1. If you install the AD FS role on a domain controller, follow the steps here first: https://support.microsoft.com/en-us/kb/2832204 to grant the "Log on as a service" right to "NT SERVICE\ALL SERVICES"
2. Follow instructions at http://blog.ittoby.com/2014/04/web-application-proxy-server-in-2012-r2.html
3. Add "Authenticated Users" to the "Pre-Windows 2000 Compatible Access" group in Active Directory (reference). Note that membership in this group gives every authenticated principal read access to user and group attributes domain-wide, so treat it as a deliberate relaxation of the default permissions rather than a harmless checkbox.
4. Configure the Web Application Proxy to support *all* Exchange services: http://searchexchange.techtarget.com/tip/How-to-configure-Active-Directory-to-publish-Exchange-to-the-Internet
5. Point your firewall's NAT policy to the WAP server instead of the Exchange server.
6. Allow end-users to change expired passwords by running this on the AD FS server (source):
Enable-AdfsEndpoint "/adfs/portal/updatepassword/"
Set-AdfsEndpoint "/adfs/portal/updatepassword/" -Proxy:$true
Restart-Service AdfsSrv -Force
7. If you support Outlook 2011 clients on a Mac, you'll need to add a wildcard certificate binding per https://blogs.technet.microsoft.com/applicationproxyblog/2014/06/19/how-to-support-non-sni-capable-clients-with-web-application-proxy-and-ad-fs-2012-r2/ because Outlook 2011 doesn't support the Server Name Indication (SNI) extension of TLS. Without a fallback binding on the IP:port, a non-SNI client gets no certificate at all and the TLS handshake fails.
Note: the command below seems to need to be run from a CMD prompt, not PowerShell.
Example:
netsh http add sslcert ipport=0.0.0.0:443 certhash=2ff79b325a0c4aa4eb5cb04b1330ff78750a1639 appid={f955c070-e044-456c-ac00-e9e4275b3f04}
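The same fallback binding can be created from PowerShell if each netsh argument is quoted so the braces in the app ID aren't parsed as a script block. The script below is an added example, not code from the original page or from the linked blog post: it reads the existing hostname binding for the federation service with `netsh http show sslcert`, reuses its certificate hash and application ID, confirms the certificate is present in LocalMachine\My, and only then adds the 0.0.0.0:443 binding. The federation service name is a placeholder, and the parser assumes the English-locale netsh output format of Server 2012 R2 / 2016.

```powershell
# Added example: create the non-SNI fallback binding by reusing the hash and
# app ID of the existing AD FS hostname binding.
# Assumptions: 'sts.example.com' is a placeholder for your federation service
# name; netsh output is in the English Server 2012 R2 / 2016 format.
param(
    [string]$FederationServiceName = 'sts.example.com',   # placeholder
    [string]$FallbackIpPort        = '0.0.0.0:443'
)

function Get-SslCertBindings {
    # Parse 'netsh http show sslcert' into objects with Endpoint, Hash, AppId.
    # Each binding block starts with either 'Hostname:port' (SNI) or 'IP:port'.
    $bindings = @()
    $current  = $null
    foreach ($line in (netsh http show sslcert)) {
        if ($line -match '^\s*(Hostname:port|IP:port)\s*:\s*(\S+)') {
            if ($current) { $bindings += $current }
            $current = [pscustomobject]@{ Endpoint = $Matches[2]; Hash = $null; AppId = $null }
        } elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*([0-9a-fA-F]+)') {
            $current.Hash = $Matches[1]
        } elseif ($current -and $line -match '^\s*Application ID\s*:\s*(\{[0-9a-fA-F-]+\})') {
            $current.AppId = $Matches[1]
        }
    }
    if ($current) { $bindings += $current }
    return $bindings
}

$bindings = Get-SslCertBindings
$source   = $bindings | Where-Object { $_.Endpoint -ieq "${FederationServiceName}:443" }
if (-not $source) {
    throw "No SNI binding found for ${FederationServiceName}:443; is AD FS / WAP configured on this host?"
}

if ($bindings | Where-Object { $_.Endpoint -eq $FallbackIpPort }) {
    Write-Host "Fallback binding on $FallbackIpPort already exists; nothing to do."
    return
}

# The fallback binding must present a certificate that covers every published
# hostname (wildcard or SAN), so make sure the hash really exists in the store
# and show what it is before binding it to all IPs.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -ieq $source.Hash
if (-not $cert) { throw "Certificate $($source.Hash) not found in LocalMachine\My" }
Write-Host "Binding '$($cert.Subject)' (expires $($cert.NotAfter)) to $FallbackIpPort"

# Every argument is its own quoted string so PowerShell hands the literal
# braces in appid={...} to netsh instead of treating them as a script block.
& netsh http add sslcert "ipport=$FallbackIpPort" "certhash=$($source.Hash)" "appid=$($source.AppId)"
if ($LASTEXITCODE -ne 0) { throw "netsh failed with exit code $LASTEXITCODE" }
```

Run it in an elevated PowerShell session on the WAP server. If the certificate on the hostname binding is not a wildcard or SAN certificate covering all published names, import the wildcard certificate first and substitute its thumbprint for `$source.Hash`; the app ID should still be the one already used by the AD FS binding.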
Update after configuring AD FS on Server 2016 at a different site:
1) I was getting tons and tons of errors in the Application Event log - ID 28005 - "An exception occurred while enqueueing a message in the target queue. Error: 15404, State: 19. Could not obtain information about Windows NT group/user 'XXX\XXX', error code 0x5." (0x5 is ERROR_ACCESS_DENIED: the Windows Internal Database behind AD FS could not read the account's group membership.)
This was resolved by right-clicking the OU which contains my ADFS service account and delegating the "read all attributes" permission to "Authenticated Users". (reference) Be aware this exposes every attribute of every object in that OU to all authenticated users; granting the same read permission to the AD FS service account alone is the narrower fix.
2) Windows Authentication wasn't working. This was resolved by deleting the internal CNAME DNS record for adfs.domain.com and replacing it with an A record. (reference)
3) An invaluable list of ADFS customizations for Server 2016 (including how to enable changing of expired passwords)
How to deal with an expired application certificate:
After you add the new application certificate to both the target host (e.g. the Exchange server) and your Web Application Proxy server, you need to either remove and re-add the associated application in the Web Application Proxy GUI, or use PowerShell to update the certificate the published application presents. Here's an example of the PowerShell syntax:
Get-WebApplicationProxyApplication -Name Autodiscover | Set-WebApplicationProxyApplication -ExternalCertificateThumbprint 50F089C9DF06EC5EC48C2110BDC3AE28BAA73543
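Doing this one application at a time is error-prone when Exchange has half a dozen published endpoints (OWA, ECP, EWS, ActiveSync, OAB, Autodiscover). The script below is an added example, not from the original page: it verifies the replacement certificate is in LocalMachine\My, unexpired, and has a private key, finds every published application still using the old thumbprint, checks that the new certificate's DNS names actually cover each application's external hostname, and then updates them. Both thumbprints are placeholders you supply.

```powershell
# Added example: rotate the external certificate on every published WAP
# application that still references the expired thumbprint.
# Assumptions: the renewed certificate has already been imported into
# LocalMachine\My on this WAP server; $OldThumbprint / $NewThumbprint are
# placeholders supplied by the operator.
param(
    [Parameter(Mandatory)] [string]$OldThumbprint,
    [Parameter(Mandatory)] [string]$NewThumbprint
)

function Test-CertCoversHost {
    # True if the certificate's SAN/DNS names include $HostName directly or
    # via a single-label wildcard (*.example.com matches mail.example.com only).
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$HostName
    )
    foreach ($dns in $Cert.DnsNameList) {
        $name = $dns.Unicode
        if ($name -ieq $HostName) { return $true }
        if ($name.StartsWith('*.')) {
            $pattern = '^[^.]+' + [regex]::Escape($name.Substring(1)) + '$'
            if ($HostName -imatch $pattern) { return $true }
        }
    }
    return $false
}

# Sanity-check the replacement certificate before touching any application.
$new = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -ieq $NewThumbprint
if (-not $new)              { throw "Certificate $NewThumbprint not found in LocalMachine\My" }
if (-not $new.HasPrivateKey) { throw "Certificate $NewThumbprint has no private key; WAP cannot use it" }
if ($new.NotAfter -lt (Get-Date)) { throw "Certificate $NewThumbprint is already expired ($($new.NotAfter))" }
Write-Host "Replacement: '$($new.Subject)', valid until $($new.NotAfter)"

$apps = Get-WebApplicationProxyApplication | Where-Object ExternalCertificateThumbprint -ieq $OldThumbprint
if (-not $apps) { Write-Host "No published applications reference $OldThumbprint"; return }

foreach ($app in $apps) {
    $hostName = ([uri]$app.ExternalUrl).Host
    if (-not (Test-CertCoversHost -Cert $new -HostName $hostName)) {
        # Skip rather than publish a name the certificate does not cover;
        # clients would get a name-mismatch error instead of an expiry error.
        Write-Warning "Skipping '$($app.Name)': $hostName is not in the new certificate's DNS names"
        continue
    }
    Write-Host "Updating '$($app.Name)' ($($app.ExternalUrl))"
    Set-WebApplicationProxyApplication -ID $app.ID -ExternalCertificateThumbprint $NewThumbprint
}

# Show the result so a leftover reference to the old thumbprint is obvious.
Get-WebApplicationProxyApplication |
    Select-Object Name, ExternalUrl, ExternalCertificateThumbprint |
    Format-Table -AutoSize
```

Run it on the WAP server in an elevated session. The hostname check matters because Exchange is typically published under several names; if the renewed certificate dropped a SAN entry, this is where you find out, before users do.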