{"id":2624,"date":"2023-12-16T20:36:56","date_gmt":"2023-12-16T18:36:56","guid":{"rendered":"https:\/\/itsimple.info\/?p=2624"},"modified":"2023-12-16T20:36:58","modified_gmt":"2023-12-16T18:36:58","slug":"how-to-set-2fa-on-local-on-perm-exchange-with-open-source-software-for-free","status":"publish","type":"post","link":"https:\/\/itsimple.info\/?p=2624","title":{"rendered":"How to SET 2FA on local on-prem Exchange with open source software for free"},"content":{"rendered":"\n<p>This post covers properly implementing Gluu&#8217;s multi-factor authentication with Exchange Server 2016 Outlook Web App (OWA). Here is an expanded step-by-step walkthrough:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Install Gluu Server on a separate server from Exchange\n<ul class=\"wp-block-list\">\n<li>Download the latest Gluu Community package<\/li>\n\n\n\n<li>Run the setup wizard to configure the base URL, encryption keys, LDAP settings and the admin password<\/li>\n\n\n\n<li>Verify that you can log in to Gluu at the setup URL with the admin credentials<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Enable the needed Gluu authentication plugins\n<ul class=\"wp-block-list\">\n<li>Log in to the Gluu Admin UI as administrator<\/li>\n\n\n\n<li>Navigate to Configuration &gt; Manage Authentication<\/li>\n\n\n\n<li>Enable the &#8220;Windows Authentication&#8221; and &#8220;Google Authenticator&#8221; plugins<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Add a test user and generate the user&#8217;s Google Authenticator secret\n<ul class=\"wp-block-list\">\n<li>Go to the Users page and create a new Person record<\/li>\n\n\n\n<li>Fill in first\/last name and email, and set the user password<\/li>\n\n\n\n<li>Edit the user and enable Google Authenticator under the OTP section<\/li>\n\n\n\n<li>Scan the QR code or enter the key into Google Authenticator on the user&#8217;s phone<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Add a Relying Party (RP) for the Exchange OWA site\n<ul class=\"wp-block-list\">\n<li>Go to the Relying Parties section in Gluu Admin<\/li>\n\n\n\n<li>Add a new RP with a descriptive name like &#8216;OWA 
Site&#8217;<\/li>\n\n\n\n<li>Set the configured Base URL to the URL of the OWA login page<\/li>\n\n\n\n<li>Set the allowed authentication methods to &#8216;Windows&#8217;<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Configure Gluu as Central Authentication Server\n<ul class=\"wp-block-list\">\n<li>Stop the Exchange 2016 IIS service<\/li>\n\n\n\n<li>Open the ADSI Edit tool to access the Exchange Auth registry key<\/li>\n\n\n\n<li>Modify the key to make Gluu priority 1 for authentication<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Update OWA Authentication Providers\n<ul class=\"wp-block-list\">\n<li>In the Exchange IIS Authentication settings<\/li>\n\n\n\n<li>Enable Windows Auth and Basic Auth<\/li>\n\n\n\n<li>Require both providers to be satisfied<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Validate the full MFA login end-to-end\n<ul class=\"wp-block-list\">\n<li>Open the OWA URL and ensure you are redirected to the Gluu login<\/li>\n\n\n\n<li>Enter the test username and password<\/li>\n\n\n\n<li>Approve the prompt on Google Authenticator<\/li>\n\n\n\n<li>Validate that login to OWA with MFA succeeds<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<p>Here are the specific steps to use ADSI Edit to configure Gluu as the priority authentication provider for Exchange 2016:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Open ADSI Edit (comes with Windows Server)<\/li>\n\n\n\n<li>In the console tree, navigate to: Configuration &gt; Services &gt; Microsoft Exchange &gt;&nbsp;&lt;Your Exchange Server&gt;&nbsp;&gt; Protocols &gt; IMAP4<\/li>\n\n\n\n<li>In the right pane, right-click the &#8220;IMAP4&#8221; node and select &#8220;Properties&#8221;<\/li>\n\n\n\n<li>Select the property called &#8220;AuthProviderPriority&#8221; in the list<\/li>\n\n\n\n<li>Click Edit and in the Value field enter: Gluu\/Gluu Manager,1;NTAuth,2<\/li>\n\n\n\n<li>Click OK to set this new priority order<\/li>\n<\/ol>\n\n\n\n<p>This gives the Gluu authentication provider the highest priority (1) over standard Windows NT auth.<\/p>\n\n\n\n<p>Essentially we are telling Exchange that when an authentication 
request comes in for something like OWA, it should route to Gluu first rather than the normal NT auth provider.<\/p>\n\n\n\n<p>Here are the steps to enable the Windows Authentication and Google Authenticator plugins within the Gluu Admin UI:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Log in to the Gluu Admin UI (at the setup URL, e.g.&nbsp;<a href=\"https:\/\/gluu.example.com\/identity\/admin\">https:\/\/gluu.example.com\/identity\/admin<\/a>)<\/li>\n\n\n\n<li>Click &#8220;Configuration&#8221; at the top<\/li>\n\n\n\n<li>Click &#8220;Manage Authentication&#8221; under the Integration heading<\/li>\n\n\n\n<li>This displays the list of installed authentication modules. Look for:\n<ul class=\"wp-block-list\">\n<li>&#8220;Windows Authentication&#8221;<\/li>\n\n\n\n<li>&#8220;Google Authenticator Authentication&#8221;<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>For both of those modules:\n<ul class=\"wp-block-list\">\n<li>Check the box on the left for that plugin<\/li>\n\n\n\n<li>On the top right, click the yellow &#8220;Activate selected&#8221; button<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Confirm that the &#8220;Windows Authentication&#8221; and &#8220;Google Authenticator Authentication&#8221; plugins now show as Activated<\/li>\n<\/ol>\n\n\n\n<p>This enables Windows integrated auth to delegate to Gluu&#8217;s login page, and allows associating a user&#8217;s Google Authenticator app for TOTP multi-factor authentication at login.<\/p>\n\n\n\n<p>To install Gluu Server for use as the authentication provider, Gluu provides packages for either Linux or Windows.<\/p>\n\n\n\n<p>Specifically:<\/p>\n\n\n\n<p>For Linux:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Download the latest .deb or .rpm package for your distro from Gluu&#8217;s docs site<\/li>\n\n\n\n<li>Install it via your package manager<\/li>\n<\/ul>\n\n\n\n<p>For Windows:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Download the latest Gluu Server .msi installer package from the docs site<\/li>\n\n\n\n<li>Run the .msi package to install Gluu via the Windows 
installer wizard<\/li>\n<\/ul>\n\n\n\n<p>The Gluu documentation covers the specifics around system requirements and packages for various OSes here:<\/p>\n\n\n\n<p><a href=\"https:\/\/gluu.org\/docs\/gluu-server\/installation-guide\/install-centos\/\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/gluu.org\/docs\/gluu-server\/installation-guide\/<\/a><\/p>\n\n\n\n<p>In general, for integrating Gluu with Active Directory and Exchange, installing Gluu Server directly on Windows Server (via their .msi) is likely the easiest approach.<\/p>\n\n\n\n<p>Gluu can also run on Linux or Docker. The implementation steps for handling authentication requests from Exchange\/OWA would be the same; only the OS-specific setup details would differ.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This post covers properly implementing Gluu&#8217;s multi-factor authentication with Exchange Server 2016 Outlook Web App (OWA). Here is an expanded step-by-step walkthrough: Here are the specific steps to use ADSI Edit to configure Gluu as the priority authentication provider for Exchange 2016: This gives the Gluu authentication provider the highest priority (1) over standard Windows NT auth. 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[16,20,13,8,9,21,6,4,12,18,19,14,15],"tags":[],"class_list":["post-2624","post","type-post","status-publish","format-standard","hentry","category-centos","category-hyper-v","category-linux","category-microsoft-exchange-2013","category-microsoft-exchange-2016","category-operating-systems","category-software","category-tech","category-tutorials","category-virtualization","category-vmware","category-windows","category-windows-server"],"_links":{"self":[{"href":"https:\/\/itsimple.info\/index.php?rest_route=\/wp\/v2\/posts\/2624","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/itsimple.info\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/itsimple.info\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/itsimple.info\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/itsimple.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2624"}],"version-history":[{"count":0,"href":"https:\/\/itsimple.info\/index.php?rest_route=\/wp\/v2\/posts\/2624\/revisions"}],"wp:attachment":[{"href":"https:\/\/itsimple.info\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2624"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/itsimple.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2624"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/itsimple.info\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2624"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}