Microsoft Exchange Integration

The following sections describe how to integrate and configure DigitalPersona STS with an on-premise instance of Microsoft Exchange, and how to connect it to an on-premise DigitalPersona Server.

Prerequisites: The following software applications and components must be installed and properly configured prior to beginning integration:
  • DigitalPersona Server - A DigitalPersona LDS Server must be installed and licensed

  • DigitalPersona LDS Web Management Components and Secure Token Service (STS)

  • Microsoft Exchange Server 2016 or 2019

  • Microsoft AD FS

  • DigitalPersona STS and AD FS must be connected

Configure Microsoft Exchange

  1. Export the signing certificate:

    1. Open the AD FS management console and navigate to AD FS, Service and Certificates.

    2. Find and select the CN=ADFS Signing certificate.

    3. In the context menu, select View Certificate.

    4. Open the Details tab and click Copy to file.

    5. Copy the ADFS signing certificate to the Exchange server and import it to Local Computer \ Trusted Root certification authorities.

  2. Open the Exchange Management Shell and perform the following tasks:

    1. Configure the Exchange organization to use AD FS authentication:

      Syntax

      Set-OrganizationConfig -AdfsIssuer https://<FederationServiceName>/adfs/ls/ -AdfsAudienceUris "<OwaUrl>","<EacUrl>" -AdfsSignCertificateThumbprint "<ADFS-Signing-Cert-Thumbprint>"

      Example

      Set-OrganizationConfig -AdfsIssuer https://adfs.contoso.com/adfs/ls/ -AdfsAudienceUris "https://mail.contoso.com/owa/","https://mail.contoso.com/ecp/" -AdfsSignCertificateThumbprint "88970C64278A15D642934DC2961D9CCA5E28DA6B"

    2. Configure the virtual directories for EAC and Outlook on the web on each Exchange Server in your organization:

      Syntax

      Set-EcpVirtualDirectory -Identity <VirtualDirectoryIdentity> -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -OAuthAuthentication $false -WindowsAuthentication $false
      Set-OwaVirtualDirectory -Identity <VirtualDirectoryIdentity> -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -OAuthAuthentication $false -WindowsAuthentication $false

      Example

      Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -OAuthAuthentication $false -WindowsAuthentication $false
      Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -OAuthAuthentication $false -WindowsAuthentication $false

      Note: Microsoft Exchange 2016 does not have the -OAuthAuthentication parameter; omit it on that version.

  3. Restart IIS.
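The Exchange-side procedure above, as an added example script for the Exchange Management Shell (this is not code from the DigitalPersona documentation). It imports the exported AD FS signing certificate, takes the thumbprint from the imported object rather than typing it by hand, applies the organization and virtual directory settings, adds -OAuthAuthentication only when the cmdlet exposes it (the Exchange 2016 case noted above), restarts IIS, and then re-reads the configuration to catch a partially applied state. The certificate path, federation service name, and OWA/EAC URLs are assumptions taken from the guide's sample values.

```powershell
# Added example, not part of the DigitalPersona documentation. Run in the Exchange Management Shell.
param(
    [string]$AdfsCertPath   = 'C:\Temp\adfs-signing.cer',   # path of the exported signing certificate (assumed)
    [string]$FederationHost = 'adfs.contoso.com',            # AD FS federation service name (assumed)
    [string[]]$AudienceUris = @('https://mail.contoso.com/owa/', 'https://mail.contoso.com/ecp/')
)

# Audience URIs must match the AD FS relying party identifiers exactly, trailing slash included,
# otherwise token audience validation fails after the redirect back from AD FS.
foreach ($uri in $AudienceUris) {
    if ($uri -notmatch '/$') {
        throw "Audience URI '$uri' lacks the trailing slash required to match the AD FS relying party trust."
    }
}

# Import the AD FS signing certificate into Local Computer \ Trusted Root certification authorities.
# Import-Certificate returns the X509Certificate2 object, so the thumbprint is read from it directly.
$signingCert = Import-Certificate -FilePath $AdfsCertPath -CertStoreLocation 'Cert:\LocalMachine\Root'
$thumbprint  = $signingCert.Thumbprint
$issuer      = "https://$FederationHost/adfs/ls/"

# Point the Exchange organization at the AD FS issuer, the audiences and the signing certificate.
Set-OrganizationConfig -AdfsIssuer $issuer `
                       -AdfsAudienceUris $AudienceUris `
                       -AdfsSignCertificateThumbprint $thumbprint

# Enable AD FS authentication and disable every other method on the OWA and ECP virtual directories.
# The parameters are splatted so -OAuthAuthentication can be added only where the cmdlet supports it.
$authParams = @{
    AdfsAuthentication    = $true
    BasicAuthentication   = $false
    DigestAuthentication  = $false
    FormsAuthentication   = $false
    WindowsAuthentication = $false
}
if ((Get-Command Set-OwaVirtualDirectory).Parameters.ContainsKey('OAuthAuthentication')) {
    $authParams['OAuthAuthentication'] = $false
}
Get-OwaVirtualDirectory | Set-OwaVirtualDirectory @authParams
Get-EcpVirtualDirectory | Set-EcpVirtualDirectory @authParams

# Restart IIS so the virtual directory changes take effect.
iisreset /noforce

# Verification: re-read the organization config and every virtual directory and warn about anything
# that still differs from the intended state before the AD FS side is configured.
$org = Get-OrganizationConfig
if ($org.AdfsSignCertificateThumbprint -ne $thumbprint) {
    Write-Warning "Thumbprint mismatch: Exchange has '$($org.AdfsSignCertificateThumbprint)', expected '$thumbprint'."
}
if ($org.AdfsIssuer -ne $issuer) {
    Write-Warning "Issuer mismatch: Exchange has '$($org.AdfsIssuer)', expected '$issuer'."
}
@(Get-OwaVirtualDirectory) + @(Get-EcpVirtualDirectory) |
    Where-Object { -not $_.AdfsAuthentication -or $_.FormsAuthentication -or $_.BasicAuthentication -or
                   $_.WindowsAuthentication -or $_.DigestAuthentication } |
    ForEach-Object { Write-Warning "$($_.Identity) is not in AD FS-only authentication mode." }
```

Run it once per organization; the virtual directory loop already covers every server because Get-OwaVirtualDirectory and Get-EcpVirtualDirectory return all directories in the organization.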

Configuring AD FS

Create Relying Party Trusts for OWA and EAC

  1. Open the AD FS management console and navigate to AD FS and Relying Party Trusts.

  2. In the Actions panel, select Add Relying Party Trust.

  3. Select Claims aware and then enter data about relying party manually.

  4. Enter the following data for OWA:

    • Display name: OWA

    • Enable support for the WS-Federation Passive protocol: check

    • Relying party WS-Federation Passive protocol URL: https://mail.contoso.com/owa/

    • Relying party trust identifiers: https://mail.contoso.com/owa/

  5. Enter the following data for EAC:

    • Display name: ECP

    • Enable support for the WS-Federation Passive protocol: check

    • Relying party WS-Federation Passive protocol URL: https://mail.contoso.com/ecp/

    • Relying party trust identifiers: https://mail.contoso.com/ecp/

Important: The trailing slash (/) used in the Outlook on the web and EAC URL values is intentional. The AD FS relying party trust identifiers and the Exchange Audience URIs must be identical: either both contain the trailing slash or both omit it.

Create Claim Issuance Rules

Note: Both Relying Party Trusts have the same set of rules. Execute the following tasks for each of the Relying Party Trusts.
  1. Select a Relying party Trust.

  2. Click Edit Claim Issuance Policy, then click Add Rule.

  3. Select Send Claims Using a Custom Rule and click Next.

  4. Enter data defining the custom rule as follows:

    • SID:

      c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
      => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"), query = ";objectSID;{0}", param = c.Value);

    • UPN:

      c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
      => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);

  5. (Optional) Set DigitalPersona STS as the default claims provider for OWA and EAC by running the following PowerShell commands:

    Set-AdfsRelyingPartyTrust -TargetName "OWA" -ClaimsProviderName @("DigitalPersona STS")
    Set-AdfsRelyingPartyTrust -TargetName "ECP" -ClaimsProviderName @("DigitalPersona STS")

  6. Click Finish.
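The AD FS-side procedure (relying party trusts plus claim issuance rules), as an added PowerShell example for the AD FS server; it is not code from the DigitalPersona documentation. It creates the OWA and ECP trusts with the guide's identifiers and WS-Federation endpoints, attaches the two custom rules above, sets DigitalPersona STS as the claims provider, and then checks that identifier, endpoint and the Exchange audience URIs agree, trailing slash included. The permit-everyone authorization rule is an assumption standing in for the wizard's default access policy; the URLs and the claims provider name are the guide's sample values.

```powershell
# Added example, not part of the DigitalPersona documentation. Run elevated on the AD FS server.
Import-Module ADFS

# The claims provider trust must already exist ("DigitalPersona STS and AD FS must be connected" is a prerequisite).
$cpName = 'DigitalPersona STS'
if (-not (Get-AdfsClaimsProviderTrust -Name $cpName -ErrorAction SilentlyContinue)) {
    throw "Claims provider trust '$cpName' not found; connect DigitalPersona STS to AD FS first."
}

# Issuance transform rules exactly as given in the guide: look up primary SID and UPN in Active Directory
# from the Windows account name claim.
$transformRules = @'
@RuleName = "SID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"), query = ";objectSID;{0}", param = c.Value);

@RuleName = "UPN"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);
'@

# Authorization rule (assumption): same outcome as the wizard's default of permitting every authenticated user.
# Substitute a tighter rule set if access to OWA/EAC is restricted to particular groups.
$authzRules = '@RuleTemplate = "AllowAllAuthzRule" => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

$trusts = @(
    @{ Name = 'OWA'; Url = 'https://mail.contoso.com/owa/' },
    @{ Name = 'ECP'; Url = 'https://mail.contoso.com/ecp/' }
)

foreach ($t in $trusts) {
    if ($t.Url -notmatch '/$') { throw "Relying party URL '$($t.Url)' must keep its trailing slash." }

    if (-not (Get-AdfsRelyingPartyTrust -Name $t.Name -ErrorAction SilentlyContinue)) {
        # Identifier and WS-Federation passive endpoint are the same URL, as in the wizard steps above.
        Add-AdfsRelyingPartyTrust -Name $t.Name `
            -Identifier $t.Url `
            -WSFedEndpoint $t.Url `
            -IssuanceTransformRules $transformRules `
            -IssuanceAuthorizationRules $authzRules
    } else {
        Set-AdfsRelyingPartyTrust -TargetName $t.Name `
            -IssuanceTransformRules $transformRules `
            -IssuanceAuthorizationRules $authzRules
    }
    # Optional step from the guide: make DigitalPersona STS the claims provider for this trust.
    Set-AdfsRelyingPartyTrust -TargetName $t.Name -ClaimsProviderName @($cpName)
}

# Consistency check: identifier, WS-Fed endpoint and the Exchange AdfsAudienceUris must be identical strings.
# Pass the Exchange values from: Get-OrganizationConfig | Select-Object -ExpandProperty AdfsAudienceUris
function Test-RelyingPartyConsistency {
    param([string[]]$ExchangeAudienceUris)
    $ok = $true
    foreach ($t in $trusts) {
        $rp       = Get-AdfsRelyingPartyTrust -Name $t.Name
        $id       = [string]$rp.Identifier[0]
        $endpoint = $rp.WSFedEndpoint.AbsoluteUri
        if ($id -ne $endpoint) {
            Write-Warning "$($t.Name): identifier '$id' differs from WS-Fed endpoint '$endpoint'."; $ok = $false
        }
        if ($ExchangeAudienceUris -and ($ExchangeAudienceUris -notcontains $id)) {
            Write-Warning "$($t.Name): identifier '$id' is not among the Exchange audience URIs."; $ok = $false
        }
        if ($rp.ClaimsProviderName -notcontains $cpName) {
            Write-Warning "$($t.Name): claims provider is not '$cpName'."; $ok = $false
        }
    }
    return $ok
}

Test-RelyingPartyConsistency -ExchangeAudienceUris @('https://mail.contoso.com/owa/', 'https://mail.contoso.com/ecp/')
```

The final call uses the guide's sample audience URIs; in practice paste the values reported by Get-OrganizationConfig on the Exchange server so the check compares what each side actually has.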

Testing

Navigate to the OWA and EAC websites. When a user attempts to log in, the browser should be redirected to DigitalPersona STS for authentication and then back to the requested website:

  • https://mail.contoso.com/owa/

  • https://mail.contoso.com/ecp/
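A scripted version of this test, as an added example that is not part of the DigitalPersona documentation: from any client machine it requests each site without credentials and confirms that the first hop is a 302 to the AD FS passive endpoint (/adfs/ls/) carrying a WS-Federation sign-in request whose realm is the requested URL, which is what AD FS-authenticated OWA and EAC produce before AD FS in turn hands the user to DigitalPersona STS. The AD FS host name is an assumption; the URLs are the guide's sample values.

```powershell
# Added example, not part of the DigitalPersona documentation. Runs from any machine that can reach the sites.
function Test-AdfsRedirect {
    param(
        [Parameter(Mandatory)][string]$Url,
        [string]$ExpectedAdfsHost = 'adfs.contoso.com'   # federation service name (assumed)
    )
    # HttpWebRequest with AllowAutoRedirect disabled returns the 302 itself; 3xx responses do not throw.
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.AllowAutoRedirect = $false
    $req.Method = 'GET'
    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        return [pscustomobject]@{ Url = $Url; Ok = $false; Reason = "request failed: $($_.Exception.Message)" }
    }
    try {
        $status   = [int]$resp.StatusCode
        $location = $resp.Headers['Location']
    } finally { $resp.Close() }

    if ($status -ne 302 -or -not $location) {
        return [pscustomobject]@{ Url = $Url; Ok = $false; Reason = "expected 302 with Location, got HTTP $status" }
    }

    # Parse the WS-Federation passive sign-in request without relying on System.Web.
    $target = [uri]$location
    $query  = @{}
    foreach ($pair in $target.Query.TrimStart('?').Split('&')) {
        if ($pair -match '^([^=]+)=(.*)$') { $query[$Matches[1]] = [uri]::UnescapeDataString($Matches[2]) }
    }

    $problems = @()
    if ($target.Host -ne $ExpectedAdfsHost)       { $problems += "redirected to '$($target.Host)', expected '$ExpectedAdfsHost'" }
    if ($target.AbsolutePath -ne '/adfs/ls/')     { $problems += "path '$($target.AbsolutePath)' is not the AD FS passive endpoint" }
    if ($query['wa'] -ne 'wsignin1.0')            { $problems += "wa='$($query['wa'])' is not a sign-in request" }
    if ($query['wtrealm'] -ne $Url)               { $problems += "wtrealm='$($query['wtrealm'])' does not match '$Url' (check trailing slashes)" }

    [pscustomobject]@{
        Url    = $Url
        Ok     = ($problems.Count -eq 0)
        Reason = if ($problems) { $problems -join '; ' } else { "302 to $($target.Host)$($target.AbsolutePath), realm matches" }
    }
}

# Sample run against the guide's two sites.
@('https://mail.contoso.com/owa/', 'https://mail.contoso.com/ecp/') | ForEach-Object { Test-AdfsRedirect -Url $_ } | Format-Table -AutoSize
```

A realm mismatch reported here is the symptom of the trailing-slash inconsistency called out in the AD FS section: the request reaches AD FS, but the relying party identifier does not match and the sign-in fails on the AD FS page rather than at Exchange.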