

Does PortalGuard support federation with Outlook Web App?

Tags: federation, owa, sso, sspr, 2fa

Problem definition: You are considering purchasing PortalGuard, or have already purchased it, and want to know whether PortalGuard can federate with the Outlook desktop client, the Outlook Web App, or both.


Solution:

PortalGuard supports federation with the Outlook Web App, so users can get Single Sign-On to OWA, or be required to complete Two-Factor Authentication through PortalGuard before reaching it. PortalGuard has been certified against Outlook Web App up to Exchange 2013 Cumulative Update 8 (CU8). The steps below change authentication only for the OWA and ECP virtual directories; they do not alter how the Outlook desktop client connects to Exchange.

The requirements for the PortalGuard server are as follows:

• All end-users must be able to reach the PortalGuard website (e.g. port 443 for HTTPS) over the network. End-users will be redirected to the PortalGuard server(s) to authenticate when accessing OWA.

• PG_IdP.dll is version 4.3.1.5 or higher. This file can be found in the <PGROOT>\bin folder. NOTE: Please contact PortalGuard support if you do not have at least this version to determine the best upgrade method.

The requirements for the Exchange Server are as follows:

• Must be running Exchange 2013, SP1 (aka CU4) or higher

NOTE: You can determine the Exchange version using the following Exchange Management Shell command: get-exchangeserver |ft name,admindisplay*

The result’s “Build” value for Exchange 2013 can be looked up here. The Build Number for CU4 is “847.32”.

On the PortalGuard server

Create/Edit SAML Configurations

1) Follow the steps in the Identity Provider / SSO section of Chapter 5. This will help you:

  a. Create the IdP Signing Certificate,
  b. Set up the “General IdP Settings” and
  c. Edit the default Attribute Store so the PortalGuard IdP can pull user data from your directory

If you already have SAML SSO to other websites through PortalGuard, then you have already completed these steps.

2) Launch the Identity Provider Configuration Utility (IdP_Config.exe).

3) In the “SAML Websites” list, click the “Create” button.

4) Open the “WS-Fed” tab and in the Templates section, click the “OWA 2013” button.

NOTE: If you do not see this button, then you are not running the proper version of PortalGuard and will need to contact Technical Support to upgrade your server.

5) On the popup dialog that appears, enter the OWA CAS server URL “base” that users enter to access OWA. This must include the protocol, but must not include any additional URL path.

Correct:

https://owa.acme.com

Incorrect:

https://owa.acme.com/owa OR owa.acme.com

6) OK the “successfully applied template” popup and save the configuration.

7) Back in the “SAML Websites” tab, click the “Create” button again.

8) Open the “WS-Fed” tab and in the Templates section, click the “OWA 2013 (ECP)” button.

9) On the popup dialog that appears, enter the same OWA CAS server URL “base” you entered in the previous step.

10) OK the “successfully applied template” popup and save the configuration.

11) Click the “Apply To Identity Provider” button in the main IdP_Config dialog and perform the “Sync” on the dialog that follows to make the changes available to end-users.

Determine Signing Certificate Thumbprint

Exchange requires the hex-encoded Thumbprint value from your PortalGuard IdP’s signing certificate. This can be accessed by double-clicking the public PGIdP.cer file created in step 1a above and scrolling down to the “Thumbprint” field on the Details tab:

For Exchange, the thumbprint value must be all CAPITAL LETTERS and only contain character values 0-9 and A-F inclusive. If copied from the certificate details above, then all spaces must be removed and all letters must be capitalized (Tip: The “Ctrl-Shift-U” hotkey in Notepad++ will capitalize the highlighted text).

NOTE: The Microsoft certificate snap-in is known to include “invisible” Unicode characters (a left-to-right mark, U+200E) at the beginning and end of the copied “Thumbprint” value (see this link for further details). A thumbprint that still contains them will not match the certificate, so paste the copied value into a text editor, re-type the entire value manually on the line below, and use the re-typed line in the steps that follow.

On the OWA Client Access Server(s)

NOTE: The steps below must be performed on each Exchange front-end/Client Access Server that will be federated.

Trust PortalGuard IdP Signing Certificate

NOTE: The following Exchange shell commands reference ADFS but PortalGuard’s federation with OWA 2013 does NOT require ADFS to be running in your environment. PortalGuard simply leverages the same configuration steps and back-end .NET modules. Do NOT setup a new ADFS server as it is not needed.

1) Copy the PGIdP.cer file from the PortalGuard server to the Windows Desktop on CAS instance.

2) Launch an Exchange Management Shell as an administrator

3) Run “mmc” from the shell.

4) In the Microsoft Management Console, choose the File -> Add/Remove Snap-in… menu item:

5) In the left-hand list, choose Certificates, click the Add > button, then choose Computer account, Local computer then click the Finish button.

6) Click OK to view the local machine’s certificate store. In the left-hand tree, find the Trusted People container, right-click it, then choose the All Tasks -> Import… menu item.

7) Browse to the PGIdP.cer file, accept all other defaults, then use the Finish button to add the PortalGuard’s IdP signing certificate to this machine.

Configure OWA Authentication Types

8) Paste the following two lines into a text editor:

$uris = @("https://YOUR.OWA.SERVER/owa","https://YOUR.OWA.SERVER/ecp")

Set-OrganizationConfig -AdfsIssuer "https://YOUR.PORTALGUARD.SERVER/sso/go.ashx" -AdfsAudienceUris $uris -AdfsSignCertificateThumbprint "YOUR-PGIDP-SIGNINGCERT-THUMBPRINT"

9) Edit the text by replacing both instances of YOUR.OWA.SERVER with the server name by which users access OWA, e.g. owa.acme.com.

10) On the 2nd line, replace YOUR.PORTALGUARD.SERVER with the server name by which users can access PortalGuard, e.g. portalguard.acme.com.

11) Also on the 2nd line, replace YOUR-PGIDP-SIGNINGCERT-THUMBPRINT with the thumbprint you determined in the previous section. For SHA-1, this thumbprint is 40 characters long: hex digits only, upper-case, no spaces. A correctly edited version of these two lines should look like this:

12) Copy the two edited lines from the text editor and paste them into the Exchange Management Shell. Press Enter to execute them. You will receive a warning that iisreset must be run before the changes take effect.

13) Get the name of the ECP virtual directory for the CAS you want to federate. You can get the full list for your environment by running the following Powershell command: Get-EcpVirtualDirectory

14) Paste the following line into a text editor: Get-EcpVirtualDirectory -Identity "THESERVER\YOUR-ECP-VDIR-NAME" | Set-EcpVirtualDirectory -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false

15) Edit the text by replacing THESERVER with the CAS server host name (e.g. OWA1) and YOUR-ECP-VDIR-NAME with the ECP virtual directory name you got from the previous PowerShell command, e.g. ecp (Default Web Site). A correctly edited version should look like this (note the backslash between the hostname and the ECP virtual directory name):

16) Copy the edited line from the text editor and paste it into the Exchange Management Shell and press Enter to execute it. You will receive two warnings about having to run iisreset and needing to make the same change for the OWA virtual directory. You can ignore those for now.

17) Get the name of the OWA virtual directory for the CAS you want to federate. You can get the full list for your environment by running the following Powershell command: Get-OwaVirtualDirectory

18) Paste the following line into a text editor: Get-OwaVirtualDirectory -Identity "THESERVER\YOUR-OWA-VDIR-NAME" | Set-OwaVirtualDirectory -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false

19) Edit the text by replacing THESERVER with the CAS server host name (e.g. OWA1) and YOUR-OWA-VDIR-NAME with the OWA virtual directory name you got from the previous PowerShell command, e.g. owa (Default Web Site).

A correctly edited version should look like this (again, note the backslash between the hostname and the OWA virtual directory name):

20) Copy the edited line from the text editor and paste it into the Exchange Management Shell and press Enter to execute it. You will receive a warning about having to run iisreset.

21) Restart IIS from the Powershell command line by running “iisreset”. Here is a screenshot of the 3 commands being run for a CAS server named antigua:
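The CAS-side procedure above (steps 1 to 21) and the thumbprint clean-up from the “Determine Signing Certificate Thumbprint” section, as one script. This is an added example and not PortalGuard's or Microsoft's own code. It assumes the host names owa.acme.com and portalguard.acme.com used on this page, that PGIdP.cer has been copied to the Desktop of the CAS you are on, and the default ECP/OWA virtual directory names; the helper functions Test-ExchangeMinimumBuild and ConvertTo-ExchangeThumbprint are ours. It reads the thumbprint from the certificate file rather than from the MMC viewer, which sidesteps the hidden-character problem entirely, and uses the cmdlets' -Server parameter instead of the “SERVER\vdir” identity so every ECP and OWA virtual directory on this CAS is federated.

```powershell
# Added example: run from an elevated Exchange Management Shell on the CAS being
# federated. Not PortalGuard's or Microsoft's script. Assumed values below.
$OwaHost         = "owa.acme.com"                        # host users type to reach OWA
$PortalGuardHost = "portalguard.acme.com"                # host of the PortalGuard IdP
$CasServer       = $env:COMPUTERNAME                     # this Client Access Server
$CertPath        = "$env:USERPROFILE\Desktop\PGIdP.cer"  # copied from the PortalGuard server (step 1)

$ErrorActionPreference = "Stop"

# Exchange 2013 SP1 (CU4) is build 15.0.847.32; refuse to continue on anything older.
function Test-ExchangeMinimumBuild {
    param([string]$Server)
    $v = (Get-ExchangeServer -Identity $Server).AdminDisplayVersion
    $actual  = New-Object System.Version($v.Major, $v.Minor, $v.Build, $v.Revision)
    $minimum = New-Object System.Version(15, 0, 847, 32)
    return ($actual -ge $minimum)
}

# Normalise a thumbprint the way Exchange wants it: drop every character that is
# not a hex digit (spaces and the hidden U+200E marks the MMC snap-in adds) and
# upper-case the rest. Works on a pasted GUI value as well as on $cert.Thumbprint.
function ConvertTo-ExchangeThumbprint {
    param([string]$Pasted)
    $clean = ($Pasted -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Expected a 40-character SHA-1 thumbprint after cleanup, got $($clean.Length) characters"
    }
    return $clean
}

if (-not (Test-ExchangeMinimumBuild -Server $CasServer)) {
    throw "$CasServer is older than Exchange 2013 SP1 (build 15.0.847.32)"
}

# Take the thumbprint from the certificate file itself; nothing is retyped from the GUI.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
$thumbprint = ConvertTo-ExchangeThumbprint -Pasted $cert.Thumbprint

# Steps 3-7: put the PortalGuard IdP signing certificate in the local machine's
# Trusted People store. Exchange will accept any OWA/ECP token signed by this key,
# so only the genuine PGIdP.cer belongs here.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("TrustedPeople", "LocalMachine")
$store.Open("ReadWrite")
if (-not $store.Certificates.Contains($cert)) { $store.Add($cert) }
$store.Close()

# Steps 8-12: issuer, audience URIs and signing-certificate thumbprint (organisation-wide).
# The audience URIs must match, scheme and host included, the URL users use for OWA.
$uris = @("https://$OwaHost/owa", "https://$OwaHost/ecp")
Set-OrganizationConfig -AdfsIssuer "https://$PortalGuardHost/sso/go.ashx" `
    -AdfsAudienceUris $uris `
    -AdfsSignCertificateThumbprint $thumbprint

# Steps 13-20: federate the ECP and OWA virtual directories on this CAS and turn
# the other authentication methods off so nothing can sidestep the redirect.
$otherAuthOff = @{
    BasicAuthentication   = $false
    DigestAuthentication  = $false
    FormsAuthentication   = $false
    WindowsAuthentication = $false
}
Get-EcpVirtualDirectory -Server $CasServer | Set-EcpVirtualDirectory -AdfsAuthentication $true @otherAuthOff
Get-OwaVirtualDirectory -Server $CasServer | Set-OwaVirtualDirectory -AdfsAuthentication $true @otherAuthOff

# Step 21: the changes only take effect after IIS restarts (this drops active OWA sessions).
iisreset

# Show what was applied so it can be checked against the PortalGuard IdP configuration.
Get-OrganizationConfig | Format-List AdfsIssuer, AdfsAudienceUris, AdfsSignCertificateThumbprint
Get-EcpVirtualDirectory -Server $CasServer | Format-List Identity, AdfsAuthentication, FormsAuthentication, BasicAuthentication, WindowsAuthentication
Get-OwaVirtualDirectory -Server $CasServer | Format-List Identity, AdfsAuthentication, FormsAuthentication, BasicAuthentication, WindowsAuthentication
```

Save it as a .ps1 and run it once per Client Access Server. Set-OrganizationConfig is organisation-wide, so repeating it on each server is harmless, but run nothing on the Exchange side until the PortalGuard “Apply To Identity Provider” sync has completed; once AdfsAuthentication is on and forms authentication is off, OWA on that server is unreachable until the IdP answers the redirect.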

Test Configuration Changes

Browse to OWA as an end-user. You should be redirected to the PortalGuard login screen automatically and, after a successful login (including any second factor PortalGuard enforces), be redirected back to OWA and signed in without seeing the Exchange forms logon page.
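A check that does not need a browser, added here as an example rather than taken from the original page: request /owa/ and /ecp/ anonymously without following redirects and confirm that the answer is a 302 to the PortalGuard host carrying the standard WS-Federation passive sign-in parameter (wa=wsignin1.0), rather than a redirect to Exchange's own /owa/auth/logon.aspx form. Host names are the page's examples; the function name Test-OwaRedirectsToIdp is ours.

```powershell
# Added example (not from the original page): verify from any machine that can
# reach OWA that an unauthenticated request is handed off to the PortalGuard IdP.
$OwaHost         = "owa.acme.com"          # assumed; the host users type for OWA
$PortalGuardHost = "portalguard.acme.com"  # assumed; the PortalGuard IdP host

function Test-OwaRedirectsToIdp {
    param([string]$OwaUrl, [string]$IdpHost)
    $req = [System.Net.HttpWebRequest]::Create($OwaUrl)
    $req.AllowAutoRedirect = $false   # we want to inspect the 302, not follow it
    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        if ($_.Exception.Response -eq $null) { throw }   # DNS, TLS or connection failure
        $resp = $_.Exception.Response                    # 4xx/5xx still carry a response
    }
    $status   = [int]$resp.StatusCode
    $location = $resp.Headers["Location"]
    $resp.Close()
    Write-Host "$OwaUrl -> HTTP $status $location"
    if ($status -ne 302 -or -not $location) { return $false }
    $target = New-Object System.Uri($location)
    # A federation redirect lands on the IdP host with the WS-Federation sign-in
    # action. A redirect to /owa/auth/logon.aspx instead means the virtual
    # directory is still using forms authentication (or iisreset has not run).
    return ($target.Host -eq $IdpHost -and $location -match 'wa=wsignin1\.0')
}

foreach ($path in "/owa/", "/ecp/") {
    if (Test-OwaRedirectsToIdp -OwaUrl "https://$OwaHost$path" -IdpHost $PortalGuardHost) {
        Write-Host "OK: $path federates to $PortalGuardHost"
    } else {
        Write-Warning "$path is not redirecting to the PortalGuard IdP; check AdfsAuthentication on that virtual directory and that iisreset was run"
    }
}
```

Run it after iisreset on each CAS (point it at the individual server name if OWA sits behind a load balancer), and again after any change to the OWA or ECP virtual directory settings.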

Page last modified on February 10, 2016, at 03:00 PM