In this multi-part series, we’re going to look at how to use Active Directory Federation Services (AD FS) to provide Single Sign-On (SSO) and pre-authentication for Exchange Server, allowing better interoperability for users who share a web browser session between on-premises Exchange and Office 365.
We’ll first demonstrate how to do this using techniques that work with multiple versions of Exchange, then demonstrate how to use native features for AD FS integration with later Exchange versions. In part one of this series, we’ll examine the options available in more detail and set up the pre-requisites we need.
Options for AD FS authentication
Exchange Server supports a number of options for publishing web services to clients. In particular, it supports a variety of options when used with Microsoft’s Active Directory Federation Services (AD FS) and Web Application Proxy (WAP).
AD FS works closely with Active Directory as an identity provider (IdP) and can verify credentials for many different service providers (SPs), whether running on-premises, such as Exchange, or in the cloud, like Office 365. The version of AD FS we’re working with in this article is AD FS 2012 R2, included with Windows Server 2012 R2.
WAP works with AD FS and performs a number of roles. Firstly, it allows AD FS to be published to external clients, and when used it helps define the perimeter boundary of the network; you’ll typically find it installed in the DMZ / perimeter network. Secondly, it can act as a reverse proxy to existing web applications, providing access to them via a hardened server that can perform pre-authentication where required.
Three options for publishing Exchange in conjunction with AD FS and WAP are available:
1. Use WAP to publish Exchange Server with pre-authentication, but with a simple AD FS integration that relies on IIS and Kerberos delegation. This suits organizations that don’t want AD FS dependencies for internal clients logging into Outlook on the web (OWA) and the Exchange Admin Center (EAC), but do want to enforce pre-auth for external clients.
2. Use WAP to publish Exchange Server 2013 or 2016 with pre-authentication, using built-in Exchange functionality that makes AD FS the IdP for Exchange. Exchange can be published normally behind a traditional load balancer, and all OWA and ECP authentication requests are redirected to the AD FS server or WAP.
3. Use WAP to simply publish Exchange Server HTTPS to the internet, without any pre-authentication, passing through the connection. This is appropriate for services like Exchange ActiveSync or MAPI HTTP.
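To make the three options concrete, here is an added PowerShell sketch (not taken from this article or a Microsoft sample) of the WAP and Exchange commands each option maps to. All host names, relying-party names, the SPN and the certificate thumbprints are placeholder assumptions, and the AD FS relying-party trusts and Kerberos constrained delegation are assumed to be configured already.

```powershell
# Added example mapping the three publishing options to their commands.
# Host names, relying-party names, the SPN and thumbprints are placeholders;
# the AD FS relying-party trusts and Kerberos constrained delegation (KCD)
# for the WAP computer account are assumed to exist already.
# Options 1 and 3 run on the WAP server; option 2 runs in the Exchange Management Shell.

$owaUrl        = "https://mail.contoso.com/owa/"                     # assumed public/internal OWA URL
$wapCertThumb  = "1111111111111111111111111111111111111111"          # placeholder: WAP SSL cert
$adfsSignThumb = "2222222222222222222222222222222222222222"          # placeholder: AD FS token-signing cert

# Option 1: AD FS pre-authentication at the WAP, then KCD to Exchange's IIS
# (Windows authentication). Internal browsers never depend on AD FS.
# Needs a non-claims-aware relying party trust with the name given below.
Add-WebApplicationProxyApplication -Name "Exchange OWA (KCD)" `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName "Exchange OWA" `
    -ExternalUrl $owaUrl `
    -ExternalCertificateThumbprint $wapCertThumb `
    -BackendServerUrl $owaUrl `
    -BackendServerAuthenticationSPN "http/mail.contoso.com"          # assumed SPN of the Exchange site

# Option 2: Exchange 2013/2016 itself uses AD FS as its IdP. The WAP only has to
# publish AD FS (done when the WAP role is installed); Exchange is published by the
# load balancer or pass-through. Exchange-side configuration:
Set-OrganizationConfig -AdfsIssuer "https://adfs.contoso.com/adfs/ls/" `
    -AdfsAudienceUris "https://mail.contoso.com/owa/","https://mail.contoso.com/ecp/" `
    -AdfsSignCertificateThumbprint $adfsSignThumb
Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -AdfsAuthentication $true `
    -WindowsAuthentication $false -FormsAuthentication $false -BasicAuthentication $false
Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -AdfsAuthentication $true `
    -WindowsAuthentication $false -FormsAuthentication $false -BasicAuthentication $false

# Option 3: pass-through publishing with no pre-authentication, for services such as
# Exchange ActiveSync or MAPI over HTTP. Exchange's own authentication is the only gate.
Add-WebApplicationProxyApplication -Name "Exchange ActiveSync" `
    -ExternalPreauthentication PassThrough `
    -ExternalUrl "https://mail.contoso.com/Microsoft-Server-ActiveSync/" `
    -ExternalCertificateThumbprint $wapCertThumb `
    -BackendServerUrl "https://mail.contoso.com/Microsoft-Server-ActiveSync/"
```

Option 3 is the one to audit most carefully, since every request on that path reaches Exchange before any credential is checked.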