
Solved

Can ADFS be used to provide authentication services for Exchange (2013 SP1), so clients can connect to Exchange using Outlook? All clients will be external to the Exchange forest.

Posted on 2014-09-03
Medium Priority
151 Views
Last Modified: 2016-06-13
I have an Exchange 2013 SP1 setup with a single CAS server and MBX server. I would like to provide access to the mailboxes hosted in this environment to external clients without going down the trusts route, and also without creating extra user accounts in the domain where Exchange is set up.

I would like to use ADFS 2.1 to authenticate the clients. However, is this possible so that users can use Outlook to connect to their mailboxes, or is it restricted to Outlook Web App?
Question by:Hirenc
6 Comments
Accepted Solution by Cliff Galiher (LVL 60, earned 1336 total points)
ID: 40301620
ADFS is only an authentication layer. You still need to authenticate *to* something. Exchange mailboxes are associated with AD objects. That is fundamental to its design. So there is no way to avoid "extra" AD accounts. ADFS doesn't change the core nature of Exchange.
Expert Comment by Brad Groux (LVL 14)
ID: 40301631
Backing up Cliff's comments (don't assign points, please). ADFS just provides a method for authentication; the source still needs to be there.
Author Comment by Hirenc (LVL 1)
ID: 40301713
Apologies, I may not have made myself clear. The clients will all have AD accounts in their source domain. I have one forest where I have my local domain accounts (Int domain). I have another domain which is hosting Exchange mailboxes (Hosted domain). Rather than have all the user accounts duplicated from the Int domain to the Hosted domain, I want to use a claims-based identity management system which would be able to authenticate the existing users to the Hosted domain.

My long-term goal is to be able to offer my clients hosted mailboxes using an SSO solution, so that they just need to authenticate once with their own corporate user account.
Assisted Solution by Cliff Galiher (LVL 60, earned 1336 total points)
ID: 40301787
Exchange is built on AD, as I said before. A mailbox cannot exist without an AD object (in the Exchange domain) associated with it. If you've worked with Exchange at all, you know even room mailboxes create an object.

When you look at Office 365, its SSO solution requires ADFS *and* its DirSync tool. DirSync effectively creates duplicate objects on the Azure side, which is where O365 mailboxes are technically associated.

So you cannot avoid having AD accounts in your Exchange domain. And implementing an SSO solution would require a fair amount of manual back-end work. ADFS can certainly be a part of that solution, but it isn't a drop-in fix. Nor does it change the fact that accounts will still need to be provisioned for each mailbox.
Assisted Solution by Mahesh (LVL 39, earned 664 total points)
ID: 40301942
I think you are looking for Linked Mailboxes.

Linked mailboxes are mailboxes that are accessed by users in a separate, trusted forest. Linked mailboxes may be necessary for organizations that deploy Exchange in a resource forest. The resource forest scenario allows an organization to centralize Exchange in a single forest, while allowing access to the Exchange organization with user accounts that are located in one or more trusted forests (called account forests). The user account that accesses the linked mailbox doesn't exist in the forest where Exchange is deployed. Therefore, a disabled user account that exists in the same forest as Exchange is created and associated with the corresponding linked mailbox.

Check the links below:
http://technet.microsoft.com/en-us/library/jj673532(v=exchg.150).aspx
http://msexchangeteam.in/linked-mailbox-in-exchange-server-2013-part-1-2/

Also, you cannot do this without a forest or external domain trust; ADFS alone will not help, because the ADFS service account does not have the required permissions on the mailbox.
http://social.technet.microsoft.com/Forums/exchange/en-US/447c5b10-c04d-4063-be58-f09b0148644d/multiple-forests-no-trust-but-adfs-exchange-resource-forest-or-linked-mailbox-?forum=exchangesvrdeploy
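The resource-forest arrangement Mahesh describes (a disabled shadow account in the Exchange forest, linked to the real account in the trusted account forest), as an added example written for this page from the Exchange Management Shell. This is not Mahesh's code or the linked TechNet article's; it assumes the forest trust is already in place, and the forest names, domain controller, OU, mailbox database and user (`INT\jdoe`, `dc01.int.example.com`, `hosted.example.com`, `MBX-DB01`) are placeholders.

```powershell
# Added example (not from the thread): provision a linked mailbox in an
# Exchange 2013 resource forest and verify the result. All names below are
# assumptions; run from the Exchange Management Shell in the hosted forest.

$AccountForestDC   = 'dc01.int.example.com'               # assumed DC in the account (Int) forest
$AccountForestUser = 'INT\jdoe'                           # assumed user in the account forest
$HostedUpn         = 'jdoe@hosted.example.com'            # assumed UPN of the shadow object
$HostedOu          = 'hosted.example.com/LinkedMailboxes' # assumed OU for disabled shadow accounts
$HostedDb          = 'MBX-DB01'                           # assumed mailbox database

# Credential that can read the account forest; Exchange uses it only to
# resolve the SID of the linked master account while provisioning.
$LinkedCred = Get-Credential -Message 'Account forest credential (read access is enough)'

# Create the linked mailbox. Exchange creates a DISABLED user object in the
# hosted forest and stamps it with the SID of INT\jdoe as the master account,
# so no password is set or needed on the hosted side.
New-Mailbox -Name 'Jane Doe' -Alias 'jdoe' `
    -UserPrincipalName $HostedUpn `
    -OrganizationalUnit $HostedOu `
    -Database $HostedDb `
    -LinkedMasterAccount $AccountForestUser `
    -LinkedDomainController $AccountForestDC `
    -LinkedCredential $LinkedCred

# Check 1: the mailbox is a LinkedMailbox and points at the expected master account.
$mbx = Get-Mailbox -Identity $HostedUpn
if ($mbx.RecipientTypeDetails -ne 'LinkedMailbox' -or
    $mbx.LinkedMasterAccount -ne $AccountForestUser) {
    throw "Mailbox $HostedUpn is not linked to $AccountForestUser as expected"
}

# Check 2: the shadow account in the hosted forest must stay disabled, so the
# only usable credential for this mailbox is the one in the trusted forest.
$shadow = Get-User -Identity $HostedUpn
if ($shadow.UserAccountControl -notmatch 'AccountDisabled') {
    throw "Shadow account for $HostedUpn is enabled; it is now a second, unmanaged credential"
}

# Audit: report every linked mailbox whose hosted-forest account is NOT disabled.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails LinkedMailbox |
    ForEach-Object {
        $u = Get-User -Identity $_.Identity
        if ($u.UserAccountControl -notmatch 'AccountDisabled') {
            [pscustomobject]@{
                Mailbox  = $_.PrimarySmtpAddress
                LinkedTo = $_.LinkedMasterAccount
                Enabled  = $true
            }
        }
    }
```

The two checks are the part worth keeping: the linked-mailbox model only avoids duplicate credentials if the shadow accounts in the Exchange forest remain disabled, so the audit loop at the end is something to schedule, not run once. None of this removes the trust requirement Mahesh points out; the `-LinkedDomainController` lookup and the later SID-based access both depend on it.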
Author Comment by Hirenc (LVL 1)
ID: 40309384
Thanks guys for the above. Accepted, I will need to create the Exchange mailboxes with associated AD accounts in the same forest.
What is the best way to set up a single sign-on solution between my other domain and the domain with the hosted Exchange mailboxes?
My long-term goal is to be able to offer clients an SSO solution whereby they can use their corporate AD credentials to authenticate with their mailboxes hosted at my Exchange domain, without using trusts or manually having to manage both sets of credentials.