
Enable Microsoft Entra ID (Azure AD) SSO and MFA to Microsoft Outlook Web App (OWA) via Datawiza


Overview

This tutorial shows how to enable Microsoft Entra ID (Azure AD) Single Sign-On (SSO) and Multi-Factor Authentication (MFA) for a Microsoft Outlook Web App (OWA) using Datawiza Access Proxy.

Benefits of integrating applications with Azure AD using DAP include:

Background

This document focuses on the problem of integrating modern identity providers with the legacy Outlook Web App. Our integration approach relies on the fact that Outlook Web App supports Kerberos authentication, which requires a Kerberos token to identify the user.

In many cases, legacy applications have great difficulty integrating modern SSO, mainly due to the absence of modern protocol support.

The Datawiza no-code proxy-based solution effectively reduces the cost of integration, fills the gap, and significantly improves application security.

Architecture

The solution has the following components:

  • Microsoft Entra ID: The Microsoft cloud-based identity and access management service, which helps users sign in and access external and internal resources.
  • Datawiza Access Proxy (DAP): A lightweight container-based reverse-proxy that implements OpenID Connect (OIDC), OAuth, or Security Assertion Markup Language (SAML) for user sign-in flow. It transparently passes identity to applications through HTTP headers.
  • Datawiza Cloud Management Console (DCMC): A centralized console to manage DAP. DCMC has UI and RESTful APIs for administrators to configure Datawiza Access Proxy and access control policies.
  • Exchange Server (OWA): the legacy application to be protected by Microsoft Entra ID.
  • Domain Controller: a server that manages user authentication and access to network resources in a Windows-based network.
  • Key Distribution Center (KDC): Securely distributes and manages secret keys and tickets in a Kerberos authentication system.

(Figure: OWA architecture)

Steps Description

(Figure: OWA sign-in steps)

  1. The user requests access to a DAP-protected OWA.
  2. DAP redirects the user's browser to Microsoft Entra ID.
  3. Microsoft Entra ID presents its login page to the user.
  4. The user submits their credentials to Microsoft Entra ID.
  5. Upon successful authentication, Microsoft Entra ID redirects the user's browser to DAP.
  6. DAP communicates with Microsoft Entra ID to exchange tokens.
  7. Microsoft Entra ID issues the user's username and related information to DAP.
  8. DAP uses the configured service account credentials to request a Kerberos ticket from the predefined KDC.
  9. KDC returns a Kerberos ticket.
  10. DAP redirects the user's browser to Outlook Web App.
  11. Outlook Web App presents the requested protected OWA resource to the user.

Subsequent requests from the user's browser carry the Kerberos token, enabling access to OWA via DAP.

Prerequisites

Prior Datawiza Access Proxy experience isn’t necessary, but you need:

Enable Kerberos Authentication for Outlook Web Access

  1. Open the Exchange Administrative Center

  2. Log in to the admin center, click Servers, and select the Virtual Directories tab.

  3. Select the server, double-click the OWA virtual directory, and select the Authentication tab.

  4. On the Authentication tab, select Use one or more standard authentication methods, select Integrated Windows authentication, and click Save.

  5. Open a command prompt.

  6. Execute the iisreset command.

Create a Service Account

Datawiza Access Proxy requires a set of known Windows credentials, which the instance uses to configure the Kerberos service. We refer to this user as the Datawiza Access Proxy service account.

  1. Return to or sign in to your Windows server.

  2. Start the Active Directory Users and Computers application.

  3. Select the appropriate instance for Datawiza Access Proxy, in this example datawizatest.com, and then Users > New User.

  4. Create a new user and click Next. For example:

     Property          Value
     First name        dap
     Last name         service
     User logon name   dap

  5. Specify an appropriate password.

  6. Ensure that you check the boxes User cannot change password and Password never expires, then click Next.


  7. In the final New Object - User dialog box, click Next.

  8. Right-click the new user, select Properties, and note the following values:

     Property                  Value
     User logon name           dap@datawizatest.com
     Pre-Windows 2000 prefix   DATAWIZATEST

Create a Service Principal Name (SPN) for the Service Account

  1. Before you create the SPN, list the existing SPNs in the domain and check whether an http SPN is already registered:

     setspn -Q */<domain.com>

  2. Register the host SPN for the service account using the following syntax on the Windows command line:

     setspn -A host/dap.<domain.com> dap

Info

host/dap.<domain.com> is the unique service principal name, and dap is the service account you created in the previous section. Registering this SPN is required: the Delegation tab used to configure constrained delegation in the next step is only available for accounts that have an SPN, so without it you cannot proceed with the delegation setup.

Configure Windows Server IIS for Constrained Delegation

  1. Log in to one of your domain controllers and open Active Directory Users and Computers.

  2. Find the Users object within your organization, locate the service account you just created, right-click it, and select Properties.

  3. Select the Delegation tab, select Trust this computer for delegation to specified services only, check Use any authentication protocol, and click Add....

  4. Select Users or Computers....

  5. Type in the machine name and click OK.

  6. Select http and click OK.

  7. Click OK on the Add Services page.

Getting started with DAP

To integrate Microsoft OWA:

  1. Sign in to Datawiza Cloud Management Console.

  2. The Welcome page appears.

  3. Select the orange Getting started button.

  4. In the Name and Description fields, enter the relevant information.

  5. Select Next.

  6. On the Add Application dialog, use the following values:

     Property           Value
     App Type           Web
     Name               Enter a unique application name.
     Application URL    For example: https://owa.example.com. For testing, you can use localhost DNS. If you aren't deploying DAP behind a load balancer, use the public domain with the port.
     Listen Port        The port that DAP listens on.
     Upstream Servers   The URL and port of the OWA deployment being protected. In this example, https://10.0.0.122.

  7. Select Next.

  8. On the Configure IdP dialog, enter the relevant information.

    Info

    DCMC has one-click integration to help complete Microsoft Entra ID configuration. DCMC calls the Microsoft Graph API to create an application registration on your behalf in your Microsoft Entra ID tenant.

  9. Select Create.

Note Down a Docker-Compose File

After you click Create, the basic configuration on the management console is finished. The final step of the guide shows a page with the steps needed to deploy Datawiza Access Proxy with your application. Note down the docker-compose file of your deployment. It contains the Datawiza Access Proxy image and a PROVISIONING_KEY and PROVISIONING_SECRET pair, which DAP uses to pull the latest configuration and policies from DCMC.

Configure Kerberos

Go to the detail page of the application you just created and click the Advanced tab. Find the Kerberos sub-tab.

Configure the Kerberos settings with the following values:

  • Kerberos Realm: A realm where the Kerberos database is stored or the active directory domain. In this example, it is DATAWIZATEST.COM.
  • SPN: The Service Principal Name of your OWA application. Note that this is not the SPN you created in the previous step. In this example, it is http/owa.
  • Delegated Login Identity: Defines the identity to be delegated for authentication in your on-premises Active Directory when the user's login identities differ. I use email.
  • KDC: IP address of a Domain Controller (or its FQDN if DNS is configured and resolves reliably). I use 10.0.0.122.
  • Service Account: The service account you created earlier. Mine is dap.
  • Auth Type: Choose password in this example. If you prefer to authenticate with a keytab instead of a password, choose the keytab option here.
  • Password: The password for the service account.

(Optional) SSL Configuration

  1. By default, the application uses the Datawiza self-signed certificate, but you can replace it with your own. Select the Advanced tab, click the edit button, then upload your own certificate.
  2. Select Save.

(Optional) Enable MFA on Microsoft Entra ID (Formerly Azure AD)

To add an extra level of security for sign-ins, you may want to enforce MFA for user sign-in. There are several ways to achieve this; the simplest is to enable MFA on the Azure portal.

  1. Sign in to the Azure portal as a Global Administrator.
  2. Select Microsoft Entra ID > Manage > Properties.
  3. Under Properties, click Manage security defaults.
  4. Under Enable Security defaults, select Yes and then Save.

Troubleshooting

Kerberos authenticate failed: Missing target hostname

Possible causes: DAP cannot reach the KDC address, DAP cannot resolve the KDC hostname, or the service account password contains an @ symbol.

Kerberos authenticate failed: S4U2proxy failed! Error Name: KDC_ERR_S_PRINCIPAL_UNKNOWN Detail: "Server not found in Kerberos database"

The provided SPN is not correct.

In the example screenshot, the SPN should be http/exchange2.techoceanllc.com.

Kerberos authenticate failed: Preauth failed! Error Name: KDC_ERR_PREAUTH_FAILED Detail: "Pre-authentication information was invalid"

The provided password is not correct.

Missing @ sign of user

The authentication username must include the @ symbol, that is, it must be in the form of an email address, such as user@datawizatest.com. In this context, datawizatest.com is the Azure realm or domain.
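To check the SPN, constrained-delegation and KDC settings from the earlier sections against the failure modes listed in this Troubleshooting section, here is an added PowerShell verification script. It is not part of Datawiza's tooling; the account name, SPNs and KDC address in its parameters are placeholders to replace with your own values, and it assumes the ActiveDirectory module is available on a domain-joined host.

```powershell
# Added verification script; not part of Datawiza's tooling. Run it on a
# domain-joined Windows host with the ActiveDirectory module installed.
# Placeholder values in <...> are assumptions; replace them with your own.
param(
    [string]$ServiceAccount = 'dap',                    # account created above
    [string]$DapSpn         = 'host/dap.<domain.com>',  # SPN registered with setspn -A
    [string]$OwaSpn         = 'http/owa.<domain.com>',  # SPN entered on the Kerberos tab
    [string]$Kdc            = '<kdc-ip-or-fqdn>'        # KDC entered on the Kerberos tab
)
Import-Module ActiveDirectory

$props = 'servicePrincipalName', 'msDS-AllowedToDelegateTo',
         'TrustedToAuthForDelegation', 'PasswordNeverExpires'
$acct  = Get-ADUser -Identity $ServiceAccount -Properties $props
$ok    = $true

# 1. The host SPN must be present, otherwise the Delegation tab never appears.
if ($acct.servicePrincipalName -notcontains $DapSpn) {
    Write-Warning "$DapSpn is not registered on $ServiceAccount; run: setspn -A $DapSpn $ServiceAccount"
    $ok = $false
}

# 2. 'Use any authentication protocol' sets this flag; without it the KDC
#    refuses the S4U2self/S4U2proxy exchange DAP performs on the user's behalf.
if (-not $acct.TrustedToAuthForDelegation) {
    Write-Warning "Protocol transition is not enabled on $ServiceAccount (Delegation tab)"
    $ok = $false
}

# 3. The OWA SPN must be in the allowed-to-delegate-to list and owned by some
#    account (the Exchange server); no owner is the KDC_ERR_S_PRINCIPAL_UNKNOWN case.
if ($acct.'msDS-AllowedToDelegateTo' -notcontains $OwaSpn) {
    Write-Warning "$OwaSpn is missing from msDS-AllowedToDelegateTo on $ServiceAccount"
    $ok = $false
}
if (-not (Get-ADObject -LDAPFilter "(servicePrincipalName=$OwaSpn)")) {
    Write-Warning "$OwaSpn is not registered on any account; compare with: setspn -Q $OwaSpn"
    $ok = $false
}

# 4. An expiring password silently breaks SSO later.
if (-not $acct.PasswordNeverExpires) { Write-Warning "Password of $ServiceAccount can expire" }

# 5. DAP must reach the KDC on TCP 88; 'Missing target hostname' points here.
if (-not (Test-NetConnection -ComputerName $Kdc -Port 88 -WarningAction SilentlyContinue).TcpTestSucceeded) {
    Write-Warning "KDC $Kdc is not reachable on TCP 88 from this host"
    $ok = $false
}
if ($ok) { Write-Host 'Service account, delegation and KDC checks passed.' }
```

Run it from the DAP host's network segment where possible, since the KDC reachability result is only meaningful from where DAP actually runs.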

Summary

In this article, you learned how to:

  • Configure and Deploy the Datawiza Access Proxy
  • Integrate the Datawiza Access Proxy with OWA
  • Enable Azure AD SSO login and MFA for OWA

If you have any questions, don't be afraid to contact us through support email (support@datawiza.com) or join our Discord!