How to set up 2FA on a local on-prem Exchange server with free open-source software

This guide covers properly implementing Gluu's multi-factor authentication with Exchange Server 2016 Outlook Web App (OWA). Here is an expanded step-by-step walkthrough:

  1. Install Gluu Server on a separate server from Exchange
    • Download the latest Gluu Community package
    • Run the setup wizard to configure the base URL, encryption keys, LDAP and the admin password
    • Verify that you can log in to Gluu at the setup URL with the admin credentials
  2. Enable the needed Gluu authentication plugins
    • Log in to the Gluu Admin UI as administrator
    • Navigate to Configuration > Manage Authentication
    • Enable the “Windows Authentication” and “Google Authenticator” plugins
  3. Add a test user and generate the user’s Google Authenticator secret
    • Go to the Users page and create a new Person record
    • Fill in first/last name and email, and set the user password
    • Edit the user and enable Google Authenticator under the OTP section
    • Scan the QR code or enter the key into Google Authenticator on the user’s phone
  4. Add a Relying Party (RP) for the Exchange OWA site
    • Go to the Relying Parties section in Gluu Admin
    • Add a new RP with a descriptive name like ‘OWA Site’
    • Set the configured Base URL to the URL of the OWA login
    • Set the allowed authentication methods to ‘Windows’
  5. Configure Gluu as the Central Authentication Server
    • Stop the Exchange 2016 IIS service
    • Open the ADSI Edit tool to access the Exchange Auth registry key
    • Modify the key to make Gluu priority 1 for authentication
  6. Update the OWA Authentication Providers
    • In the Exchange IIS Authentication settings
    • Enable Windows Auth and Basic Auth
    • Require both providers to be satisfied
  7. Validate the full MFA login end-to-end
    • Open the OWA URL and ensure you are redirected to the Gluu login
    • Enter the test username and password
    • Approve the prompt on Google Authenticator
    • Validate that you can log in to OWA with MFA
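Step 7 starts with a check that an unauthenticated request to OWA is bounced to the Gluu login page. The script below is an added example (not part of the original post and not Gluu or Microsoft code) that performs exactly that check without following redirects, so it can confirm the first hop goes to the expected identity-provider host over HTTPS. The OWA URL and the Gluu hostname are placeholders; a host other than the one you expect, or a plain-http redirect, is reported instead of silently followed.

```python
"""Added example: probe the OWA URL and confirm that an unauthenticated
request is redirected to the Gluu login page (first hop only).

Placeholders (not taken from the post): https://mail.example.com/owa for OWA
and gluu.example.com for the Gluu Server.
"""
import urllib.error
import urllib.request
from urllib.parse import urlsplit


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so the first response can be inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify_first_hop(status, location, idp_host):
    """Classify the first response from OWA.

    status   - HTTP status code of the first response
    location - value of the Location header, or None
    idp_host - hostname of the Gluu Server that must serve the login page
    Returns 'ok', 'no-redirect', 'not-https' or 'wrong-host'.
    """
    if status not in (301, 302, 303, 307, 308) or not location:
        return "no-redirect"
    parts = urlsplit(location)
    if parts.scheme != "https":
        return "not-https"
    if parts.hostname is None or parts.hostname.lower() != idp_host.lower():
        return "wrong-host"
    return "ok"


def probe_owa(owa_url, idp_host, timeout=10):
    """Fetch the OWA URL once, without following redirects, and classify the hop."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(owa_url, headers={"User-Agent": "mfa-check/1.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify_first_hop(resp.status, resp.headers.get("Location"), idp_host)
    except urllib.error.HTTPError as err:
        # With redirects disabled, urllib raises HTTPError for 3xx responses;
        # the code and headers of that response are what we want to inspect.
        return classify_first_hop(err.code, err.headers.get("Location"), idp_host)


if __name__ == "__main__":
    # Network call against the placeholder URLs; replace with your own hosts.
    print(probe_owa("https://mail.example.com/owa", "gluu.example.com"))
```

Run it from a workstation that can reach OWA; anything other than `ok` means the priority change from step 5 or the OWA provider settings from step 6 did not take effect.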

Here are the specific steps to use ADSI Edit to configure Gluu as the priority authentication provider for Exchange 2016:

  1. Open ADSI Edit (comes with Windows Server)
  2. In the console tree, navigate to: Configuration > Services > Microsoft Exchange > <Your Exchange Server> > Protocols > IMAP4
  3. In the right pane, right-click the “IMAP4” node and select “Properties”
  4. Select the property called “AuthProviderPriority” in the list
  5. Click Edit and in the Value field enter: Gluu/Gluu Manager,1;NTAuth,2
  6. Click OK to set this new priority order

This gives the Gluu authentication provider the highest priority (1) over the standard Windows NT auth provider.

Essentially, we are telling Exchange that when an authentication request comes in for something like OWA, it should route it to Gluu first rather than to the normal NT auth provider.

Here are the steps to enable the Windows Authentication and Google Authenticator plugins within the Gluu Admin UI:

  1. Log in to the Gluu Admin UI (at the setup URL, e.g. https://gluu.example.com/identity/admin)
  2. Click “Configuration” at the top
  3. Click “Manage Authentication” under the Integration heading
  4. This will display the list of installed authentication modules. Look for:
    • “Windows Authentication”
    • “Google Authenticator Authentication”
  5. For both of those modules:
    • Check the box on the left for that plugin
    • On the top right, click the yellow button “Activate selected”
  6. Confirm that the “Windows Authentication” and “Google Authenticator Authentication” plugins now show as Activated

This enables Windows integrated auth to delegate to Gluu’s login page and allows a user’s Google Authenticator app to be associated with the account for TOTP multi-factor authentication at login.
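The Google Authenticator enrollment in step 3 and the TOTP plugin just enabled both rest on RFC 6238 time-based one-time passwords. The block below is an added example (not the post's code and not Gluu's implementation) of what happens on each side of that exchange: generating the shared secret, building the `otpauth://` provisioning URI that the enrollment QR code encodes, and verifying a submitted code the way a server should, with constant-time comparison, a small clock-drift window, and rejection of a code that has already been accepted. It assumes the defaults Google Authenticator uses (SHA-1, 6 digits, 30-second step); the issuer and account names are placeholders.

```python
"""Added example: TOTP enrollment and verification mechanics (RFC 4226/6238).

Assumes Google Authenticator defaults: HMAC-SHA1, 6 digits, 30-second step.
Issuer/account strings are placeholders, not values from the post.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

STEP = 30      # seconds per time step
DIGITS = 6     # code length


def new_secret(nbytes=20):
    """Random shared secret, base32-encoded as the authenticator app expects it."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def provisioning_uri(secret_b32, account, issuer):
    """The string encoded in the enrollment QR code (Key Uri Format)."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP}")


def hotp(secret_b32, counter):
    """RFC 4226 HOTP value for a single counter value."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


def totp(secret_b32, at=None):
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    now = int(time.time()) if at is None else int(at)
    return hotp(secret_b32, now // STEP)


class TotpVerifier:
    """Server-side check: drift window plus one-time use of each code."""

    def __init__(self, secret_b32, window=1):
        self.secret = secret_b32
        self.window = window       # steps of tolerance on each side of "now"
        self.last_counter = -1     # highest time-step counter already consumed

    def verify(self, submitted, at=None):
        now = int(time.time()) if at is None else int(at)
        base = now // STEP
        for counter in range(base - self.window, base + self.window + 1):
            if counter <= self.last_counter:
                continue           # replay, or older than a code already used
            if hmac.compare_digest(hotp(self.secret, counter), submitted):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    secret = new_secret()
    print(provisioning_uri(secret, "test.user@example.com", "OWA Site"))
    print("current code:", totp(secret))
```

The one-time-use rule matters in the OWA flow: a code captured from a user and replayed within the same 30-second step would otherwise be accepted, so the verifier remembers the highest counter it has already honoured.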

To install Gluu Server for use as the authentication provider, Gluu provides packages for either Linux or Windows.

Specifically:

For Linux:

  • Download the latest .deb or .rpm package for your distro from Gluu’s docs site
  • Install via your package manager

For Windows:

  • Download the latest Gluu Server .msi installer package from docs site
  • Run the .msi package to install Gluu via Windows installer wizard

The Gluu documentation covers the specifics around system requirements and packages for various OSes here:

https://gluu.org/docs/gluu-server/installation-guide/

In general, for integrating Gluu with Active Directory and Exchange, installing Gluu Server directly on Windows Server (via their .msi) is likely the easiest approach.

But Gluu can run on Linux or Docker as well. The implementation steps for handling authentication requests from Exchange/OWA would be the same; only the OS-specific setup details would differ.
