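<#
.SYNOPSIS
    Configures AD FS claims-based authentication for Exchange 2013 SP1 OWA and ECP.

.DESCRIPTION
    Run this script locally on each server in turn and pick its role from the prompt:
      - AD FS Federation Service server : creates the two relying-party trusts
                                          (Outlook Web App, Exchange Admin Center).
      - AD FS Web Application Proxy     : publishes OWA and ECP with AD FS
                                          pre-authentication.
      - Exchange 2013 SP1 CAS server    : points the organization at the AD FS
                                          issuer and switches the OWA/ECP virtual
                                          directories to AD FS authentication only.

    Edit the URLs and thumbprints below to match your environment before running.
#>

# Fail fast: a cmdlet that fails (for example New-PSSession on the Exchange
# server) must not let the following steps run against a half-configured system.
$ErrorActionPreference = 'Stop'

#OWA URL
$owaURL = "https://mail.homelab.net/owa"
#ECP URL
$ecpURL = "https://mail.homelab.net/ecp"
#WebApplication Proxy Certificate Thumbprint (certificate presented on the external URLs)
$WebApplicationProxyCertThumbprint = "E154575C1B6C77AB5B8FDDB702D25ED08C58F116"
#ADFS Signing Certificate Thumbprint (Exchange validates token signatures against it)
$ADFSSigningCertificateThumbprint = "BFA9D8A6A763171CE9C9A2DA26A08ABCE65C0E62"
#ADFS Issuer URL
$ADFSIssuerURL = "https://sts.homelab.net/adfs/ls/"

#######################################
# The following function is only for ADFS Federation Service Servers.
# Creates the relying-party trusts for OWA and ECP using the script-scope
# $owaURL / $ecpURL values. Outputs a completion message to the console.
#######################################
function fnADFSServiceServers {
    # Authorization rule: the AllowAllAuthzRule template issues a token to every
    # user AD FS has authenticated. Replace it with a narrower rule if only a
    # subset of users should be able to reach OWA/ECP through AD FS.
    $IssuanceAuthorizationRules = @'
@RuleTemplate = "AllowAllAuthzRule"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

    # Transform rules: look up the user's primary SID, group SIDs and UPN in
    # Active Directory and issue them as claims to the relying party.
    $IssuanceTransformRules = @'
@RuleName = "ActiveDirectoryUserSID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"), query = ";objectSID;{0}", param = c.Value);

@RuleName = "ActiveDirectoryGroupSID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"), query = ";tokenGroups(SID);{0}", param = c.Value);

@RuleName = "ActiveDirectoryUPN"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);
'@

    # Settings shared by both trusts.
    $commonTrustSettings = @{
        Enabled                    = $true
        IssuanceTransformRules     = $IssuanceTransformRules
        IssuanceAuthorizationRules = $IssuanceAuthorizationRules
    }

    Add-ADFSRelyingPartyTrust -Name "Outlook Web App" -Notes "This is a trust for $owaURL" `
        -WSFedEndpoint $owaURL -Identifier $owaURL @commonTrustSettings
    Add-ADFSRelyingPartyTrust -Name "Exchange Admin Center (EAC)" -Notes "This is a trust for $ecpURL" `
        -WSFedEndpoint $ecpURL -Identifier $ecpURL @commonTrustSettings

    Write-Host "Active Directory Federation Service Server Configuration Complete"
}

#######################################
# The following function is only for Web Application Proxies.
# Publishes OWA and ECP through the proxy with AD FS pre-authentication; the
# -ADFSRelyingPartyName values must match the trust names created by
# fnADFSServiceServers. Outputs a completion message to the console.
#######################################
function fnWebApplicationProxies {
    # Settings shared by both published applications.
    $commonProxySettings = @{
        ExternalCertificateThumbprint = $WebApplicationProxyCertThumbprint
        ExternalPreAuthentication     = 'ADFS'
    }

    Add-WebApplicationProxyApplication -Name 'OWA' -BackendServerUrl "$owaURL/" -ExternalUrl "$owaURL/" `
        -ADFSRelyingPartyName 'Outlook Web App' @commonProxySettings
    Add-WebApplicationProxyApplication -Name 'EAC' -BackendServerUrl "$ecpURL/" -ExternalUrl "$ecpURL/" `
        -ADFSRelyingPartyName 'Exchange Admin Center (EAC)' @commonProxySettings

    Write-Host "Web Application Proxy Configuration Complete"
}

#######################################
# The following function is only for Exchange 2013 SP1 Servers.
# Connects to the local Exchange Management endpoint, sets the organization's
# AD FS issuer/audience/signing certificate, switches the ECP and OWA virtual
# directories to AD FS authentication only, and restarts IIS.
# Outputs completion messages to the console.
#######################################
function fnExchangeServers {
    # Remote into the local Exchange Management endpoint; Kerberos authenticates
    # the current user without prompting for credentials.
    $s = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionURI "http://$($env:ComputerName)/PowerShell/" -Authentication Kerberos
    try {
        Import-PSSession $s

        $uris = @($owaURL, $ecpURL)
        Set-OrganizationConfig -AdfsIssuer $ADFSIssuerURL -AdfsAudienceUris $uris `
            -AdfsSignCertificateThumbprint $ADFSSigningCertificateThumbprint
        Write-Host "Exchange Organization Configuration Complete"

        # Only AD FS authentication stays enabled on ECP and OWA; Basic, Digest,
        # Forms and Windows authentication are switched off so the virtual
        # directories accept AD FS tokens only. LiveId and OAuth authentication
        # are deliberately left untouched (they were commented out in the
        # original script).
        $authSettings = @{
            AdfsAuthentication    = $true
            BasicAuthentication   = $false
            DigestAuthentication  = $false
            FormsAuthentication   = $false
            WindowsAuthentication = $false
        }
        Get-EcpVirtualDirectory | Set-EcpVirtualDirectory @authSettings
        Get-OwaVirtualDirectory | Set-OwaVirtualDirectory @authSettings
    }
    finally {
        # Always tear down the remote session, even when a cmdlet above threw.
        Remove-PSSession $s
    }

    # The authentication change on the virtual directories takes effect after IIS
    # restarts; /Noforce lets in-flight requests finish first.
    IISReset /Noforce
    Write-Host "Exchange Virtual Directory Configuration Complete"
}

#Displays Selection Popup Box
$title = "Select Server Role"
$message = "Select the role of the server you are currently configuring.`r`n-This script must be ran locally on the server you are configuring.`r`n-Ensure you have modified the parameters in this script to match your environment or click Cancel to do so now."
$ADFS = New-Object System.Management.Automation.Host.ChoiceDescription "&AD Federation Server", "AD FS Federation Service Server."
$ADFP = New-Object System.Management.Automation.Host.ChoiceDescription "AD &Federation Proxy", "AD FS Federation Proxy."
$Exchange = New-Object System.Management.Automation.Host.ChoiceDescription "&Exchange 2013 SP1 CAS Server", "Exchange 2013 SP1 CAS Server."
$Cancel = New-Object System.Management.Automation.Host.ChoiceDescription "&Cancel", "Cancel."
$options = [System.Management.Automation.Host.ChoiceDescription[]]($ADFS, $ADFP, $Exchange, $Cancel)
# Default choice (index 0) is the Federation Server role.
$result = $host.ui.PromptForChoice($title, $message, $options, 0)

switch ($result) {
    0 { fnADFSServiceServers }    #Configures Federation Service Servers
    1 { fnWebApplicationProxies } #Configures Web Application Proxy Servers
    2 { fnExchangeServers }       #Configures Exchange Servers
    3 { Exit }                    #Terminates Script
}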