How do I configure my on-premises Exchange 2016 to use ADFS in preparation for using the SurePassID ADFS Adapter?

Setting up Exchange 2016 to use an external Identity Provider (IdP) like Active Directory Federation Services (ADFS) involves several steps. The process includes configuring your Exchange 2016 environment, setting up ADFS, and then integrating them.

Setting Up ADFS

  1. Install ADFS: Install ADFS on a Windows Server in your environment. This typically involves adding the ADFS role through the Server Manager and configuring it.

  2. Configure ADFS: Set up a Federation Service, define a Federation Service Name, and configure the required certificates.

  3. Create Relying Party Trust: In the ADFS Management console, add a new Relying Party Trust for your Exchange 2016 server. This involves specifying identifiers, endpoints, and choosing a policy for issuance of security tokens.

  4. Configure Claim Rules: Define claim rules for the relying party trust. These rules determine what user data is sent to Exchange 2016 in the token.

Setting Up Exchange 2016

  1. Install Exchange 2016: If not already done, install and configure your Exchange 2016 server.

  2. Configure Virtual Directories: Ensure that your Exchange virtual directories (like OWA and ECP) are correctly configured and accessible.

  3. SSL Certificate: Make sure you have a valid SSL certificate installed on your Exchange server for secure communications.

Integration

  1. Configure Authentication: On the Exchange server, configure OWA and ECP (or any other services you want federated) to use the ADFS server for authentication. This is typically done through PowerShell commands. For example:

# Run in the Exchange Management Shell. AD FS authentication can only be enabled when the other methods on the directory are turned off.
Set-EcpVirtualDirectory -Identity "ECP (Default Web Site)" -AdfsAuthentication $true -FormsAuthentication $false -WindowsAuthentication $false -BasicAuthentication $false -DigestAuthentication $false
Set-OwaVirtualDirectory -Identity "owa (Default Web Site)" -AdfsAuthentication $true -FormsAuthentication $false -WindowsAuthentication $false -BasicAuthentication $false -DigestAuthentication $false

  2. Update DNS Records: Ensure that your DNS records are correctly pointing to your Exchange server and ADFS server as needed.

  3. Test Authentication: Test the setup by accessing OWA or ECP and ensuring that you are redirected to your ADFS login page.

  4. Troubleshoot: If there are issues, check logs in both Exchange and ADFS. Common issues often relate to incorrect configuration or network problems.
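As an added example (not part of this SurePassID article), the AD FS and Exchange Management Shell commands that carry out the Relying Party Trust, Claim Rules and Configure Authentication steps above, ending with a check that only AD FS authentication is left enabled. The hostnames mail.example.com and adfs.example.com, the server name EXCH01 and the certificate thumbprint are placeholders, not values from the article.

```powershell
# Added example: AD FS relying party trust plus Exchange-side configuration for
# OWA/ECP claims-based authentication. All hostnames, the server name and the
# thumbprint below are placeholders; replace them with your own values.

# --- On the AD FS server: one relying party trust each for OWA and ECP -------
# Exchange expects the user's UPN and primary SID in the token.
$exchangeRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "ActiveDirectoryUserUPN"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);

@RuleTemplate = "LdapClaims"
@RuleName = "ActiveDirectoryUserSID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"), query = ";objectSID;{0}", param = c.Value);
'@
$permitAll = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

foreach ($app in "owa", "ecp") {
    Add-AdfsRelyingPartyTrust -Name "Exchange $app" `
        -Identifier "https://mail.example.com/$app/" -WSFedEndpoint "https://mail.example.com/$app/" `
        -IssuanceTransformRules $exchangeRules -IssuanceAuthorizationRules $permitAll
}

# --- On the Exchange server (Exchange Management Shell) ----------------------
$thumb     = "<thumbprint of the AD FS token-signing certificate>"   # placeholder
$audiences = "https://mail.example.com/owa/", "https://mail.example.com/ecp/"

# 1. Trust the AD FS issuer, its signing certificate and the audience URIs
#    (these must match the relying party identifiers created above).
Set-OrganizationConfig -AdfsIssuer "https://adfs.example.com/adfs/ls/" `
    -AdfsAudienceUris $audiences -AdfsSignCertificateThumbprint $thumb

# 2. Switch OWA and ECP to AD FS only. Leaving Forms or Windows auth enabled
#    alongside it is rejected by the cmdlet and would also leave a sign-in
#    path that never reaches the IdP (and so never reaches the 2FA adapter).
$authOff = @{ BasicAuthentication = $false; DigestAuthentication = $false
              FormsAuthentication = $false; WindowsAuthentication = $false }
Set-OwaVirtualDirectory -Identity "EXCH01\owa (Default Web Site)" -AdfsAuthentication $true @authOff
Set-EcpVirtualDirectory -Identity "EXCH01\ecp (Default Web Site)" -AdfsAuthentication $true @authOff

# 3. Restart IIS so the settings take effect, then verify what is enabled.
iisreset /noforce
Get-OwaVirtualDirectory -Identity "EXCH01\owa (Default Web Site)" | Format-List *Authentication
Get-OrganizationConfig | Format-List Adfs*
```

The final two commands should show AdfsAuthentication as True with every other method False, and the issuer, audience URIs and thumbprint you set; anything else means a browser test will not be redirected to AD FS.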

Considerations

  • Certificates: Ensure that all certificates used are valid and trusted by all parties in the federation.

  • Network Configuration: Proper network configuration, including firewalls and DNS, is crucial.

  • High Availability: For production environments, ensure that you have high availability set up for both Exchange and ADFS.

  • Security: Regularly update and patch your Exchange and ADFS servers to protect against vulnerabilities.

Documentation and Support

  • Microsoft Documentation: Refer to Microsoft's official documentation for detailed and updated instructions.

  • Community Forums: Utilize forums like TechNet for community support.

  • Professional Help: If you're not comfortable with these configurations, consider hiring a professional with experience in Exchange and ADFS.

Remember, the exact steps can vary based on your specific environment, version of ADFS, and other integrated systems. Always back up your configurations before making significant changes.

Once you have your Exchange 2016 working with ADFS, you can then proceed to the installation of our ADFS adapter for turning on 2FA with Exchange.