Category Archive : Exchange

Exchange Server 2019 Upgrade error 5506

Today I was trying to upgrade Exchange Server 2019 RTM to Cumulative Update 5 (CU5) when the upgrade stopped with an error. The upgrade went up to Step 10 and errored out with the following error message.

Error:

 The following error was generated when "$error.Clear();
 Install-ExchangeCertificate -services IIS -DomainController $RoleDomainController
 if ($RoleIsDatacenter -ne $true -And $RoleIsPartnerHosted -ne $true)
 {
 Install-AuthCertificate -DomainController $RoleDomainController
 }
 " was run: "Microsoft.Exchange.Management.Clients.FormsAuthenticationMarkPathUnknownSetError: An unexpected error occurred while modifying the forms authentication settings for path /LM/W3SVC/1. The error returned was 5506.
 at Microsoft.Exchange.Configuration.Tasks.Task.ThrowError(Exception exception, ErrorCategory errorCategory, Object target, String helpUrl)
 at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target)
 at Microsoft.Exchange.Management.SystemConfigurationTasks.InstallExchangeCertificate.EnableForServices(X509Certificate2 cert, AllowedServices services)
 at Microsoft.Exchange.Management.SystemConfigurationTasks.InstallExchangeCertificate.InternalProcessRecord()
 at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__91_1()
 at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)". 

Solution:

To resolve this issue, I opened Internet Information Services (IIS) Manager, went to the Default Web Site, right-clicked it and opened the Bindings option, and changed the certificate on the https binding from the third-party one to the self-signed certificate.

I then restarted IIS using the iisreset command from a command prompt.

I restarted the Exchange CU upgrade, and this time it completed successfully.

After the upgrade, I changed the https binding of the Default Web Site back to the third-party certificate.

I hope this helps someone.

Exchange Server Cumulative Update upgrade error

The Exchange Server Cumulative Update upgrade fails while stopping the Windows Management Instrumentation (WinMgmt) service. The following error is shown when setup tries to stop this service.

Error:

 The following error was generated when "$error.Clear();
          & $RoleBinPath\ServiceControl.ps1 -Operation:DisableServices -Roles:($RoleRoles.Replace('Role','').Split(',')) -SetupScriptsDirectory:$RoleBinPath;
          & $RoleBinPath\ServiceControl.ps1 -Operation:Stop -Roles:($RoleRoles.Replace('Role','').Split(',')) -IsDatacenter:([bool]$RoleIsDatacenter)
        " was run: "Microsoft.Exchange.Configuration.Tasks.ServiceDidNotReachStatusException: Service 'WinMgmt' failed to reach status 'Stopped' on this server.
    at Microsoft.Exchange.Configuration.Tasks.Task.ThrowError(Exception exception, ErrorCategory errorCategory, Object target, String helpUrl)
    at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target)
    at Microsoft.Exchange.Management.Tasks.ManageSetupService.WaitForServiceStatus(ServiceController serviceController, ServiceControllerStatus status, Unlimited`1 maximumWaitTime, Boolean ignoreFailures, Boolean sendWatsonReportForHungService)
    at Microsoft.Exchange.Management.Tasks.ManageSetupService.StopService(ServiceController serviceController, Boolean ignoreServiceStopTimeout, Boolean failIfServiceNotInstalled, Unlimited`1 maximumWaitTime)
    at Microsoft.Exchange.Management.Tasks.ManageSetupService.StopService(String serviceName, Boolean ignoreServiceStopTimeout, Boolean failIfServiceNotInstalled, Unlimited`1 maximumWaitTime)
    at Microsoft.Exchange.Management.Tasks.StopSetupService.InternalProcessRecord()
    at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__91_1()
    at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)".

Resolution

Go to Task Manager, open the Services tab, find the Windows Management Instrumentation service and note its Process ID (PID). Then go to the Details tab in Task Manager and end that process. Leave the Windows Management Instrumentation service start state as disabled and run the Exchange Server Cumulative Update setup again, either through the graphical user interface or the command line; this time the error won't come up.
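The same resolution from an elevated PowerShell window, as an added example that is not part of the original post. It uses sc.exe rather than the WMI-based cmdlets because those can hang while the WinMgmt service itself is stuck, and it checks that the service is really stopped before Setup is re-run.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell window on the Exchange server.
$svc = 'winmgmt'

# sc.exe queryex prints the service state and the host process id (e.g. "PID : 1234") without touching WMI.
$query  = sc.exe queryex $svc
$state  = ($query | Select-String 'STATE\s*:\s*\d+\s+(\w+)').Matches[0].Groups[1].Value
$svcPid = [int]($query | Select-String 'PID\s*:\s*(\d+)').Matches[0].Groups[1].Value
"WinMgmt state: $state, PID: $svcPid"

if ($svcPid -ne 0) {
    # Show which other services share this svchost; they will be terminated with it and restart on demand.
    tasklist /svc /fi "PID eq $svcPid"

    # Stop-Service is what Setup already tried and timed out on, so end the host process instead.
    Stop-Process -Id $svcPid -Force
    Start-Sleep -Seconds 5
}

# Confirm the state via the Service Control Manager only. Setup's DisableServices step already set the
# start type to Disabled; leave it that way, as the article says, and just report it here.
$check = Get-Service -Name $svc
$check | Select-Object Name, Status, StartType
if ($check.Status -ne 'Stopped') {
    throw "$svc is still $($check.Status); re-check the PID before re-running Setup."
}
"$svc is stopped; run the Exchange Cumulative Update Setup again."
```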

I want to hear from you: if you have any questions or feedback, leave your comments below and I will reply.

Exchange Server Installation Error

Exchange Server Installation Error while running ‘ldifde.exe’ to import the schema file

I received the following error during Exchange 2016 setup, right after the installation's readiness check completed.

 Error:
 The following error was generated when "$error.Clear(); 
                 install-ExchangeSchema -LdapFileName ($roleInstallPath + "Setup\Data\"+$RoleSchemaPrefix + "schema0.ldf")
 " was run: "Microsoft.Exchange.Configuration.Tasks.TaskException: There was an error while running 'ldifde.exe' to import the schema file 'C:\Windows\Temp\ExchangeSetup\Setup\Data\PostExchange2003_schema0.ldf'. The error code is: 8224. More details can be found in the error file: 'C:\Users\theman\AppData\Local\Temp\2\ldif.err'
    at Microsoft.Exchange.Configuration.Tasks.Task.ThrowError(Exception exception, ErrorCategory errorCategory, Object target, String helpUrl)
    at Microsoft.Exchange.Management.Deployment.InstallExchangeSchema.ImportSchemaFile(String schemaMasterServer, String schemaFilePath, String macroName, String macroValue, WriteVerboseDelegate writeVerbose)
    at Microsoft.Exchange.Management.Deployment.InstallExchangeSchema.InternalProcessRecord()
    at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__91_1()
    at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)". 

The error turned out to be caused by a domain controller that was offline. Once I brought that domain controller back online and restarted the Exchange 2016 setup, the error disappeared.
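A pre-flight check to run before restarting Setup, as an added example that is not part of the original post. It assumes the Active Directory PowerShell module (RSAT-ADDS) is present on the server where Setup is run, lists which domain controllers answer on LDAP (the schema import in the trace above targets the schema master), and shows the ldif.err file that the error message points to; the path used for that file is an assumption based on the one in the error.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell window with the AD module loaded.
# Assumption: ldif.err lives under the profile of the account that ran Setup, as in the error message above.
$ldifErr = "$env:LOCALAPPDATA\Temp\2\ldif.err"

$forest = Get-ADForest
"Schema master: $($forest.SchemaMaster)"

# Test every domain controller of the root domain on LDAP (TCP 389).
$results = foreach ($dc in Get-ADDomainController -Filter * -Server $forest.RootDomain) {
    $ldap = Test-NetConnection -ComputerName $dc.HostName -Port 389 -WarningAction SilentlyContinue
    [pscustomobject]@{
        DC            = $dc.HostName
        Site          = $dc.Site
        SchemaMaster  = ($dc.HostName -eq $forest.SchemaMaster)
        LdapReachable = $ldap.TcpTestSucceeded
    }
}
$results | Format-Table -AutoSize

# Any DC that is down must be brought back online (as in this post) or cleaned up before Setup is re-run.
$down = $results | Where-Object { -not $_.LdapReachable }
if ($down) {
    Write-Warning "Unreachable DC(s): $($down.DC -join ', ')"
}
$master = $results | Where-Object { $_.SchemaMaster }
if (-not $master -or -not $master.LdapReachable) {
    Write-Warning "The schema master is not reachable; the schema import cannot succeed."
}

# ldifde writes the underlying LDAP failure here; the setup log only shows the numeric code.
if (Test-Path $ldifErr) { Get-Content -Path $ldifErr -Tail 20 }
```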

How to Properly Install and Configure Exchange Server 2019

Preface

In this article, we are going to walk through the installation of Exchange Server 2019 and configure some of the Exchange components such as virtual directories, Outlook Anywhere and so on. This article covers how to install and configure Exchange Server 2019 using the GUI.

I have already written a three-part article on migrating Exchange Server 2013 to Exchange Server 2019, and installation and configuration are covered there. That installation was done using the command line interface, but most admins prefer the graphical user interface to install and configure Exchange Server. With that in mind, I have created this new article for Exchange admins using the GUI. Even though the Exchange Server 2019 installation was demonstrated in that article series, configuring an Exchange server in a new Exchange organization is somewhat different from configuring one in an existing organization.

Also, this article covers the complete configuration needed for a basic Exchange Server deployment. It assumes you have a domain controller up and running on your network and that you are going to install Exchange Server 2019 into that Active Directory environment. If you are doing this installation on a test network with no domain controller, I recommend installing a domain controller using my other article before installing Exchange Server 2019. I also recommend going through this Microsoft link if you want to know all the Active Directory schema changes made when Exchange Server 2019 is installed in your Active Directory environment. You are advised to read the complete document before starting the installation so that you do not get stuck on any step while installing and configuring Exchange Server 2019. We are going to do the following tasks when installing and configuring Exchange Server 2019.

  1. Install Exchange Server Pre-requisite
  2. Install Exchange Server 2019 using GUI
  3. Create new outbound send connector to send emails to internet email
  4. Configure Virtual Directories
  5. Configure Outlook Anywhere
  6. Set Service Connection Point
  7. Rename default database and move database path
  8. Install Certificate

Pre-requisite to Install and Configure Exchange Server

Windows Server 2019 has to be prepared with the Exchange Server 2019 prerequisites before installing the Exchange Server binaries.

The following Windows Server packages need to be installed before installing Exchange Server 2019:

.NET Framework 4.8
Visual C++ Redistributable Package for Visual Studio 2013
Unified Communications Managed API 4.0
Windows features

Install .NET Framework 4.8

.NET Framework 4.8 is a required prerequisite package. Download the offline installer from the link below.

https://go.microsoft.com/fwlink/?linkid=2088631

Once the offline installer has been downloaded, right-click the package and run it as an administrator to install it on the server.

Check the license agreement checkbox and click install.

Click Finish to complete the installation.

Install Visual C++ Redistributable Package for Visual Studio 2013

The next prerequisite to install on the server is the Visual C++ Redistributable Package for Visual Studio 2013. You can download this package from the link below; choose the language that you are planning to install on the server.

https://support.microsoft.com/en-in/help/4032938/update-for-visual-c-2013-redistributable-package

Once the package has been downloaded, right-click the downloaded file and run as administrator.

Accept the license and click Install to install the package.

Click close when the install completes.

Install Unified Communications Managed API 4.0

The next prerequisite package we are going to install on the server is the Microsoft Unified Communications Managed API 4.0 runtime. Download the package from the link below.

https://www.microsoft.com/en-us/download/details.aspx?id=34992

Once the package is downloaded, run it as an administrator to begin the installation. Click Next to continue.

Click Install to install the package and click Finish when the install is over.

Install Windows Feature

The next prerequisite is the Windows Server features installation. Open a PowerShell window as administrator and run the following command; once the installation of the features is complete, restart the Windows operating system.

Install-WindowsFeature Server-Media-Foundation, NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation, RSAT-ADDS 
Install and Configure Exchange Server

Open the Exchange Server installation media and double-click setup.exe to start the installation. Select Connect to the Internet and check for updates and click Next.

On the next screen, the installation wizard will try to download updates, if there are any, from the Microsoft update server. Click Next to continue.

Go through the introduction and click Next to continue the wizard.

Accept the license agreement and click Next to continue.

Select Use Recommended Settings and click Next.

Select the server role. This demonstration is for the Exchange Server Mailbox role, so select Mailbox role; the Management tools checkbox will be selected automatically. Also check Automatically install roles and features and click Next.

Select the drive where Exchange Server is to be installed. In most cases, it would be on a drive other than the system drive. I have left the installation path as-is for this demonstration, but you can choose the drive and path you want.

Specify an organization name. In this case, I leave it at the default. Click Next.

If you are planning to use third-party malware protection, you can choose to disable malware protection. If you want to use the Exchange Server built-in one, set Disable malware protection to No and click Next.

The install wizard will start the readiness check; wait for it to complete and check whether you have received any error message.

If there is any error, act on it, rectify it, and then restart the Exchange Server installation. If you have followed these installation steps, you most probably won't have any error. Click Install to start the installation.

Setup will start, and you can monitor the progress along the way; it will take some time to complete. Be patient and wait for setup to complete.

The Setup is in progress and may take some more time to complete.

Exchange Server setup is complete; select Launch Exchange Administration Center and click Finish.

Exchange Admin Center (EAC), also called the Exchange Control Panel, is the web console where the Exchange Server is configured and managed. This console can be accessed initially at the URL https://localhost/ecp

The login screen is shown in the image below, where the administrator can log in to the full admin console with the username in the form domain\username and the password.

Create A Send Connector

A fresh Exchange Server installation will not have a connector to send email to internet email addresses. We need to create one to do so. Here are the steps to create a send connector using the Exchange Admin Center. Log in to the Exchange Admin Center and go to Mail flow → Send connectors. Click Add or the + sign at the top of the icons.

The New Send Connector wizard will open. Type a descriptive name and select Internet as type.

As we are going to send email to internet users straight from the Exchange server, select MX record associated with recipient domain and click Next.

To add an address space, click the + sign under Address space.

Type * in the FQDN field and click Save.

Once the address space has been saved, click Next.

On the Source server page, click the + sign to add the only server we have just installed.

Add the Exchange server and click OK.

We have completed creating the send connector; click Finish to close the wizard.

Configure Virtual Directories

We are going to configure virtual directories such as OWA, ActiveSync and so on with internal and external URLs using the Exchange Management Shell. Navigate to Start → Microsoft Exchange Server from the menu, right-click Exchange Management Shell and choose Run as administrator to open an elevated shell to configure the virtual directories.

The following script sets the internal and external URLs of each virtual directory. Set the Server_name and FQDN variables to our Exchange server name and external domain name.

 # Exchange server name and the external hostname clients will use; change both to match your environment.
 $Server_name = "ex"
 $FQDN = "mail.mrigotechno.club"
 Get-OWAVirtualDirectory -Server $Server_name | Set-OWAVirtualDirectory -InternalURL "https://$($FQDN)/owa" -ExternalURL "https://$($FQDN)/owa"
 Get-ECPVirtualDirectory -Server $Server_name | Set-ECPVirtualDirectory -InternalURL "https://$($FQDN)/ecp" -ExternalURL "https://$($FQDN)/ecp"
 Get-OABVirtualDirectory -Server $Server_name | Set-OABVirtualDirectory -InternalURL "https://$($FQDN)/oab" -ExternalURL "https://$($FQDN)/oab"
 Get-ActiveSyncVirtualDirectory -Server $Server_name | Set-ActiveSyncVirtualDirectory -InternalURL "https://$($FQDN)/Microsoft-Server-ActiveSync" -ExternalURL "https://$($FQDN)/Microsoft-Server-ActiveSync"
 Get-WebServicesVirtualDirectory -Server $Server_name | Set-WebServicesVirtualDirectory -InternalURL "https://$($FQDN)/EWS/Exchange.asmx" -ExternalURL "https://$($FQDN)/EWS/Exchange.asmx"
 Get-MapiVirtualDirectory -Server $Server_name | Set-MapiVirtualDirectory -InternalURL "https://$($FQDN)/mapi" -ExternalURL "https://$($FQDN)/mapi"

You will see the Exchange Management Shell output as shown below after you copy and paste the script into the EMS.

Configure Outlook Anywhere

To let Outlook clients connect from internal and external networks, we need to configure Outlook Anywhere from the Servers → Outlook Anywhere settings with the Exchange hostname (FQDN), such as mail.domain.com. You can navigate to the Outlook Anywhere settings as shown in the steps in the image.

Click OK on the warning about the Negotiate client authentication method.
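The same Outlook Anywhere settings applied from the Exchange Management Shell, followed by a check of all the client-facing URLs configured in this and the previous section, as an added example that is not part of the original article. The server name ex and the hostname mail.mrigotechno.club are the values used in this article; replace them with yours.

```powershell
# Added example, not from the original article. Run in an elevated Exchange Management Shell.
$Server_name = "ex"
$FQDN        = "mail.mrigotechno.club"

# Same hostname inside and out, SSL required on both sides, and Negotiate for external clients
# (the authentication method the EAC warning above refers to).
Get-OutlookAnywhere -Server $Server_name | Set-OutlookAnywhere `
    -InternalHostname $FQDN -ExternalHostname $FQDN `
    -InternalClientsRequireSsl $true -ExternalClientsRequireSsl $true `
    -ExternalClientAuthenticationMethod Negotiate

# Check: every client-facing URL should use the same FQDN. The certificate requested later in this
# article covers only mail.* and autodiscover.*, so any other name here causes certificate
# name-mismatch prompts in Outlook and other clients.
$urls = @(
    Get-OwaVirtualDirectory         -Server $Server_name
    Get-EcpVirtualDirectory         -Server $Server_name
    Get-OabVirtualDirectory         -Server $Server_name
    Get-ActiveSyncVirtualDirectory  -Server $Server_name
    Get-WebServicesVirtualDirectory -Server $Server_name
    Get-MapiVirtualDirectory        -Server $Server_name
) | Select-Object Identity, InternalUrl, ExternalUrl
$urls | Format-Table -AutoSize

$pattern = [regex]::Escape($FQDN)
$wrong = $urls | Where-Object {
    ("$($_.InternalUrl)" -notmatch $pattern) -or ("$($_.ExternalUrl)" -notmatch $pattern)
}
if ($wrong) { Write-Warning "Virtual directories not using ${FQDN}: $($wrong.Identity -join '; ')" }

Get-OutlookAnywhere -Server $Server_name |
    Format-List InternalHostname, ExternalHostname, InternalClientsRequireSsl, ExternalClientsRequireSsl, ExternalClientAuthenticationMethod
```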

Set Service Connection Point

The next step is to set the Autodiscover internal URI so that internal Outlook clients get the Autodiscover details from Active Directory. The Autodiscover internal URI sets the Service Connection Point (SCP) in Active Directory.

Set-ClientAccessService -Identity ex -AutodiscoverServiceInternalURI  https://mail.mrigotechno.club/Autodiscover/Autodiscover.xml
Rename default database and move database path

Move the mailbox database path to separate disks for the database and transaction log files so the database can be recovered quickly in case of a disk failure. I have used the C: drive in the commands below; substitute the relevant drive letter.

Get-MailboxDatabase -Server ex | Set-MailboxDatabase -Name MBX-DB-2019
Move-DatabasePath -Identity MBX-DB-2019 -EdbFilePath C:\ExchangeDatabases\MBX-DB-2019\MBX-DB-2019.EDB -LogFolderPath C:\ExchangeDatabases\MBX-DB-2019_Log
Install Certificate

We are going to create a Certificate Signing Request (CSR) in the Exchange Admin Center and install the certificate for services like IIS, SMTP and so on. Log in to the Exchange Admin Center and go to Servers → Certificates to create a certificate signing request (CSR) file and obtain a certificate from a third-party Certification Authority (CA) like Verisign or GoDaddy.

The certificate signing request is created by clicking the + sign on the Certificates tab. Select “Create a request for a certificate from a certification authority” and click Next.

Type a friendly name of the certificate and click Next.

We are going to request a Subject Alternative Name (SAN) certificate, so leave the default and click Next.

The request has to be saved on the Exchange server; click Browse, select the only Exchange server, and click OK.

The Exchange server has been selected; click Next.

We skip this page, as we are going to create a request with specific names that we can enter in the list on the next page. Click Next.

Select only the FQDN that we used for the virtual directories and Outlook Anywhere. As you know, we provided the name mail.mrigotechno.club; alongside it we need to add the name for Autodiscover, which will be autodiscover.mrigotechno.club. Remove the other local hostnames.

The local hostnames are removed and only the FQDN and Autodiscover hostnames are added; click Next.

Type information about your organization and click Next.

Save the request in a file, type the UNC path, and click Next.

The certificate request has been created, and using the CSR file we need to obtain a certificate from a third-party certification authority. Once the certificate is received, come back to the Certificates tab in the Exchange Admin Center, select the request entry and click Complete to apply the certificate.

Type the UNC path of the certificate received from the CA and click OK.

The next step is to assign services to the certificate. Open the certificate entry in the EAC and check the hostnames.

Go to Services in the same window and select the services you want to use this certificate. IIS and SMTP are generally selected, but if you want IMAP and POP to use the certificate, or those services are enabled, select them as well and click Save.

Click Yes on the confirmation message, and you will see Valid in the certificate status.
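The same request, complete and assign flow from the Exchange Management Shell, as an added example that is not part of the original article. The hostnames are the ones used in this article; the organisation fields in the subject, the share path \\ex\c$\certs and the file names are assumptions.

```powershell
# Added example, not from the original article. Run in an elevated Exchange Management Shell.
$Server_name = "ex"
$names       = "mail.mrigotechno.club", "autodiscover.mrigotechno.club"
$share       = "\\ex\c$\certs"   # assumption: a folder reachable from the shell

# 1. Generate the CSR. The first name becomes the subject CN; all names go into the SAN list.
#    The private key is created on this server, so the request must also be completed here.
$csr = New-ExchangeCertificate -Server $Server_name -GenerateRequest `
    -FriendlyName "Exchange 2019 SAN certificate" `
    -SubjectName "CN=$($names[0]),O=Example Org,L=City,S=State,C=US" `
    -DomainName $names -PrivateKeyExportable $true
Set-Content -Path "$share\exchange.req" -Value $csr
# Submit exchange.req to the CA; continue once the issued certificate is saved as cert.cer.

# 2. Complete the pending request with the certificate returned by the CA.
$bytes = [System.IO.File]::ReadAllBytes("$share\cert.cer")
$cert  = Import-ExchangeCertificate -Server $Server_name -FileData $bytes -PrivateKeyExportable $true

# 3. Assign services, as in the EAC steps above (IIS and SMTP). Enabling SMTP prompts to overwrite
#    the default self-signed certificate; -Force answers that prompt.
Enable-ExchangeCertificate -Server $Server_name -Thumbprint $cert.Thumbprint -Services IIS, SMTP -Force

# 4. Check: Status must be Valid, the domains must include both names, and NotAfter must be in the future.
Get-ExchangeCertificate -Server $Server_name -Thumbprint $cert.Thumbprint |
    Format-List Thumbprint, Status, Services, NotAfter, CertificateDomains, IsSelfSigned
```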

Conclusion

In this article, we have discussed how to install Exchange Server 2019 using the graphical user interface and configured the server using the Exchange Admin Center and the Exchange Management Shell. In my other three-part article, I have demonstrated how to migrate Exchange Server 2013 to Exchange Server 2019; I have added the links to those articles below. If you are interested in knowing how to install Exchange Server using the command line, that article covers the installation process. If you have questions or feedback to share with me, please click the comments below and share your thoughts. I'm happy to answer your questions.

Migrating Exchange Server 2013 to 2019 Part 1
Migrating Exchange Server 2013 to 2019 Part 2
Migrating Exchange Server 2013 to 2019 Part 3

How to set up claims-based authentication for the Exchange Server OWA and ECP URLs on an ADFS server installed on Windows Server 2016.

How to Properly Setup Claims Authentication Using ADFS In Exchange Server

Preface

This document guides you through the steps to provide Microsoft Exchange claims-based authentication using ADFS for Outlook on the web (OWA) and the Exchange Admin Center (EAC) of Exchange Server 2016. The ADFS server configured in this tutorial is deployed on Windows Server 2016.

How Claims Authentication Using ADFS with Exchange Server Works

In the big picture, the user requests a token from ADFS (here ADFS is used as the identity provider), and once ADFS receives the request, its security token service must authenticate the user. The user's claims are verified against the account store, which in this example is Active Directory. After the user is authenticated by the security token service provided by ADFS, the token is sent to the user. The user now has a token to present to the Exchange Server. The Exchange server checks the token signature and verifies that the token issuer is ADFS. Once the token signature is checked and the claims are verified, the Exchange server authenticates the user. The configuration of this process, outlined in this tutorial, comprises the installation and configuration of the ADFS server and setting up the Exchange Server to authenticate using claims-based authentication with the help of federated authentication.

Step by Step

The following steps are involved in implementing Exchange Server claims-based authentication using ADFS. We assume Exchange Server is already installed and authenticating Active Directory users with forms-based authentication. If you are doing this on a test network, please install and configure Exchange Server 2016 before following this step-by-step document. This document can also be used to implement this for Exchange Server 2013 or Exchange Server 2019. As I already mentioned, the ADFS server installed for this demonstration runs Windows Server 2016. The steps are given in the following points.

  1. Install ADFS Server role on Windows Server 2016
  2. Create Group Managed Service Account (gMSA)
  3. Configure Federation Service
  4. Add Relying Party Trust on AD FS Management Console
  5. Add Relying Party Trust for OWA
  6. Add Relying Party Trust for ECP
  7. Add Claim Issuance Policies for OWA Trust
  8. Add Claim Issuance Policies for ECP Trust
  9. Export Token Signing Certificate from AD FS server to Import it to Exchange Server
  10. Import the Token-Signing Certificate to Exchange Server
  11. Configure Exchange Organization to authenticate using ADFS
  12. Configure ECP and OWA virtual directories with ADFS Authentication
  13. Test OWA and ECP claims based authentication

Install ADFS Server role on Windows Server 2016

We are going to install the Active Directory Federation Services role on Windows Server 2016. To begin, start Server Manager and click Add roles and features; the Add Roles and Features Wizard begins, and we can go through this wizard to complete the Active Directory Federation Services role installation.

The Add Roles and Features Wizard requirements and description are outlined on the “Before you begin” page. You will see this page unless you have previously selected the Skip this page by default checkbox; otherwise, the wizard starts from the installation type selection page. Click Next to continue.

In this wizard, we are going to use the role-based installation to add this role, so select Role-based or feature-based installation to begin with and click Next to continue.

Make sure the local server is in the server pool, select it, and click Next.

On the select roles page, select Active Directory Federation Services, and click Next.

On the Select features page, leave the selection as it is; no additional selection is needed on this page. Click Next to continue.

The page titled AD FS shows the details of the AD FS server role; go through this page for a better understanding of the AD FS role and click Next when you have finished reading.

The confirmation page shows the role that we have selected; this is the end of the Add Roles and Features Wizard. Click Install to start the installation of the AD FS role services.

Once the AD FS role services installation has completed, you have the option to configure the AD FS role. But wait a moment before starting the configuration: the configuration has a prerequisite, a group managed service account (gMSA) to assign as the service account, so the next step is creating the gMSA account. Go to your domain controller and follow the steps provided next. Click Close to end the wizard; remember that you can always start the AD FS configuration from the Server Manager notification drop-down, so we are good to close the wizard for now.

Create Group Managed Service Account (gMSA)

We need a group managed service account as the service account for the AD FS service. This gMSA account has to be created on the domain controller, so start an elevated Windows PowerShell window there to create it. The elevated PowerShell prompt can be launched from the Start button by selecting Windows PowerShell and then Run as administrator, as in the screen below.

Domain controllers (DCs) require a KDS root key to begin generating gMSA passwords. By default, the domain controllers wait up to 10 hours from the time of creation, to allow all domain controllers to converge their AD replication, before allowing the creation of a gMSA. To make the key effective immediately, run the command below.

Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)

A GUID is shown on successful completion of the command above. The next command creates the gMSA account using New-ADServiceAccount; modify the command to match your service account name and the DNS host name of the AD FS server in your environment. The command returns to the prompt without any output, and no output means the command completed successfully.

New-ADServiceAccount -Name adfs-gMSA -DnsHostName adfs.mrigotechno.club -ServicePrincipalNames http/adfs.mrigotechno.club

The output of the commands looks like the screen below.
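
As an added example (not the article's own commands), the following script performs the gMSA steps above from an elevated PowerShell session on a domain controller and adds the checks a practitioner would want: it creates the KDS root key only if none exists, refuses to proceed if the SPN is already registered elsewhere (a duplicate SPN breaks Kerberos for the AD FS service), restricts password retrieval to the AD FS server, and verifies the result. The gMSA name and DNS host name are the article's; the AD FS server computer name ADFS01 is a placeholder.

```powershell
# Added example (not the article's own commands): create the AD FS gMSA and verify it.
# Run in an elevated PowerShell session on a domain controller (ActiveDirectory module).
# Assumed values: gMSA 'adfs-gMSA', AD FS host 'adfs.mrigotechno.club', and the AD FS
# server computer account 'ADFS01' (placeholder; use your AD FS server's name).
Import-Module ActiveDirectory

$gmsaName = 'adfs-gMSA'
$adfsFqdn = 'adfs.mrigotechno.club'
$spn      = "http/$adfsFqdn"

# 1. A KDS root key must exist before any gMSA password can be generated. Create one only
#    if the domain has none; the -10 hour EffectiveTime skips the replication wait.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# 2. Kerberos fails if the same SPN is registered on two accounts, so check before creating.
$owners = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)"
if ($owners) {
    throw "SPN $spn is already registered on: $($owners.DistinguishedName -join ', ')"
}

# 3. Create the gMSA. PrincipalsAllowedToRetrieveManagedPassword limits which computers
#    may fetch the password; only the AD FS server is allowed (least privilege).
$adfsServer = Get-ADComputer -Identity 'ADFS01'   # placeholder computer name
New-ADServiceAccount -Name $gmsaName `
    -DnsHostName $adfsFqdn `
    -ServicePrincipalNames $spn `
    -PrincipalsAllowedToRetrieveManagedPassword $adfsServer

# 4. Verify what was created: DNS host name, SPN and the retrieval restriction.
Get-ADServiceAccount -Identity $gmsaName `
    -Properties ServicePrincipalNames, PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, DNSHostName, ServicePrincipalNames, PrincipalsAllowedToRetrieveManagedPassword

# 5. On the AD FS server itself (RSAT AD PowerShell installed), confirm that host can
#    retrieve the gMSA password before running the AD FS configuration wizard:
#    Test-ADServiceAccount -Identity 'adfs-gMSA'   # True means the host may use the gMSA
```

The retrieval restriction in step 3 is not part of the article's command; without it, any computer in the domain may request the gMSA password, so listing only the AD FS server (or a group containing the farm members) is the setting to keep in production.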


Configure Federation Service

Now we return to Server Manager to configure the AD FS role, which we left off in the previous AD FS role installation step. Go to Notifications and select Configure the federation service on this server to begin the AD FS configuration wizard.


This is a new installation of the AD FS server role and the only server in the AD FS farm, so select the “Create the first federation server in the federation server farm” radio button to create the farm with this server as the first federation server. Click Next to continue.


AD FS relies on Active Directory, and to connect to it the wizard needs an account with administrative access. The logged-on user is selected by default, on the assumption that it is an administrator of the Active Directory domain. If that account is correct, go to the next step; otherwise click Change and select an account with administrative access. Click Next to continue.


The next page imports the certificate into the AD FS certificate store. I already have a public CA certificate, a wildcard certificate for my domain, in PFX format. If you don’t have a certificate yet, I recommend a third-party CA certificate with a single hostname, a SAN or a wildcard; whichever you choose, have it ready in PFX format so that it can be imported as in the step below. Once the PFX file is ready, click Import to import the certificate.


Browse to the certificate file location, select the certificate file and click Open.


If the PFX certificate is password protected, you will be prompted for the password; type the password and click OK.


Once the certificate has been imported, type the AD FS external server name in the Federation Service Name box in the middle; in my scenario it is adfs.mrigotechno.club. In the next box, Federation Service Display Name, type a name that describes your organization or something similar. This name is shown on the sign-in page.


On the next Specify Service Account page, select the service account that we created previously.


We are using the Windows Internal Database for this demo configuration. If you have a SQL Server installed on your network and want to use it, select the second option; for this demonstration I select the Create a database on this server using Windows Internal Database radio button. Click Next to continue.


Review the selected options and click Next to continue.


If the configuration is correct so far, you will get a green tick mark with “All prerequisite checks passed successfully. Click ‘Configure’ to begin the installation.”


Once the configuration is successful, you will see a green tick with the “This server was successfully configured” message. Click Close to close the wizard.
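
The same first-federation-server configuration can be scripted, which is useful for rebuilding a lab or documenting what the wizard did. The block below is an added example, not the article's own steps: it imports the PFX, checks that the certificate has a private key, is not about to expire and actually covers the federation service name, builds the farm with Install-AdfsFarm (Windows Internal Database is used when no SQL connection string is given, matching the article), and verifies the service. The PFX path, the display name Mrigo Techno and the NetBIOS domain name MRIGOTECHNO are placeholders.

```powershell
# Added example (not the article's own steps): configure the first federation server
# from an elevated PowerShell session on the AD FS server, with pre-checks.
# Placeholders: C:\certs\wildcard.pfx, display name 'Mrigo Techno', 'MRIGOTECHNO\adfs-gMSA$'.
$serviceName = 'adfs.mrigotechno.club'
$pfxPath     = 'C:\certs\wildcard.pfx'
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString   # prompt, never hard-code

# 1. Import the public CA certificate into the local machine Personal store.
$cert = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword

# 2. Checks the wizard does not show: private key present, validity, and that the SAN
#    covers the federation service name (exact name or a wildcard for the same domain).
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key' }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { throw "Certificate expires $($cert.NotAfter); renew it first" }
$sanExt   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # Subject Alternative Name
$san      = if ($sanExt) { $sanExt.Format($false) } else { '' }
$wildcard = '*.' + ($serviceName -replace '^[^.]+\.', '')
if ($san -notmatch [regex]::Escape("DNS Name=$serviceName") -and
    $san -notmatch [regex]::Escape("DNS Name=$wildcard")) {
    throw "Certificate SAN does not cover $serviceName (SAN: $san)"
}

# 3. Build the farm. -Credential is the domain administrator account the wizard asks for;
#    -GroupServiceAccountIdentifier is the gMSA created on the domain controller.
Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
    -FederationServiceName $serviceName `
    -FederationServiceDisplayName 'Mrigo Techno' `
    -GroupServiceAccountIdentifier 'MRIGOTECHNO\adfs-gMSA$' `
    -Credential (Get-Credential -Message 'Domain administrator account')

# 4. Verify: service running, farm properties as expected, metadata endpoint answering.
Get-Service adfssrv | Select-Object Name, Status
Get-AdfsProperties | Select-Object HostName, DisplayName, AutoCertificateRollover
(Invoke-WebRequest -Uri "https://$serviceName/FederationMetadata/2007-06/FederationMetadata.xml" `
    -UseBasicParsing).StatusCode   # 200 when the federation service is reachable
```

AutoCertificateRollover in the last check is worth noting now: when it is enabled (the default), AD FS generates new token-signing certificates on a schedule, and the Exchange organization configured later in this article must be updated with the new thumbprint each time.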


Add Relying Party Trust on AD FS Management Console

We have completed the installation and configuration of the Active Directory Federation Services role. The next step is to add a relying party trust for each of the OWA and ECP URLs.

Add Relying Party Trust for OWA

Go to Server Manager and, on the Tools menu, select Active Directory Federation Services. The AD FS Management console opens, where we can add the relying party trusts.


On the AD FS Console, either right-click Relying Party Trusts and select Add Relying Party Trust or select Relying Party Trusts and on the action pane click Add Relying Party Trust.


On the Welcome page, select the Claims aware radio button and click Start.


On the next page, select “Enter data about the relying party manually” and click Next.


Type a display name and description of your choice. This first relying party trust is for Outlook on the web, so I typed “OWA” as the display name for this demonstration. Click Next to continue.


On the Configure Certificate page, leave the default and click Next.


On Configure URL, select “Enable support for the WS-Federation Passive Protocol” and type the OWA external URL of your Exchange Server. Click Next.


On the Configure Identifiers page, make sure the OWA URL has been added under “Relying party trust identifiers”, and click Next.


On the Choose Access Control Policy page, choose a policy relevant to you; for this demonstration I choose Permit everyone. Click Next to continue.


On the Ready to Add Trust page, click Next to add the trust.

Click Close to end the Add Relying Party Trust wizard.

Add Relying Party Trust for ECP

We now repeat the steps from Add Relying Party Trust for OWA, this time for the ECP URL instead of the OWA URL; the steps are the same as above.

On the AD FS console, right-click Relying Party Trusts and select Add Relying Party Trust.


On the Welcome page, select the Claims aware radio button and click Start.

On the next page, select “Enter data about the relying party manually” and click Next.

Type a display name and description of your choice. This second relying party trust is for the Exchange Admin Center, so I typed “ECP” as the display name for this demonstration. Click Next to continue.

On the Configure Certificate page, leave the default and click Next.


On Configure URL, select “Enable support for the WS-Federation Passive Protocol” and type the ECP external URL of your Exchange Server. Click Next.

On the Configure Identifiers page, make sure the ECP URL has been added under “Relying party trust identifiers”, and click Next.

On the Choose Access Control Policy page, choose a policy relevant to you; for this demonstration I choose Permit everyone. Click Next to continue.

On the Ready to Add Trust page, click Next to add the trust.

Click Close to end the Add Relying Party Trust wizard.

Add Claim Issuance Policies for OWA Trust

In the Relying Party Trusts middle pane, select the OWA trust and click Edit Claim Issuance Policy to add rules.


We are going to add two issuance policy rules to the OWA policy. On the Issuance Transform Rules tab, click Add Rule to start the wizard.


On the Claim rule template drop-down, select “Send Claims Using a Custom Rule” and click Next.


Type a claim rule name; this rule issues the Active Directory SID, so I named it AD-SID-ID. In the custom rule area, type the following rule:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"), query = ";objectSID;{0}", param = c.Value); 

Click Finish to end the rule wizard.

Next, we are going to add one more rule for UPN. Click Add Rule.

On the Claim rule template drop-down, select “Send Claims Using a Custom Rule” and click Next.


In Claim Rule Name, type a name for the claim rule; this rule issues the Active Directory UPN, so I named it AD-UPN. In the custom rule area, copy and paste the following rule:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value); 

Click Finish to end the rule wizard.

On the Edit Claim Issuance Policy window, click OK.

Add Claim Issuance Policies for ECP Trust

We now replicate the steps we did for the OWA relying party trust on the ECP relying party trust, so the steps above are repeated here.

In the Relying Party Trusts middle pane, select the ECP trust and click Edit Claim Issuance Policy to add rules.

We are going to add two issuance policy rules to the ECP policy. On the Issuance Transform Rules tab, click Add Rule to start the wizard.

On the Claim rule template drop-down, select “Send Claims Using a Custom Rule” and click Next.

Claims Based Authentication Using ADFS

Type a claim rule name; this rule issues the Active Directory SID, so I named it AD-SID-ID. In the custom rule area, type the following rule:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"), query = ";objectSID;{0}", param = c.Value); 

Click Finish to end the rule wizard.

Next, we are going to add one more rule for Active Directory UPN. Click Add Rule.

On the Claim rule template drop-down, select “Send Claims Using a Custom Rule” and click Next.

In Claim Rule Name, type a name for the claim rule; this rule issues the Active Directory UPN, so I named it AD-UPN. In the custom rule area, copy and paste the following rule:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);

Click Finish to end the rule wizard.

On the Edit Claim Issuance Policy window, click OK.
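
Both relying party trusts (the OWA and ECP sections above) receive exactly the same two claim rules, so this is the natural point to show the scripted equivalent. The block below is an added example, not the article's own steps: from an elevated PowerShell session on the AD FS server it creates both trusts with the WS-Federation passive endpoint, identifier and access control policy the wizard steps used, attaches the article's AD-SID-ID and AD-UPN rules, and then verifies that each trust is enabled and carries both rules. The external host mail.mrigotechno.club is assumed from the article's Set-OrganizationConfig command.

```powershell
# Added example (not the article's own steps): create the OWA and ECP relying party trusts
# with the article's two claim rules, from an elevated PowerShell session on the AD FS server.
# Assumed: Exchange external host mail.mrigotechno.club.

# The two custom rules from the article, named as in the wizard (@RuleName).
$rules = @'
@RuleName = "AD-SID-ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"), query = ";objectSID;{0}", param = c.Value);

@RuleName = "AD-UPN"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);
'@

# Display name -> external URL. The URL doubles as identifier and passive endpoint, as in the wizard.
$trusts = @{
    'OWA' = 'https://mail.mrigotechno.club/owa/'
    'ECP' = 'https://mail.mrigotechno.club/ecp/'
}

foreach ($name in $trusts.Keys) {
    $url = $trusts[$name]
    Add-AdfsRelyingPartyTrust -Name $name `
        -Identifier $url `
        -WSFedEndpoint $url `
        -AccessControlPolicyName 'Permit everyone' `
        -IssuanceTransformRules $rules
}

# Verify: both trusts exist, are enabled, and carry both rule names.
Get-AdfsRelyingPartyTrust | Where-Object { $_.Name -in $trusts.Keys } |
    Select-Object Name, Enabled, Identifier, WSFedEndpoint,
        @{ n = 'Rules'; e = {
            ([regex]::Matches($_.IssuanceTransformRules, '@RuleName = "([^"]+)"') |
                ForEach-Object { $_.Groups[1].Value }) -join ', ' } }
```

Permit everyone is what the article chose for the demonstration; the built-in policies listed by Get-AdfsAccessControlPolicy include ones that limit sign-in to a specific group, which is the usual choice once the setup is confirmed working. Using the same rule text for both trusts also avoids the copy-and-paste drift that the two wizard walkthroughs above invite.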

Export Token Signing Certificate from AD FS server to Import it to Exchange Server

Go to the AD FS Management console and select Certificates under Service. In the middle (Certificates) pane, select the certificate with subject CN=ADFS Signing, and in the Actions pane click View Certificate.

Select the Details tab and click Copy to File at the bottom.

Click Next on the Certificate Export Wizard welcome screen.

On the Export File Format page, choose the Base-64 encoded X.509 (.CER) format and click Next.

Click Browse, select a path and a file name with the .CER extension, and click Next to continue.

Click Finish to complete the Certificate Export Wizard. Copy the exported file to the Exchange server to import it there.

Import the Token-Signing Certificate to Exchange Server

Go to Start > Run, type MMC and click OK.

In the Microsoft Management Console (MMC), click the File menu and select Add/Remove Snap-in.

In Add or Remove Snap-ins, select the Certificates snap-in from the available snap-ins and click Add.

In the Certificates snap-in wizard, select Computer account and click Next.

Select Local computer on the Select Computer page and click Finish to end the snap-in wizard.

With the Certificates snap-in selected, click OK to open the Certificates console.

Right-click Certificates under Console Root/Trusted Root Certification Authorities/Certificates, and click Import under All Tasks.

Click Next on the Certificate Import Wizard welcome screen.

Select the token-signing.cer file that we exported from the AD FS server and copied to the Exchange server. Click Next to continue.

Click Finish in the Certificate Import Wizard.

Click OK on the “The import was successful” popup message.
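
The export and import steps above can be scripted, and scripting them makes the one check that matters easy to enforce: the file imported into the Exchange server's Trusted Root store must be the certificate AD FS actually signs tokens with. The block below is an added example, not the article's own steps. The first part runs on the AD FS server and writes the primary token-signing certificate in the same Base-64 X.509 (.CER) form the wizard produces; the second part runs on the Exchange server after the file is copied, compares the file's thumbprint against the value read on the AD FS server, and only then imports it. The file path C:\temp\token-signing.cer and the thumbprint placeholder are assumptions.

```powershell
# Added example (not the article's own steps): export the AD FS token-signing certificate
# and import it on Exchange with a thumbprint check. Paths are placeholders.

# ---------- On the AD FS server (elevated PowerShell) ----------
# Get-AdfsCertificate returns the primary and, during rollover, a secondary token-signing cert.
$tokenSigning = Get-AdfsCertificate -CertificateType Token-Signing
$primary      = $tokenSigning | Where-Object { $_.IsPrimary }

# Base-64 (PEM) encoding matches the wizard's "Base-64 encoded X.509 (.CER)" option.
$der = $primary.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$pem = "-----BEGIN CERTIFICATE-----`r`n" +
       [Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks) +
       "`r`n-----END CERTIFICATE-----"
Set-Content -Path 'C:\temp\token-signing.cer' -Value $pem -Encoding Ascii
"Primary token-signing thumbprint: $($primary.Certificate.Thumbprint)"   # record this for Exchange

# With automatic rollover the primary certificate is replaced on a schedule, and Exchange
# must then be given the new thumbprint; these properties show whether that applies.
Get-AdfsProperties | Select-Object AutoCertificateRollover, CertificateRolloverInterval

# ---------- On the Exchange server, after copying the .cer file ----------
$expectedThumbprint = 'PASTE-THUMBPRINT-RECORDED-ON-ADFS-SERVER'   # placeholder
$file = 'C:\temp\token-signing.cer'

# Parse the file and refuse to import it if it is not the certificate AD FS reported.
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $file
if ($cer.Thumbprint -ne $expectedThumbprint) {
    throw "Thumbprint mismatch: file has $($cer.Thumbprint), expected $expectedThumbprint"
}

# Import into Trusted Root Certification Authorities of the local machine, as the MMC steps do.
Import-Certificate -FilePath $file -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# Verify it is present in the store.
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $expectedThumbprint } |
    Select-Object Subject, NotBefore, NotAfter, Thumbprint
```

The thumbprint comparison is the reason for recording the value on the AD FS server rather than reading it from the copied file: it is what confirms that the file was not swapped or mixed up in transit, and the same value is the one passed to Set-OrganizationConfig in the next section.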

Configure Exchange Organization to authenticate using ADFS

On the AD FS server, launch a PowerShell prompt and run the following command to get the token-signing certificate thumbprint:

Get-AdfsCertificate -CertificateType Token-Signing

Start the Exchange Management Shell on the Exchange server: from Start > Exchange Server 2016, right-click Exchange Management Shell and click Run as administrator to start an elevated EMS.

Construct the Set-OrganizationConfig command with 1. the AD FS issuer URI, 2. the AD FS audience URIs (the OWA and ECP URIs) and 3. the AD FS token-signing certificate thumbprint (the thumbprint of the ADFS Signing certificate we took in the previous step).

Set-OrganizationConfig -AdfsIssuer https://adfs.mrigotechno.club/adfs/ls/ -AdfsAudienceUris "https://mail.mrigotechno.club/owa/","https://mail.mrigotechno.club/ecp/" -AdfsSignCertificateThumbprint "7DD2C39F75C73FE716C7E54F45238C7ABBBD095F"

Configure ECP and OWA virtual directories with ADFS Authentication

Run the Set-EcpVirtualDirectory command in the Exchange Management Shell to set ECP authentication. The -Identity value is “ServerName\ecp (Default Web Site)”; substitute your server name. Set every authentication method other than AD FS authentication to $false (off).

Set-EcpVirtualDirectory -Identity "MGEX1\ecp (Default Web Site)" -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false

Run the Set-OwaVirtualDirectory command in the Exchange Management Shell to set OWA authentication. The -Identity value is “ServerName\owa (Default Web Site)”; substitute your server name. Again, set every authentication method other than AD FS authentication to $false.

Set-OwaVirtualDirectory -Identity "MGEX1\owa (Default Web Site)" -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false

Once the OWA and ECP virtual directories are configured, restart Internet Information Services.

Test OWA and ECP claims based authentication

Open a browser window and go to the Exchange Admin Center (ECP) or Outlook on the web (OWA) URL.

The browser redirects to the federation service sign-in page; type the username and password.

After authentication with AD FS, the browser is redirected back to ECP.
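
The Exchange-side steps (Set-OrganizationConfig, the two virtual directory commands, the IIS restart and the browser test) form one procedure, and the block below is an added example, not the article's own commands, that runs it from an elevated Exchange Management Shell and checks each step. Rather than retyping the thumbprint, it reads the AD FS Signing certificate back out of the Trusted Root store it was imported into, which also picks up a secondary certificate during an AD FS rollover. The final loop performs the browser test from the shell: an unauthenticated request to /owa/ and /ecp/ must come back as a redirect whose Location points at the AD FS sign-in endpoint. The server name MGEX1 and the host names are the article's; they are the only assumed values.

```powershell
# Added example (not the article's own commands): apply and verify the Exchange-side AD FS
# configuration from an elevated Exchange Management Shell. Assumed: server MGEX1,
# external host mail.mrigotechno.club, federation service adfs.mrigotechno.club.
$adfsHost = 'adfs.mrigotechno.club'
$mailHost = 'mail.mrigotechno.club'
$server   = 'MGEX1'

# 1. Find the imported AD FS token-signing certificate(s) instead of retyping the thumbprint.
$signing = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like 'CN=ADFS Signing*' }
if (-not $signing) { throw 'AD FS token-signing certificate not found in Trusted Root; import it first.' }
$thumbprints = @($signing | ForEach-Object { $_.Thumbprint })   # one, or two during rollover

# 2. Organization-level settings: issuer, audience URIs (OWA and ECP) and signing thumbprint(s).
Set-OrganizationConfig -AdfsIssuer "https://$adfsHost/adfs/ls/" `
    -AdfsAudienceUris "https://$mailHost/owa/", "https://$mailHost/ecp/" `
    -AdfsSignCertificateThumbprint $thumbprints

# 3. Switch both virtual directories to AD FS only; every other method is turned off.
$authSettings = @{
    AdfsAuthentication    = $true
    BasicAuthentication   = $false
    DigestAuthentication  = $false
    FormsAuthentication   = $false
    WindowsAuthentication = $false
}
Set-EcpVirtualDirectory -Identity "$server\ecp (Default Web Site)" @authSettings
Set-OwaVirtualDirectory -Identity "$server\owa (Default Web Site)" @authSettings

# 4. Restart IIS so the new authentication settings take effect.
iisreset /noforce | Out-Null

# 5. Verify the stored configuration.
Get-OrganizationConfig | Select-Object AdfsIssuer, AdfsAudienceUris, AdfsSignCertificateThumbprint
Get-OwaVirtualDirectory -Server $server | Select-Object Identity, AdfsAuthentication, FormsAuthentication, BasicAuthentication, WindowsAuthentication
Get-EcpVirtualDirectory -Server $server | Select-Object Identity, AdfsAuthentication, FormsAuthentication, BasicAuthentication, WindowsAuthentication

# 6. The browser test from the shell: an anonymous request must redirect to the AD FS sign-in page.
foreach ($path in 'owa', 'ecp') {
    try {
        $r = Invoke-WebRequest -Uri "https://$mailHost/$path/" -MaximumRedirection 0 -UseBasicParsing -ErrorAction Stop
        $status = [int]$r.StatusCode; $location = $r.Headers['Location']
    } catch {
        # Windows PowerShell reports the 3xx as an error when redirects are disabled.
        $resp = $_.Exception.Response
        if (-not $resp) { throw }
        $status = [int]$resp.StatusCode; $location = $resp.Headers['Location']
    }
    "$path -> HTTP $status, Location: $location"
    if ($location -notlike "https://$adfsHost/adfs/ls/*") { Write-Warning "$path does not redirect to AD FS" }
}
```

If step 6 still shows the Exchange forms-based sign-in page instead of a redirect, the usual causes are the IIS restart not having happened yet or FormsAuthentication still being enabled on the virtual directory, both of which the output of step 5 makes visible.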

Conclusion

In this article, we have gone through how to set up claims-based authentication for the Exchange Server OWA and ECP URLs using an AD FS server installed on Windows Server 2016. We covered how to install and configure Active Directory Federation Services (AD FS), configured relying party trusts and claim issuance rules for the OWA and ECP URLs, configured the Exchange organization to authenticate against AD FS, configured the ECP and OWA virtual directories, and then demonstrated AD FS authentication by logging in to the ECP site.

I hope this article gives all the details needed to set up an Exchange environment with claims-based authentication for Exchange Server OWA and ECP using AD FS. If you have questions or feedback to share with me, please use the comments below. I’m happy to answer your questions.
