?
Solved

Can ADFS be used to provide authentication services for exchange (2013 sp1), so clients can connect  to exchange using outlook.  All clients will be external  to the exchange forest

Posted on 2014-09-03
7
Medium Priority
?
110 Views
Last Modified: 2016-06-13
I have an exchange 2013 sp1 setup with a single CAS server and MBX server.  I would like to provide access to the mailboxes hosted in this environment to external clients without going down the trusts root and also without creating extra user accounts in the domain where exchange is setup.

I would like to use ADFS 2.1 to authenticate the clients, however is this possible so that users can use outlook to connect to their mailboxes or is it just restricted to Outlook Web App
0
Comment
Question by:Hirenc
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 59

Accepted Solution

by:
Cliff Galiher earned 1336 total points
ID: 40301620
ADFS is only an authentication layer. You still need to authenticate *to* something. Exchange mailboxes are associated to AD objects. That is fundamental to its design. So there is no way to avoid "extra" AD accounts. ADFS doesn't change the core nature of exchange.
0
 
LVL 14

Expert Comment

by:Brad Groux
ID: 40301631
Backing up Cliff's comments (don't assign points please). ADFS just provides a method for authentication, the source needs to still be there.
0
 
LVL 1

Author Comment

by:Hirenc
ID: 40301713
Apologies I may not have made my self clear.  The clients will all have AD accounts in their source domain.  I have one forest where I have my local domain accounts (Int Domain).  I have another domain which is hosting exchange mailboxes.(Hosted domain)  Rather then have all the user accounts duplicated from Int domain to the hosted domain, I want to use a claims based Identitiy mangment system which would be able to authenticate the existing users to the hosted domain.

My long term goal is to be able to offer my clients hosted mailboxes using a sso solution, so that they just need to authenticate once with their own corporate user account.
0
Optimize your web performance

What's in the eBook?
- Full list of reasons for poor performance
- Ultimate measures to speed things up
- Primary web monitoring types
- KPIs you should be monitoring in order to increase your ROI

 
LVL 59

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 1336 total points
ID: 40301787
Exchange is built on AD as I said before. A mailbox cannot exist without an AD object (in the exchange domain) associated with it. If you've worked with exchange at all, even room mailboxes creates an object.

When you look at office 365, its SSO solution requires ADFS *and* its dirsync tool. Dirsync effective creates duplicate objects on the Azure side where O365 mailboxes are technically associated with.

So you cannot avoid having AD accounts on your exchange domain. And implementing an SSO solution would require a fair amount of manual back-end work. ADFS can certainly by a part of that solution, but it isn't a drop-in fix. Nor does it change the fact that accounts will still need to be provisioned for each mailbox.
0
 
LVL 37

Assisted Solution

by:Mahesh
Mahesh earned 664 total points
ID: 40301942
I think you are looking for Linked Mailboxes

Linked mailboxes are mailboxes that are accessed by users in a separate, trusted forest. Linked mailboxes may be necessary for organizations that deploy Exchange in a resource forest. The resource forest scenario allows an organization to centralize Exchange in a single forest, while allowing access to the Exchange organization with user accounts that are located in one or more trusted forests (called account forests). The user account that accesses the linked mailbox doesn't exist in the forest where Exchange is deployed. Therefore, a disabled user account that exists in the same forest as Exchange is created and associated with the corresponding linked mailbox.

Check below links
http://technet.microsoft.com/en-us/library/jj673532(v=exchg.150).aspx
http://msexchangeteam.in/linked-mailbox-in-exchange-server-2013-part-1-2/

Also you cannot do this without forest \ external domain trust, only adfs will not help, because ADFS service account do not have required permissions on mailbox
http://social.technet.microsoft.com/Forums/exchange/en-US/447c5b10-c04d-4063-be58-f09b0148644d/multiple-forests-no-trust-but-adfs-exchange-resource-forest-or-linked-mailbox-?forum=exchangesvrdeploy
0
 
LVL 1

Author Comment

by:Hirenc
ID: 40309384
Thanks guys for the above.  Accepted I will need to create the exchange mailboxes with associated A/D accounts in the same forest.
What is the best way to set up a single sign on solution between my other domain and the domain with the hosted exchange mailboxes.
My long term goal is to be able to offer clients a SSO solution whereby they can use their corporate A/D credentials to authenticate with their mailboxes hosted at my exchange domain, without using trusts or manually having to manage both set's of credentials.
0

Featured Post

Ransomware: The New Cyber Threat & How to Stop It

This infographic explains ransomware, type of malware that blocks access to your files or your systems and holds them hostage until a ransom is paid. It also examines the different types of ransomware and explains what you can do to thwart this sinister online threat.  

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article aims to explain the working of CircularLogArchiver. This tool was designed to solve the buildup of log file in cases where systems do not support circular logging or where circular logging is not enabled
Check out this step-by-step guide for using the newly updated Experts Exchange mobile app—released on May 30.
This tutorial will walk an individual through the process of installing of Data Protection Manager on a server running Windows Server 2012 R2, including the prerequisites. Microsoft .Net 3.5 is required. To install this feature, go to Server Manager…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

801 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question