OWA/ECP ADFS Claims based authentication only for certain servers

Schindler Christian 21 Reputation points
2020-11-13T14:12:03.267+00:00

Hello,

I'm currently working on a migration from Exchange Server 2013 to 2019.

The customer wants to enable ADFS Claims based Auth for OWA/ECP only for those 2019 Servers.

Is this supported/possible?

According to the docs https://learn.microsoft.com/en-us/Exchange/clients/outlook-on-the-web/ad-fs-claims-based-auth?view=exchserver-2019

We have to set organization wide parameters and also enable ADFS auth on VDIRS.

Any help would be appreciated!

Kind Regards

Christian Schindler


Accepted answer
  1. Andy David - MVP 142.3K Reputation points MVP
    2020-11-23T22:48:07.123+00:00

    One thing to note. Its not supported to do this. To be supported, all the Exchange Servers must be enabled for ADFS auth.

    https://learn.microsoft.com/en-us/Exchange/clients/outlook-on-the-web/ad-fs-claims-based-auth?view=exchserver-2019#co-existence-with-other-versions-of-exchange

    You can use AD FS authentication for Outlook on the web and the EAC when you have more than one version of Exchange deployed in your organization. This scenario is supported only if all clients are connecting through Exchange servers, and all of those servers have been configured for AD FS authentication


2 additional answers

Sort by: Most helpful
  1. Lucas Liu-MSFT 6,161 Reputation points
    2020-11-16T07:07:56.517+00:00

    Hi @Schindler Christian ,
    If, after the migration is complete, you do not uninstall Exchange 2013 and maintain the coexistence state, then you need to enable ADFS for the whole Exchange organization, not only for Exchange 2019.
    If you uninstall Exchange 2013 after migration, only Exchange 2019 will exist. It is achievable; you can follow the steps in the link you provided. If you want to set up a specified server, please enter the URL of that specific server during the setup process, and when configuring Exchange for ADFS, please configure it on that specific server.
    It should be noted that "step 4a: Create relying party trusts in AD FS for Outlook on the web and the EAC" and "step 4b: Create custom claim rules in AD FS for Outlook on the web and the EAC" need to be executed twice, once for OWA and once for ECP. Then configure the Exchange organization to use AD FS authentication.
    Then run the following commands to configure the authentication method of the ECP and OWA virtual directories. Please note that you should configure ECP first, and then OWA.
    Finally, please run IISRESET in a CMD prompt started as administrator to restart IIS.

    Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -OAuthAuthentication $false -WindowsAuthentication $false
    Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -OAuthAuthentication $false -WindowsAuthentication $false


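Added example, not from any of the posters in this thread: the accepted answer says every Exchange server must be ADFS-enabled for the configuration to be supported, and the answer above gives the Set-*VirtualDirectory commands that enforce it. This script audits the ECP and OWA virtual directories on all servers against that required state and reports any server still accepting another method, so a partial rollout (the unsupported mixed state) is caught before clients are cut over. It assumes an Exchange Management Shell session; the function and variable names are the example's own.

```powershell
# Audit OWA/ECP virtual directories on every Exchange server and flag any that
# are not ADFS-only (the state the docs require on all servers at once).
# Assumes an Exchange Management Shell session with read access to the org.

# Required authentication settings, matching the Set-*VirtualDirectory calls
$required = @{
    AdfsAuthentication    = $true
    BasicAuthentication   = $false
    DigestAuthentication  = $false
    FormsAuthentication   = $false
    OAuthAuthentication   = $false
    WindowsAuthentication = $false
}

function Get-AdfsVdirAudit {
    # Both vdir types, for all servers (no -Server filter)
    $vdirs = @(Get-EcpVirtualDirectory) + @(Get-OwaVirtualDirectory)
    foreach ($v in $vdirs) {
        # Collect every property that deviates from the required value
        $mismatch = foreach ($name in $required.Keys) {
            if ($v.$name -ne $required[$name]) { "$name=$($v.$name)" }
        }
        [pscustomobject]@{
            Server    = $v.Server
            Identity  = $v.Identity
            Compliant = (@($mismatch).Count -eq 0)
            Mismatch  = (@($mismatch) -join ', ')
        }
    }
}

$audit = Get-AdfsVdirAudit
$audit | Sort-Object Server | Format-Table -AutoSize

# The vdir settings only work together with the organization-wide ADFS values
Get-OrganizationConfig | Select-Object AdfsIssuer, AdfsAudienceUris, AdfsSignCertificateThumbprint

$bad = @($audit | Where-Object { -not $_.Compliant })
if ($bad.Count -gt 0) {
    Write-Warning ("{0} virtual directories are not ADFS-only; a mixed state is unsupported" -f $bad.Count)
}
```

Run it again after the IISRESET on each server; an empty warning list is the state the co-existence section of the docs describes.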

  2. Schindler Christian 21 Reputation points
    2020-11-27T07:42:46.63+00:00

    Hello,

    thanks for your answers. Regarding the supported statement: if clients only connect through 2019 and proxy to 2013, would it then be supported?

    Cheers
    Christian