Solved

Can ADFS be used to provide authentication services for exchange (2013 sp1), so clients can connect  to exchange using outlook.  All clients will be external  to the exchange forest

Posted on 2014-09-03
7
61 Views
Last Modified: 2016-06-13
I have an exchange 2013 sp1 setup with a single CAS server and MBX server.  I would like to provide access to the mailboxes hosted in this environment to external clients without going down the trusts root and also without creating extra user accounts in the domain where exchange is setup.

I would like to use ADFS 2.1 to authenticate the clients, however is this possible so that users can use outlook to connect to their mailboxes or is it just restricted to Outlook Web App
0
Comment
Question by:Hirenc
7 Comments
 
LVL 56

Accepted Solution

by:
Cliff Galiher earned 334 total points
Comment Utility
ADFS is only an authentication layer. You still need to authenticate *to* something. Exchange mailboxes are associated to AD objects. That is fundamental to its design. So there is no way to avoid "extra" AD accounts. ADFS doesn't change the core nature of exchange.
0
 
LVL 14

Expert Comment

by:Brad Groux
Comment Utility
Backing up Cliff's comments (don't assign points please). ADFS just provides a method for authentication, the source needs to still be there.
0
 
LVL 1

Author Comment

by:Hirenc
Comment Utility
Apologies I may not have made my self clear.  The clients will all have AD accounts in their source domain.  I have one forest where I have my local domain accounts (Int Domain).  I have another domain which is hosting exchange mailboxes.(Hosted domain)  Rather then have all the user accounts duplicated from Int domain to the hosted domain, I want to use a claims based Identitiy mangment system which would be able to authenticate the existing users to the hosted domain.

My long term goal is to be able to offer my clients hosted mailboxes using a sso solution, so that they just need to authenticate once with their own corporate user account.
0
How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

 
LVL 56

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 334 total points
Comment Utility
Exchange is built on AD as I said before. A mailbox cannot exist without an AD object (in the exchange domain) associated with it. If you've worked with exchange at all, even room mailboxes creates an object.

When you look at office 365, its SSO solution requires ADFS *and* its dirsync tool. Dirsync effective creates duplicate objects on the Azure side where O365 mailboxes are technically associated with.

So you cannot avoid having AD accounts on your exchange domain. And implementing an SSO solution would require a fair amount of manual back-end work. ADFS can certainly by a part of that solution, but it isn't a drop-in fix. Nor does it change the fact that accounts will still need to be provisioned for each mailbox.
0
 
LVL 35

Assisted Solution

by:Mahesh
Mahesh earned 166 total points
Comment Utility
I think you are looking for Linked Mailboxes

Linked mailboxes are mailboxes that are accessed by users in a separate, trusted forest. Linked mailboxes may be necessary for organizations that deploy Exchange in a resource forest. The resource forest scenario allows an organization to centralize Exchange in a single forest, while allowing access to the Exchange organization with user accounts that are located in one or more trusted forests (called account forests). The user account that accesses the linked mailbox doesn't exist in the forest where Exchange is deployed. Therefore, a disabled user account that exists in the same forest as Exchange is created and associated with the corresponding linked mailbox.

Check below links
http://technet.microsoft.com/en-us/library/jj673532(v=exchg.150).aspx
http://msexchangeteam.in/linked-mailbox-in-exchange-server-2013-part-1-2/

Also you cannot do this without forest \ external domain trust, only adfs will not help, because ADFS service account do not have required permissions on mailbox
http://social.technet.microsoft.com/Forums/exchange/en-US/447c5b10-c04d-4063-be58-f09b0148644d/multiple-forests-no-trust-but-adfs-exchange-resource-forest-or-linked-mailbox-?forum=exchangesvrdeploy
0
 
LVL 1

Author Comment

by:Hirenc
Comment Utility
Thanks guys for the above.  Accepted I will need to create the exchange mailboxes with associated A/D accounts in the same forest.
What is the best way to set up a single sign on solution between my other domain and the domain with the hosted exchange mailboxes.
My long term goal is to be able to offer clients a SSO solution whereby they can use their corporate A/D credentials to authenticate with their mailboxes hosted at my exchange domain, without using trusts or manually having to manage both set's of credentials.
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Marketers need statistics and metrics like everybody else needs oxygen. In this article we explain how to enable marketing campaign statistics for Microsoft Exchange mail.
This process describes the steps required to Import and Export data from and to .pst files using Exchange 2010. We can use these steps to export data from a user to a .pst file, import data back to the same or a different user, or even import data t…
In this Micro Tutorial viewers will learn how to restore single file or folder from Bare Metal backup image of their system. Tutorial shows how to restore files and folders from system backup. Often it is not needed to restore entire system when onl…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now