Microsoft Exchange - OWA - MFA
This document explains how to implement Monosign with Microsoft Exchange - OWA.
📑 Instructions
This documentation contains four main steps for the integration.
Creating an Application on Monosign
Configuring Single Sign-On for Microsoft Exchange - OWA
Assign a user to the Microsoft Exchange - OWA app
Sign In Test
1- Creating an Application on Monosign
Create your application on Monosign and configure its access policy. Once it is created, click “Keys” and add a new Rest API Access Key.
You will need this key and secret while configuring the Microsoft Exchange - OWA app.
Your application needs access to users’ groups. If you have not configured this yet, edit your application, go to the “Source, Provider and Profile” tab, and set User Group Access Type to “Assigned Users and Defined Sources”. This means the application can read users’ groups when they sign in.
Property | Description | Options
---|---|---
User Access Type | Defines which users can access this application. | Only Assigned Users
User Group Access Type | Defines the application’s access to users’ groups. | Only Assigned Users
Profile Access Type | Defines the application’s access to user profile attributes. | Restricted - Only restricted user profile attributes
2- Configure your OWA App on IIS
2.1- Install IIS Module Files
Monosign MFA for Exchange OWA works through an IIS module. Before continuing, download the zip file below.
⬇️ Download the latest IIS Module.
The zip file contains the following files.
Copy the IIS Module “dll” files into your application’s “bin” folder.
For OWA, use the path below.
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\bin
Create the bin directory if it does not exist.
2.2- Configure OWA
Connect to your OWA server and open IIS Manager (run inetmgr.exe).
Expand your computer name, click Sites, double-click “Default Web Site”, then right-click “owa” and click “Explore”. An Explorer window opens with the OWA configuration files.
Back up your web.config file first, just in case.
Right-click web.config and open it with Notepad.
Add your settings inside the appSettings section.
<add key="MONOSIGN_API_URL" value="https://your-api-url/"/>
<add key="MONOSIGN_API_KEY" value="your-api-key"/>
<add key="MONOSIGN_API_SECRET" value="your-api-secret"/>
<add key="MONOSIGN_DEBUG_MODE" value="true"/>
<add key="MONOSIGN_LOG_PATH" value="log-directory"/>
<add key="MONOSIGN_USER_EXCEPTIONS" value="if-you-have-type-email@address"/>
Then add the following line to the end of the system.webServer/modules section.
<add name="MonoSignExchange" type="MonoSign.IISModule.MSExchange, MonoSign.IISModule"/>
Save the file. It will take a couple of minutes for the app to restart.
Multiple User Sources on Monosign (Optional)
If you use multiple User Sources in Monosign and want to specify which User Source Exchange should use, add one more line to appSettings:
<add key="MONOSIGN_USER_SOURCE" value="MONOFOR"/>
This setting refers to your Active Directory User Source on Monosign; you can give either the User Source name or its Domain Name.
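As an added example (not part of the Monosign documentation or its module), the following PowerShell script applies steps 2.1 and 2.2 on the Exchange server: it creates the bin folder, keeps a timestamped backup of web.config, and adds the appSettings keys and the module entry only if they are not already present, so running it twice does not create duplicate entries. It assumes the default Exchange install path, that web.config already has a system.webServer/modules section, and placeholder values that you must replace with your own.

```powershell
# Added example, not Monosign's own code. Assumes the default Exchange install path and
# that web.config already contains configuration/system.webServer/modules.
$owaRoot = 'C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa'
$cfgPath = Join-Path $owaRoot 'web.config'
$binPath = Join-Path $owaRoot 'bin'

# Replace the placeholder values with your application's Rest API key and secret.
$settings = [ordered]@{
    'MONOSIGN_API_URL'         = 'https://your-api-url/'
    'MONOSIGN_API_KEY'         = 'your-api-key'
    'MONOSIGN_API_SECRET'      = 'your-api-secret'
    'MONOSIGN_DEBUG_MODE'      = 'true'
    'MONOSIGN_LOG_PATH'        = 'C:\monosign-logs'   # the path read in Troubleshooting
    'MONOSIGN_USER_EXCEPTIONS' = 'if-you-have-type-email@address'
    # 'MONOSIGN_USER_SOURCE'   = 'MONOFOR'            # optional: multiple User Sources
}

# Step 2.1: the module DLLs go under owa\bin; create the folder if it is missing.
if (-not (Test-Path $binPath)) { New-Item -ItemType Directory -Path $binPath | Out-Null }

# Step 2.2: keep a timestamped backup before editing web.config.
Copy-Item $cfgPath ("{0}.{1}.bak" -f $cfgPath, (Get-Date -Format 'yyyyMMdd-HHmmss'))

[xml]$xml = Get-Content -Path $cfgPath -Raw
$appSettings = $xml.SelectSingleNode('/configuration/appSettings')
if (-not $appSettings) {
    $appSettings = $xml.DocumentElement.AppendChild($xml.CreateElement('appSettings'))
}
foreach ($key in $settings.Keys) {
    $existing = $appSettings.SelectSingleNode("add[@key='$key']")
    if ($existing) {
        $existing.SetAttribute('value', $settings[$key])    # update in place, no duplicate
    } else {
        $node = $xml.CreateElement('add')
        $node.SetAttribute('key', $key)
        $node.SetAttribute('value', $settings[$key])
        $appSettings.AppendChild($node) | Out-Null
    }
}

# Register the module once, at the end of system.webServer/modules.
$modules = $xml.SelectSingleNode('/configuration/system.webServer/modules')
if (-not $modules.SelectSingleNode("add[@name='MonoSignExchange']")) {
    $mod = $xml.CreateElement('add')
    $mod.SetAttribute('name', 'MonoSignExchange')
    $mod.SetAttribute('type', 'MonoSign.IISModule.MSExchange, MonoSign.IISModule')
    $modules.AppendChild($mod) | Out-Null
}
$xml.Save($cfgPath)   # saving triggers the app restart described above
```

Run it from an elevated PowerShell on the OWA server; the .bak file it writes next to web.config is what you restore if sign-in breaks.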
3- Sign In Test
Now try logging in. Navigate to the Microsoft Exchange - OWA app and click Monosign on the UI.
Troubleshooting
If you cannot sign in to OWA, one of the following may be the cause.
The user is not assigned to the application.
The user has not configured MFA properly.
Check the log files if the error is not shown clearly.
4- Troubleshooting
If you run into any issue while trying to log in to OWA, look at the log files under c:\monosign-logs.
Issue 1 - Monosign API Access
Log
[MONOFOR\john.smith] By-username result is 0
[] https://mail.monofor.com/owa/auth/errorFE.aspx?httpCode=500
By-username result is 0
means the Exchange server cannot reach the monosign-api services. Check your firewall to allow this communication.
Issue 2 - Invalid Key or Secret
Log
[MONOFOR\john.smith] By-username result is OK {"InternalMessage":"Invalid Application Key","Code":12,"Success":false}
[] https://mail.monofor.com/owa/auth/errorFE.aspx?httpCode=500
[] White listed: /owa/auth/errorFE.aspx?httpCode=500
{"InternalMessage":"Invalid Application Key","Code":12,"Success":false}
means your application key or secret is invalid. Check your application settings, then verify the configuration values in web.config on your Exchange server.
Issue 3 - Permission Denied
Log
[MONOFOR\john.smith] Mfa result is Forbidden {"Message":"Permission Denied","InternalMessage":"This user not assigned to this application.","Code":22,"Success":false}
[] https://mail.monofor.com/owa/auth/errorFE.aspx?httpCode=500
[] White listed: /owa/auth/errorFE.aspx?httpCode=500
Mfa result is Forbidden {"Message":"Permission Denied","InternalMessage":"This user not assigned to this application.","Code":22,"Success":false}
means your user is not assigned to the OWA application in Monosign. Assign the user, then retry.