Multiple Active Directories accessing Exchange 2010 at a central site with no trusts

Posted on 2012-03-21
700 Views
Last Modified: 2012-06-27
I have Exchange 2010 in a Windows 2008 R2 Native domain that hosts mailboxes for multiple companies. All of these companies are accessing email using Outlook Anywhere without any issue.

The companies are in their own Active Directories that do NOT have Exchange enabled in them.  There are also no VPNs and no TRUSTS to/from these Active Directories, and we do not want to go in this direction.

We do not have Exchange 2010 installed in hosted mode because the tools make managing it a nightmare. We are segmenting GALs with the Exchange 2010 SP1 Address Book Policies. It works great!

We are manually having users sync their passwords using CHANGE-PASSWORD in Outlook 2010 OWA. However, we would like to get an automatic SSO if possible using Active Directory Federation Services or Forefront Identity Manager.

We already employ FIM to import user objects when a new company joins the party. We are having a very difficult time getting the PCMS module of FIM working, which is supposed to keep the ADs' user object passwords in sync.

Does anyone know if ADFS is a better way to sync passwords between two untrusted, unconnected ADs? Or should we stay with FIM and just get it working? I've been researching ADFS and it seems like it may be easier and better at keeping passwords in sync.

We have no issues with opening ports / allowing access between DCs for FIM/ADFS, we just don't want to deal with trusts and seeing other directories in the dropdowns at all of these sites.

Any insight is appreciated.
Question by: jkeegan123
3 Comments
 
Expert Comment by Adam Brown (LVL 42)
ID: 37750066
ADFS won't sync passwords for you at all. It's just a different authentication system that allows you to pass and accept tokens or objects from a trusted provider that has already authorized a user for access. There is no password passed across an ADFS link. The ADFS server on one side of an ADFS trust authenticates a user against the AD in their environment, and if successful passes identifying information to the ADFS server on the other side (SID, UPN, etc.). The trust setup between ADFS servers is used to prevent unauthorized access. It is also only usable on web-based applications that support SAML authentication. OWA doesn't support it natively.

FIM is the only system that will allow you to sync passwords between AD environments. Unfortunately, I've never been able to get that working.
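To make the "no password crosses the link" point concrete, here is an added example (not from the thread, not the author's or Microsoft's own script) of what a federation server in one of the customer forests would actually be configured to send to the hosting side. It assumes the ADFS 2.0 PowerShell snap-in on a Windows Server 2008 R2 federation server; the trust name, identifier, endpoint URL and the group SID are placeholders. The user authenticates with Kerberos/NTLM against their own AD, and the only things issued into the signed token are the claims listed in the transform rule.

```powershell
# Added example, not from the original thread. Assumes the ADFS 2.0 snap-in on a
# Windows Server 2008 R2 federation server in one customer forest. Trust name,
# identifier, endpoint URL and group SID below are placeholders.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Authorization: the user has already logged on to THIS forest's AD before any
# rule runs. The relying party (the hosting side) never receives the password,
# only the outcome of that logon expressed as claims.
$authzRules = @'
@RuleName = "Permit only members of the hosted-mail access group (placeholder SID)"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
   Value == "S-1-5-21-0000000000-0000000000-0000000000-1234"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Transform: what actually crosses the federation link. UPN and primary SID are
# read from the local directory for the authenticated account and issued as
# claims in the signed token; no credential material is included.
$transformRules = @'
@RuleName = "Issue UPN and primary SID from the local Active Directory"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
                   "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"),
          query = ";userPrincipalName,objectSID;{0}", param = c.Value);
'@

# Relying party trust pointing at the hosting side's OWA endpoint (placeholder).
Add-ADFSRelyingPartyTrust -Name "Hosted Exchange OWA (placeholder)" `
    -Identifier "https://mail.example.com/owa/" `
    -WSFedEndpoint "https://mail.example.com/owa/" `
    -IssuanceAuthorizationRules $authzRules `
    -IssuanceTransformRules $transformRules

# Check: the stored rules name only UPN and SID claim types, nothing password-shaped.
Get-ADFSRelyingPartyTrust -Name "Hosted Exchange OWA (placeholder)" |
    Select-Object Name, Identifier, IssuanceAuthorizationRules, IssuanceTransformRules
```

Two practical consequences follow from this shape. First, the hosting side has to map the incoming UPN or SID claim to a mailbox itself; ADFS gives it an assertion of identity, not a synchronized account, so the FIM import the question already relies on is still needed to create the mailbox-enabled objects. Second, this only helps clients that can perform a browser-style redirect to the federation server, which is why the rest of the thread turns on whether Outlook Anywhere (RPC over HTTPS) can use it at all.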
Author Comment by jkeegan123 (LVL 5)
ID: 37750232
This article has a well detailed way to do OWA using ADFS:

http://www.theidentityguy.com/articles/2010/10/15/access-owa-with-adfs.html

If this could be expanded to support Outlook Anywhere, this might be just about the greatest thing....

As for FIM, we have it working great for IMPORTING, almost no work at all. But no PCMS. :(
Accepted Solution by Adam Brown (LVL 42), earned 2000 total points
ID: 37750257
I stand corrected on OWA and ADFS :D. But it won't work with Outlook Anywhere because ADFS requires a web browser for user login and authentication. Outlook Anywhere uses HTTPS but only to encapsulate RPC calls. There's no existing function to allow Outlook to pass a login to ADFS. Perhaps in the future, but after digging around a bit, MS says that ADFS will only work with OWA. http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/a43553da-d50c-4671-bf67-2a18a095c05e/