Configure Outlook Web App to Work with Active Directory Federation Services

Applies to: Exchange Server 2010

You can use the EMC or the Shell to configure Outlook Web App authentication to work with Active Directory Federation Services (ADFS). ADFS extends the ability to use single sign-on functionality that's available in a single security or enterprise boundary to Internet-facing applications. By using single sign-on, your customers, partners, and suppliers can have a streamlined user experience when they access Web-based applications, such as Outlook Web App.

The timed logoff in ADFS, also known as session expiration, doesn't interoperate with Outlook Web App. You must turn off timed logoff in ADFS to use ADFS with Outlook Web App.

ADFS supports Windows NT token-based applications and claims-aware applications. Outlook Web App is a Windows NT token-based application. When you configure ADFS for Outlook Web App, make sure you follow the instructions for a token-based application.

To use ADFS with Outlook Web App, you must configure Outlook Web App to accept anonymous access.

Warning

Outlook Web App shouldn't be configured to accept anonymous access unless it's being accessed through a connection that requires authentication, such as through ADFS. Because configuring Outlook Web App to accept anonymous access is a potential security risk, when you configure Outlook Web App and Internet Information Services (IIS) to accept anonymous access, you'll receive warnings that you've turned off all authentication methods.

After you've disabled all forms of authentication on an Outlook Web App virtual directory by using the EMC or the Shell, you must use IIS Manager to enable anonymous access on that virtual directory in IIS.

To learn more about ADFS and how to prepare an ADFS deployment for Outlook Web App, see Active Directory Federation Services and Deploying Federated Applications.

Looking for other management tasks related to Outlook Web App security? Check out Managing Outlook Web App Security.

Use the EMC to configure Outlook Web App to have no authentication method

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Outlook Web App virtual directories" entry in the Client Access Permissions topic.

  1. In the console tree, navigate to Server Configuration > Client Access.

  2. Click the server that hosts the Outlook Web App virtual directory.

    Note

    To enable Outlook Web App to accept anonymous access, you must disable all forms of authentication.

  3. On the Outlook Web App tab, open the properties of the virtual directory that you want to configure to use anonymous access, and then click the Authentication tab.

  4. Select Use one or more standard authentication methods.

  5. Don't select an authentication method. If any authentication method is selected, click the check box to clear it.

  6. Click OK.

  7. You'll receive a warning that you haven't chosen an authentication method and that directs you to use the Shell to set an authentication method. Click OK to close the warning.

  8. Restart IIS by opening a Command Prompt window and typing the command iisreset /noforce.

Use the Shell to configure Outlook Web App to have no authentication method

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Outlook Web App virtual directories" entry in the Client Access Permissions topic.

Open the Shell on the Client Access server that hosts the Outlook Web App virtual directories you have to configure, and use the following examples to disable every authentication method on the virtual directory.

Note

To enable Outlook Web App to accept anonymous access, you must disable all forms of authentication.

  1. This example disables forms-based authentication on the /owa virtual directory of the site named Default Web Site.

    Set-OwaVirtualDirectory -Identity "owa (Default Web Site)" -FormsAuthentication $false
    
  2. This example disables all standard authentication methods on the /owa virtual directory of the site named Default Web Site.

    Set-OwaVirtualDirectory -Identity "owa (Default Web Site)" -WindowsAuthentication $false
    Set-OwaVirtualDirectory -Identity "owa (Default Web Site)" -BasicAuthentication $false
    Set-OwaVirtualDirectory -Identity "owa (Default Web Site)" -DigestAuthentication $false
    
  3. When the last active authentication method has been disabled, you'll receive a warning that no authentication method is specified for the virtual directory and telling you to use the Set-OwaVirtualDirectory cmdlet to specify an authentication method. Ignore this warning.

  4. Restart IIS by opening a Command Prompt window and typing the command iisreset /noforce.

For more information about syntax and parameters, see Set-OwaVirtualDirectory.

Use IIS Manager to enable anonymous access on a virtual directory

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "IIS Manager" entry in the Client Access Permissions topic.

  1. Open IIS Manager. Exchange Server 2010 runs on Windows Server 2008 SP2 or Windows Server 2008 R2, so this is the IIS 7 version of IIS Manager.
  2. In the Connections pane, expand the server node and then Sites, and select the virtual directory for which you disabled all authentication methods in the previous steps. In a default configuration, this is Sites\Default Web Site\owa.
  3. In Features View, double-click Authentication.
  4. Select Anonymous Authentication, and then click Enable in the Actions pane. Verify that every other authentication method listed for the virtual directory shows Disabled; the EMC or Shell steps above should already have turned them off.
  5. Make the change on the Outlook Web App virtual directory only. Don't enable anonymous authentication on the parent Web site, which hosts the other Exchange virtual directories.
  6. Restart IIS by opening a Command Prompt window and typing the command iisreset /noforce.
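The following script is an added example, not part of the original topic or of Exchange itself. It performs the Shell procedure and the IIS Manager procedure above from a single Exchange Management Shell session on the Client Access server, and then verifies the end state: no Outlook Web App authentication method enabled, and in IIS only anonymous authentication enabled on the /owa virtual directory. It assumes the default site and virtual directory names and that the server runs Windows Server 2008 R2, where the IIS cmdlets ship in the WebAdministration module (on Windows Server 2008 SP2 they are provided by the separately installed IIS PowerShell snap-in instead); those assumptions are marked in the comments.

```powershell
# Added example (not from the original page or from Exchange). Runs in the Exchange
# Management Shell on the Client Access server that hosts the /owa virtual directory.
# Assumptions: default site and vdir names; Windows Server 2008 R2, so the IIS cmdlets
# come from the WebAdministration module. On Windows Server 2008 SP2 use
# Add-PSSnapin WebAdministration after installing the IIS PowerShell snap-in.

$OwaIdentity = "owa (Default Web Site)"   # Exchange identity of the vdir (assumed default)
$IisSite     = "Default Web Site"          # IIS site name (assumed default)
$IisVdir     = "owa"                       # vdir path below the site (assumed default)
$AuthFilter  = "/system.webServer/security/authentication"

Import-Module WebAdministration

# Shell procedure, steps 1 and 2, collapsed into one call. Turning off forms-based and
# all standard methods together raises the "no authentication method" warning once;
# the topic says to ignore it, so it is suppressed deliberately here.
Set-OwaVirtualDirectory -Identity $OwaIdentity `
    -FormsAuthentication   $false `
    -WindowsAuthentication $false `
    -BasicAuthentication   $false `
    -DigestAuthentication  $false `
    -WarningAction SilentlyContinue

# IIS Manager procedure: enable anonymous authentication on the vdir only. Using
# -Location scopes the setting to Default Web Site/owa and leaves the parent site
# and the other Exchange virtual directories untouched.
Set-WebConfigurationProperty -PSPath "IIS:\" -Location "$IisSite/$IisVdir" `
    -Filter "$AuthFilter/anonymousAuthentication" -Name enabled -Value $true

# Restart IIS, as in the last step of every procedure above.
iisreset /noforce

# Verification. With IIS and OWA no longer authenticating anyone, the ADFS Web Agent
# is the only control in front of the mailbox, so confirm the state is exactly what
# was intended and nothing else is still enabled (or anonymous is still off).
$owa = Get-OwaVirtualDirectory -Identity $OwaIdentity
$owaAuthOff = -not ($owa.FormsAuthentication -or $owa.WindowsAuthentication -or
                    $owa.BasicAuthentication -or $owa.DigestAuthentication)

$iisState = @{}
foreach ($module in "anonymousAuthentication", "basicAuthentication",
                    "windowsAuthentication",   "digestAuthentication") {
    $attr = Get-WebConfigurationProperty -PSPath "IIS:\" -Location "$IisSite/$IisVdir" `
        -Filter "$AuthFilter/$module" -Name enabled
    $iisState[$module] = [bool]$attr.Value
}
$iisOk = $iisState["anonymousAuthentication"] -and
         -not ($iisState["basicAuthentication"] -or
               $iisState["windowsAuthentication"] -or
               $iisState["digestAuthentication"])

if ($owaAuthOff -and $iisOk) {
    Write-Output "OK: $OwaIdentity has no OWA authentication method; IIS allows anonymous only."
} else {
    Write-Warning ("Check failed. OWA authentication disabled: $owaAuthOff. IIS: " +
                   (($iisState.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ", "))
}
```

Run the script only after the ADFS Web Agent for Windows NT token-based applications is in place for the virtual directory, as the warning at the top of this topic requires. The verification block is also useful on its own, for example after a service pack or update rollup that could reset authentication settings on the virtual directory.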