OWA/ECP ADFS AND Forms Authentication?

Hi, looking at the deployment/authentication options for a new Exchange 2013 SP1 CU8 deployment. We have ADFS3 deployed on our edge, and this is working very well. We want to know if it is possible to mix ADFS AND Forms Authentication on OWA and ECP please? We would like internal users to be presented with the 'default' Forms Login page, but external access via the ADFS Proxy will be Multifactor, and will then delegate the credentials to the back-end Exchange servers. The 'config' articles on Technet do not state if it is possible to have both. We want to keep the internal/external namespace the same too.

Thanks for any

April 14th, 2015 6:44am

Multifactor is enforced by the claims rule engine, the page can stay the same and you will get a different experience based on the claims. Check the examples in this article: http://blogs.msdn.com/b/ramical/archive/2014/01/30/under-the-hood-tour-on-multi-factor-authentication-in-ad-fs-part-1-policy.aspx
April 14th, 2015 3:58pm

Thank you. This may answer it on a technical level, but I really need to know if it works in the 'real world' and is a supported deployment. Even better if someone has deployed it this way and can comment.

Thanks again

April 15th, 2015 2:59am

Hi Phil,
 
Frankly, I haven't seen the above deployment so far. But you can try to create two web sites, one for internal users and another for external users, and then set different authentication for each. Please test this in your lab before deploying it in a production environment.

For your reference:

https://technet.microsoft.com/en-us/library/dn635116%28v=exchg.150%29.aspx?f=255&MSPPError=-2147217396

Hope my clarification can be helpful to you.

Best re

April 15th, 2015 11:14pm

Thanks. I am going to test options out in a lab today now, and will feed back here with results.

Thanks

Phil

April 16th, 2015 3:36am

Okay, it wasn't too complicated really. Because the CAS servers are being configured to ONLY use ADFS for authentication to OWA/ECP, it was simply a case of configuring the ADFS server to 'split' authentication between Intranet and Extranet, where the Extranet is being forced to use multi-factor authentication. This way the Intranet users get their simple Forms-based authentication screen, and the external users have the same but with the addition of the multi-factor part... Sorted now.

Thanks for your feedback. I may mark this as the answer so others can see what is possible.

Phil

April 16th, 2015 7:40am
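Phil's Intranet/Extranet split, written out as an added example that is not from the thread or from Microsoft's documentation: an AD FS 3 (Windows Server 2012 R2) claim rule that demands MFA only when the request lacks the inside-corporate-network claim, with Forms kept as the primary method in both zones. The relying-party trust display names are assumptions.

```powershell
# Added example (not from the thread): force MFA only for extranet OWA/ECP logons on AD FS 3.
# Assumes an elevated session on a federation server with the ADFS module available.
Import-Module ADFS

# 1. Both zones keep Forms as the primary method, so the login page looks the same
#    inside and outside; only the extra MFA step differs.
Set-AdfsGlobalAuthenticationPolicy `
    -PrimaryIntranetAuthenticationProvider @('FormsAuthentication') `
    -PrimaryExtranetAuthenticationProvider @('FormsAuthentication')

# 2. Claim rule: when the request did not arrive from inside the corporate network
#    (the insidecorporatenetwork claim is "false" for traffic reaching AD FS through the
#    Web Application Proxy), demand the "multipleauthn" method, which triggers the
#    registered additional authentication provider.
$extranetMfaRule = @'
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@

# 3a. Apply globally, to every relying party trust ...
Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $extranetMfaRule

# 3b. ... or, instead of 3a, scope it to the Exchange trusts only. The display names
#     below are assumptions; use the names you gave the OWA and ECP trusts.
foreach ($rp in @('Outlook Web App', 'Exchange Admin Center')) {
    Set-AdfsRelyingPartyTrust -TargetName $rp -AdditionalAuthenticationRules $extranetMfaRule
}

# 4. Verify. AdditionalAuthenticationProvider must list a registered MFA provider;
#    without one the rule has nothing to invoke and extranet logons will fail rather than
#    silently fall back to single factor.
Get-AdfsGlobalAuthenticationPolicy |
    Select-Object PrimaryIntranetAuthenticationProvider,
                  PrimaryExtranetAuthenticationProvider,
                  AdditionalAuthenticationProvider
Get-AdfsAdditionalAuthenticationRule
```

Test from a client on the internal network and from one behind the Web Application Proxy; only the second should be prompted for the second factor after the Forms page.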
