Solved

Can ADFS be used to provide authentication services for exchange (2013 sp1), so clients can connect  to exchange using outlook.  All clients will be external  to the exchange forest

Posted on 2014-09-03
7
86 Views
Last Modified: 2016-06-13
I have an exchange 2013 sp1 setup with a single CAS server and MBX server.  I would like to provide access to the mailboxes hosted in this environment to external clients without going down the trusts root and also without creating extra user accounts in the domain where exchange is setup.

I would like to use ADFS 2.1 to authenticate the clients, however is this possible so that users can use outlook to connect to their mailboxes or is it just restricted to Outlook Web App
0
Comment
Question by:Hirenc
7 Comments
 
LVL 57

Accepted Solution

by:
Cliff Galiher earned 334 total points
ID: 40301620
ADFS is only an authentication layer. You still need to authenticate *to* something. Exchange mailboxes are associated to AD objects. That is fundamental to its design. So there is no way to avoid "extra" AD accounts. ADFS doesn't change the core nature of exchange.
0
 
LVL 14

Expert Comment

by:Brad Groux
ID: 40301631
Backing up Cliff's comments (don't assign points please). ADFS just provides a method for authentication, the source needs to still be there.
0
 
LVL 1

Author Comment

by:Hirenc
ID: 40301713
Apologies I may not have made my self clear.  The clients will all have AD accounts in their source domain.  I have one forest where I have my local domain accounts (Int Domain).  I have another domain which is hosting exchange mailboxes.(Hosted domain)  Rather then have all the user accounts duplicated from Int domain to the hosted domain, I want to use a claims based Identitiy mangment system which would be able to authenticate the existing users to the hosted domain.

My long term goal is to be able to offer my clients hosted mailboxes using a sso solution, so that they just need to authenticate once with their own corporate user account.
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 
LVL 57

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 334 total points
ID: 40301787
Exchange is built on AD as I said before. A mailbox cannot exist without an AD object (in the exchange domain) associated with it. If you've worked with exchange at all, even room mailboxes creates an object.

When you look at office 365, its SSO solution requires ADFS *and* its dirsync tool. Dirsync effective creates duplicate objects on the Azure side where O365 mailboxes are technically associated with.

So you cannot avoid having AD accounts on your exchange domain. And implementing an SSO solution would require a fair amount of manual back-end work. ADFS can certainly by a part of that solution, but it isn't a drop-in fix. Nor does it change the fact that accounts will still need to be provisioned for each mailbox.
0
 
LVL 36

Assisted Solution

by:Mahesh
Mahesh earned 166 total points
ID: 40301942
I think you are looking for Linked Mailboxes

Linked mailboxes are mailboxes that are accessed by users in a separate, trusted forest. Linked mailboxes may be necessary for organizations that deploy Exchange in a resource forest. The resource forest scenario allows an organization to centralize Exchange in a single forest, while allowing access to the Exchange organization with user accounts that are located in one or more trusted forests (called account forests). The user account that accesses the linked mailbox doesn't exist in the forest where Exchange is deployed. Therefore, a disabled user account that exists in the same forest as Exchange is created and associated with the corresponding linked mailbox.

Check below links
http://technet.microsoft.com/en-us/library/jj673532(v=exchg.150).aspx
http://msexchangeteam.in/linked-mailbox-in-exchange-server-2013-part-1-2/

Also you cannot do this without forest \ external domain trust, only adfs will not help, because ADFS service account do not have required permissions on mailbox
http://social.technet.microsoft.com/Forums/exchange/en-US/447c5b10-c04d-4063-be58-f09b0148644d/multiple-forests-no-trust-but-adfs-exchange-resource-forest-or-linked-mailbox-?forum=exchangesvrdeploy
0
 
LVL 1

Author Comment

by:Hirenc
ID: 40309384
Thanks guys for the above.  Accepted I will need to create the exchange mailboxes with associated A/D accounts in the same forest.
What is the best way to set up a single sign on solution between my other domain and the domain with the hosted exchange mailboxes.
My long term goal is to be able to offer clients a SSO solution whereby they can use their corporate A/D credentials to authenticate with their mailboxes hosted at my exchange domain, without using trusts or manually having to manage both set's of credentials.
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

MS Outlook is a world-class email client application that is mainly used for e-communication globally.  In this article, we will discuss the basic idea about MS Outlook, its advanced features, and types of MS Outlook File formats.
This article lists the top 5 free OST to PST Converter Tools. These tools save a lot of time for users when they want to convert OST to PST after their exchange server is no longer available or some other critical issue with exchange server or impor…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
This video demonstrates how to sync Microsoft Exchange Public Folders with smartphones using CodeTwo Exchange Sync and Exchange ActiveSync. To learn more about CodeTwo Exchange Sync and download the free trial, go to: http://www.codetwo.com/excha…

821 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question