Hybrid Modern Authentication with VMware Boxer – Part 3 – Configuration

Hybrid Modern Authentication configuration

The first thing to do before doing any of it is to make sure the Exchange organization is following the latest guidance on Hybridity; this is due to have a very strict support stance from Microsoft and how are things evolves over time. Once, certainty is acquired, you can proceed with the activation of the authentication on the Exchange organization. Also, you have to remember that the activation of Hybrid Modern Authentication impacts all services on Exchange, OWA and ECP excluded.

Check current status of Modern Authentication

Modern Authentication might already be activated, you can check by using this command:

Get-OrganizationConfig | fl OAuth*

OAuth2ClientProfileEnabled : True

Azure SPN Configuration

Azure has an application listing the services valid to deliver a token to. Normally, Hybrid Exchange Wizard configuration does this job for you, but you need to make sure that the list is up to date and correspond to your infrastructure.

First you need to list the URLs used in the Exchange organization.

Get-MapiVirtualDirectory | FL server,*url*
Get-WebServicesVirtualDirectory | FL server,*url*
Get-ClientAccessServer | fl Name, AutodiscoverServiceInternalUri
Get-OABVirtualDirectory | FL server,*url*
Get-AutodiscoverVirtualDirectory | FL server,*url*
Get-OutlookAnywhere | FL server,*hostname*

Then you need to check the list in Azure but first you need to connect to Azure using

Connect-MsolService

Then run this command

Get-MsolServicePrincipal -AppPrincipalId 00000002-0000-0ff1-ce00-000000000000 | select -ExpandProperty ServicePrincipalNames

If you don’t have this command in your PowerShell, you need to install the MSOnline module

Install-Module MSOnline

If the FQDN used for the services are not in the list then you need to add them, like so:

$AzureSPNs = Get-MsolServicePrincipal -AppPrincipalId 00000002-0000-0ff1-ce00-000000000000
$AzureSPNs.ServicePrincipalnames.Add("https://activesync.domain.com/")
$AzureSPNs.ServicePrincipalnames.Add("https://ews.domain.com/")
Set-MSOLServicePrincipal -AppPrincipalId 00000002-0000-0ff1-ce00-000000000000 -ServicePrincipalNames $AzureSPNs.ServicePrincipalNames

Virtual directories authentication method

We now need to validate that oAuth is listed as an authentication method for every services.

Get-MapiVirtualDirectory | FL server,*url*,*auth*
Get-WebServicesVirtualDirectory | FL server,*url*,*oauth*
Get-OABVirtualDirectory | FL server,*url*,*oauth*
Get-AutoDiscoverVirtualDirectory | FL server,*oauth*

For each service, look for OAuth in the authentication method.

Get-WebServicesVirtualDirectory | FL server,*url*,*oauth*

Server               : EXCHANGESERVERNAME
InternalNLBBypassUrl :
InternalUrl          : https://ews.internal.lan/EWS/Exchange.asmx
ExternalUrl          : https://ews.domain.com/EWS/Exchange.asmx
OAuthAuthentication  : True

If oAuth is missing, you then need to add it as an authentication method also make sure it’s consistent across all servers.

You can use the following command to add oAuth Set-MapiVirtualDirectorySet-WebServicesVirtualDirectorySet-OABVirtualDirectory, and Set-AutodiscoverVirtualDirectory

ActiveSync virtual directory does not have by default authentication methods listed, you can, however, restrict the authentication methods for external and internal using Set-ActiveSyncVirtualDirectory, like so:

Set-ActiveSyncVirtualDirectory -Identity EXCHANGESERVERNAME\Microsoft-Server-ActiveSync -ExternalAuthenticationMethods "OAuth,Certificate"

More info : Set-ActiveSyncVirtualDirectory (ExchangePowerShell) | Microsoft Learn

Validating EvoSTS object

EvoSTS object is the authentication server used by Office 365 and it is associated to the tenant so if the organization have multiple tenants linked then there will be multiple entries. The realm is the GUID of the Azure AD tenant allowing you to match the EvoSTS server entry and the tenant.

Open the Exchange Management Shell and run:

Get-AuthServer | where {$_.Name -like "EvoSts*"} | ft name,enabled,realm

As described in the prerequisite, Microsoft Exchange 2010 and 2007 cannot be in the organization, if there is, then EvoSTS server entry is not created.

If you cannot see any EvoSTS entry, you need to run the Hybrid Configuration Wizard.
To download the Hybrid Configuration wizard, go to https://aka.ms/HybridWizard

Enable Hybrid Modern Authentication

The command to run will depends on the version of exchange and on when the hybrid configuration was done, all commands are run in the Exchange Management Shell.

If the Exchange version is Exchange 2016 (CU18 or higher) or Exchange 2019 (CU7 or higher) and hybrid was configured with Hybrid Configuration Wizard downloaded after September 2020, you need to add the parameter DomainName, to the Set-AuthServer commands below

-DomainName "mycompany.onmicrosoft.com"

You can get the domain name using this command

Get-AuthServer | where {$_.Name -like "EvoSts*"} | fl name,DomainName

If Get-AuthServer return EvoSTS without GUID, run:

Set-AuthServer -Identity EvoSTS -IsDefaultAuthorizationEndpoint $true

Otherwise run

Set-AuthServer -Identity "EvoSTS - <GUID>" -IsDefaultAuthorizationEndpoint $true

Finally, configure the organization:

Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

VMware Boxer configuration

While the authentication flow from a user standpoint is the same the configuration between an on-premises hosted mailbox and a cloud mailbox it differs at the endpoint to reach.

In both cases, the assignment, the restrictions and other non-related configuration can be common.

Add boxer application to Azure

In order for VMware Boxer to be allowed to request token, as described in the Scope section of part 1, it is necessary to add VMware Boxer application to Azure, you either need a first user to give consent or you can use the following link to grant consent for the organization, you will need to have admin rights in Azure to do so:

https://login.microsoftonline.com/common/oauth2/authorize?client_id=f0bdb2fb-7148-4a4f-ac82-c2c357243d58&response_type=code&prompt=admin_consent&sso_reload=true&redirect_uri=https://login.microsoftonline.com/common/oauth2/nativeclient

The successful result is a white page.

If the VMware Boxer app cannot be added, a custom application can be added to the Azure tenant by following this KB: Configuring Modern Authentication Flow with Azure in Workspace ONE Boxer (87610)

Endpoint Configuration

Cloud Mailbox

For cloud mailboxes, change Exchange ActiveSync Host to outlook.office365.com, you can go now the Enable Modern Authentication section below.

On-premises Mailbox

For on-premises mailbox few settings need to be configured, we will consider that Secure Email Gateway (SEG) is used as it is the best way to secure ActiveSync and avoid exposing Exchange to the internet.

Exchange ActiveSync Host: SEG FQDN or Exchange ActiveSync endpoint

EWS URL: URL to reach EWS always in the following format

https://<your_ews_domain>/EWS/Exchange.asmx

If EWS endpoint is not reachable via Internet, you can use per-app VPN, see part 4.

Email Management: Select the Secure Email Gateway configuration related.

To support Shared Mailbox as well as other EWS features you need to add the following KVP, in the Custom Account Configuration:

KVP NameKVP Value TypeKVP Value
PolicyEnableHybridModernAuthEWSBooleanTrue
Email Notification Service (ENS)

If you are using ENS cloud, you need to add the following KVP in the Custom Account Configuration:

KVP NameKVP Value TypeKVP Value
PolicyENSResourceURLStringhttps://ews.domain.com

If you are using ENS on-premises, you have to modify the value “Resource” in the configuration file “web.config” located in “<installationfolder>\Email Notification Service\” to “https://ews.domain.com

From

<add key="Resource" value="https://outlook.office365.com" />

To

<add key="Resource" value="https://ews.domain.com" />

Enable Modern Authentication

Once the endpoints are configured you need to need to enable Modern Authentication. To do so click on Edit next to the Authentication section.

In the Authentication section, toggle the Modern Authentication button to green to enable Modern Authentication.

Configure any other settings required in the profile and save it.

Next: Part 4 – Special use cases and FAQ

Written by
Website | + posts

vExpert, blogger and VMware champion. Worked as a Microsoft consultant for a partner before joining VMware via Airwatch in 2015.

Leave a Reply

Your email address will not be published. Required fields are marked *.

*
*

This site uses Akismet to reduce spam. Learn how your comment data is processed.

BCF Shop Theme By aThemeArt.
BACK TO TOP