As most organizations move to Office 365, there is normally a period of co-existence. During this time, organizations may choose to take advantage of Azure MFA prior to the completion of a mailbox migration. In these cases, organizations may want to incorporate Azure MFA for their current on-premises Exchange OWA environment.
This can be accomplished by publishing the on-premises OWA as an enterprise application in Azure.
Example Environment Specifics Used Below:
- On-premises App Proxy:
- AAP01
- AAP02 (having a second is recommended)
- Exchange CAS:
- CAS01
- CAS02
- CAS Array:
- CAS-Array-ASA
- Active Directory Forest:
- root.local
- External namespace:
- mydomain.com
Using Alternate Service Account (ASA)
- This option assumes you have already setup an ASA for Exchange using: https://docs.microsoft.com/en-us/exchange/architecture/client-access/kerberos-auth-for-load-balanced-client-access?view=exchserver-2019
- In on-premises AD, set an SPN of ‘http/mail.root.local’ on CAS-Array-ASA
- Open a command prompt with admin rights
- Run: setspn -A http/mail.root.local CAS-Array-ASA
- Confirm the setting took effect by running: setspn -L CAS-Array-ASA
- In on-premises AD, set KCD (Kerberos Constrained Delegation) on AAP01 and AAP02 to CAS-Array-ASA, ‘http/CAS-Array-ASA.root.local’
- Open AD Users and Computers
- Search for AAP01 and go to its properties
- On the delegation tab, choose ‘Trust this computer for delegation to specified services only’
- Select ‘Use any authentication protocol’
- Click the Add button, then the ‘Users or Computers’ button
- Search for ‘CAS-Array-ASA’
- Scroll down and select the ‘http’ service before clicking the OK button
- Click OK to close the properties for AAP01
- Search for AAP02 and go to its properties
- On the delegation tab, choose ‘Trust this computer for delegation to specified services only’
- Select ‘Use any authentication protocol’
- Click the Add button, then the ‘Users or Computers’ button
- Search for ‘CAS-Array-ASA’
- Scroll down and select the ‘http’ service before clicking the OK button
- Click OK to close the properties for AAP02
- In Azure AD, under Application Proxy, create a new Connector Group named something like ‘On-premOWAConnector’
- Add AAP01 and AAP02 to the newly created ‘On-premOWAConnector’ Connector Group
- In Azure AD, create a new Enterprise Application
- Use the following settings:
- Example name: On-premises OWA
- Internal URL: https://mail.root.local/owa
- External URL: https://mail-mydomain.msappproxy.net/owa
- Pre Authentication: Azure Active Directory
- Connector Group: On-premOWAConnector (or whatever it was named earlier)
- Backend Application Timeout: Default
- Use HTTP-Only Cookie: No
- Translate URLs in Headers: No
- Translate URLs in Application Body: No
- Under the settings of the new Enterprise Application set the following:
- Users and Groups
- Add the users and/or groups that should be able to use this application
- Single sign-on
- Single Sign-on Mode: Integrated Windows Authentication
- Internal Application SPN: http/CAS-Array-ASA.root.local
- Delegated Login Identity: User principal name
- Using the ‘Test Application’ button on the properties tab of the Enterprise Application, ensure the on-premises OWA page comes up using Azure MFA
- With the Enterprise Application confirmed working, the chosen redirection method for https://mail.mydomain.com and https://mail.mydomain.com/owa can be updated to route traffic to https://mail-mydomain.msappproxy.net/owa
Using a Single Enterprise Application with a Single CAS
- In on-premises AD, set an SPN of ‘http/CAS01.root.local’ on CAS01
- Open a command prompt with admin rights
- Run: setspn -A http/CAS01.root.local CAS01
- Confirm the setting took effect by running: setspn -L CAS01
- In on-premises AD, set KCD (Kerberos Constrained Delegation) on AAP01 and AAP02 to CAS01, ‘http/CAS01.root.local’
- Open AD Users and Computers
- Search for AAP01 and go to its properties
- On the delegation tab, choose ‘Trust this computer for delegation to specified services only’
- Select ‘Use any authentication protocol’
- Click the Add button, then the ‘Users or Computers’ button
- Search for ‘CAS01’
- Scroll down and select the ‘http’ service before clicking the OK button
- Click OK to close the properties for AAP01
- Search for AAP02 and go to its properties
- On the delegation tab, choose ‘Trust this computer for delegation to specified services only’
- Select ‘Use any authentication protocol’
- Click the Add button, then the ‘Users or Computers’ button
- Search for ‘CAS01’
- Scroll down and select the ‘http’ service before clicking the OK button
- Click OK to close the properties for AAP02
- In Azure AD, under Application Proxy, create a new Connector Group named something like ‘On-premOWAConnector’
- Add AAP01 and AAP02 to the newly created ‘On-premOWAConnector’ Connector Group
- In Azure AD, create a new Enterprise Application
- Use the following settings:
- Example name: On-premises OWA
- Internal URL: https://cas01.root.local/owa
- External URL: https://mail-mydomain.msappproxy.net/owa
- Pre Authentication: Azure Active Directory
- Connector Group: On-premOWAConnector (or whatever it was named earlier)
- Backend Application Timeout: Default
- Use HTTP-Only Cookie: No
- Translate URLs in Headers: No
- Translate URLs in Application Body: No
- Under the settings of the new Enterprise Application set the following:
- Users and Groups
- Add the users and/or groups that should have access
- Single sign-on
- Single Sign-on Mode: Integrated Windows Authentication
- Internal Application SPN: http/cas01.root.local
- Delegated Login Identity: User principal name
- Using the ‘Test Application’ button on the properties tab of the Enterprise Application, ensure the on-premises OWA page comes up using Azure MFA
- With the Enterprise Application confirmed working, the chosen redirection method for https://mail.mydomain.com and https://mail.mydomain.com/owa can be updated to route traffic to https://mail-mydomain.msappproxy.net/owa
Note: In this scenario, should CAS01 become unavailable, OWA via https://mail.mydomain.com and https://mail.mydomain.com/owa will also become unavailable, and the redirection will need to be updated to point at another server.
Using 2 Enterprise Applications and 2 CAS
- In on-premises AD, set an SPN of ‘http/CAS01.root.local’ on CAS01 and an SPN of ‘http/CAS02.root.local’ on CAS02
- Open a command prompt with admin rights
- Run: setspn -A http/CAS01.root.local CAS01
- Confirm the setting took effect by running: setspn -L CAS01
- Run: setspn -A http/CAS02.root.local CAS02
- Confirm the setting took effect by running: setspn -L CAS02
- In on-premises AD, set KCD (Kerberos Constrained Delegation) on AAP01 to CAS01, ‘http/CAS01.root.local’ and set KCD on AAP02 to CAS02, ‘http/CAS02.root.local’
- Open AD Users and Computers
- Search for AAP01 and go to its properties
- On the delegation tab, choose ‘Trust this computer for delegation to specified services only’
- Select ‘Use any authentication protocol’
- Click the Add button, then the ‘Users or Computers’ button
- Search for ‘CAS01’
- Scroll down and select the ‘http’ service before clicking the OK button
- Click the Add button again
- Click the ‘Users or Computers’ button and search for ‘CAS02’
- Scroll down and select the ‘http’ service before clicking the OK button
- Click OK to close the properties for AAP01
- Search for AAP02 and go to its properties
- On the delegation tab, choose ‘Trust this computer for delegation to specified services only’
- Select ‘Use any authentication protocol’
- Click the Add button, then the ‘Users or Computers’ button
- Search for ‘CAS01’
- Scroll down and select the ‘http’ service before clicking the OK button
- Click the Add button again
- Click the ‘Users or Computers’ button and search for ‘CAS02’
- Scroll down and select the ‘http’ service before clicking the OK button
- Click OK to close the properties for AAP02
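The SPN and KCD steps of all three scenarios (ASA, single CAS, two CAS) can be applied and audited from PowerShell instead of setspn and the AD Users and Computers dialog. This is an added example, not part of the original guide; it assumes the RSAT ActiveDirectory module, an account allowed to edit the connector computer objects, and the example host names used in this guide.

```powershell
# Added example: apply and audit the on-premises SPN/KCD configuration for the
# App Proxy connectors. Not from the original guide; host names are its examples.
Import-Module ActiveDirectory

$Domain = 'root.local'
# Connector -> accounts it may delegate to, one row per scenario in the guide.
$Scenarios = @{
    'ASA'       = @{ AAP01 = @('CAS-Array-ASA');  AAP02 = @('CAS-Array-ASA') }
    'SingleCAS' = @{ AAP01 = @('CAS01');          AAP02 = @('CAS01') }
    'TwoCAS'    = @{ AAP01 = @('CAS01', 'CAS02'); AAP02 = @('CAS01', 'CAS02') }
}

# Equivalent of 'setspn -A <spn> <account>', but skips an SPN already present.
function Add-ServiceSpn {
    param([string]$Account, [string]$Spn)
    $have = (Get-ADComputer $Account -Properties ServicePrincipalNames).ServicePrincipalNames
    if ($have -notcontains $Spn) {
        Set-ADComputer -Identity $Account -ServicePrincipalNames @{ Add = $Spn }
    }
}

function Get-ExpectedTargets([string]$Scenario, [string]$Connector) {
    # The GUI adds both the short and the FQDN form of the selected http service.
    foreach ($t in $Scenarios[$Scenario][$Connector]) { "http/$t"; "http/$t.$Domain" }
}

# 'Specified services only' + 'Use any authentication protocol' as attributes:
# msDS-AllowedToDelegateTo plus the TrustedToAuthForDelegation flag.
function Set-ConnectorDelegation([string]$Scenario) {
    foreach ($connector in $Scenarios[$Scenario].Keys) {
        $allowed = [string[]](Get-ExpectedTargets $Scenario $connector)
        Set-ADComputer -Identity $connector -Replace @{ 'msDS-AllowedToDelegateTo' = $allowed }
        Set-ADAccountControl -Identity "$connector`$" -TrustedToAuthForDelegation $true
    }
}

# Audit: protocol transition lets the connector obtain tickets for any user, so any
# delegation target beyond the OWA backend is excess privilege and is reported.
function Test-ConnectorDelegation([string]$Scenario) {
    foreach ($connector in $Scenarios[$Scenario].Keys) {
        $c = Get-ADComputer $connector -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation
        $expected = @(Get-ExpectedTargets $Scenario $connector)
        [pscustomobject]@{
            Connector          = $connector
            ProtocolTransition = $c.TrustedToAuthForDelegation
            Missing            = @($expected | Where-Object { $_ -notin $c.'msDS-AllowedToDelegateTo' }) -join ','
            UnexpectedTargets  = @($c.'msDS-AllowedToDelegateTo' | Where-Object { $_ -notin $expected }) -join ','
        }
    }
}

# Usage for the ASA scenario: register the SPN from the guide, configure, then audit.
Add-ServiceSpn -Account 'CAS-Array-ASA' -Spn "http/mail.$Domain"
Set-ConnectorDelegation 'ASA'
Test-ConnectorDelegation 'ASA' | Format-Table -AutoSize
```

Run Test-ConnectorDelegation on its own after any change to the connectors; a non-empty UnexpectedTargets column means a connector can delegate to services this design never needed.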
- In Azure AD, under Application Proxy, create a new Connector Group named something like ‘On-premOWAConnector’
- Add AAP01 and AAP02 to the newly created ‘On-premOWAConnector’ Connector Group
- In Azure AD, create a new Enterprise Application
- Use the following settings:
- Example name: On-premises OWA 1
- Internal URL: https://CAS01.root.local/owa
- External URL: https://mail1-mydomain.msappproxy.net/owa
- Pre Authentication: Azure Active Directory
- Connector Group: On-premOWAConnector (or whatever it was named earlier)
- Backend Application Timeout: Default
- Use HTTP-Only Cookie: No
- Translate URLs in Headers: No
- Translate URLs in Application Body: No
- Under the settings of the new Enterprise Application set the following:
- Users and Groups
- Add the users and/or groups that should be able to use this application
- Single sign-on
- Single Sign-on Mode: Integrated Windows Authentication
- Internal Application SPN: http/CAS01.root.local
- Delegated Login Identity: User principal name
- Using the ‘Test Application’ button on the properties tab of the Enterprise Application, ensure the on-premises OWA page comes up using Azure MFA
- In Azure AD, create a second Enterprise Application
- Use the following settings:
- Internal URL: https://CAS02.root.local/owa
- External URL: https://mail2-mydomain.msappproxy.net/owa
- Pre Authentication: Azure Active Directory
- Connector Group: On-premOWAConnector (or whatever it was named earlier)
- Backend Application Timeout: Default
- Use HTTP-Only Cookie: No
- Translate URLs in Headers: No
- Translate URLs in Application Body: No
- Under the settings of the new Enterprise Application set the following:
- Users and Groups
- Add the users and/or groups that should be able to use this application
- Single sign-on
- Single Sign-on Mode: Integrated Windows Authentication
- Internal Application SPN: http/CAS02.root.local
- Delegated Login Identity: User principal name
- Using the ‘Test Application’ button on the properties tab of the Enterprise Application, ensure the on-premises OWA page comes up using Azure MFA
- With both Enterprise Applications confirmed working, the chosen redirection method for https://mail.mydomain.com and https://mail.mydomain.com/owa can be updated to route traffic to https://mail1-mydomain.msappproxy.net/owa and https://mail2-mydomain.msappproxy.net/owa in a ‘round robin’ fashion
Note: In this scenario, should CAS01 or CAS02 become unavailable, the affected server's URL will need to be removed as a redirection target on the load-balancing solution.