Skip to main content

Enable Microsoft Entra ID (Azure AD) SSO and MFA to Microsoft Outlook Web App (OWA) via Datawiza

About 3 min

Overview

This tutorial shows how to enable Microsoft Entra ID (Azure AD) Single Sign-On (SSO) and Multi-Factor Authentication (MFA) for a Microsoft Outlook Web App (OWA) using Datawiza Access Proxy.

Benefits of integrating applications with Azure AD using DAP include:

Background

This document focuses on solving the problem when modern identity providers integrate with the legacy Outlook Web App. Our approach to integration relies on the fact that Outlook Web App supports kerberos authentication, which requires a kerberos token to identify a user.

In many cases, legacy applications have great difficulty integrating modern SSO, mainly due to the absence of modern protocol support.

The Datawiza no-code proxy-based solution effectively reduces the cost of integration, fills the gap, and significantly improves application security.

Architecture

The solution has the following components:

  • Microsoft Entra ID : The Microsoft cloud-based identity and access management service, which helps users sign in and access external and internal resources.
  • Datawiza Access Proxy (DAP): A lightweight container-based reverse-proxy that implements OpenID Connect (OIDC), OAuth, or Security Assertion Markup Language (SAML) for user sign-in flow. It transparently passes identity to applications through HTTP headers.
  • Datawiza Cloud Management Console (DCMC): A centralized console to manage DAP. DCMC has UI and RESTful APIs for administrators to configure Datawiza Access Proxy and access control policies.
  • Exchange Server (OWA): the legacy application to be protected by Microsoft Entra ID.
  • Domain Controller: a server that manages user authentication and access to network resources in a Windows-based network.
  • Key Distribution Center (KDC): KDC is used to securely distribute and manage secret keys and tickets in a Kerberos authentication system.

Microsoft OWA Microsoft Entra ID (Azure AD) SSO and MFA | OWA Arch

Steps Description

Microsoft OWA Microsoft Entra ID (Azure AD) SSO and MFA | OWA Steps

  1. The user requests access to a DAP-protected OWA.
  2. DAP redirects the user's browser to Microsoft Entra ID
  3. Microsoft Entra ID presents its login page to the user.
  4. The user submits their credentials to Microsoft Entra ID.
  5. Upon successful authentication, Microsoft Entra ID redirects the user's browser to DAP.
  6. DAP communicates with Microsoft Entra ID to exchange tokens.
  7. Microsoft Entra ID issues the user's username and relative information to DAP.
  8. DAP accesses the predefined KDC with credentials to request a Kerberos ticket.
  9. KDC returns a Kerberos ticket.
  10. DAP redirects the user's browser to Outlook Web App.
  11. Outlook Web App presents the requested protected OWA resource to the user.

Subsequent requests from the user's browser will contain the kerberos token, enabling access to OWA via DAP.

Prerequisites

Prior Datawiza Access Proxy experience isn’t necessary, but you need:

Enable Kerberos Authentication for Outlook Web Access

  1. Open the Exchange Administrative Center

  2. Login to the admin center, click on Servers and select the Virtual Directories tab Microsoft OWA SSO and MFA | Virtual Directory

  3. Select server and then double click on the OWA Virtual Directory and select the applications tab. Microsoft OWA SSO and MFA | Authentication

  4. On the authentication tab, select Use one or more standard authentication methods , select Integrated Windows authentication , and click save.Microsoft OWA SSO and MFA | Integrated Win Auth

  5. Open a command prompt.

  6. Execute the iisreset command. Microsoft OWA SSO and MFA | Restart IIS

Create a Service Account

Datawiza Access Proxy requires a set of known Windows credentials, which will be used by the instance to configure the Kerberos service. We refer to this user as the Datawiza Access Proxy service account.

  1. Return to or sign in to your Windows server.

  2. Start the Active Directory Users and Computers application.

  3. Select the appropriate instance for Datawiza Access Proxy, in this example datawizatest.com, and then Users > New User. Microsoft OWA SSO and MFA | New User

  4. Create a new user and click Next. For example:

    PropertyValue
    First namedap
    Last nameservice
    User logon namedap

    Microsoft OWA SSO and MFA | Create New User

  5. Specify an appropriate password.

  6. Ensure that you check the boxes User cannot change password and Password never expires, then click Next.

    Microsoft OWA SSO and MFA | Uncheck Pass Expire

  7. In the final New Object - User dialog box, click Next.

  8. Right click the new user and show properties and note the following properties:

    PropertyValue
    Last namedap@datawizatest.com
    Pre windows 2000 prefixDATAWIZATEST

Create a Service Principal Name (SPN) for the Service Account

  1. Before you can create the SPN, you can List all SPNs and check if the http SPN is among them.
setspn -Q */<domain.com> 
  1. Register the host SPN for the account using the following syntax on the Windows command line:
setspn -A host/dap.<domain.com> dap

Info

host/dap.<domain.com> represents the unique service principal name, and dap corresponds to the service account you previously created. It is crucial to include this service principal name to enable the configuration of constrained delegation in the next step. Without it, you won't be able to proceed with the delegation setup.

Configure Windows Server IIS for Constrained Delegation

  1. Login to one of your domain controllers and open up Active Directory Users and Computers. Microsoft OWA SSO and MFA | User Computer

  2. Find the Users object within your organization, find the service account you just created and right click Properties on it. Microsoft OWA SSO and MFA | Properties

  3. Select the Delegation tab, select Trust this computer for delegation to specified services only , check Use any authentication protocol , and click on Add.... Microsoft OWA SSO and MFA | Use Protocol

  4. Select Users or Computers.... Microsoft OWA SSO and MFA | Add Service

  5. Type in the machine name and click OK. Microsoft OWA SSO and MFA | Select Computer

  6. Select http and click OK. Microsoft OWA SSO and MFA | Select HTTP

  7. Click OK on the Add Services page.

Getting started with DAP

To integrate Microsoft OWA:

  1. Sign in to Datawiza Cloud Management Consoleopen in new window.

  2. The Welcome page appears.

  3. Select the orange Getting started button. Microsoft OWA SSO and MFA | Getting Started

  4. In the Name and Description fields, enter the relevant information.

  5. Select Next. Microsoft OWA SSO and MFA | Create a New Deployment

  6. On the Add Application dialog, use the following values:

    PropertyValue
    App TypeWeb
    NameEnter a unique application name.
    Application URLFor example: https://owa.example.com. For testing, you can use localhost DNS. If you aren't deploying DAP behind a load balancer, use the Public Domain with the port.
    Listen PortThe port that DAP listens on.
    Upstream ServersThe URL and port combination of the OWA Implementation is being protected. Mine is https://10.0.0.122.
  7. Select Next. Microsoft OWA SSO and MFA | Create a New Application

  8. On the Configure IdP dialog, enter the relevant information.

    Info

    DCMC has one-click integration to help complete Microsoft Entra ID configuration. DCMC calls the Microsoft Graph API to create an application registration on your behalf in your Microsoft Entra ID tenant.

  9. Select Create. Microsoft Entra ID (Azure AD) SSO and MFA | Creare a New Microsoft Entra ID (Azure AD) IdP

Install and run Datawiza Access Proxy

Once clicking on the Create button, the basic configuration on the management console is finished. You will see the final step of the guide, which presents you with a page showing the simple steps to deploy Datawiza Access Proxy (DAP) with your application. Note down the commands for your deployment. The first command will download Docker and Datawiza Access Proxy image, and the second command will create a Docker Compose file and run Datawiza Access Proxy. You can refer to Install and Run Datawiza Access Proxy by command for more information.

DAP Docker Compose File

Configure Kerberos

Go to the application detail you just created and click the Advanced tab. Find the Kerberos sub tab. Microsoft OWA SSO and MFA | Select Kerberos Sub Tab

Configure the kerberos settings with the following values:

  • Kerberos Realm: A realm where the Kerberos database is stored or the active directory domain. In this example, it is DATAWIZATEST.COM.
  • SPN: The Service Principal Name of your OWA application. Please note, it is not the same spn you created at the previous step. In this example, it is http/owa.
  • Delegated Login Identity: This enables you to define the delegated identity to be sent for authentication in your on premises Active Directory when there is a disparity between user login identities. I use email.
  • KDC: IP of a Domain Controller (Or FQDN if DNS is configured & efficient). I use 10.0.0.122.
  • Service Account: The service account you created before. Mine is dap.
  • Auth Type: Choose password in this example. If you prefer to use keytab instead of password, you can choose keytab option rather than password here.
  • Password: The password for the service account. Microsoft OWA SSO and MFA | Config Kerberos

(Optional) SSL Configuration

  1. By default, when you set up this application, it will use the Datawiza self-sign certificate, but you still have the chance to replace it with your own certificate. Select the Advanced tab. Click the edit button, then upload your own certificate. Enable SSLUpload self-signed Cert
  2. Select Save.

(Optional) Enable MFA on Microsoft Entra ID (Formerly Azure AD)

To provide an extra level of security for sign-ins, sometimes you might want to enforce MFA for user sign-in. There are several ways to achieve this. The simplest and easiest way is to enable MFA on the Azure portal.

  1. Sign in to the Azure portal as a Global Administrator.
  2. Select Microsoft Entra ID > Manage > Properties.
  3. Under Properties , click the Manage security defaults. Microsoft Entra ID (Azure AD) SSO and MFA | Manage Security Defaults
  4. Under Enable Security defaults, select Yes and then Save. Microsoft Entra ID (Azure AD) SSO and MFA | Enable Security Default

Troubleshooting

Kerberos authenticate failed: Missing target hostname

The potential causes could include the unreachability of the KDC address by DAP, DAP's inability to resolve the hostname of KDC, or the presence of an @ symbol in the service account password.

Kerberos authenticate failed: S4U2proxy failed! Error Name: KDC_ERR_S_PRINCIPAL_UNKNOWN Detail: "Server not found in Kerberos database"

The provided SPN is not correct. Microsoft OWA SSO and MFA | SPN Example

According to this example of the screenshot, it should be http/exchange2.techoceanllc.com.

Kerberos authenticate failed: Preauth failed! Error Name: KDC_ERR_PREAUTH_FAILED Detail: "Pre-authentication information was invalid"

The provided password is not correct. Microsoft OWA SSO and MFA | Incorrect Pass

Missing @ sign of user

The authentication username should include the @ symbol, signifying that it should be in the form of an email, like user@datawizatest.com. In this context, datawizatest.com serves as the Azure Realm or Domain.

Summary

In this article, you learned how to:

  • Configure and Deploy the Datawiza Access Proxy
  • Integrate the Datawiza Access Proxy with OWA
  • Enable Azure AD SSO login and MFA for OWA

If you have any questions, don't be afraid to contact us through support email (support@datawiza.com).

What's more