Remove Dependency of ADFS server for authentication of OWA and ECP of Exchange Server 2016

Sayantan Raha 0 Reputation points
2024-07-29T14:18:35.5766667+00:00

We have 2 Hybrid servers and 2 Edge servers, but the authentication is redirected via the WAP (ADFS) server.

We need to remove the dependency on the ADFS server. What modifications need to be made in Exchange Server? Currently we have Windows Authentication and ADFS Authentication set to True.
We tried to move the authentication to Azure App Proxy, but 2016 does not support Hybrid Modern Authentication.
So how do we remove the dependency on ADFS?

Microsoft Exchange Hybrid Management

3 answers

  1. Andy David - MVP 149.2K Reputation points MVP
    2024-07-29T14:58:18.2666667+00:00

    Start with Step 6 and reverse the settings back to the default:

    https://learn.microsoft.com/en-us/exchange/clients/outlook-on-the-web/ad-fs-claims-based-auth?view=exchserver-2019#step-6-configure-the-exchange-organization-to-use-ad-fs-authentication

    Essentially:

    Run commands in order:

    Get-OwaVirtualDirectory -Server <server> | Set-OwaVirtualDirectory -BasicAuthentication $true -AdfsAuthentication $false -FormsAuthentication $true

    Get-EcpVirtualDirectory -Server <server> | Set-EcpVirtualDirectory -AdfsAuthentication $false -BasicAuthentication $true -FormsAuthentication $true

    followed by IISRESET


  2. Andy David - MVP 149.2K Reputation points MVP
    2024-07-29T18:20:21.1866667+00:00

    The commands will remove the ADFS dependency.

    If you don't want to use basic auth or forms-based auth, then set it to $false.

    Get-OwaVirtualDirectory -Server <server> | Set-OwaVirtualDirectory -BasicAuthentication $true -AdfsAuthentication $false -FormsAuthentication $true

    Get-EcpVirtualDirectory -Server <server> | Set-EcpVirtualDirectory -AdfsAuthentication $false -BasicAuthentication $true -FormsAuthentication $true

    followed by IISRESET

    You can also clear the org config in Exchange (set those values to $null),

    but it's not required if you just want to set -AdfsAuthentication $false in the above commands

    Set-OrganizationConfig -AdfsIssuer https://<FederationServiceName>/adfs/ls/ -AdfsAudienceUris "<OotwURL>","<EACURL>" -AdfsSignCertificateThumbprint "<Thumbprint>"

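The virtual-directory change from the two answers above, wrapped in a before/after check, as an added example that is not part of either answer or of Microsoft's documentation. It snapshots the current OWA/ECP authentication flags and the ADFS organization settings for rollback, previews or applies the same Set-* commands, then reports any virtual directory that still has ADFS enabled. The server names, the backup folder and the `Get-VdirAuthState` helper are assumptions made for this example.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell.
# Assumed values: the server names and backup folder below are placeholders.
$Servers   = @('<server1>', '<server2>')
$BackupDir = 'C:\Temp\vdir-auth-backup'
$Apply     = $false   # leave $false to preview the Set-* calls with -WhatIf

$props = 'Server', 'Identity', 'AdfsAuthentication', 'BasicAuthentication',
         'FormsAuthentication', 'WindowsAuthentication'

function Get-VdirAuthState {
    # Hypothetical helper: one row per OWA/ECP virtual directory with its auth flags.
    param([string[]]$Server)
    foreach ($s in $Server) {
        Get-OwaVirtualDirectory -Server $s |
            Select-Object (@(@{ n = 'Type'; e = { 'OWA' } }) + $props)
        Get-EcpVirtualDirectory -Server $s |
            Select-Object (@(@{ n = 'Type'; e = { 'ECP' } }) + $props)
    }
}

# 1. Snapshot the current state so the change can be reversed later.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
Get-VdirAuthState -Server $Servers |
    Export-Csv (Join-Path $BackupDir "vdir-auth-$stamp.csv") -NoTypeInformation
Get-OrganizationConfig |
    Select-Object AdfsIssuer, AdfsAudienceUris, AdfsSignCertificateThumbprint |
    Export-Clixml (Join-Path $BackupDir "orgconfig-adfs-$stamp.xml")

# 2. Apply the settings given in the answers: OWA first, then ECP.
foreach ($s in $Servers) {
    Get-OwaVirtualDirectory -Server $s |
        Set-OwaVirtualDirectory -BasicAuthentication $true -AdfsAuthentication $false `
            -FormsAuthentication $true -WhatIf:(-not $Apply)
    Get-EcpVirtualDirectory -Server $s |
        Set-EcpVirtualDirectory -AdfsAuthentication $false -BasicAuthentication $true `
            -FormsAuthentication $true -WhatIf:(-not $Apply)
}
# Run IISRESET on each server afterwards, as the answers state.

# 3. Verify: list the resulting flags and warn about anything still using ADFS.
$after = Get-VdirAuthState -Server $Servers
$after | Format-Table -AutoSize
$stillAdfs = $after | Where-Object { $_.AdfsAuthentication }
if ($stillAdfs) {
    Write-Warning ("ADFS authentication still enabled on: " +
        (($stillAdfs | ForEach-Object { "$($_.Type) $($_.Identity)" }) -join '; '))
}
```

With `$Apply = $false` the Set-* calls only print what they would change, so the final table shows the unchanged state; set it to `$true` once the preview looks right.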

  3. Bruce Jing-MSFT 5,795 Reputation points Microsoft Vendor
    2024-07-30T07:23:56.77+00:00

    Hi, @Sayantan Raha

    Thanks for posting your question in the Microsoft Q&A forum.

    According to your description, do you want to disable the ADFS service?

    Microsoft provides guidance on how to deactivate the ADFS service: Active Directory Federation Services (AD FS) decommission guide | Microsoft Learn

    Exchange 2016 does not support Modern Authentication. To use Modern Auth, all servers used for client connections must have Exchange Server 2019 CU13 installed.

    If my answer is helpful to you, please mark it as the answer so that other users can refer to it. Thank you for your support and understanding.

