumentation service in the disabled start state and run the Exchange Server Cumulative Update setup again, either through the graphical user interface or the command line; this time the error won't come up.
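The same steps from an elevated PowerShell prompt, as an added example that is not part of the original post: the service's host process ID comes from WMI's Win32_Service class (Get-Service does not expose it), and the script reports which other services share that process before ending it and confirms the service reaches Stopped.

```powershell
# Added example, not from the original post. Locates the process hosting the Windows Management
# Instrumentation service (WinMgmt), ends it as the post describes, and confirms the service
# reports Stopped before the CU setup is rerun. Run from an elevated PowerShell prompt.
function Get-ServicePid {
    param([string]$Name)
    # Win32_Service carries the host process id; Get-Service does not.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { throw "Service $Name not found" }
    return [int]$svc.ProcessId
}

function Stop-WinMgmtHost {
    $processId = Get-ServicePid -Name 'winmgmt'
    if ($processId -eq 0) { Write-Host 'WinMgmt is not running'; return }

    # Any other service in the same svchost.exe is ended with it, so list them first.
    $sharing = (Get-CimInstance -ClassName Win32_Service -Filter "ProcessId=$processId").Name -join ', '
    Write-Host "Ending PID $processId (hosts: $sharing)"
    Stop-Process -Id $processId -Force

    # Setup already disabled the service; leave it that way and wait for the Stopped state.
    (Get-Service -Name winmgmt).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(30))
    Get-Service -Name winmgmt | Select-Object Name, Status, StartType
}

Stop-WinMgmtHost
```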
I want to hear from you: if you have any questions or feedback, leave your comments below and I will reply to you.
Exchange Server Installation Error while running 'ldifde.exe' to import the schema file
I received the following error on Exchange 2016 setup, right after the installation's readiness check completed.
Error:
The following error was generated when "$error.Clear();
install-ExchangeSchema -LdapFileName ($roleInstallPath + "Setup\Data\"+$RoleSchemaPrefix + "schema0.ldf")
" was run: "Microsoft.Exchange.Configuration.Tasks.TaskException: There was an error while running 'ldifde.exe' to import the schema file 'C:\Windows\Temp\ExchangeSetup\Setup\Data\PostExchange2003_schema0.ldf'. The error code is: 8224. More details can be found in the error file: 'C:\Users\theman\AppData\Local\Temp\2\ldif.err'
at Microsoft.Exchange.Configuration.Tasks.Task.ThrowError(Exception exception, ErrorCategory errorCategory, Object target, String helpUrl)
at Microsoft.Exchange.Management.Deployment.InstallExchangeSchema.ImportSchemaFile(String schemaMasterServer, String schemaFilePath, String macroName, String macroValue, WriteVerboseDelegate writeVerbose)
at Microsoft.Exchange.Management.Deployment.InstallExchangeSchema.InternalProcessRecord()
at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__91_1()
at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)".
The error turned out to be caused by a domain controller that was offline; once I brought that domain controller back online and restarted the Exchange 2016 setup, the error disappeared.
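Before rerunning setup, it is worth confirming that the schema master and the other domain controllers actually answer on LDAP and reading the ldif.err file the message points at. This is an added check, not part of the original post; it assumes the RSAT ActiveDirectory module is available on the Exchange server, and the ldif.err path is the one from the error text above.

```powershell
# Added example, not from the original post. Confirms the schema master and every domain
# controller answer on LDAP (TCP 389) and shows the tail of the ldifde error file named in the
# setup error, so the offline DC is found before setup is restarted.
Import-Module ActiveDirectory

function Test-DomainControllerLdap {
    param([string[]]$Names)
    foreach ($dc in $Names) {
        $ok = (Test-NetConnection -ComputerName $dc -Port 389 -WarningAction SilentlyContinue).TcpTestSucceeded
        [pscustomobject]@{ DomainController = $dc; LdapReachable = [bool]$ok }
    }
}

# Schema changes are written through the schema master; if it is unreachable, ldifde fails.
$schemaMaster = (Get-ADForest).SchemaMaster
$allDcs = (Get-ADDomainController -Filter *).HostName
Write-Host "Schema master: $schemaMaster"

$results = Test-DomainControllerLdap -Names $allDcs
$results | Format-Table -AutoSize
$offline = @($results | Where-Object { -not $_.LdapReachable })
if ($offline.Count) { Write-Warning "Unreachable: $($offline.DomainController -join ', ')" }

# The error file path comes from the setup message quoted in the post.
$errFile = 'C:\Users\theman\AppData\Local\Temp\2\ldif.err'
if (Test-Path $errFile) { Get-Content -Path $errFile -Tail 20 }
```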
In this article, we are going to walk through the installation of Exchange Server 2019 and configure some of the Exchange components, such as virtual directories, Outlook Anywhere, etc. This article covers how to install and configure Exchange Server 2019 using the GUI.
I have already created a three-part article on migrating Exchange Server 2013 to Exchange Server 2019, and the installation and configuration were covered there. That installation used the command-line interface, but most admins prefer the graphical user interface to install and configure Exchange Server. With that in mind, I have created this new article for Exchange admins who use the GUI. Even though we demonstrated the Exchange Server 2019 installation in that article series, configuring an Exchange server in a new Exchange organization is somewhat different from configuring one in an existing organization.
This article also covers a complete configuration for a basic Exchange Server deployment. It assumes you have a domain controller up and running on your network and that you are going to install Exchange Server 2019 into that Active Directory environment. If you are doing this installation on a network with no domain controller, or on a test network, I recommend installing a domain controller using my other article before installing Exchange Server 2019. I also recommend going through this Microsoft link if you want to know all the Active Directory schema changes made when you install Exchange Server 2019 in your Active Directory environment. Read the complete document before starting the installation; that way you will not get stuck on any step while installing and configuring Exchange Server 2019. We are going to do the following tasks to install and configure Exchange Server 2019.
Install Exchange Server Pre-requisite
Install Exchange Server 2019 using GUI
Create new outbound send connector to send emails to internet email
Configure Virtual Directories
Configure Outlook Anywhere
Set Service Connection Point
Rename default database and move database path
Install Certificate
Pre-requisite to Install and Configure Exchange Server
Windows Server 2019 has to be prepared with the Exchange Server 2019 prerequisites before the Exchange Server binaries are installed.
The following packages need to be installed on Windows Server before installing Exchange Server 2019:
.NET Framework 4.8
Visual C++ Redistributable Package for Visual Studio 2013
Unified Communications Managed API 4.0
Windows features
Install .NET Framework 4.8
The .Net Framework 4.8 is required to install as a prerequisite software package. The package needs to be downloaded from the link below.
Exchange Server 2019 Installation and Configuration
Once the offline installer has been downloaded, right-click the package and run it as an administrator to install it on the server.
Check the license agreement checkbox and click install.
Click Finish to complete the installation.
Install Visual C++ Redistributable Package for Visual Studio 2013
The next prerequisite to install on the server is the Visual C++ Redistributable Package for Visual Studio 2013. You can download this package from the link below; choose the language that you are planning to install on the server.
Once the package has been downloaded, right-click the downloaded
file and run as administrator.
Accept the license and click Install to install the package.
Click close when the install completes.
Install Unified Communications Managed API 4.0
The next prerequisite package we are going to install on the server is the Microsoft Unified Communications Managed API 4.0 runtime setup.
Download the package from the below link.
Once the package is downloaded, run it as an administrator
to begin the installation. Click Next to continue.
Click Install to install the package and click Finish when
the install is over.
Install Windows Feature
The next prerequisite is the Windows Server features installation. Open a PowerShell window as administrator and run the following commands. Once the installation of the features has completed, restart the Windows operating system.
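Before launching setup.exe, it is worth verifying that every prerequisite above is actually present rather than trusting that each installer finished. The following check is an added example, not from the original post; the Windows feature names it tests are a subset of Microsoft's published Exchange 2019 prerequisite list (an assumption: compare them with the command you ran in the Install Windows Feature step).

```powershell
# Added example, not from the original post. Reports whether .NET Framework 4.8, the Visual C++
# 2013 redistributable, UCMA 4.0 and a set of required Windows features are installed.
# Run as administrator on the server that will host Exchange.
function Test-DotNet48 {
    # .NET Framework 4.8 registers Release 528040 or higher under the NDP v4 Full key.
    $rel = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue).Release
    return [bool]($rel -ge 528040)
}

function Test-InstalledProduct {
    param([string]$DisplayNamePattern)
    # Installed products appear under the 64-bit and 32-bit Uninstall keys.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $hits = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -like $DisplayNamePattern }
    return [bool]$hits
}

function Get-PrerequisiteReport {
    $checks = [ordered]@{
        '.NET Framework 4.8'              = (Test-DotNet48)
        'Visual C++ 2013 Redistributable' = (Test-InstalledProduct 'Microsoft Visual C++ 2013 Redistributable*')
        'UCMA 4.0 Runtime'                = (Test-InstalledProduct '*Unified Communications Managed API 4.0*')
    }
    # Subset of the Windows features from Microsoft's Exchange 2019 prerequisite list (assumption).
    $features = 'NET-Framework-45-Features', 'RPC-over-HTTP-proxy', 'RSAT-ADDS', 'RSAT-Clustering',
                'Server-Media-Foundation', 'Web-Server', 'Web-Asp-Net45', 'Web-Basic-Auth',
                'Web-Windows-Auth', 'Web-Metabase', 'Web-Mgmt-Console', 'Windows-Identity-Foundation'
    foreach ($f in Get-WindowsFeature -Name $features) {
        $checks["Feature $($f.Name)"] = [bool]$f.Installed
    }
    $checks.GetEnumerator() | ForEach-Object {
        [pscustomobject]@{ Prerequisite = $_.Key; Present = $_.Value }
    }
}

$report = Get-PrerequisiteReport
$report | Format-Table -AutoSize
$missing = @($report | Where-Object { -not $_.Present })
if ($missing.Count) { Write-Warning "Missing: $($missing.Prerequisite -join ', ')" }
else { Write-Host 'All prerequisites present' }
```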
Open the Exchange Server installation media and double-click setup.exe to start the installation. Select Connect to the Internet and check for updates, and click Next.
On the next screen, the installation wizard will try to download updates, if there are any, from the Microsoft Update server. Click Next to continue.
Go through the introduction and click Next to continue the wizard.
Accept the license agreement and click next to continue.
Select Use Recommended Settings and click Next.
Select the server role. This demonstration is for the Exchange Server Mailbox role, so select the Mailbox role; the Management tools checkbox will be selected automatically. Also check Automatically install roles and features, and click Next.
Select the drive where Exchange Server is to be installed. In most cases it would be on a drive other than the system drive. I have left the installation path as-is for this demonstration, but you can choose a drive and path as you want.
Specify an organization name. In this case I leave it at the default. Click Next.
If you are planning to use third-party malware protection, you can choose to disable malware protection here. If you want to use the Exchange Server built-in one, set Disable malware protection to No and click Next.
The install wizard will start the Readiness Check; wait for that to complete and check whether you have received an error message.
If there is any error, act on that error, rectify it, and then restart the Exchange Server installation. If you have followed these installation steps, most probably you won't have any error. Click Install to start the installation.
The setup will start, and you can monitor the progress along the way; it will take some time to complete. Be patient and wait for the setup to complete.
The setup is in progress and may take some more time to complete.
Exchange Server setup is complete. Select Launch Exchange Administration Center and click Finish.
Exchange Admin Center, or Exchange Control Panel, is the web console where Exchange Server is configured and managed. This console can be accessed initially through the URL https://localhost/ecp.
The login screen is shown in the image below, where the administrator can log in to get the full admin console with the username in domain\username form and the password.
Create a Send Connector
A fresh Exchange Server installation will not have a connector to send email to internet email addresses. We need to create one to do so. Here are the how-to steps to create a send connector using the Exchange Admin Center. Log in to the Exchange Admin Center and go to Mail flow > Send connectors. Click Add, the + sign on top of the icons.
The New Send Connector wizard will open. Type a descriptive
name and select Internet as type.
As we are going to send emails to internet users straight from the Exchange server, select MX record associated with recipient domain and click Next.
Add an address space: click the + sign under Address space.
Type * in the FQDN column and click Save.
Once the address space has been saved, click Next.
On the Source server page, click the + sign to add the only server we just installed.
Add the Exchange server and click OK.
We have completed creating the send connector; click Finish to close the wizard.
Configure Virtual Directories
We are going to configure virtual directories such as OWA, ActiveSync, and so on with the internal and external URLs using the Exchange Management Shell. Navigate to Start > Microsoft Exchange Server from the menu, right-click Exchange Management Shell, and choose Run as administrator to open an elevated shell to configure the virtual directories.
The following script will set the virtual directories of each feature. We need to specify the Server_Name and FQDN variables relevant to our Exchange Server name and external domain name.
You will see the Exchange Management Shell output as shown below after you copy and paste the script into the EMS.
Configure Outlook Anywhere
For Outlook clients to connect from internal and external networks, we need to configure Outlook Anywhere from Servers > Outlook Anywhere with the Exchange host name (FQDN), such as mail.domain.com. You can navigate to the Outlook Anywhere settings as shown in the steps in the image.
Click OK on the warning about Negotiate client authentication.
Set Service Connection Point
The next step is to set the Autodiscover internal URI so that internal Outlook clients get the Autodiscover details from Active Directory. The Autodiscover internal URI sets the Service Connection Point (SCP) in Active Directory.
Set-ClientAccessService -Identity ex -AutodiscoverServiceInternalURI https://mail.mrigotechno.club/Autodiscover/Autodiscover.xml
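The send connector, virtual directory, Outlook Anywhere and SCP steps above can be done in one Exchange Management Shell script. The following is an added example, not the post's own script (which appears only as a screenshot); it uses the post's server name ex and host name mail.mrigotechno.club, which must be changed for your environment, and sets the same host name internally and externally so a single certificate covers both.

```powershell
# Added example, not the post's own script. Creates the internet send connector and sets the
# virtual directory, Outlook Anywhere and Autodiscover SCP URLs from the Exchange Management Shell.
# Server_Name and FQDN follow the post's variable names; the values are the post's and must be changed.
$Server_Name = 'ex'
$FQDN        = 'mail.mrigotechno.club'

# Send connector for internet mail: address space * with DNS (MX) routing, as the wizard configured.
if (-not (Get-SendConnector | Where-Object { $_.Name -eq 'Internet' })) {
    New-SendConnector -Name 'Internet' -Usage Internet -AddressSpaces '*' `
        -SourceTransportServers $Server_Name -DNSRoutingEnabled $true | Out-Null
}

# Virtual directories: the same URL internally and externally.
$vdirs = @{
    Owa         = 'owa'
    Ecp         = 'ecp'
    ActiveSync  = 'Microsoft-Server-ActiveSync'
    Oab         = 'OAB'
    WebServices = 'EWS/Exchange.asmx'
    Mapi        = 'mapi'
}
foreach ($kind in $vdirs.Keys) {
    $url = "https://$FQDN/$($vdirs[$kind])"
    # Get-<Kind>VirtualDirectory -Server pipes into Set-<Kind>VirtualDirectory.
    & "Get-${kind}VirtualDirectory" -Server $Server_Name |
        & "Set-${kind}VirtualDirectory" -InternalUrl $url -ExternalUrl $url
}

# Outlook Anywhere: SSL required on both sides, Negotiate authentication (the EAC warning in the post).
Get-OutlookAnywhere -Server $Server_Name | Set-OutlookAnywhere `
    -InternalHostname $FQDN -ExternalHostname $FQDN `
    -InternalClientsRequireSsl $true -ExternalClientsRequireSsl $true `
    -InternalClientAuthenticationMethod Negotiate -ExternalClientAuthenticationMethod Negotiate

# Autodiscover SCP in Active Directory for domain-joined Outlook clients.
Set-ClientAccessService -Identity $Server_Name `
    -AutoDiscoverServiceInternalUri "https://$FQDN/Autodiscover/Autodiscover.xml"

# Verification: every URL must carry the FQDN; anything else is reported.
function Get-VdirUrlReport {
    foreach ($kind in $vdirs.Keys) {
        & "Get-${kind}VirtualDirectory" -Server $Server_Name | ForEach-Object {
            [pscustomobject]@{
                Directory   = $_.Name
                InternalUrl = $_.InternalUrl
                ExternalUrl = $_.ExternalUrl
                Ok          = ("$($_.InternalUrl)" -like "https://$FQDN/*") -and ("$($_.ExternalUrl)" -like "https://$FQDN/*")
            }
        }
    }
}
$report = Get-VdirUrlReport
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Ok }) { Write-Warning 'Some virtual directories do not use the FQDN' }
```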
Rename default database and move database path
Move the mailbox database to a separate disk for the database and the transaction log files, so the database can be recovered quickly in case of a disk failure. I have used the C: drive in the command below; substitute the relevant drive letter.
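An added example of the rename and move from the Exchange Management Shell, not the post's own command: it finds the single default database on the fresh server, renames it, moves the .edb and the log folder to separate volumes, and checks that the database mounted again. The drive letters D: and E: and the name DB01 are assumptions (the post used C:).

```powershell
# Added example, not the post's own command. Renames the default database and moves the .edb file
# and log folder to dedicated volumes. Move-DatabasePath dismounts the database while the files
# are copied, so run it in a maintenance window. Drive letters and DB01 are assumptions.
$Server_Name = 'ex'
$NewName     = 'DB01'
$EdbPath     = "D:\ExchangeDatabases\$NewName\$NewName.edb"
$LogPath     = "E:\ExchangeLogs\$NewName"

# A fresh server has exactly one database, named "Mailbox Database <number>".
$db = @(Get-MailboxDatabase -Server $Server_Name | Where-Object { $_.Name -like 'Mailbox Database *' })
if ($db.Count -ne 1) { throw "Expected one default database, found $($db.Count)" }

Set-MailboxDatabase -Identity $db[0].Identity -Name $NewName
Move-DatabasePath -Identity $NewName -EdbFilePath $EdbPath -LogFolderPath $LogPath -Confirm:$false

# Verify the new paths are in effect and the database is mounted again.
$after = Get-MailboxDatabase -Identity $NewName -Status
$after | Select-Object Name, EdbFilePath, LogFolderPath, Mounted
if ("$($after.EdbFilePath)" -ne $EdbPath) { throw 'Database file was not moved' }
if (-not $after.Mounted) { Mount-Database -Identity $NewName }
```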
Install Certificate
We are going to create a Certificate Signing Request (CSR) in the Exchange Admin Center and install the certificate for services like IIS, SMTP, and so on. Log in to the Exchange Admin Center and go to Servers > Certificates to create the certificate signing request (CSR) file used to obtain a certificate from a third-party Certification Authority (CA) like Verisign or GoDaddy.
The certificate signing request is created by clicking the + sign on the Certificates tab.
Select “Create a request for a certificate from a Certification
Authority” and click Next.
Type a friendly name of the certificate and click Next.
We are going to request a Subject Alternative Name (SAN)
certificate, so leave the default and click Next.
The request has to be saved on the Exchange server; click Browse, select the only Exchange server, and click OK.
With the Exchange server selected, click Next.
We skip this page and instead specify the names ourselves on the next page. Click Next.
Select only the FQDN that we used on the virtual directories and Outlook Anywhere. As you know, we provided the name mail.mrigotechno.club; alongside it we need to add the name for Autodiscover, so the subject alternative name will be autodiscover.mrigotechno.club. Remove the other local host names.
With the local host names removed and only the FQDN and Autodiscover host names added, click Next.
Type information about your organization and click Next.
Save the request to a file: type the UNC path and click Next.
The certificate request has been created, and using the CSR file we need to obtain a certificate from a third-party certification authority. Once the certificate is received, come back to the Certificates tab in the Exchange Admin Center, select the request entry, and click Complete to apply the certificate.
Type the UNC path of the certificate received from the CA and click OK.
The next step is to assign services to the certificate: open the certificate entry in the EAC and check the host names.
Go to Services in the same window and select the services that should use this certificate. IIS and SMTP are generally selected, but if you wish IMAP and POP to use the certificate, or those services are enabled, select them too and click Save.
Click Yes on the confirmation message, and you will see Valid in the certificate status.
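The same request, completion and service assignment from the Exchange Management Shell, as an added example that is not part of the original post. The host names are the post's; the UNC share \\ex\Certs, the file names and the O= and C= subject fields are assumptions.

```powershell
# Added example, not from the original post. Generates the SAN request, completes it with the
# CA-issued file and enables IIS and SMTP, then checks that the certificate covers both names.
$Server_Name = 'ex'
$Names       = 'mail.mrigotechno.club', 'autodiscover.mrigotechno.club'
$RequestFile = "\\$Server_Name\Certs\mail.req"    # assumed share and file name
$IssuedFile  = "\\$Server_Name\Certs\mail.cer"    # file returned by the CA

# 1. Request: first name is the subject, all names go into the SAN; the key is exportable so
#    the certificate can later be moved to another server. O= and C= values are assumptions.
$req = New-ExchangeCertificate -Server $Server_Name -GenerateRequest `
    -FriendlyName 'mrigotechno.club mail' `
    -SubjectName "CN=$($Names[0]), O=Mrigo Techno, C=US" `
    -DomainName $Names -PrivateKeyExportable $true -KeySize 2048
[System.IO.File]::WriteAllBytes($RequestFile, [System.Text.Encoding]::Unicode.GetBytes($req))

# 2. After the CA returns the certificate: complete the pending request.
$cert = Import-ExchangeCertificate -Server $Server_Name `
    -FileData ([System.IO.File]::ReadAllBytes($IssuedFile))

# 3. Assign services; -Force skips the prompt about replacing the default SMTP certificate.
Enable-ExchangeCertificate -Server $Server_Name -Thumbprint $cert.Thumbprint -Services IIS, SMTP -Force

# Check: status Valid, every required name present, services assigned.
function Test-ExchangeCertCoverage {
    param([string]$Thumbprint, [string[]]$Required)
    $c = Get-ExchangeCertificate -Server $Server_Name -Thumbprint $Thumbprint
    $domains = @($c.CertificateDomains | ForEach-Object { "$_" })
    $missing = @($Required | Where-Object { $domains -notcontains $_ })
    [pscustomobject]@{
        Thumbprint = $c.Thumbprint
        Status     = "$($c.Status)"
        Services   = "$($c.Services)"
        NotAfter   = $c.NotAfter
        Missing    = $missing -join ','
    }
}
$check = Test-ExchangeCertCoverage -Thumbprint $cert.Thumbprint -Required $Names
$check | Format-List
if ($check.Missing) { throw "Certificate does not cover: $($check.Missing)" }
```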
Conclusion
In this article, we have discussed how to Install Exchange
Server 2019 using Graphical User Interface and configured the server using the
Exchange Admin Center and Exchange Management Shell. In my other three-part
article, I have demonstrated how to migrate Exchange Server 2013 to Exchange
Server 2019. I have added the link to those articles below. If you are
interested in knowing how to install Exchange Server using the Command line,
that article covers the installation process. You may have some questions or
feedback to share with me, please click the comments below and share your
thoughts. I’m so happy to answer your questions.
This document will guide you through the steps to provide Microsoft Exchange claims-based authentication using ADFS for Outlook on the web (OWA) and the Exchange Admin Center (EAC) of Exchange Server 2016. The ADFS server configured in this tutorial is deployed on Windows Server 2016.
How Claims Authentication Using ADFS with Exchange Server Works
In the big picture, the user requests a token from ADFS (here ADFS is used as the identity provider), and once it receives the request, the security token service must authenticate the user. The user's credentials are verified against the account store, which in this example is Active Directory. After the user is authenticated, the security token service provided by ADFS sends the token to the user. The user now has a token to present to the Exchange server. The Exchange server checks the token signature and verifies that the token issuer is ADFS. Once the token signature is checked and the claims verified, the Exchange server authenticates the user. The configuration of this process outlined in the tutorial comprises installing and configuring the ADFS server and setting up Exchange Server to authenticate using claims-based authentication with federated authentication.
Step by Step
The following steps are involved in implementing Exchange Server claims-based authentication using ADFS. We assume Exchange Server is already installed and authenticating Active Directory users with forms-based authentication. If you are doing this on a test network, please install and configure Exchange Server 2016 before following this step-by-step document. This document can also be used for Exchange Server 2013 or Exchange Server 2019. As I already mentioned, the ADFS server installed for this demonstration is Windows Server 2016. The steps are given in the following points.
Install ADFS Server role on Windows Server 2016
Create Group Managed Service Account (gMSA)
Configure Federation Service
Add Relying Party Trust on AD FS Management Console
Add Relying Party Trust for OWA
Add Relying Party Trust for ECP
Add Claim Issuance Policies for OWA Trust
Add Claim Issuance Policies for ECP Trust
Export Token Signing Certificate from AD FS server to Import it to Exchange Server
Import the Token-Signing Certificate to Exchange Server
Configure Exchange Organization to authenticate using ADFS
Configure ECP and OWA virtual directories with ADFS Authentication
Test OWA and ECP claims based authentication
Install ADFS Server role on Windows Server 2016
We are going to install the Active Directory Federation Services role on Windows Server 2016. To begin, start Server Manager and click Add roles and features; the Add Roles and Features Wizard will begin, and we can go through this wizard to complete the Active Directory Federation Services role installation.
The Add Roles and Features Wizard requirements and description are outlined on the Before you begin page; you will see this page unless you previously selected the Skip this page by default checkbox, in which case the wizard starts from the installation type selection page. Click Next to continue.
Exchange Server Claims Authentication Using ADFS
In this wizard we are going to use role-based installation to add this role, so select Role-based or feature-based installation and click Next to continue.
Make sure the local server is in the server pool, select it, and click Next.
On the Select server roles page, select Active Directory Federation Services and click Next.
On the Select features page, no additional selection is needed; leave the selection as it is and click Next to continue.
The page titled AD FS shows the details of the AD FS server role; read through this page for a better understanding of the role and click Next when you have finished reading.
The confirmation page shows the role that we have selected. This is the end of the Add Roles and Features Wizard; click Install to start the installation of the AD FS role services.
Once the AD FS role services installation has completed, you have the option to configure the AD FS role. Wait a moment before starting the configuration: we need a prerequisite when we configure it, a group managed service account (gMSA) to assign as the service account, so the next step is creating the gMSA. Go to your domain controller and follow the steps provided next. Click Close to end the wizard; remember that you can always start the AD FS configuration from the Server Manager notification drop-down, so we are fine closing the wizard for now.
Create Group Managed Service Account (gMSA)
We need a group managed service account as the service account for the AD FS service. This gMSA account has to be created on the domain controller; start an elevated Windows PowerShell window there to create it. The elevated PowerShell prompt can be launched from the Start button: select Windows PowerShell and choose Run as administrator, as in the screen below.
Domain controllers (DCs) require a root key to begin generating gMSA passwords. By default, the domain controllers will wait up to 10 hours from the time of creation, to allow all domain controllers to converge their AD replication, before allowing the creation of a gMSA. To make the key effective immediately, run the command below.
A GUID will be shown on successful completion of the command above. The next command to run creates the gMSA account using New-ADServiceAccount; modify the command to match your service account name and the DNS host name of the AD FS server in your environment. You will see the command return to the next prompt without any output, and no output means the command completed successfully.
The output of the commands will look like the screen below.
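The two commands described above, as an added example that is not the post's own (those are shown only as a screenshot). The account name ADFSgMSA is an assumption; adfs.mrigotechno.club is the federation service name the post uses later. The script only creates the root key if none exists yet and verifies the account afterwards.

```powershell
# Added example, not the post's own commands. Run in an elevated PowerShell window on a domain
# controller. Creates the KDS root key (once per forest) and the gMSA for the AD FS service.
Import-Module ActiveDirectory
$GmsaName = 'ADFSgMSA'                 # assumed account name
$AdfsHost = 'adfs.mrigotechno.club'    # federation service name from the post

# KDS root key: -EffectiveImmediately skips the 10-hour replication wait described above.
# Until the key has replicated, only DCs that already hold it can generate the gMSA password,
# so the shortcut is only safe in a lab or single-DC domain.
if (-not (Get-KdsRootKey)) {
    $keyId = Add-KdsRootKey -EffectiveImmediately
    Write-Host "KDS root key created: $keyId"
}

# gMSA for AD FS; the SPN is for the federation host name, which is not a computer account.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$GmsaName'")) {
    New-ADServiceAccount -Name $GmsaName -DNSHostName $AdfsHost -ServicePrincipalNames "http/$AdfsHost"
}

# Verify the account exists with the expected host name and SPN.
function Get-GmsaCheck {
    $a = Get-ADServiceAccount -Identity $GmsaName -Properties DNSHostName, ServicePrincipalNames
    [pscustomobject]@{
        Name        = $a.Name
        DNSHostName = $a.DNSHostName
        SpnOk       = ($a.ServicePrincipalNames -contains "http/$AdfsHost")
    }
}
$check = Get-GmsaCheck
$check | Format-List
if (-not $check.SpnOk) { throw "SPN http/$AdfsHost missing on $GmsaName" }
```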
Configure Federation Service
Now we come back to Server Manager to start the configuration of the AD FS role that we left off in the previous step. Go to Notifications and select Configure the federation service on this server to begin the AD FS configuration wizard.
This is a new installation of the AD FS server role and the only server in the AD FS farm, so select the "Create the first federation server in a federation server farm" radio button to create the farm with this server as the first federation server. Click Next to continue.
AD FS runs on Active Directory; to connect to Active Directory we need to use an administrator account. The logged-on user is selected by default on the assumption that it is an administrator of the Active Directory domain; if the account is correct, go to the next step, otherwise click Change and select one with administrative access. Click Next to continue.
The next page imports the certificate into the AD FS certificate store. I already have a public CA certificate, a wildcard certificate for my domain, in .pfx format. If you don't have a certificate yet, I recommend a third-party CA certificate, whether single host name, SAN or wildcard, ready in .pfx format so that it can be imported as described in the step below. Once the .pfx file is ready, click Import to import the certificate.
Browse to the certificate file location, select the certificate file, and click Open.
If the .pfx certificate has a password, you will be prompted for it; type the password and click OK.
Once the certificate has been imported, type the AD FS external server name in the Federation Service Name box in the middle. In my scenario it is adfs.mrigotechno.club. In the next box, Federation Service Display Name, type a name that describes the organization or similar; this name is shown on the sign-in page.
On the next
Specify Service Account page, select the service account that we created
previously.
We are using the Windows Internal Database for this demo configuration. If you have SQL Server installed on your network and want to use it, you can select the second option; for this demonstration, I select the Create a database on this server using Windows Internal Database radio button. Click Next to continue.
Review the options selected and click Next to continue.
If the configuration is correct up to this point, you will get a green tick mark with "All prerequisite checks passed successfully. Click 'Configure' to begin the installation."
Once the configuration succeeds, you will see a green tick with the message "This server was successfully configured". Click Close to close the wizard.
Add Relying Party Trust on AD FS Management Console
We have completed the installation and configuration of the Active Directory Federation Services role. The next step is to add relying party trusts for the OWA and ECP URLs.
Add Relying Party Trust for OWA
Go to Server Manager and on the Tools menu select Active Directory Federation Services. The AD FS Management console opens, where we can add relying party trusts.
In the AD FS console, either right-click Relying Party Trusts and select Add Relying Party Trust, or select Relying Party Trusts and click Add Relying Party Trust in the Actions pane.
On the Welcome page, select the Claims aware radio button and click Start.
On the next
page, select “Enter data about the relying party manually” and click Next.
Type a display name and description as you want. This first relying party trust is for Outlook on the web, so I typed "OWA" as the display name for this demonstration. Click Next to continue.
On the Configure
Certificate page, leave the default and click Next.
On Configure URL, select "Enable support for the WS-Federation Passive Protocol" and type the OWA external URL as configured on your Exchange Server. Click Next.
Make sure the OWA URL has been added under Relying party trust identifiers on the Configure Identifiers page and click Next.
On the Choose an access control policy page, choose a policy relevant to you; for this demonstration, I choose Permit everyone. Click Next to continue.
On the Ready to add trust page, click Next to add the trust.
Click Close to end the Add Relying Party Trust wizard.
Add Relying Party Trust for ECP
We are going to go through the same steps as for the OWA relying party trust, but this time with the ECP URL instead of the OWA URL.
In the AD FS console, right-click Relying Party Trusts and select Add Relying Party Trust.
On the Welcome page, select the Claims aware radio button and click Start.
On the next
page, select “Enter data about the relying party manually” and click Next.
Type a display name and description as you want. This second relying party trust is for the Exchange Admin Center, so I typed "ECP" as the display name for this demonstration. Click Next to continue.
On the Configure
Certificate page, leave the default and click Next.
On Configure URL, select "Enable support for the WS-Federation Passive Protocol" and type the ECP external URL as configured on your Exchange Server. Click Next.
Make sure the ECP URL has been added under Relying party trust identifiers on the Configure Identifiers page and click Next.
On the Choose an access control policy page, choose a policy relevant to you; for this demonstration, I choose Permit everyone. Click Next to continue.
On the Ready to add trust page, click Next to add the trust.
Click Close to end the Add Relying Party Trust wizard.
Add Claim Issuance Policies for OWA Trust
In the Relying Party Trusts middle pane, select the OWA trust and click Edit Claim Issuance Policy to add rules.
We are going to add two issuance policy rules to the OWA policy. On the Issuance Transform Rules tab, click Add Rule to start the wizard.
On the Claim rule template drop-down, select "Send Claims Using a Custom Rule" and click Next.
Type a claim rule name; this rule is for the Active Directory SID identifier, so I have named it AD-SID-ID. In the custom rule area, type the following rule.
Next, we are going to add one more rule, for the UPN. Click Add Rule.
On the Claim rule template drop-down, select "Send Claims Using a Custom Rule" and click Next.
For the claim rule name, type a name for the rule; this rule is for the Active Directory UPN, so I have typed AD-UPN. In the claim rule area, copy and paste the following rule.
In the Edit Claim Issuance Policy window, click OK.
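The relying party trusts created in the wizard above and the two custom claim rules (AD-SID-ID and AD-UPN) can also be created from PowerShell on the AD FS server. This is an added example, not the article's own commands; the URLs are placeholders for your Exchange external URLs, and it applies the same two rules to both the OWA and the ECP trust (the walkthrough above shows the OWA trust).

```powershell
# Added example, not the article's own commands. Run on the AD FS server
# (Windows Server 2016, ADFS module). URLs are placeholders for your environment.
Import-Module ADFS

$owaUrl = "https://mail.example.com/owa/"   # placeholder: OWA external URL
$ecpUrl = "https://mail.example.com/ecp/"   # placeholder: ECP external URL

# The two custom rules named in the article (AD-SID-ID and AD-UPN): look up the
# user's objectSID and userPrincipalName in Active Directory from the
# authenticated Windows account name and issue them as claims.
$rules = @'
@RuleName = "AD-SID-ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"), query = ";objectSID;{0}", param = c.Value);

@RuleName = "AD-UPN"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);
'@

# One trust per URL. The identifier is what Exchange later lists in
# -AdfsAudienceUris, so it must match the URL character for character.
$trusts = @(
    @{ Name = "OWA"; Url = $owaUrl },
    @{ Name = "ECP"; Url = $ecpUrl }
)
foreach ($t in $trusts) {
    if (-not (Get-AdfsRelyingPartyTrust -Name $t.Name)) {
        # Same choices as the wizard: WS-Fed passive endpoint, identifier,
        # and the built-in "Permit everyone" access control policy.
        Add-AdfsRelyingPartyTrust -Name $t.Name -Identifier $t.Url -WSFedEndpoint $t.Url `
            -AccessControlPolicyName "Permit everyone"
    }
    Set-AdfsRelyingPartyTrust -TargetName $t.Name -IssuanceTransformRules $rules
}

# Check: both trusts exist and carry the endpoint and both rule names.
Get-AdfsRelyingPartyTrust -Name OWA, ECP |
    Select-Object Name, Identifier, WSFedEndpoint, IssuanceTransformRules
```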
Export Token Signing Certificate from AD FS server to Import it to Exchange Server
Open the AD FS Management Console and select Certificates under Service. In the middle (Certificates) pane, select the certificate with subject CN=ADFS Signing, and in the Actions pane click View Certificate.
Select the Details tab and click Copy to File at the bottom.
Click Next on the Certificate Export Wizard welcome screen.
On the Export File Format page, choose the Base-64 encoded X.509 (.CER) file format and click Next.
Click Browse, select a path and file name with the .CER extension, and click Next to continue.
Click Finish to complete the Certificate Export Wizard. Copy the exported file to the Exchange server to import it.
Import the Token-Signing Certificate to Exchange Server
Go to Start > Run, type MMC and click OK.
In the Microsoft Management Console (MMC), click the File menu, then Add/Remove Snap-in.
In the Add or Remove Snap-ins dialog, select the Certificates snap-in from the available snap-ins and click Add.
In the Certificates snap-in wizard, select Computer Account and click Next.
Select Local Computer on the Select Computer page and click Finish to end the snap-in wizard.
With the Certificates snap-in selected, click OK to open the Certificates console.
Right-click Certificates under Console Root/Trusted Root Certification Authorities/Certificates, and click Import under All Tasks.
Click Next on the Certificate Import Wizard welcome screen, then click Next to continue.
Select the token-signing .cer file that we exported from the AD FS server and copied to the Exchange server. Click Next to continue.
Click Finish on the Certificate Import Wizard.
Click OK on the “The import was successful” popup message.
Configure Exchange Organization to authenticate using ADFS
On the AD FS server, launch a PowerShell prompt and type the following command to get the token-signing certificate thumbprint.
Start the Exchange Management Shell on the Exchange server: from Start > Exchange Server 2016, right-click Exchange Management Shell and click Run as Administrator to start an elevated EMS.
Construct the Set-OrganizationConfig command with 1. the AD FS issuer URI, 2. the AD FS audience URIs (the OWA and ECP URIs) and 3. the AD FS signing certificate thumbprint (in the previous step, we took the thumbprint of the ADFS Signing certificate).
Configure ECP and OWA virtual directories with ADFS Authentication
Run the Set-EcpVirtualDirectory command in the Exchange Management Shell to set ECP authentication. The -Identity on the command is “ServerName\ecp (Default Web site)”; type your own server name. Also, except for ADFS authentication, set all other authentication methods to false (turn them off).
Run the Set-OwaVirtualDirectory command in the Exchange Management Shell to set OWA authentication. The -Identity on the command is “ServerName\owa (Default Web site)”; type your own server name. Also, except for ADFS authentication, set all other authentication methods to false.
Once the OWA and ECP virtual directories are configured, restart Internet Information Services.
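Done from the shell instead of the MMC and certificate wizards, the certificate export and import, the Set-OrganizationConfig command and the two virtual directory commands from the sections above look like this. This is an added example, not the article's own commands; the host names, file path and thumbprint value are placeholders for your environment.

```powershell
# Added example, not the article's own commands. Step 1 runs on the AD FS server;
# steps 2-4 run in an elevated Exchange Management Shell on the Exchange server.
# Host names, paths and the thumbprint value are placeholders.

# --- 1. AD FS server: thumbprint and Base-64 export of the token-signing cert ---
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
"Token-signing thumbprint: $($signing.Thumbprint)"    # copy this value for step 3
$b64 = [Convert]::ToBase64String($signing.Certificate.RawData, 'InsertLineBreaks')
Set-Content -Path C:\temp\token-signing.cer -Encoding Ascii -Value @(
    '-----BEGIN CERTIFICATE-----', $b64, '-----END CERTIFICATE-----')
# AD FS renews this certificate itself when AutoCertificateRollover is on; every
# renewal changes the thumbprint, so steps 2 and 3 must then be repeated.
Get-AdfsProperties | Select-Object AutoCertificateRollover

# --- 2. Exchange server: import into Trusted Root Certification Authorities ---
Import-Certificate -FilePath C:\temp\token-signing.cer -CertStoreLocation Cert:\LocalMachine\Root

# --- 3. Exchange organization: issuer, audiences and signing thumbprint ---
$adfsFqdn   = "adfs.example.com"                       # placeholder: federation service name
$owaUrl     = "https://mail.example.com/owa/"          # must equal the OWA trust identifier
$ecpUrl     = "https://mail.example.com/ecp/"          # must equal the ECP trust identifier
$thumbprint = "<token-signing thumbprint from step 1>" # placeholder
Set-OrganizationConfig -AdfsIssuer "https://$adfsFqdn/adfs/ls/" `
    -AdfsAudienceUris $owaUrl, $ecpUrl -AdfsSignCertificateThumbprint $thumbprint

# --- 4. Virtual directories: ADFS on, every other method off, then restart IIS ---
$server = $env:COMPUTERNAME
Set-EcpVirtualDirectory -Identity "$server\ecp (Default Web site)" `
    -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false `
    -FormsAuthentication $false -WindowsAuthentication $false
Set-OwaVirtualDirectory -Identity "$server\owa (Default Web site)" `
    -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false `
    -FormsAuthentication $false -WindowsAuthentication $false -OAuthAuthentication $false
iisreset /noforce

# --- Check before testing in a browser ---
Get-OrganizationConfig | Format-List AdfsIssuer, AdfsAudienceUris, AdfsSignCertificateThumbprint
Get-OwaVirtualDirectory -Server $server | Format-List Identity, *Authentication
Get-EcpVirtualDirectory -Server $server | Format-List Identity, *Authentication
```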
Test OWA and ECP claims based authentication
Open a browser window and type the Exchange Admin Center (ECP) or Outlook on the web (OWA) URL.
The browser will redirect to the Federation Service login page; type the username and password.
After authentication with AD FS, the URL will redirect back to ECP.
Conclusion
In this article, we have gone through how to set up claims-based authentication for Exchange Server OWA and ECP URLs using an AD FS server installed on Windows Server 2016. We have covered how to install and configure Active Directory Federation Services (AD FS), configured relying party trusts and claim issuance rules for the OWA and ECP URLs, configured the Exchange organization to authenticate with AD FS, configured the ECP and OWA virtual directories, and then demonstrated AD FS authentication by logging in to the ECP site.
I hope this article gives all the details needed to set up an Exchange environment for claims-based authentication to Exchange Server OWA and ECP using AD FS. If you have questions or feedback to share with me, please click the comments below and share your thoughts. I’m happy to answer your questions.