Solved

Can ADFS be used to provide authentication services for exchange (2013 sp1), so clients can connect  to exchange using outlook.  All clients will be external  to the exchange forest

Posted on 2014-09-03
7
98 Views
Last Modified: 2016-06-13
I have an exchange 2013 sp1 setup with a single CAS server and MBX server.  I would like to provide access to the mailboxes hosted in this environment to external clients without going down the trusts root and also without creating extra user accounts in the domain where exchange is setup.

I would like to use ADFS 2.1 to authenticate the clients, however is this possible so that users can use outlook to connect to their mailboxes or is it just restricted to Outlook Web App
0
Comment
Question by:Hirenc
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 58

Accepted Solution

by:
Cliff Galiher earned 334 total points
ID: 40301620
ADFS is only an authentication layer. You still need to authenticate *to* something. Exchange mailboxes are associated to AD objects. That is fundamental to its design. So there is no way to avoid "extra" AD accounts. ADFS doesn't change the core nature of exchange.
0
 
LVL 14

Expert Comment

by:Brad Groux
ID: 40301631
Backing up Cliff's comments (don't assign points please). ADFS just provides a method for authentication, the source needs to still be there.
0
 
LVL 1

Author Comment

by:Hirenc
ID: 40301713
Apologies I may not have made my self clear.  The clients will all have AD accounts in their source domain.  I have one forest where I have my local domain accounts (Int Domain).  I have another domain which is hosting exchange mailboxes.(Hosted domain)  Rather then have all the user accounts duplicated from Int domain to the hosted domain, I want to use a claims based Identitiy mangment system which would be able to authenticate the existing users to the hosted domain.

My long term goal is to be able to offer my clients hosted mailboxes using a sso solution, so that they just need to authenticate once with their own corporate user account.
0
Free eBook: Backup on AWS

Everything you need to know about backup and disaster recovery with AWS, for FREE!

 
LVL 58

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 334 total points
ID: 40301787
Exchange is built on AD as I said before. A mailbox cannot exist without an AD object (in the exchange domain) associated with it. If you've worked with exchange at all, even room mailboxes creates an object.

When you look at office 365, its SSO solution requires ADFS *and* its dirsync tool. Dirsync effective creates duplicate objects on the Azure side where O365 mailboxes are technically associated with.

So you cannot avoid having AD accounts on your exchange domain. And implementing an SSO solution would require a fair amount of manual back-end work. ADFS can certainly by a part of that solution, but it isn't a drop-in fix. Nor does it change the fact that accounts will still need to be provisioned for each mailbox.
0
 
LVL 37

Assisted Solution

by:Mahesh
Mahesh earned 166 total points
ID: 40301942
I think you are looking for Linked Mailboxes

Linked mailboxes are mailboxes that are accessed by users in a separate, trusted forest. Linked mailboxes may be necessary for organizations that deploy Exchange in a resource forest. The resource forest scenario allows an organization to centralize Exchange in a single forest, while allowing access to the Exchange organization with user accounts that are located in one or more trusted forests (called account forests). The user account that accesses the linked mailbox doesn't exist in the forest where Exchange is deployed. Therefore, a disabled user account that exists in the same forest as Exchange is created and associated with the corresponding linked mailbox.

Check below links
http://technet.microsoft.com/en-us/library/jj673532(v=exchg.150).aspx
http://msexchangeteam.in/linked-mailbox-in-exchange-server-2013-part-1-2/

Also you cannot do this without forest \ external domain trust, only adfs will not help, because ADFS service account do not have required permissions on mailbox
http://social.technet.microsoft.com/Forums/exchange/en-US/447c5b10-c04d-4063-be58-f09b0148644d/multiple-forests-no-trust-but-adfs-exchange-resource-forest-or-linked-mailbox-?forum=exchangesvrdeploy
0
 
LVL 1

Author Comment

by:Hirenc
ID: 40309384
Thanks guys for the above.  Accepted I will need to create the exchange mailboxes with associated A/D accounts in the same forest.
What is the best way to set up a single sign on solution between my other domain and the domain with the hosted exchange mailboxes.
My long term goal is to be able to offer clients a SSO solution whereby they can use their corporate A/D credentials to authenticate with their mailboxes hosted at my exchange domain, without using trusts or manually having to manage both set's of credentials.
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article explains how to install and use the NTBackup utility that comes with Windows Server.
Check out this step-by-step guide for using the newly updated Experts Exchange mobile app—released on May 30.
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question