question

Joachim-3513 avatar image
0 Votes"
Joachim-3513 asked ZhengqiLou-MSFT commented

Exchange 2016: How to exclude Exchange Server themselves from ADFS authentication on OWA and ECP

We successfully enabled ADFS authentication for OWA and ECP.
While this is what we want for the clients, we now have the problem that the local ECP of any exchange server cant be authenticated anymore: https://localhost/ecp/?ExchClientVer=15 or https://servername/ecp/?ExchClientVer=15

This leads to an ADFS error page because the cert is not valid.

We have to fall back to https://owa.ist.ac.at/ecp/?ExchClientVer=15

The problem with this is, for some tasks i need to know on which server I work. For instance to check if our OWA theme still works after a server upgrade.

So i need to make https://localhost/ecp/?ExchClientVer=15 work again locally on the servers. How I can exclude these servers or the admin users from ADFS authentication? I can apply the authentication in ADFS to groups, but now they are applied to everyone and I would love if I dont have to mess with the groups but somehow could just exclude the servers in a way that does not affect the whole infrastructure.

office-exchange-server-administration
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

2 Answers

ZhengqiLou-MSFT avatar image
0 Votes"
ZhengqiLou-MSFT answered ZhengqiLou-MSFT commented

Hi @Joachim-3513 ,

As Andy said, if you enabled ADFS auth for OWA/ECP, the basics and form auth are disabled, so you can't log in with your logon name and password.
I think you can disable this then re-enable the basic/form auth, or you may have to fix the certificate problems.

Regards,
Lou

If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

· 1
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

ZhengqiLou-MSFT avatar image ZhengqiLou-MSFT ·

Hi @Joachim-3513 ,

Do the suggestions above help? If the issue has been resolved, please click “Accept as answer” to mark helpful reply as an answer, this will make answer searching in the forum easier and be beneficial to other community members as well.

Regards,
Lou

If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

0 Votes 0 ·
AndyDavid avatar image
0 Votes"
AndyDavid answered

There is no way to do that unless you disable ADFS auth on the virtual dirs of those servers.

Alternatively, set the local hosts file on your workstation for owa.ist.ac.at to a specific server's IP Address and connect that way when you want to verify things.




5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.