Hideez Authentication Service (EN)
  • Hideez Authentication Service for Enterprises
    • Release notes
    • Key features of the Hideez Authentication Service in 5 minutes
  • Quick Start Guides
    • Hideez Authenticator Mobile app guide
    • Hideez Key guide
    • Passkey guide
    • FIDO Security Key guide
      • Activation FIDO key and setting PIN code
    • Quick Start Guide for subscriptions
      • Hideez Security Key
      • Hideez Authenticator App
      • Passkeys
    • Guide for Hideez Enterprise Server on Cloud
      • Passkeys
      • Mobile app
      • Hideez Key
  • Use cases
    • Hideez Authenticator Mobile App
      • Passwordless PC login
      • Password-based PC login
      • SSO login to Webservises (FIDO2) via mobile app
        • Using Hideez Authenticator as your passwordless authentication method for SSO
      • Using Hideez Authenticator as your two-factor authentication method for SSO
      • OTP generation by Hideez Authenticator App for 2FA
      • RDP login by Hideez Authenticator App
      • Remote PC lock
    • Hideez Key
      • Proximity Lock
      • Proximity Unlock
        • Unlock PC by Hideez Dongle Touch (Tap-and-Go)
      • Changing a Domain User Password on the Hideez Server
      • Proximity settings (guide for admin)
      • Automatic RDP Launch and Logon
      • Password manager and OTP generator
      • OTP manager for two-factor authentication
    • FIDO Security Key
      • SSO login to Web Servises via Hardware Key (FIDO2)
      • Passwordless PC Login to Entra ID (Azure AD).
      • Using Hideez Key as U2F security key for your two-factor authentication
      • Other vendors' hardware keys
    • Passkey
      • SSO login to Web Services (FIDO2) via Passkey and Hideez Server as Identity Provider
    • Emergency blocking of all computers
    • Employee's account disabling
  • Hideez Enterprise Server
    • Hideez Enterprise Server
    • Glossary
    • Hideez Server Architecture
    • Deployment
      • Database installation
        • MySQL on Windows
        • MySQL on Linux
        • Microsoft SQL Server on Windows
        • Microsoft SQL Server on Linux
      • HES deployment
        • Windows
        • Linux
        • Docker
        • Deployment without Internet access
        • Troubleshooting
      • HES update
        • Windows
        • Linux
        • Docker
      • Publishing on-premises HES for remote users
    • Administration
      • How to change the password for an administrator account?
      • How to recover a forgotten admin password?
      • Adding an admin account
      • Deleting an admin account
      • How to enable two-factor authentication at the Hideez Enterprise Server?
      • Authorization on the HES server via a FIDO key
      • Platform authentication on the HES server
      • Connecting Linux server to Active Directory
      • Setting Hideez Server parameters
      • Configuring DNS server
      • Setting up a Proxy for Mobile App Access to HES
      • How to create and set Hideez Key Access Profiles
      • How to manage companies and departments?
      • How to manage Positions?
      • Enable load balancing
      • Data Protection
    • Dashboard
      • Information about the server
      • Information about employees
      • Information about devices
      • Workstations Information
    • Employees
      • How to add an Employee?
      • Employees management
      • Employee management with Active Directory
    • Workstations
      • How to add and approve Workstations?
      • Workstations management
      • Workstation Profiles
      • Use Proximity Unlock Workstations
    • Hardware Vaults
      • How to add Hideez Key into the Server
      • Assign a key to the user
      • Remove the key from the Employee
      • Set a profile for a Hardware Vault
      • How to see an RFID code on the Employee key?
    • Accounts
      • Creating personal employee accounts
      • Creating shared employee accounts
      • Personal account management
      • Shared account management
      • Accounts backup and restore
      • How to work with the account template?
    • Keys Management
      • Keys Statuses
      • Transition to Reserved status
      • Keys Activation mechanism
      • Cancel issuance of Hideez Key (Reserved -> Ready)
      • Transition to Suspended status
      • Transition to Locked status
      • Transition to Deactivated status
      • Transition to Compromised status
      • Removing the Locked status
      • Wipe procedure
      • Delete key from Hideez Server
    • Audit
      • Workstation events
      • Workstation Sessions
      • Summaries
    • Single Sign On settings
      • How to get employee licenses
      • Admin settings
      • User settings
    • Configuring SAML Protocol
    • Configuration OIDC (OpenID Connect)
  • Hideez Server Integration
    • Active Directory Integration
      • Synchronization and import employees from Active Directory
      • Import and Sync Users from Active Directory
      • Import and sync users from Active Directory with domain password changing
      • How to enable FIDO2 passwordless authentication with Microsoft Azure AD for use with Windows 10-11
    • SAML integration
      • ASA AnyConnect VPN
      • Citrix services
      • Fortinet services
      • GitHub Enterprise
      • GitLab on premises
      • Google Workspace
      • Microsoft Exchange for Authentication via SAML
        • ADFS Installation
      • Okta (SAML)
    • Open ID Connect integration
      • Hideez Server as an External Authentication Method for Microsoft Entra ID via OIDC
      • OKTA (OIdC)
    • WS-Federation integration
      • Configure Exchange Outlook Web Application and Exchange Admin Center
  • Hideez Client App
    • Hideez Client deployment
      • Installation of the Hideez Client Application
      • Deploying Hideez Client MSI via GPO (Group Policy Object)
      • Configuration app
      • Uninstall Hideez Client app
      • Uninstalling via GPO
      • Upgrade Hideez Client
      • Downgrade Hideez Client
    • Application interface
      • General Settings
      • Logon settings
      • Aditional settings
      • Configuring hotkeys
    • Account management
      • Account creation
      • Editing an Existing Account
      • Deleting your account
    • Shortcuts
    • Remote Vault connection
    • Mobile Authenticator
  • Hideez Authenticator App
    • Quick overview
    • Admin guide
      • Setup for PC login scenario
        • Passwordless PC Login Setup
          • Configuring an Active Directory Certification Authority
          • Hideez Enterprise Server setup for passwordless login
        • Password-based PC login Setup
      • Setup for SSO login scenario
    • User guide
      • Mobile App Primary Setup
      • App enrollment on Hideez Server
        • Enroll the application on Hideez Server for SSO
          • SSO enrollment (admin account)
          • SSO enrollment (user account)
        • PC Authorization Enrollment
          • Enrollment for Passwordless PC Authorization
            • Passwordless account re-enrollment
          • Enrollment for Password-based PC Authorization
            • Account roaming
      • Login with Hideez Authenticator
        • SSO login
        • PC login
          • Offline passwordless login
          • Login to the remote PC via RDP
      • PC lock
      • OTP generation
      • Software key disabling
        • PC logon disabling
        • SSO logon disabling
      • Service operations
  • Hideez Key (Enterprise Edition)
    • Hideez Key (Enterprise Edition)
    • Technical Specifications
      • Technical specifications Hideez Key 3
      • Technical specifications Hideez Key 4
    • Principles of operation
    • Device Layout
    • Battery maintenance
    • Hideez Key modes
    • How to update the Hideez Key (Enterprise) firmware
    • How to enter credentials with the Hideez Key
    • How to unlock PC
    • Key for Physical doors
  • Product Updates
    • Product updates
    • Hideez Enterprise Server updates
    • Hideez Key firmware updates
    • Hideez Client updates
    • Hideez Authenticator updates
  • API
    • Hideez Enterprise Server web API
  • FAQ
    • How-to's
      • How to add an Employee?
      • How to add personal user account on HES?
      • How to assign Hideez Key to a user?
      • How to activate Hideez Key?
      • How to unlock Hideez Key on HES?
      • How to unlock PC with Hideez Key?
      • How to setup proximity PC unlock?
      • How to use Hideez Key on remote PC?
      • How to enroll the Hideez Authentication app on HES for SSO?
      • How to login on HES with Hideez Authenticator?
      • How to enroll the Hideez Authentication app for PC login?
      • How to login to PC with Hideez Authenticator?
      • Enable QR Code Display for Hideez Authenticator on the Lock Screen of a Windows Remote Workstation
    • Hideez Client App
      • What do I do if I see the message "Connection failed. Trying to re-bond device"?
      • What do I do if the connection with the HES server cannot be established?
      • What should I do if the Password Manager menu item is not displayed?
    • Hideez Enterprise Server
      • How to view logs at Hideez Enterprise Server?
    • Setting Up Gmail with HES
    • Hideez Authenticator
      • QR code is not displayed at the credential provider on my PC
      • I have registered successfully but cannot login
      • What do I do if I changed domain and cannot login now
      • Does the Hideez App collect or transmit data from the phone to third parties or services?
    • Hideez Key
      • What physical conditions are dangerous for the Hideez Key?
      • Is the Hideez Key allowed on planes?
  • Documentation portal
Powered by GitBook
On this page
  • Step 1: Configure integration for Exchange OWA in Hideez Server
  • Step 2: Configure integration for Exchange admin center (EAC) in Hideez Server
  • Step 3: Configure Exchange Server Sign-On via Hideez Server
  • 1. Install the Certificate on the Exchange Server for Exchange OWA:
  • 2. Execute Commands in Exchange Management Shell for Exchange OWA:
  • Step 4: Configure Sign-On to Exchange admin center (EAC) via Hideez Server
  • 1. Install the Certificate on the Exchange Server for Exchange OWA:
  • 2. Execute Commands in Exchange Management Shell for Exchange admin center (EAC):
  • Step 5: Configure Virtual Directories:
  • 1. Configure virtual directories for AD FS authentication for OWA:
  • 2. Configure virtual directories for AD FS authentication for Exchange admin center (EAC):
  • Step 6: Restart Internet Information Services (IIS)

Was this helpful?

  1. Hideez Server Integration
  2. WS-Federation integration

Configure Exchange Outlook Web Application and Exchange Admin Center

Hideez Enterprise Server – Integration of Hideez Server with Exchange OWA and Exchange AC via WS Federation

PreviousWS-Federation integrationNextHideez Client deployment

Last updated 1 month ago

Was this helpful?

This integration is designed to enable authentication for the Exchange Outlook Web Application (OWA) and Exchange Admin Center acting as a Service Providers (SP) via the Hideez Server as the Identity Provider (IdP).

Step 1: Configure integration for Exchange OWA in Hideez Server

  1. Login to Hideez Server as Administrator.

  2. Navigate to WS Federation Settings:

    • Go to Settings → Parameters → WS Federation section.

  3. Add Exchange OWA as a Service Provider:

  • Click Add Service Provider.

  • Fill in the following details:

    • Name: OWA

    • WT-Realm: https://{owa-url} (e.g., https://mail.example.com/owa/)

    • Reply URL: https://{owa-url} (e.g., https://mail.example.com/owa/)

      • In our case https://exch.lab.hideez.com/owa/

  • Click Add.

  1. Obtain IdP Details:

  • Click on Details for the newly added service provider.

  • Download the IdP signing certificate.

  • Copy the IdP WS Federation URL.

Keep the tab WS Federation with values IdP WS Federation URL and the certificate ready for the next step.

Step 2: Configure integration for Exchange admin center (EAC) in Hideez Server

  1. Add an Exchange admin center (EAC) as a Service Provider:

  • Click Add Service Provider.

  • Fill in the following details:

    • Name: ECP

    • WT-Realm: https://{ecp-url} (e.g., https://mail.example.com/ecp/)

    • Reply URL: https://{ecp-url} (e.g., https://mail.example.com/ecp/)

      • In our case https://exch.lab.hideez.com/ecp/

  • Click Add.

  1. Obtain IdP Details:

  • Click on Details for the newly added service provider.

  • Download the IdP signing certificate.

  • Copy the IdP WS Federation URL.

Keep the tab WS Federation with values IdP WS Federation URL and the certificate ready for the next step.

Step 3: Configure Exchange Server Sign-On via Hideez Server

1. Install the Certificate on the Exchange Server for Exchange OWA:

  • Open the MMC Console on the Exchange Server:

  1. Press Win + R, type mmc, and press Enter.

  2. In the MMC console, go to File → Add/Remove Snap-in.

  3. Select Certificates from the list, then click Add.

  4. Choose Computer account and click Next → Select Local Computer → Click Finish → OK.

  • Import the Certificate

  1. In the MMC console, navigate to:

    • Certificates (Local Computer) → Trusted Root Certification Authorities → Certificates.

  2. Right-click on Certificates → All Tasks → Import.

  3. Follow the Certificate Import Wizard:

    • Click Next and browse to the location of the ws-fed-signing-owa.cer

    • Select the certificate and click Next.

    • Ensure the certificate is placed in the Trusted Root Certification Authorities store.

    • Click Next → Finish.

2. Execute Commands in Exchange Management Shell for Exchange OWA:

  • Open the Exchange Management Shell and execute the following commands:

Set-OrganizationConfig -AdfsIssuer "{Hideez WS Fed URL}" -AdfsAudienceUris "{OWA Base URL}" -AdfsSignCertificateThumbprint {Hideez Cert Thumbprint}

In the above command:

  • {OWA Base URL} is the Exchange OWA host,

  • {Hideez WS Fed URL} is the Idp WS Federation URL.

  • {Hideez Cert Thumbprint} is the thumbprint of the certificate you downloaded and installed.

Example:

Set-OrganizationConfig -AdfsIssuer "https://dev.hideez.com/wsfed" -AdfsAudienceUris "https://exch.lab.hideez.com/owa/" -AdfsSignCertificateThumbprint d80e7aa3d27ac800fb2d5fa7c08748a73d924cd2

Step 4: Configure Sign-On to Exchange admin center (EAC) via Hideez Server

1. Install the Certificate on the Exchange Server for Exchange OWA:

  • Open the MMC Console on the Exchange Server:

  1. Press Win + R, type mmc, and press Enter.

  2. In the MMC console, go to File → Add/Remove Snap-in.

  3. Select Certificates from the list, then click Add.

  4. Choose Computer account and click Next → Select Local Computer → Click Finish → OK.

  • Import the Certificate

  1. In the MMC console, navigate to:

    • Certificates (Local Computer) → Trusted Root Certification Authorities → Certificates.

  2. Right-click on Certificates → All Tasks → Import.

  3. Follow the Certificate Import Wizard:

    • Click Next and browse to the location of the ws-fed-signing-ecp.cer

    • Select the certificate and click Next.

    • Ensure the certificate is placed in the Trusted Root Certification Authorities store.

    • Click Next → Finish.

2. Execute Commands in Exchange Management Shell for Exchange admin center (EAC):

  • Open the Exchange Management Shell and execute the following commands:

Set-OrganizationConfig -AdfsIssuer "{Hideez WS Fed URL}" -AdfsAudienceUris "{ECP Base URL}" -AdfsSignCertificateThumbprint {Hideez Cert Thumbprint}

In the above command:

  • {ECP Base URL} is the Exchange Admin Center (EAC) host,

  • {Hideez WS Fed URL} is the Idp WS Federation URL.

  • {Hideez Cert Thumbprint} is the thumbprint of the certificate you downloaded and installed.

Example:

Set-OrganizationConfig -AdfsIssuer "https://dev.hideez.com/wsfed" -AdfsAudienceUris "https://exch.lab.hideez.com/ecp/" -AdfsSignCertificateThumbprint 3e04c68e71a591de637d0d21dcfd8e6f4b843684

If you need to configure both Outlook Web Application (OWA) and Exchange Admin Center (EAC) simultaneously, you can use the following command:

Set-OrganizationConfig -AdfsIssuer "{Hideez WS Fed URL}" -AdfsAudienceUris "{OWA Base URL}","{ECP Base URL}" -AdfsSignCertificateThumbprint {Hideez Cert Thumbprint}

Command Parameters Explained:

  • {Hideez WS Fed URL}: The URL of the Hideez WS Federation endpoint, acting as the Identity Provider (IdP) for authentication.

  • {OWA Base URL}: The base URL of the Outlook Web Application Service Provider (SP), such as https://mail.example.com/owa/.

  • {ECP Base URL}: The base URL of the Exchange Admin Center (EAC) Service Provider (SP), such as https://mail.example.com/ecp/.

  • {Hideez Cert Thumbprint}: The thumbprint of the Hideez signing certificate installed on the Exchange server, used to establish a trust relationship.

Example:

Set-OrganizationConfig -AdfsIssuer "https://dev.hideez.com/wsfed" -AdfsAudienceUris "https://exch.lab.hideez.com/owa/","https://exch.lab.hideez.com/ecp/" -AdfsSignCertificateThumbprint d80e7aa3d27ac800fb2d5fa7c08748a73d924cd2, 3e04c68e71a591de637d0d21dcfd8e6f4b843684

Step 5: Configure Virtual Directories:

1. Configure virtual directories for AD FS authentication for OWA:

Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false

2. Configure virtual directories for AD FS authentication for Exchange admin center (EAC):

Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false

Step 6: Restart Internet Information Services (IIS)

Restart IIS to apply the changes:

net stop was /y
net start w3svc