MicroStrategy ONE

Configuring Exchange to Work with ADFS

To use ADFS as your service provider for Microsoft Exchange 2007 logins, you must configure ADFS to connect to Exchange and provide authentication for your Active Directory users.

The following steps contain only the information required to configure or use Microsoft ADFS and Microsoft Exchange 2007 with MicroStrategy Identity. See the Microsoft documentation for the latest information.

Configure your ADFS server and copy your ADFS SSL certificate to your Microsoft Exchange 2007 server.

The users in your MicroStrategy Identity Network must be added by synchronizing with Microsoft Active Directory.

MicroStrategy Identity users' Microsoft Active Directory passwords must be the same as their Exchange passwords.

To Configure your Microsoft Exchange Web Application to Work with ADFS

  1. Download and install the Windows Identity Foundation (WIF) for your system from the Microsoft website.
  2. Verify that the Claims to Windows Token service is included in the system's list of services.
  3. Download and install the WIF SDK from the Microsoft website.
  4. To create a new Outlook Web Access (OWA) configuration, create a directory for this configuration, such as C:\inetpub\wwwroot.
  5. Create a new web.config file that contains a default configuration.
  6. Establish a trust relationship between Microsoft Exchange and ADFS:
    1. Navigate to the installation folder you chose for the WIF SDK and open the Federation Utility wizard. The wizard is located in C:\Program Files (x86)\Windows Identity Foundation SDK\v3.5\ by default.
    2. Specify the location of the web.config file. For example, the file location is C:\inetpub\wwwroot\web.config by default.
    3. Specify your ADFS server as the Security Token Service (STS). To do this, type the URL for your ADFS server.
  7. Test the connection between Microsoft Exchange and ADFS. To do this, access the Microsoft Exchange Webmail URL. The browser redirects to the ADFS server for authentication.
  8. To disable forms-based authentication in the OWA, open the Microsoft Exchange Management Console.
  9. In the OWA Properties, make sure that the authentication type is set to Use One or More Standard Authentication Methods.
  10. To configure anonymous authentication for OWA on Internet Information Services (IIS), open the IIS system for the Microsoft Exchange Server.
  11. In the Authentication options, make sure that Anonymous Authentication is enabled.
  12. Restart IIS to apply the changes.
  13. To configure the Claims to Windows Token Service, from the WIF installation directory, create a backup file for c2wtshost.exe.config.
  14. Open the c2wtshost.exe.config file using a text editor, such as Notepad.
  15. Below the <allowedCallers> tag, uncomment the following line of code from this file:
    <add value="NT AUTHORITY\System" />
  16. Save your changes and close the text editor.
  17. View the available services for the computer in one of the following ways:
    • From the Windows Start menu, type Services in the search field. In the search results, click Services.
    • From the Windows Start menu, select Run. Type services.msc in the field, and then click OK.
  18. Right-click Claims to Windows Token Service, and then select Properties. The Claims to Windows Token Service Properties dialog box opens.
  19. On the General tab, from the Startup type drop-down list, select Automatic.
  20. From the Service status area, ensure that the status is Started. If the service is not started, click Start.
  21. Click OK.
  22. Navigate to the location of your OWA web.config file, which is stored in C:\inetpub\wwwroot\web.config by default.
  23. Open the web.config file using a text editor, such as Notepad.
  24. Below the <microsoft.identityModel> tag, search for the <securityTokenHandlers> tag and apply the following modification:

    <securityTokenHandlers>
      <add type="Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
        <samlSecurityTokenRequirement mapToWindows="true" useWindowsTokenService="true" />
      </add>
    </securityTokenHandlers>
  25. Below the <federatedAuthentication> tag, define the homeRealm as https://identity.com/.
  26. Add a Claims Provider Trust relationship in ADFS. For steps to configure the trust relationship, see Importing Your MicroStrategy Identity Server Data into ADFS.
  27. To add a Relying Party Trust in ADFS, open ADFS, then add a relying party trust.
  28. Select the Import Data About the Relying Party Published Online or on a Local Network option as the data source.
  29. In the Federation metadata address field, type the URL for your OWA website.
  30. To configure the URL that MicroStrategy Identity uses to communicate with Microsoft Exchange, do the following:
    1. Log into MicroStrategy Identity Manager.
    2. Under Web Application Login, click Add Apps next to the ADFS configuration that controls your Microsoft Exchange instance.
    3. From the Select Application drop-down list, select Exchange.
    4. You can change the image that is displayed on the login page. Next to the image preview, click Import an Icon. Select an image to display, then click Open.
    5. In the Enter Display Name field, type a name to display on the login page. The name can be up to 30 characters.
    6. In the Application Login URL field, type the URL to log in to Microsoft Exchange.
    7. Click Done.
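The following read-only PowerShell audit is an added example, not MicroStrategy's or Microsoft's code; it checks the state that steps 13 through 25 and the IIS anonymous-authentication change leave behind on the Exchange server. The OWA web.config path, the WIF runtime path for c2wtshost.exe.config, and the IIS site path of the OWA application are assumptions to adjust for your server.

```powershell
# Added audit script (not from the MicroStrategy or Microsoft documentation).
# Read-only: reports deviations from the configuration described in the procedure.
# Assumed defaults; change these three values to match your server.
$OwaWebConfig = 'C:\inetpub\wwwroot\web.config'
$C2wtsConfig  = "$env:ProgramFiles\Windows Identity Foundation\v3.5\c2wtshost.exe.config"
$OwaSitePath  = 'IIS:\Sites\Default Web Site\owa'
$ExpectedHomeRealm = 'https://identity.com/'

$findings = @()

# 1. Claims to Windows Token Service (service name c2wts) must be running and set to Automatic.
$svc = Get-Service -Name c2wts -ErrorAction SilentlyContinue
if (-not $svc) { $findings += 'c2wts service is not installed (WIF runtime missing?)' }
elseif ($svc.Status -ne 'Running') { $findings += "c2wts service is $($svc.Status), expected Running" }
$startMode = (Get-WmiObject Win32_Service -Filter "Name='c2wts'").StartMode
if ($startMode -ne 'Auto') { $findings += "c2wts startup type is '$startMode', expected Auto" }

# 2. c2wtshost.exe.config must list NT AUTHORITY\System as an allowed caller.
#    Only real <add> elements count; the entry still inside an XML comment is ignored.
[xml]$c2wts = Get-Content $C2wtsConfig
$callers = @($c2wts.SelectNodes('//allowedCallers/add') | ForEach-Object { $_.value })
if ($callers -notcontains 'NT AUTHORITY\System') {
    $findings += 'NT AUTHORITY\System is not an allowed caller in c2wtshost.exe.config'
}

# 3. OWA web.config: the SAML 1.1 handler must map claims to a Windows token through c2wts,
#    and wsFederation must carry the MicroStrategy Identity home realm over HTTPS only.
[xml]$web = Get-Content $OwaWebConfig
$req = $web.SelectSingleNode('//microsoft.identityModel//securityTokenHandlers/add[contains(@type,"Saml11SecurityTokenHandler")]/samlSecurityTokenRequirement')
if (-not $req) { $findings += 'Saml11SecurityTokenHandler has no samlSecurityTokenRequirement element' }
elseif ($req.mapToWindows -ne 'true' -or $req.useWindowsTokenService -ne 'true') {
    $findings += 'samlSecurityTokenRequirement must set mapToWindows="true" and useWindowsTokenService="true"'
}
$wsfed = $web.SelectSingleNode('//microsoft.identityModel//federatedAuthentication/wsFederation')
if ($wsfed.homeRealm -ne $ExpectedHomeRealm) { $findings += "homeRealm is '$($wsfed.homeRealm)', expected $ExpectedHomeRealm" }
if ($wsfed.requireHttps -eq 'false') { $findings += 'wsFederation requireHttps="false": tokens would be accepted over plain HTTP' }

# 4. IIS anonymous authentication must be enabled on the OWA application (WIF performs the sign-in).
Import-Module WebAdministration
$anon = Get-WebConfigurationProperty -PSPath $OwaSitePath -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name enabled
if (-not $anon.Value) { $findings += "Anonymous authentication is disabled on $OwaSitePath" }

if ($findings.Count -eq 0) { 'OK: OWA, c2wts and IIS settings match the procedure.' }
else { $findings | ForEach-Object { "FAIL: $_" } }
```

Run it in an elevated PowerShell session on the Exchange server after completing the procedure; any FAIL line names the step whose result did not take effect.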

Related Topics

Specifying Active Directory Federation Services (ADFS) as Your Service Provider

Configuring ADFS on a Server

Configuring SharePoint to Work with ADFS

Signing in to MicroStrategy Identity-Enabled Web Applications from a Centralized Website

Categorizing MicroStrategy Badge Resources