torsdag den 14. juli 2011

Exchange 2010 Service pack 1 Hosting mode and Claims based authentication

I was a happy user of Windows Identity Foundation and ADFS 2.0 against out Exchange 2010 servers, so when messing about with service pack 1 I naturally also tried setting up the c2wts service and configurering claims based authentication up.
That isn't as easy as it sounds so here's a short guide. ( loosely based on information from this document and this guide )

Following this guide will “break” the ECP website. you need to run though all of this again on the Exchange Control Panel website. The difference from OWA to ECP is that you don’t need to “remark out” location.

Also, user controls will fail loading in ECP with an

WebHost failed to process a request.
Sender Information: System.ServiceModel.ServiceHostingEnvironment+HostingManager/59085005
Exception: System.ServiceModel.ServiceActivationException: The service '/ecp/RulesEditor/InboxRules.svc' cannot be activated due to an exception during compilation.  The exception message is: Required attribute 'name' not found. (C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\ecp\web.config line 1859). ---> System.Configuration.ConfigurationErrorsException: Required attribute 'name' not found. (C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\ecp\web.config line 1859)

To fix this, change <binding> to <binding name="ws2007Federation">

Download and install Microsoft Windows Identity Foundation and Windows Identity Foundation SDK on all CAS servers.

First off, the configuration utility gets massively confused over the web.config file, so first open C:\Program Files\Microsoft\Exchange Server\V14\Client Access\Owa\web.config and remark out the <location> tag. ( begin tag is at line 4, end tag is at line 26 )

Open Windows Identity Foundation Federation Utility and point to C:\Program Files\Microsoft\Exchange Server\V14\Client Access\Owa\web.config . Type in the external URL of your OWA site.
Type in metadata url for your ADFS server  ( for instance )
The rest is default.

Open web.config again and un-remark the location tags.
Add WIF modules to configuration –>system.webServer –> modules
  <add type="Microsoft.Exchange.Clients.Owa.Core.OwaModule, Microsoft.Exchange.Clients.Owa" name="OwaModule" />
  <add name="exppw" />
<modules runAllManagedModulesForAllRequests="true">
  <add name="WSFederationAuthenticationModule" type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler"/>
  <add name="SessionAuthenticationModule" type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler"/>
  <add type="Microsoft.Exchange.Clients.Owa.Core.OwaModule, Microsoft.Exchange.Clients.Owa" name="OwaModule" />
  <add name="exppw" />

Force users to be authenticated.
configuration-> system.web –> Add the following

  <deny users="?"/>

Enable UPN. configuration –> system.serviceModel –> bindings –> ws2007FederationHttpBinding –> binding –> security –> message –> claimTypeRequirements. Unmark UPN
<add claimType="" isOptional="true" />

Tell WIF to create a Windows Token instead of passing the SAML token to OWA.
microsoft.identityModel –>service->  Add

  <add type="Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler, Microsoft.IdentityModel, Version=, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
    <samlSecurityTokenRequirement mapToWindows="true" useWindowsTokenService="true"/>

Tell WIF to redirct users to your STS /ADFS,
microsoft.identityModel –>service-> Add

  <wsFederation passiveRedirectEnabled="true" issuer="" realm="https://test01exc01.test01.local/owa/" requireHttps="true"/>
  <cookieHandler requireSsl="true"/>

Open a Exchange powershell console and run

get-owavirtualdirectory | Set-owavirtualdirectory -FormsAuthentication:$false
get-owavirtualdirectory | Set-OwaVirtualDirectory -WindowsAuthentication $true
iisreset /noforce

Lastly, enable c2wt, by first openinig C:\Program Files\Windows Identity Foundation\v3.5\c2wtshost.exe.config and umark <add value="NT AUTHORITY\System" />

Open Services and set “Claims to Windows Token Service” service to start automatic (start/restart the service now)

Copy C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa\FederationMetadata\2007-06\FederationMetadata.xml to your ADFS server and add owa as an relying Party Trust.
Add the following to Rules.
Pass Through or Filter an Incomming Claim –> UPN
Transform an Incomming Claim –> E-Mail Address –> UPN

Open properties for your new relying part and change –> Advanced SHA-1


Encryption,. remove it ( if the WIF wizard forced you to choose one )

EndPoints –> Add a WS-Federation endpoint


Ingen kommentarer:

Send en kommentar