How do I configure OWA for SSO?

Note: Before attempting this configuration ensure that all settings and config files that will be modified are backed up independently.

Note: This configuration is only compatible with OWA Exchange 2010

Step 1 – Ensure that Windows Identity Foundation (WIF) is installed on Exchange server

Windows Identity Foundation (WIF) is a Microsoft framework for building identity-aware applications. It is a core component in configuring OWA for Single Sign On and will need to be in place before proceeding.

You can download WIF from Microsoft’s Download Center.

Step 2 – Modify the C2WTShost.exe.config File

1. Run notepad elevated (Run as Administrator) and open C:\Program Files\Windows Identity Foundation\v3.5\c2wtshost.exe.config
2. Ensure the bolded line is uncommented by removing the <!– and –> tags, adding the values if necessary:
   

   <allowedCallers>
   <clear />
   <add value="NT AUTHORITY\System" />
   </allowedCallers>

3. Save the file
   
   

Step 3 – Enable the C2WTS Service.

1. Open services.msc
2. In the list of services look for Claims to Windows Token Service
3. Right-click on this service and select Properties
4. Ensure the Startup type is set to Automatic
5. Ensure the service is started by clicking Start if it is not greyed out.
   
   

Step 4 – Configure the OWA Application in AuthAnvil SSO

Note: Back up the OWA web.config and ECP web.config by copying them to a safe location before attempting this configuration.

1. Once your configuration is complete, click Save Changes.
2. Click into the Outlook Web application that we just created so we can modify the attribute settings.
3. At the top of the Application Settings click Edit Attribute Maps to open up the attribute editor.
4. Click Create New Map and create an attribute with the following settings:
   1. Attribute Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
   2. Value: {Email}

   Note: If your normal OWA login only requires the username and not the full email address, select {Username} for the value of the above attribute.

   This attribute allows AuthAnvil SSO to use the email address on your 2FA account as the login.

5. Click Save Changes to apply this attribute.
   
   

Step 5 – Update the OWA web.config

1. Run notepad elevated (Run as Administrator) and open C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa\Web.config
2. At the top of the file, after <configuration> add the following lines:
   

   <!-- SSO -->
   <configSections>
   <section name="microsoft.identityModel" type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
   </configSections>
   <!-- /SSO -->

3. Find the <modules> tag and update it to reflect <modules runAllManagedModulesForAllRequests="true">
4. After the <modules> section but before the entry for OwaModule add the following lines:
   

   <!-- SSO -->
   <add name="WSFederationAuthenticationModule" type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" />

   <add name="SessionAuthenticationModule" type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" />
   <!-- /SSO -->

5. Modify (or add) the <authorization> and <authentication> tags below the <system.web> tag to reflect the following lines:
   

   <!-- SSO -->
   <authorization><deny users="?" /></authorization>
   <authentication mode="None" />
   <!-- /SSO -->

   Note: The line <authentication mode=”Windows” /> may already exist in your configuration. If so, only add our authorization tag above and ignore the authentication tag.
6. Get the SSO certificate Thumbprint from the AuthAnvil. AuthAnvil Manager > Single Sign On > Server Settings > Show certificate.
7. Add the following lines right after </runtime> (near the end of the file). Note that the values in red must be entered to match your OWA and AuthAnvil SSO server configuration:

   <!-- SSO -->
   <microsoft.identityModel>
   <service>
   <audienceUris>
   <add value="https://<FQDN>/owa/" />
   </audienceUris>
   <securityTokenHandlers>
   <add type="Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
   <samlSecurityTokenRequirement mapToWindows="true" useWindowsTokenService="true" />
   </add>
   </securityTokenHandlers>
   <federatedAuthentication>
   <wsFederation passiveRedirectEnabled="true" issuer="https://<SSO FQDN>/sso/federation/passive/wsfed" realm="https://<OWA FQDN>/owa/" requireHttps="true" />
   <cookieHandler requireSsl="true" />
   </federatedAuthentication>
   <applicationService>
   </applicationService>
   <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
   <trustedIssuers>
   <add thumbprint="A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6ABCD" name="uri:authanvil:sso:site1" />
   </trustedIssuers>
   </issuerNameRegistry>
   <certificateValidation certificateValidationMode="None" />
   </service>
   </microsoft.identityModel>
   <!-- /SSO -->

   
   Note: uri:authanvil:sso:site1 represents the Token Issuer Name in the AuthAnvil Manager > Single Sign On > Server Settings.

8. Save the file.
   
   

Step 6 – Update ECP

The Exchange Control Panel (ECP) is the section of Outlook Web that manages user details such as changing a password, setting an Inbox rule, or configuring automatic replies. This panel requires an additional configuration change which is almost identical to the /owa/web.config in Step 5, but this configuration file has a different use so do not copy the owa/web.config into the ecp/web.config folder.

1. Run notepad elevated (Run as Administrator) and open C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\ecp\Web.config
2. At the top of the file, after <configuration> add the following lines:
   

   <!-- SSO -->
   <configSections>
   <section name="microsoft.identityModel" type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
   </configSections>
   <!-- /SSO -->

3. Find the <modules> tag and update it to reflect <modules runAllManagedModulesForAllRequests="true">
4. Inside the <modules> section, after the <remove name="ServiceModel" /> line and immediately before <add name="PerformanceConsoleModule" />, add the following lines:
   

   <!-- SSO -->
   <add name="WSFederationAuthenticationModule" type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" />

   <add name="SessionAuthenticationModule" type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" />
   <!-- /SSO -->

5. Get the SSO certificate Thumbprint from the AuthAnvil. AuthAnvil Manager > Single Sign On > Server Settings > Show certificate.
6. Add the following lines right after </runtime> (near the end of the file).
   Note that the values in red must be entered to match your OWA and AuthAnvil SSO server configuration:

7. <!-- SSO -->
   <microsoft.identityModel>
   <service>
   <audienceUris>
   <add value="https://<OWA FQDN>/owa/" />
   </audienceUris>
   <securityTokenHandlers>
   <add type="Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
   <samlSecurityTokenRequirement mapToWindows="true" useWindowsTokenService="true" />
   </add>
   </securityTokenHandlers>
   <federatedAuthentication>
   <wsFederation passiveRedirectEnabled="true" issuer="https://<SSO FQDN>/sso/federation/passive/wsfed" realm="https://<OWA FQDN>/owa/" reply="https://<OWA FQDN>/ecp/" requireHttps="true" />
   <cookieHandler requireSsl="true" />
   </federatedAuthentication>
   <applicationService>
   </applicationService>
   <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
   <trustedIssuers>
   <add thumbprint="A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6ABCD" name="uri:authanvil:sso:site1" />
   </trustedIssuers>
   </issuerNameRegistry>
   <certificateValidation certificateValidationMode="None" />
   </service>
   </microsoft.identityModel>
   <!-- /SSO -->

   Note: uri:authanvil:sso:site1 represents the Token Issuer Name in the AuthAnvil Manager > Single Sign On > Server Settings.

8. Save the file.

Updating the AuthAnvil Database to allow for access to /ecp/

1. Open SQL Management Studio and connect into the AuthAnvil SQL instance
2. Expand Databases > Anvil > Tables
3. Right-click on SSO_ServiceProviderProperty and select Edit Top 200 Rows or Open Table.
4. There should be two Outlook Web App entries. Look for the one that has data in the ProtocolConfiguration column.
5. In the ProtocolConfiguration column there should be some text similar to this:

   {
   "Properties":
   [
   {"Key":"WSFedProtocolVersion","Value":"WS 1.3"},
   {"Key":"SignatureAlgorithm","Value":"http:\/\/www.w3.org\/2001\/04\/xmldsig-more#rsa-sha256"},
   {"Key":"DigestAlgorithm","Value":"http:\/\/www.w3.org\/2001\/04\/xmlenc#sha256"}
   ]
   }
   Note: It will look a little bit different all on one line.

6. First, copy it out into Notepad so you have a backup of the text. Next, we will add one more {Key,Value} pair into these Properties. Copy this with the comma:

   {"Key":"ReplyToOption","Value":"SameDomain"},

   Add that code immediately after:

   {“Properties”:[

   and immediately before:

   {"Key":"WSFedProtocolVersion","Value":"WS 1.3"},

   The end result looks something like this when it's all crammed on one line:

   {"Properties":[{"Key":"ReplyToOption","Value":"SameDomain"},{"Key":"WSFedProtocolVersion","Value":"WS 1.3"},{"Key":"SignatureAlgorithm","Value":"http:\/\/www.w3.org\/2001\/04\/xmldsig-more#rsa-sha256"},{"Key":"DigestAlgorithm","Value":"http:\/\/www.w3.org\/2001\/04\/xmlenc#sha256"}]}

7. Hit Enter to save the configuration, then let’s test it. You might want to run an IISreset on AuthAnvil and restart your browser, but it should just work once you refresh the page.
   
   

Step 7 – Update Exchange

1. Open the Exchange Management Console.
2. Under Server Configuration > Client Access, open the OWA configuration under the Outlook Web App tab.
3. In the Authentication tab and make sure Use forms-based authentication is not checked. Select Use one or more standard authentication methods: and leave the checkboxes blank.
4. Open up Internet Information Services (IIS) Manager.
5. Expand the site where OWA is installed and click on the owa application.
6. Double-click the Authentication icon and verify that Anonymous Authentication is set to Enabled.
   
   

Verifying Functionality

Once the configuration is complete, you should test that everything is working as expected. Log into the SSO portal with a user that is authorized to access OWA and attempt to click on the “Outlook Web” application. You should automatically be redirected to your OWA inbox.

You can test the ECP menu by going into OWA and clicking Options > See All Options. If the Options portal loads with no errors or other authentication, both the OWA and ECP configurations are successful.

Questions?

If you have any questions or need some help, we would be happy to assist. Open a case at help.scorpionsoft.com or send an email to support@scorpionsoft.com.