Configure Datawiza Access Proxy for Microsoft Entra single sign-on and multifactor authentication for Outlook Web Access

In this tutorial, learn how to configure Datawiza Access Proxy (DAP) to enable Microsoft Entra single sign-on (SSO) and Microsoft Entra multifactor authentication for Outlook Web Access (OWA). Help solve issues when modern identity providers (IdPs) integrate with legacy OWA, which supports Kerberos token authentication to identify users.

Often, legacy app and modern SSO integration are a challenge because there's no modern protocol support. Datawiza Access Proxy removes the protocol support gap, reduces integration overhead, and improves application security.

Integration benefits:


DAP integration architecture includes the following components:

  • Microsoft Entra ID - identity and access management service that helps users sign in and access external and internal resources

  • OWA - the legacy, Exchange Server component to be protected by Microsoft Entra ID

  • Domain controller - a server that manages user authentication and access to network resources in a Windows-based network

  • Key distribution center (KDC) - distributes and manages secret keys and tickets in a Kerberos authentication system

  • DAP - a reverse-proxy that implements OpenID Connect (OIDC), OAuth, or Security Assertion Markup Language (SAML) for user sign in. DAP integrates with protected applications by using:

    • HTTP headers

    • Kerberos

    • JSON web token (JWT)

    • other protocols

  • DCMC - the DAP management console with UI and RESTful APIs to manage configurations and access control policies

The following diagram illustrates a user flow with DAP in a customer network.

Screenshot shows the user flow with DAP in a customer network.

The following diagram illustrates the user flow from user browser to OWA.

Screenshot shows the user flow from user browser to owa.

Step Description
1. User browser requests access to DAP-protected OWA.
2. The user browser is directed to Microsoft Entra ID.
3. The Microsoft Entra sign-in page appears.
4. The user enters credentials.
5. Upon authentication, the user browser is directed to DAP.
6. DAP and Microsoft Entra ID exchange tokens.
7. Microsoft Entra ID issues the username and relevant information to DAP.
8. DAP accesses the KDC with credentials. DAP requests a Kerberos ticket.
9. KDC returns a Kerberos ticket.
10. DAP redirects the user browser to OWA.
11. The OWA resource appears.


Subsequent user browser requests contain the Kerberos token, which enables access to OWA via DAP.


You need the following components. Prior DAP experience isn't necessary.

  • An Azure account

  • A Microsoft Entra tenant linked to the Azure account

  • Docker and Docker Compose are required to run DAP

  • User identities synchronized from an on-premises directory to Microsoft Entra ID, or created in Microsoft Entra ID and flowed back to your on-premises directory

  • An account with Microsoft Entra Application Administrator permissions

  • An Exchange Server environment. Supported versions:

    • Microsoft IIS Integrated Windows Authentication (IWA) - IIS 7 or later

    • Microsoft OWA IWA - IIS 7 or later

  • A Windows Server instance configured with IIS and Microsoft Entra services running as a domain controller (DC) and implementing Kerberos (IWA) SSO

    • It's unusual for large production environments to have an application server (IIS) that also functions as a DC.
  • Optional - an SSL Web certificate to publish services over HTTPS, or DAP self-signed certificates, for testing.

Enable Kerberos authentication for OWA

  1. Sign in to the Exchange admin center.

  2. In the Exchange admin center, left navigation, select servers.

  3. Select the virtual directories tab.

    Screenshot shows the virtual directories.

  4. From the select server dropdown, select a server.

  5. Double-click owa (Default Web Site).

  6. In the Virtual Directory, select the authentication tab.

    Screenshot shows the virtual directories authentication tab.

  7. On the authentication tab, select Use one or more standard authentication methods, and then select Integrated Windows authentication.

  8. Select save

    Screenshot shows the internet-explorer tab.

  9. Open a command prompt.

  10. Execute the iisreset command.

    Screenshot shows the iis reset command.

Create a DAP service account

DAP requires known Windows credentials that are used by the instance to configure the Kerberos service. The user is the DAP service account.

  1. Sign in to the Windows Server instance.

  2. Select Active Directory Users and Computers.

  3. Select the DAP instance down-arrow. The example is

  4. In the list, right-click Users.

  5. From the menu, select New, then select User.

    Screenshot shows the users-computers.

  6. On New Object--User, enter a First name and Last name.

  7. For User logon name, enter dap.

  8. Select Next. Screenshot shows the user-logon.

  9. In Password, enter a password.

  10. Enter it again in Confirm.

  11. Check the boxes for User cannot change password and Password never expires. Screenshot shows the password menu.

  12. Select Next.

  13. Right-click the new user to see the configured properties.

Create a service principal name for the service account

Before you create the service principal name (SPN), you can list SPNs and confirm the http SPN is among them.

  1. Use the following syntax on the Windows command line to list SPNs.

    setspn -Q \*/\<****

  2. Confirm the http SPN is among them.

  3. Use the following syntax on the Windows command line to register the host SPN for the account.

    setspn -A host/ dap


host/ is the unique SPN, and dap is the service account you created.

Configure Windows Server IIS for Constrained Delegation

  1. Sign in to a domain controller (DC).

  2. Select Active Directory Users and Computers.

    Screenshot shows the constrained delegation menu.

  3. In your organization, locate and select the Users object.

  4. Locate the service account you created.

  5. Right-click the account.

  6. From the list, select Properties.

    Screenshot shows the properties.

  7. Select the Delegation tab.

  8. Select Trust this user for delegation to specified services only.

  9. Select Use any authentication protocol.

  10. Select Add.

    Screenshot shows the authentication protocol.

  11. On Add Services, select Users or Computers.

    Screenshot shows the add services window.

  12. In Enter the object names to select, type in the machine name.

  13. Select OK

    Screenshot shows the select object names fields.

  14. On Add Services, in Available services, under Service Type, select http.

  15. Select OK

    Screenshot shows the add http services fields.

Integrate OWA with Microsoft Entra ID

Use the following instructions to integrate OWA with Microsoft Entra ID.

  1. Sign in to the Datawiza Cloud Management Console (DCMC).

  2. The Welcome page appears.

  3. Select the orange Getting started button.

    Screenshot shows the access proxy screen.

Deployment Name

  1. On Deployment Name, type a Name and a Description.

  2. Select Next.

    Screenshot shows the deployment name screen.

Add Application

  1. On Add Application, for Platform, select Web.

  2. For App name, enter the app name. We recommend a meaningful naming convention.

  3. For Public Domain, enter the app's external-facing URL. For example, Use localhost DNS for testing.

  4. For Listen Port, enter the port DAP listens on. If DAP isn't deployed behind a load balancer, you can use port indicated in Public Domain.

  5. For Upstream Servers, enter the OWA implementations' URL and port combination.

  6. Select Next.

    Screenshot shows the add application screen.

Configure IdP

DCMC integration features help complete Microsoft Entra configuration. Instead, DCMC calls Microsoft Graph API to perform the tasks. The feature reduces time, effort, and errors.

  1. On Configure IdP, enter a Name.

  2. For Protocol, select OIDC.

  3. For Identity Provider, select Microsoft Entra ID.

  4. Enable Automatic Generator.

  5. For Supported account types, select Account in this organizational directory only (Single tenant).

  6. Select Create.

    Screenshot shows the configure idp screen.

  7. A page appears with deployment steps for DAP and the application.

  8. See the deployment's Docker Compose file, which includes an image of the DAP, also PROVISIONING_KEY and PROVISIONING_SECRET. DAP uses the keys to pull the latest DCMC configuration and policies.

Configure Kerberos

  1. On your application page, select Application Detail.

  2. Select the Advanced tab.

  3. On the Kerberos sub tab, enable Kerberos.

  4. For Kerberos Realm, enter the location where the Kerberos database is stored, or the Active Directory domain.

  5. For SPN, enter the OWA application's service principal name. It's not the same SPN you created.

  6. For Delegated Login Identity, enter the applications external-facing URL. Use localhost DNS for testing.

  7. For KDC, enter a domain controller IP. If DNS is configured, enter a fully qualified domain name (FQDN).

  8. For Service Account, enter the service account you created.

  9. For Auth Type, select Password.

  10. Enter a service account Password.

  11. Select Save.

    Screenshot shows the configure kerberos.

SSL configuration

  1. On your application page, select the Advanced tab.

  2. Select the SSL subtab.

  3. Select Edit.

    Screenshot shows the datawiza advanced window.

  4. Select the option to Enable SSL.

  5. From Cert Type, select a certificate type. You can use the provided self-signed localhost certificate for testing.

    Screenshot shows the cert type.

  6. Select Save.

Optional: Enable Microsoft Entra multifactor authentication


Steps in this article may vary slightly based on the portal you start from.

To provide more sign-in security, you can enforce Microsoft Entra multifactor authentication. The process starts in the Microsoft Entra admin center.

  1. Sign in to the Microsoft Entra admin center as a Global Administrator.
  2. Browse to Identity > Overview > Properties tab.
  3. Under Security defaults, select Manage security defaults.
  4. On the Security defaults pane, toggle the dropdown menu to select Enabled.
  5. Select Save.

Next steps