Introduction

Use this guide to enable 2-Factor Authentication and Single Sign-on (SSO) via claims-based authentication and WS-Federation to Outlook Web Access (OWA) 2010.

See Outlook Web Access (OWA) 2013 SP1 & 2016 Integration Guide for integration with OWA 2013 SP1 and OWA 2016 

Prerequisites

1. Have OWA 2010 installed on a server

2. Create a New Realm for the OWA 2010 integration in the SecureAuth IdP Web Admin

3. Configure the following tabs in the Web Admin before configuring the Post Authentication tab:

  • Overview – the description of the realm and SMTP connections must be defined
  • Data – an enterprise directory must be integrated with SecureAuth IdP
  • Workflow – the way in which users will access this application must be defined
  • Registration Methods – the 2-Factor Authentication methods that will be used to access this page (if any) must be defined
Configuration Steps
Windows Identity Federation (WIF)

Windows Identity Foundation (WIF) is a Microsoft framework used to build identity-aware applications and is a core component in this integration

WIF must be installed on the OWA Exchange 2010 server and the SecureAuth IdP server

1. Download WIF from Microsoft's Download Center

Update c2wtshost.exe.config File Ensuring "SYSTEM" Access

2. On the OWA Exchange Server, run Notepad as Administrator, and open C:\Program Files\Windows Identity Foundation\v3.5\c2wtshost.exe.config

3. Ensure that the following lines are uncommented by removing the <!-- and --> tags, and add the values if they are not already present:

<allowedCallers>
  <clear />
  <add value="NT AUTHORITY\System" />
</allowedCallers>

4. Save the file

Enable Claims to Windows Token Services (C2WTS)

5. To enable the Claims to Windows Token Service (C2WTS), open services.msc

6. Find Claims to Windows Token Service in the list provided, right-click, and click Properties

7. Set the Startup type to Automatic

8. Click Start to start the service

Set Claims to Windows Token Service (C2WTS) to Start after the Cryptographic Services Service

Per Microsoft, ensure that the Cryptographic Services service is guaranteed to start before C2WTS initiates by explicitly adding the following dependency to the service definition

9. Open the Command Prompt window

10. Type sc config c2wts depend= CryptSvc

11. Find the Claims to Windows Token Service in the Services console (click Start, Run, then services.msc)

12. Open the Properties for the service

13. Ensure that Cryptographic Services is listed in the Dependencies tab

14. Click OK

SecureAuth IdP Configuration Steps
Data

 

1. In the Profile Fields section, ensure that mail is appropriately mapped to the SecureAuth IdP Email 1 Property

2. Map the userPrincipalName to the Email 2 Property

Click Save once the configurations have been completed and before leaving the Data page to avoid losing changes

Post Authentication

 

3. Select WS-Federation Assertion from the Authenticated User Redirect dropdown in the Post Authentication section

4. An unalterable URL will be auto-populated in the Redirect To field, which will append to the domain name and realm number in the address bar (Authorized/WSFedProvider.aspx)

5. A customized post authentication page can be uploaded, but it is not required

User ID Mapping

 

6. Select the SecureAuth IdP Property that corresponds to the directory field that contains the mail attribute (Email 1)

7. Select urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified from the Name ID Format dropdown (default)

8. Select False from the Encode to Base64 dropdown

SAML Assertion / WS Federation

 

9. Set the WSFed Reply To/SAML Target URL to the Fully Qualified Domain Name (FQDN) of the OWA Exchange server followed by /owa/, e.g. https://owa.company.com/owa/

10. Set the WSFed/SAML Issuer to the FQDN of the SecureAuth IdP appliance, followed by the realm number of the realm created for this integration, e.g. https://secureauth.company.com/secureauth2

11. Configure the session length in SAML Valid Hours by entering a numeric value – e.g. 8 for eight hours per session

No configuration is required for the SAML Consumer URL, SAML Recipient, or SAML Audience fields

 

12. Leave the Signing Cert Serial Number as the default value, unless there is a third-party certificate being used for the SAML assertion

If using a third-party certificate, click Select Certificate and choose the appropriate certificate

SAML Attributes / WS Federation

 

13. Set the Name of Attribute 1 to UPN

14. Set the Namespace (1.1) to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn

15. Select Email 2 (or the field that contains the userPrincipalName) from the Value dropdown

Click Save once the configurations have been completed and before leaving the Post Authentication page to avoid losing changes

Forms Auth / SSO Token


16. Click View and Configure FormsAuth keys / SSO token to configure the token/cookie settings and to configure this realm for SSO

These are optional configurations

 To configure this realm's token/cookie settings, follow these steps:
Forms Authentication


1. If SSL is required to view the token, select True from the Require SSL dropdown

2. Choose whether SecureAuth IdP will deliver the token in a cookie to the user's browser or device:

  • UseCookies enables SecureAuth IdP to always deliver a cookie
  • UseUri prevents SecureAuth IdP from delivering a cookie, and instead delivers the token in a query string
  • AutoDetect enables SecureAuth IdP to deliver a cookie if the user's settings allow it
  • UseDeviceProfile enables SecureAuth IdP to deliver a cookie if the browser's settings allow it, no matter the user's settings

3. Set the Sliding Expiration to True if the cookie should remain valid for as long as the user is interacting with the page

4. Set the Timeout length to determine for how many minutes a cookie is valid

No configuration is required for the Name, Login URL, or Domain fields

Machine Key

5. No changes are required in the Validation field, unless the default value does not match the company's requirement

If a different value is required, select it from the dropdown

6. No changes are required in the Decryption field, unless the default value does not match the company's requirement

If a different value is required, select it from the dropdown

No configuration is required for the Validation Key or Decryption Key fields

Authentication Cookies

 

7. Enable the cookie to be Persistent by selecting True - Expires after Timeout from the dropdown

Selecting False - Session Cookie enables the cookie to be valid as long as the session is open, and will expire once the browser is closed or the session expires

No configuration is required for the Pre-Auth Cookie, Post-Auth Cookie, or the Clean Up Pre-Auth Cookie fields

Click Save once the configurations have been completed and before leaving the Forms Auth / SSO Token page to avoid losing changes

To configure this realm for SSO, refer to SecureAuth IdP Single Sign-on Configuration

To configure this realm for Windows Desktop SSO, refer to Windows Desktop SSO Configuration Guide

OWA Integration Configuration Steps

Download the OWA.web.config file to use for guidance when following the steps in this section to configure the Owa Web.config file on the OWA Exchange Server

Update OWA web.config

1. On the OWA Exchange Server, run Notepad as Administrator, and open C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa\Web.config

2. At the top of the file, after <configuration>, add the following lines:

  <!-- SecureAuth -->
  <configSections>
    <section name="microsoft.identityModel" type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </configSections>
  <!-- /SecureAuth -->

3. Change the <modules> tag to <modules runAllManagedModulesForAllRequests="true">

4. Within the <modules> section, but before the OwaModule entry, add the following lines:

  <!-- SecureAuth -->
  <add name="WSFederationAuthenticationModule" type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" />
  <add name="SessionAuthenticationModule" type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" />
  <!-- /SecureAuth -->

5. Modify (or add) the <authorization> and <authentication> tags to reflect the following lines:

  <!-- SecureAuth -->
  <authorization><deny users="?" /></authorization>
  <authentication mode="None" />
  <!-- /SecureAuth -->

Leave <authentication mode="Windows" /> alone if it is present, and disregard the <authentication mode="None" /> in the code above

6. Retrieve the Certificate Thumbprint from the Assertion Signing Certificate in the SecureAuth IdP Web Admin

Open the certificate, click on the Details tab, scroll to the bottom, and find the Thumbprint item

Copy this value, paste into Notepad, and remove all spaces and change all letters to UPPERCASE

7. Add the following lines right after </runtime> (near the end of the file)

Replace <OWA-FQDN> with the actual FQDN of the OWA Exchange server (this will match the WSFed Reply To value in the SecureAuth IdP Web Admin) (two instances)

Replace <SecureAuthIdPFQDN> with the actual FQDN of the SecureAuth IdP appliance; and <X> with the realm number of the OWA-integrated realm, e.g. https://secureauth.company.com/secureauth2 (two instances)

This must match exactly with the WSFed Issuer value in the SecureAuth IdP Web Admin

Replace <CERT THUMBPRINT> with the actual thumbprint value acquired in step 6 (one instance)

  <!-- SecureAuth -->
  <microsoft.identityModel>
    <service>
      <audienceUris>
        <add value="https://<OWA-FQDN>/owa/" />
      </audienceUris>
      <securityTokenHandlers>
        <add type="Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
          <samlSecurityTokenRequirement mapToWindows="true" useWindowsTokenService="true" />
        </add>
      </securityTokenHandlers>
      <federatedAuthentication>
        <wsFederation passiveRedirectEnabled="true" issuer="https://<SecureAuthIdPFQDN>/secureauth<X>" realm="https://<OWA-FQDN>/owa/" requireHttps="true" />
        <cookieHandler requireSsl="true" path="/"/>
      </federatedAuthentication>
      <applicationService>
      </applicationService>
      <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
        <trustedIssuers>
          <add thumbprint="<CERT THUMBPRINT>" name="https://<SecureAuthIdPFQDN>/secureauth<X>" />
        </trustedIssuers>
      </issuerNameRegistry>
      <certificateValidation certificateValidationMode="None" />
    </service>
  </microsoft.identityModel>
  <!-- /SecureAuth -->
 

8. Save the file

Update Exchange through EMC

 

9. Open the Exchange Management Console

10. Under Server Configuration, find Client Access, and open the owa properties under the Outlook Web App tab

11. In the Authentication tab, ensure that Use forms-based authentication is not checked

12. Select Use one or more standard authentication methods, and leave all boxes unchecked

 

13. Open the Internet Information Services (IIS) Manager

14. Expand the site on which OWA is installed, and click on the owa application

15. Double-click the Authentication icon, and verify that Anonymous Authentication is Enabled

16. Restart IIS by using the noforce flag

From the command line, this could be iisreset /noforce

ECP Integration Configuration Steps

Download the ECP.web.config file to use for guidance when following the steps in this section to configure the ECP Web.config file on the OWA Exchange Server

Update ECP web.config

1. On the OWA Exchange Server, run Notepad as Administrator, and open C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\ECP\Web.config

2. At the top of the file, after <configuration>, add the following lines:

  <!-- SecureAuth -->
  <configSections>
    <section name="microsoft.identityModel" type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </configSections>
  <!-- /SecureAuth -->

3. Change the <modules> tag to <modules runAllManagedModulesForAllRequests="true">

4. Within the <modules> section, but before the OwaModule entry, add the following lines:

  <!-- SecureAuth -->
  <add name="WSFederationAuthenticationModule" type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" />
  <add name="SessionAuthenticationModule" type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" />
  <!-- /SecureAuth -->

5. Retrieve the Certificate Thumbprint from the Assertion Signing Certificate in the SecureAuth IdP Web Admin

Open the certificate, click on the Details tab, scroll to the bottom, and find the Thumbprint item

Copy this value, paste into Notepad, and remove all spaces and change all letters to UPPERCASE

6. Add the following lines right after </runtime> (near the end of the file)

Replace <OWA-FQDN> with the actual FQDN of the OWA Exchange server (two instances)

Replace <SecureAuthIdPFQDN> with the actual FQDN of the SecureAuth IdP appliance; and <X> with the realm number of the OWA-integrated realm, e.g. https://secureauth.company.com/secureauth2 (two instances)

This must match exactly with the WSFed Issuer value in the SecureAuth IdP Web Admin

Replace <CERT THUMBPRINT> with the actual thumbprint value acquired in step 5 (one instance)

  <!-- SecureAuth -->
  <microsoft.identityModel>
    <service>
      <audienceUris>
        <add value="https://<OWA-FQDN>/owa/" />
      </audienceUris>
      <securityTokenHandlers>
        <add type="Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
          <samlSecurityTokenRequirement mapToWindows="true" useWindowsTokenService="true" />
        </add>
      </securityTokenHandlers>
      <federatedAuthentication>
        <wsFederation passiveRedirectEnabled="true" issuer="https://<SecureAuthIdPFQDN>/secureauth<X>" realm="https://<OWA-FQDN>/owa/" reply="https://mail.companyname.com/ecp/" requireHttps="true" />
        <cookieHandler requireSsl="true" path="/"/>
      </federatedAuthentication>
      <applicationService>
      </applicationService>
      <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
        <trustedIssuers>
          <add thumbprint="<CERT THUMBPRINT>" name="https://<SecureAuthIdPFQDN>/secureauth<X>" />
        </trustedIssuers>
      </issuerNameRegistry>
      <certificateValidation certificateValidationMode="None" />
    </service>
  </microsoft.identityModel>
  <!-- /SecureAuth -->

Ensure that both OWA and ECP web.config files have the line <cookieHandler requireSsl="true" path="/"/>

This is required for the FedAuth cookie to be shared between web applications

7. Save the file

Machine Key Matching

8. Ensure that the Machine Key configurations match for OWA and ECP

IIS Manager > OWA > Machine Keys

IIS Manager > ECP > Machine Keys
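The thumbprint cleanup (step 6 of the OWA section and step 5 above), the shared cookieHandler line, the issuer match and the machine-key match in step 8 are all easy to get subtly wrong, and most of these mistakes only surface at token validation time (see the ID4175 error under Tips & Warnings). The following Python script, added here as an example and not part of SecureAuth's or Microsoft's tooling, parses the OWA and ECP web.config documents and reports those problems before IIS is restarted. The sample documents, hostnames, thumbprint and machine-key values it builds are constructed for the example, and its assumption that an explicit <machineKey> lives under <system.web> is just that, an assumption:

```python
import re
import xml.etree.ElementTree as ET

# Besides the spaces the guide tells you to remove, the Windows certificate dialog can slip
# invisible characters into a copied thumbprint: U+200E (left-to-right mark), U+FEFF, U+00A0.
HIDDEN = "\u200e\u200f\ufeff\u00a0"


def normalize_thumbprint(raw: str) -> str:
    """Return the thumbprint as 40 upper-case hex characters, as steps 6 (OWA) and
    5 (ECP) require. Raises ValueError if what remains is not a SHA-1 thumbprint."""
    cleaned = "".join(ch for ch in raw if ch not in HIDDEN and not ch.isspace()).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
        raise ValueError(f"not a SHA-1 thumbprint after cleanup: {cleaned!r}")
    return cleaned


def check_identity_model(xml_text: str) -> list:
    """Return the problems found in one web.config's <microsoft.identityModel> section."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # A leftover <OWA-FQDN> placeholder inside an attribute value, or a missing ">",
        # makes the whole file unparseable and the application fails to start.
        return [f"web.config is not well-formed XML: {exc}"]
    svc = root.find("./microsoft.identityModel/service")
    wsfed = svc.find("./federatedAuthentication/wsFederation") if svc is not None else None
    if wsfed is None:
        return ["no <microsoft.identityModel>/<service>/<wsFederation> section"]
    problems = []
    # The realm sent to the IdP must be one of the audiences the token handler accepts.
    audiences = [a.get("value") for a in svc.findall("./audienceUris/add")]
    if wsfed.get("realm") not in audiences:
        problems.append(f"realm {wsfed.get('realm')!r} is not listed in <audienceUris>")
    if wsfed.get("requireHttps", "false").lower() != "true":
        problems.append("wsFederation requireHttps is not true")
    # The FedAuth cookie must be SSL-only and scoped to / so OWA and ECP can share it.
    cookie = svc.find("./federatedAuthentication/cookieHandler")
    if cookie is None or cookie.get("requireSsl", "").lower() != "true" or cookie.get("path") != "/":
        problems.append('<cookieHandler requireSsl="true" path="/"/> is missing or different')
    for entry in svc.findall("./issuerNameRegistry/trustedIssuers/add"):
        # The trusted issuer name is compared with the token's Issuer as a plain string,
        # so it must equal the wsFederation issuer exactly, trailing slash included.
        if entry.get("name") != wsfed.get("issuer"):
            problems.append(f"trusted issuer name {entry.get('name')!r} differs from "
                            f"wsFederation issuer {wsfed.get('issuer')!r}")
        try:
            if normalize_thumbprint(entry.get("thumbprint", "")) != entry.get("thumbprint"):
                problems.append("thumbprint contains spaces, lower-case or hidden characters")
        except ValueError as exc:
            problems.append(str(exc))
    return problems


def check_pair(owa_xml: str, ecp_xml: str) -> list:
    """Cross-check OWA against ECP: same trusted issuer and thumbprint, and matching
    <machineKey> values when both declare one under <system.web> (assumed location),
    otherwise one application cannot decrypt the other's FedAuth cookie."""
    owa, ecp = ET.fromstring(owa_xml), ET.fromstring(ecp_xml)

    def trusted(root):
        return {(e.get("name"), e.get("thumbprint")) for e in root.iterfind(".//trustedIssuers/add")}

    def keys(root):
        mk = root.find("./system.web/machineKey")
        return None if mk is None else (mk.get("validationKey"), mk.get("decryptionKey"))

    problems = []
    if trusted(owa) != trusted(ecp):
        problems.append("OWA and ECP trust different issuers or thumbprints")
    if keys(owa) is not None and keys(ecp) is not None and keys(owa) != keys(ecp):
        problems.append("machineKey values differ between OWA and ECP")
    return problems


# Constructed sample shaped like the guide's fragment: the hostnames are the guide's own
# examples, the thumbprint and machine-key values are made up for this example.
ISSUER = "https://secureauth.company.com/secureauth2"
GOOD_THUMBPRINT = "A1B2C3D4E5F60718293A4B5C6D7E8F9012345678"


def build_sample(thumbprint: str, issuer_name: str = ISSUER, cookie_path: str = "/",
                 machine_key: str = "MK-A") -> str:
    return f"""<configuration>
  <system.web><machineKey validationKey="{machine_key}" decryptionKey="{machine_key}" /></system.web>
  <microsoft.identityModel>
    <service>
      <audienceUris><add value="https://owa.company.com/owa/" /></audienceUris>
      <federatedAuthentication>
        <wsFederation passiveRedirectEnabled="true" issuer="{ISSUER}"
                      realm="https://owa.company.com/owa/" requireHttps="true" />
        <cookieHandler requireSsl="true" path="{cookie_path}"/>
      </federatedAuthentication>
      <issuerNameRegistry>
        <trustedIssuers><add thumbprint="{thumbprint}" name="{issuer_name}" /></trustedIssuers>
      </issuerNameRegistry>
    </service>
  </microsoft.identityModel>
</configuration>"""
```

On a real server, pass the contents of the two Web.config files to check_identity_model() and check_pair(); an empty list means nothing was found. Feeding a thumbprint copied straight from the certificate dialog (with its spaces and leading invisible mark) to normalize_thumbprint() shows why the guide insists on retyping the value rather than pasting it.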

Update Exchange through EMC

 

9. Open the Exchange Management Console

10. Under Server Configuration, find Client Access, and open the ecp properties under the Exchange Control Panel tab

11. In the Authentication tab, ensure that Use forms-based authentication is not checked

12. Select Use one or more standard authentication methods, and leave all boxes unchecked

 

13. Open the Internet Information Services (IIS) Manager

14. Expand the site on which ECP is installed, and click on the ecp application

15. Double-click the Authentication icon, and verify that Anonymous Authentication is Enabled

(OPTIONAL) Scripts and Theme Folder Permissions

This configuration step is required if experiencing a theme rendering issue after being authenticated into OWA and selecting Options(ECP)

1. Add the following code as a web.config file to the folder with the highest version of the Cumulative Update

e.g.: \Exchange Server\Vxx\ClientAccess\ecp\xx.x.xxx.xxx\web.config

<?xml version="1.0"?>
<configuration>
    <location path="Themes">
        <system.web>
            <authorization>
                <!--<allow users="*"/>-->
                <allow users="?"/>
            </authorization>
        </system.web>
    </location>
    <location path="Scripts">
        <system.web>
            <authorization>
                <!--<allow users="*"/>-->
                <allow users="?"/>
            </authorization>
        </system.web>
    </location>
</configuration>
URL Rewrites (Optional)

These are optional configurations and not required for the integration

 URL Rewrite to Resolve Trailing Slash Issues

Both the OWA and ECP applications will have issues if a trailing slash is missing

To avoid these issues, use URL Rewrite

 

1. Download and install URL Rewrite for IIS

2. Open IIS, browse to Default Web Site, and select URL Rewrite

3. Click Add Rule(s) under Actions

4. Set the Name to Trailing Slash Fix

5. Select Matches the Pattern from the Requested URL dropdown

6. Set the Pattern to (.*[^/])$

7. Expand the Conditions section

8. Select Match Any from the Logical Grouping dropdown

9. Click Add to include Condition 1

 Condition 1 Configuration Steps

10. Set the Condition Input to {URL}

11. Select Matches the Pattern from the Check if input string dropdown

12. Set the Pattern to ^/owa$

13. Click OK

14. Click Add to include Condition 2

 Condition 2 Configuration Steps

15. Set the Condition Input to {URL}

16. Select Matches the Pattern from the Check if input string dropdown

17. Set the Pattern to ^/ecp$

18. Click OK

19. Expand the Action section

20. Select Redirect from the Action Type dropdown

21. Set the Redirect URL to {R:1}/

22. Select Permanent (301) from the Redirect Type dropdown

23. Click Apply in the upper right-hand corner, under Actions

 URL Rewrite to Resolve Logout Issues

To avoid logout issues, use URL Rewrite (available here) on the OWA web server to redirect users appropriately

1. Open IIS, browse to Default Web Site, and select URL Rewrite

2. Click Add Rule(s) under Actions, and select Blank Rule

3. Two (2) Logout Redirect Rules are necessary

Logout Redirect Rule 1

 

4. Set the Name to Redirect Logout Rule 1

5. Select Matches the Pattern from the Requested URL dropdown

6. Select Regular Expressions from the Using dropdown

7. Set the Pattern to ^owa/logoff\.owa$

8. Expand the Action section

9. Select Redirect from the Action Type dropdown

10. Set the Redirect URL to the FQDN of the SecureAuth IdP appliance, followed by the realm number of the OWA-integrated realm, and /wsfedsignout.aspx

For example, https://secureauth.company.com/secureauth2/wsfedsignout.aspx

11. Select Permanent (301) from the Redirect Type dropdown

12. Click Apply in the upper right-hand corner, under Actions

Second Logout Redirect Rule

 

13. Set the Name to Redirect Logout Rule 2

14. Select Matches the Pattern from the Requested URL dropdown

15. Select Regular Expressions from the Using dropdown

16. Set the Pattern to ^owa/auth/logoff\.aspx$

17. Expand the Action section

18. Select Redirect from the Action Type dropdown

19. Set the Redirect URL to the FQDN of the SecureAuth IdP appliance, followed by the realm number of the OWA-integrated realm, and /wsfedsignout.aspx

For example, https://secureauth.company.com/secureauth2/wsfedsignout.aspx

20. Select Permanent (301) from the Redirect Type dropdown

21. Click Apply in the upper right-hand corner, under Actions

 Alternate URL Rewrite Setup Method

1. Download and install URL Rewrite for IIS

2. Open the Internet Information Services (IIS) Manager

3. In the Connections list, expand the IIS Server Name, and then expand Sites

4. Right-click on Default Web Site, and select Explore

5. Copy the Path from the explorer window

6. Open Notepad, running in the Administrator context (Run as Administrator)

7. Select File, then Open

8. Change the extension to All Files: (*.*)

9. Paste the Path into the File name and click Open

10. Select the web.config file and click Open again

11. The contents of the web.config file should look similar to the following:

Default web.config
<configuration>
  <location inheritInChildApplications="false">
    <system.webServer>
      <modules>
        <add name="OwaUrlModule" type="Microsoft.Exchange.HttpProxy.OwaUrlModule,Microsoft.Exchange.OwaUrlModule,Version=15.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35" preCondition="" />
      </modules>
    </system.webServer>
    <system.web>
      <machineKey validationKey="AutoGenerate,IsolateApps" />
      <compilation defaultLanguage="c#" debug="false">
        <assemblies>
          <add assembly="Microsoft.Exchange.OwaUrlModule, Version=15.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
        </assemblies>
      </compilation>
    </system.web>
  </location>
  <system.webServer>
    <tracing>
      <traceFailedRequests>
        <add path="*">
          <traceAreas>
            <add provider="ASP" verbosity="Verbose" />
            <add provider="ASPNET" areas="Infrastructure,Module,Page,AppServices" verbosity="Verbose" />
            <add provider="ISAPI Extension" verbosity="Verbose" />
            <add provider="WWW Server" areas="Authentication,Security,Filter,StaticFile,CGI,Compression,Cache,RequestNotifications,Module,FastCGI" verbosity="Verbose" />
          </traceAreas>
          <failureDefinitions timeTaken="00:00:00" statusCodes="301-307, 500-599" />
        </add>
      </traceFailedRequests>
    </tracing>
  </system.webServer>
</configuration>

12. Edit the below content with the following value changes:

Replace <SecureAuthIdPFQDN/SecureAuthIdPRealm#> with the FQDN of the SecureAuth IdP appliance, followed by the OWA integration realm number, e.g. secureauth.company.com/secureauth2 (two instances)

Replace <EXCHANGE.YOURCOMPANY.COM> with the FQDN of the OWA Exchange Server, e.g. exchange.company.com (two instances)

<rewrite>
  <rules>
    <clear />
    <rule name="Trailing Slash Fix" stopProcessing="true">
      <match url="(.*[^/])$" />
      <conditions logicalGrouping="MatchAny" trackAllCaptures="false">
        <add input="{URL}" pattern="^/owa$" />
        <add input="{URL}" pattern="^/ecp$" />
      </conditions>
      <action type="Redirect" url="{R:1}/" />
    </rule>
    <rule name="Redirect Logout Requests" stopProcessing="true">
      <match url="^owa/logoff\.owa$" />
      <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
      <action type="Redirect" url="https://<SecureAuthIdPFQDN/SecureAuthIdPRealm#>/wsfedsignout.aspx" />
    </rule>
    <rule name="Redirect Logout Requests II" stopProcessing="true">
      <match url="^owa/auth/logoff\.aspx$" />
      <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
      <action type="Redirect" url="https://<SecureAuthIdPFQDN/SecureAuthIdPRealm#>/wsfedsignout.aspx" />
    </rule>
    <rule name="Redir to OWA" enabled="false" stopProcessing="true">
      <match url="(.*)" />
      <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
        <add input="{HTTP_HOST}" pattern="<EXCHANGE.YOURCOMPANY.COM>" />
      </conditions>
      <action type="Redirect" url="https://<EXCHANGE.YOURCOMPANY.COM>/{R:1}" />
    </rule>
  </rules>
</rewrite>
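The rules above are the same ones the Trailing Slash and Logout sections configure through the IIS Manager dialogs, and it is worth seeing exactly which requests they catch before putting them in front of a production mailbox server. The Python script below is an added example, not part of the guide and not IIS URL Rewrite itself: it loads the <rewrite> block with the guide's example hostnames filled in for the placeholders and evaluates a few request paths against it. The evaluator is a deliberately simplified model of URL Rewrite for site-level rules (the match pattern is tested against the path without its leading slash, {URL} and {HTTP_HOST} are the only server variables, patterns are case-insensitive, a relative redirect target is resolved from the site root, the first matching Redirect rule wins), so treat it as a check on the patterns, not as the engine:

```python
import re
import xml.etree.ElementTree as ET

# The guide's <rewrite> rules with its example hostnames substituted for the placeholders
# (constructed input for this example). The disabled "Redir to OWA" rule is kept on
# purpose, to show that enabled="false" rules are skipped.
RULES_XML = r"""<rewrite>
  <rules>
    <clear />
    <rule name="Trailing Slash Fix" stopProcessing="true">
      <match url="(.*[^/])$" />
      <conditions logicalGrouping="MatchAny" trackAllCaptures="false">
        <add input="{URL}" pattern="^/owa$" />
        <add input="{URL}" pattern="^/ecp$" />
      </conditions>
      <action type="Redirect" url="{R:1}/" />
    </rule>
    <rule name="Redirect Logout Requests" stopProcessing="true">
      <match url="^owa/logoff\.owa$" />
      <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
      <action type="Redirect" url="https://secureauth.company.com/secureauth2/wsfedsignout.aspx" />
    </rule>
    <rule name="Redirect Logout Requests II" stopProcessing="true">
      <match url="^owa/auth/logoff\.aspx$" />
      <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
      <action type="Redirect" url="https://secureauth.company.com/secureauth2/wsfedsignout.aspx" />
    </rule>
    <rule name="Redir to OWA" enabled="false" stopProcessing="true">
      <match url="(.*)" />
      <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
        <add input="{HTTP_HOST}" pattern="exchange.company.com" />
      </conditions>
      <action type="Redirect" url="https://exchange.company.com/{R:1}" />
    </rule>
  </rules>
</rewrite>"""

SIGNOUT = "https://secureauth.company.com/secureauth2/wsfedsignout.aspx"


def load_rules(xml_text: str) -> list:
    """Parse the enabled rules into dicts the evaluator below understands."""
    rules = []
    for rule in ET.fromstring(xml_text).iterfind("./rules/rule"):
        if rule.get("enabled", "true").lower() == "false":
            continue
        conds = rule.find("conditions")
        rules.append({
            "name": rule.get("name"),
            # URL Rewrite patterns are case-insensitive unless ignoreCase="false" is set.
            "match": re.compile(rule.find("match").get("url"), re.IGNORECASE),
            "grouping": conds.get("logicalGrouping", "MatchAll") if conds is not None else "MatchAll",
            "conditions": [(c.get("input"), re.compile(c.get("pattern"), re.IGNORECASE))
                           for c in (conds.findall("add") if conds is not None else [])],
            "action": rule.find("action"),
        })
    return rules


def apply_rules(rules: list, path: str, host: str = "exchange.company.com") -> tuple:
    """Evaluate one request path, e.g. "/owa", against the rules.
    Returns ("redirect", target) for the first Redirect rule that fires, else ("pass", path)."""
    server_vars = {"{URL}": path, "{HTTP_HOST}": host}
    for rule in rules:
        # Site-level rules see the path without its leading slash.
        m = rule["match"].search(path.lstrip("/"))
        if not m:
            continue
        outcomes = [pat.search(server_vars.get(var, "")) is not None for var, pat in rule["conditions"]]
        # MatchAll over an empty condition list is true (all([]) == True), which is why the
        # two logout rules fire with no conditions at all.
        if not (any(outcomes) if rule["grouping"] == "MatchAny" else all(outcomes)):
            continue
        url = rule["action"].get("url").replace("{R:0}", m.group(0))
        for i, group in enumerate(m.groups(), start=1):
            url = url.replace("{R:%d}" % i, group or "")
        if not url.startswith(("http://", "https://", "/")):
            url = "/" + url  # a relative redirect target is resolved against the site root
        if rule["action"].get("type") == "Redirect":
            return ("redirect", url)
    return ("pass", path)


if __name__ == "__main__":
    rules = load_rules(RULES_XML)
    for p in ("/owa", "/ecp", "/owa/", "/owa/auth/logon.aspx", "/owa/logoff.owa", "/owa/auth/logoff.aspx"):
        print(p, "->", apply_rules(rules, p))
```

Running it shows the intended split: /owa and /ecp are redirected to /owa/ and /ecp/, /owa/ and ordinary OWA pages pass through because the conditions only match the bare application paths, and both logoff URLs are sent to the IdP's wsfedsignout.aspx so the federated session is ended rather than just the OWA one.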

13. Insert the edited content into the Default Web Site's web.config file after </tracing> and before </system.webServer>

Sample of Complete Default Web Site Web.Config
******************** Sample web.config ****************************************

<configuration>
  <location inheritInChildApplications="false">
    <system.webServer>
      <modules>
        <add name="OwaUrlModule" type="Microsoft.Exchange.HttpProxy.OwaUrlModule,Microsoft.Exchange.OwaUrlModule,Version=15.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35" preCondition="" />
      </modules>
    </system.webServer>
    <system.web>
      <machineKey validationKey="AutoGenerate,IsolateApps" />
      <compilation defaultLanguage="c#" debug="false">
        <assemblies>
          <add assembly="Microsoft.Exchange.OwaUrlModule, Version=15.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
        </assemblies>
      </compilation>
    </system.web>
  </location>
    <system.webServer>
        <tracing>
            <traceFailedRequests>
                <add path="*">
                    <traceAreas>
                        <add provider="ASP" verbosity="Verbose" />
                        <add provider="ASPNET" areas="Infrastructure,Module,Page,AppServices" verbosity="Verbose" />
                        <add provider="ISAPI Extension" verbosity="Verbose" />
                        <add provider="WWW Server" areas="Authentication,Security,Filter,StaticFile,CGI,Compression,Cache,RequestNotifications,Module,FastCGI" verbosity="Verbose" />
                    </traceAreas>
                    <failureDefinitions timeTaken="00:00:00" statusCodes="301-307, 500-599" />
                </add>
            </traceFailedRequests>
        </tracing>
        <rewrite>
            <rules>
                <clear />
                <rule name="Trailing Slash Fix" stopProcessing="true">
                    <match url="(.*[^/])$" />
                    <conditions logicalGrouping="MatchAny" trackAllCaptures="false">
                        <add input="{URL}" pattern="^/owa$" />
                        <add input="{URL}" pattern="^/ecp$" />
                    </conditions>
                    <action type="Redirect" url="{R:1}/" />
                </rule>
                <rule name="Redirect Logout Requests" stopProcessing="true">
                    <match url="^owa/logoff\.owa$" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
                    <action type="Redirect" url="https://secureauth.company.com/secureauth2/wsfedsignout.aspx" />
                </rule>
                <rule name="Redirect Logout Requests II" stopProcessing="true">
                    <match url="^owa/auth/logoff\.aspx$" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
                    <action type="Redirect" url="https://secureauth.company.com/secureauth2/wsfedsignout.aspx" />
                </rule>
                <rule name="Redir to OWA" enabled="false" stopProcessing="true">
                    <match url="(.*)" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
                        <add input="{HTTP_HOST}" pattern="exchange.company.com" />
                    </conditions>
                    <action type="Redirect" url="https://exchange.company.com/{R:1}" />
                </rule>
            </rules>
        </rewrite>
    </system.webServer>
</configuration>
******************** End Sample web.config ****************************************
Optional Configuration
Add Federation SignOut Functionality to OWA SignOut

 

1. Edit OWA's web.config and add the following line under <assemblies> and after the comment block

<add assembly="Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />

 

2. Edit logoff.aspx (found in ~\ClientAccess\Owa\auth\) to include Microsoft.IdentityModel.Web

<%@ Import namespace="Microsoft.IdentityModel.Web"%>

3. Add a call to the federated authentication sign-out module to clear the FedAuth cookie on logout, immediately under the <body class="owaLgnBdy<%=IsRtl ? " rtl" : ""%> line

<% FederatedAuthentication.SessionAuthenticationModule.SignOut(); %>

If there are broken image links on the logout page, follow these steps to allow all users to view the images


 

1. Create a web.config file in the currently used theme folder

To find the currently used theme folder, view the source of logoff.aspx in the browser (use Inspect Element from the right-click menu in most browsers) and locate an image element with a src="" attribute

2. Note the src="" string – in the OWA folder (~\ClientAccess\Owa\), a folder that relates to the same path in the src="" value will be present

3. Navigate to that folder and create with Notepad a web.config file with the following content

<configuration>
	<location path="logon.css">
		<system.web>
			<authorization>
				<allow users="*" />
			</authorization>
		</system.web>
	</location>
	<location path="owafont.css">...</location>
	<location path="lgntopl.gif">...</location>
	<location path="lgntopr.gif">...</location>
	<location path="lgnexlogo.gif">...</location>
	<location path="lgnbotl.gif">...</location>
	<location path="lgnbotr.gif">...</location>
</configuration>
	

4. Save the file

Known Issues

OWA Options Not Displaying Properly

OWA Options is actually a link to the ECP; and due to the nature of the integration with SecureAuth IdP, the user may be authenticated to access the options, but not authorized to display the assets required. To resolve the issue, follow these steps:

1. Using Windows File Explorer, navigate to %Microsoft Exchange Install Directory%\Exchange Server\V14\ClientAccess\ecp

2. Find the latest asset folder, which should follow the naming convention of 14.x.xxx.xx, and should be the highest revision

3. Inside of the latest asset folder, enter the themes folder and open the web.config file with Notepad running as Administrator

4. Add the following near the end of the file, immediately above the </configuration> tag, and save the file

<location path="Default">
    <system.web>
        <authorization>
            <allow users="?"/>
        </authorization>
    </system.web>
</location>

5. Navigate back to the root of the asset folder and open the scripts folder

6. Open the web.config file located in the scripts folder with Notepad running as Administrator, and add the following near the top of the file immediately under the <configuration> tag, and save the file:

<system.web>
    <authorization>
        <allow users="?"/>
    </authorization>
</system.web>
Tips & Warnings

1. To utilize Windows Desktop SSO, WindowsSSO.aspx will need to be set as the default document and coded to retain the referral string

If Windows Desktop SSO will be redirecting external users to another realm, the secureauth.aspx.vb page in that realm will need code that strips out the "?403;https://<SecureAuthIdPFQDN>/secureauth<X>"

2. When setting URLs in 6.6 and 8.5, it is essential to be consistent and not leave off something as simple as a trailing slash "/"

3. If the Certificate Thumbprint is pasted into the thumbprint="" attribute (between the quotation marks), there may be issues when the placeholder content from the code is simply replaced by the copied thumbprint value

It is recommended to delete the entire placeholder content, including the quotation marks, and retype the Certificate Thumbprint value with new quotation marks

In the Event Viewer, an Error 1003, MS Exchange Front End HTTP Proxy - ID4175, will appear if this is the issue

See here for more information