Changing OWA Authentication via PowerShell

Adding and removing authentication types for OWA may not be an everyday task; in fact, these settings may never change. However, if you do need to change them, they usually need to be consistent across all servers hosting OWA. The same authentication types also need to be configured on the ECP virtual directory.

The purpose of this script is to provide a simple menu-driven approach to performing those tasks, whether in a production or test environment. The script allows modification of these authentication methods:

  • ADFS Authentication
  • Basic Authentication
  • Digest Authentication
  • Forms Authentication
  • Windows Authentication
  • OAuth Authentication


Script Menu

[Screenshot: script menu]

Notice that along with changing the OWA Virtual Directory Authentication, you can reset IIS or check what the current settings are for authentication.

[Screenshot: current OWA authentication state]

Notice that these are not the default authentication settings. LiveID is not included because the Set command will not allow it to be configured.

Script In Action

ADFS Authentication Change

[Screenshot: ADFS authentication change run-through]

IIS Reset

[Screenshot: IIS reset]

All of the authentication changes require an IIS reset, so being able to run either a /noforce reset or a forced restart of IIS from the same menu is useful after your changes have been made.

The Script

<#  
.SYNOPSIS
   	This script will modify the various Authentication settings for the OWA virtual directory

.DESCRIPTION  
    

.NOTES  
    Version      		: 1.0
    Wish list			: 
    Rights Required		: Local admin on server
    Sched Task Req'd		: No
    Exchange Version		: 2013
    Author       		: Just A UC Guy [JAUCG]
    Email/Blog/Twitter	        : ( ) 	https://justaucguy.wordpress.com/
    Dedicated Blog		: https://justaucguy.wordpress.com/
    Disclaimer   		: You are on your own.  This was not written by, supported by, or endorsed by Microsoft.
    Info Stolen from 		: None, all hand written code.

.LINK  
[TBD]

.EXAMPLE
	.\Changes-OWAAuthSettings

.INPUTS
	None. You cannot pipe objects to this script.
#>

param(
	[parameter(ValueFromPipeline=$false, ValueFromPipelineByPropertyName=$false, Mandatory=$false)] 
	[string] $strFilenameTranscript = $MyInvocation.MyCommand.Name + " " + (hostname)+ " {0:yyyy-MM-dd hh-mmtt}.log" -f (Get-Date),
	[parameter(ValueFromPipeline=$false, ValueFromPipelineByPropertyName=$true, Mandatory=$false)] 
	[string] $TargetFolder = "c:\Install",
	# [string] $TargetFolder = $Env:Temp
	[parameter(ValueFromPipeline=$false, ValueFromPipelineByPropertyName=$false, Mandatory=$false)] 
	[bool] $WasInstalled = $false,
	[parameter(ValueFromPipeline=$false, ValueFromPipelineByPropertyName=$false, Mandatory=$false)] 
	[bool] $RebootRequired = $false,
	[parameter(ValueFromPipeline=$false, ValueFromPipelineByPropertyName=$false, Mandatory=$false)] 
	[string] $opt = "None",
	[parameter(ValueFromPipeline=$false, ValueFromPipelineByPropertyName=$false, Mandatory=$false)] 
	[bool] $HasInternetAccess = ([Activator]::CreateInstance([Type]::GetTypeFromCLSID([Guid]'{DCB00C01-570F-4A9B-8D69-199FDBA5723B}')).IsConnectedToInternet)
)

Start-Transcript -path .\$strFilenameTranscript | Out-Null
$error.clear()
Clear-Host
Pushd

[string] $menu = @'
	
    ***********************************************************
            OWA Virtual Directory Configuration Menu
    ***********************************************************

    (1) ADFS Authentication                  
    (2) Basic Authentication  
    (3) Digest Authentication                               
    (4) Forms Authentication               
    (5) Windows Authentication                               
    (6) OAuth Authentication

    Resetting IIS
    (7) Perform an IIS Reset /noforce
    (8) Restart IIS forcefully

    Authentication Check
    (9) Status of Authentication Settings

Select an option.. [1-9 or 99]?
'@

function adfsauthentication {
    write-host "Processing ..." -ForegroundColor Red
    write-host " "
    $value = get-owavirtualdirectory
    write-host "Currently ADFS Authentication is set to:"
    foreach ($line in $value) {$line.servername+","+$line.adfsauthentication}
    write-host "Do you want to change the ADFS Authentication setting: " -ForegroundColor green -NoNewline
    $choice = read-host
    if ($choice -eq "y") {
        write-host "What value would you like to make it?  Valid choices are " -nonewline
        write-host '<$true | $false> ' -ForegroundColor green -nonewline
        [string]$adfsauth = read-host
        $value2 = get-ecpvirtualdirectory
        if ($adfsauth -eq '$true') {
            foreach ($line in $value2) {
                $name = $line.server.name
                if ($line.adfsauthentication -eq $false ) {
                    write-host "The ECP Virtual Directory needs to be configured as '$true' on $name in order for this to work.  Would you like to configure that now? "  -nonewline -ForegroundColor yellow
                    $ecp = read-host
                    if ($ecp -eq "y") {
                        get-ecpvirtualdirectory -server $name | set-ecpvirtualdirectory -adfsauthentication $true
                        get-owavirtualdirectory -server $name | set-owavirtualdirectory -adfsauthentication $true
                    } else { 
                        write-host "Change not made!"  -ForegroundColor red
                    }
                } else {
                    get-owavirtualdirectory -server $name | set-owavirtualdirectory -adfsauthentication $true
                }
            }
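        } elseif ($adfsauth -eq '$false') {
            # Only an explicit '$false' disables the method; any other input leaves the settings untouched.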
            foreach ($line in $value2) {
                $name = $line.server.name  
                if ($line.adfsauthentication -eq $true ) {
                    write-host "The ECP Virtual Directory needs to be configured as '$false' on $name in order for this to work.  Would you like to configure that now? "  -nonewline -ForegroundColor yellow
                    $ecp = read-host
                    if ($ecp -eq "y") {
                        get-owavirtualdirectory -server $name | set-owavirtualdirectory -adfsauthentication $false
                        get-ecpvirtualdirectory -server $name | set-ecpvirtualdirectory -adfsauthentication $false
                    } else { 
                        write-host "Change not made!"  -ForegroundColor red
                    }
                } else {
                    get-owavirtualdirectory -server $name | set-owavirtualdirectory -adfsauthentication $false
                }
            }
        }
    }
    write-host " "
    write-host "ADFS Authentication - After:" -foregroundcolor cyan
    Get-OwaVirtualDirectory |ft servername,adfs* -auto
}

function basicauthentication {
    write-host "Processing ..." -ForegroundColor Red
    write-host " "
    $value = get-owavirtualdirectory
    write-host "Currently Basic Authentication is set to:"
    foreach ($line in $value) {$line.servername+","+$line.basicauthentication}
    write-host "Do you want to change the Basic Authentication setting: " -ForegroundColor green -NoNewline
    $choice = read-host
    if ($choice -eq "y") {
        write-host "What value would you like to make it?  Valid choices are " -nonewline
        write-host '<$true | $false> ' -ForegroundColor green -nonewline
        [string]$basicauth = read-host
        $value2 = get-ecpvirtualdirectory
        if ($basicauth -eq '$true') {
            foreach ($line in $value2) {
                $name = $line.server.name
                if ($line.basicauthentication -eq $false ) {
                    write-host "The ECP Virtual Directory needs to be configured as '$true' on $name in order for this to work.  Would you like to configure that now? "  -nonewline -ForegroundColor yellow
                    $ecp = read-host
                    if ($ecp -eq "y") {
                        get-ecpvirtualdirectory -server $name | set-ecpvirtualdirectory -basicauthentication $true
                        get-owavirtualdirectory -server $name | set-owavirtualdirectory -basicauthentication $true
                    } else { 
                        write-host "Change not made!"  -ForegroundColor red
                    }
                } else {
                    get-owavirtualdirectory -server $name | set-owavirtualdirectory -basicauthentication $true
                }
            }
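        } elseif ($basicauth -eq '$false') {
            # Only an explicit '$false' disables the method; any other input leaves the settings untouched.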
            foreach ($line in $value2) {
                $name = $line.server.name  
                if ($line.basicauthentication -eq $true ) {
                    write-host "The ECP Virtual Directory needs to be configured as '$false' on $name in order for this to work.  Would you like to configure that now? "  -nonewline -ForegroundColor yellow
                    $ecp = read-host
                    if ($ecp -eq "y") {
                        get-owavirtualdirectory -server $name | set-owavirtualdirectory -basicauthentication $false
                        get-ecpvirtualdirectory -server $name | set-ecpvirtualdirectory -basicauthentication $false
                    } else { 
                        write-host "Change not made!"  -ForegroundColor red
                    }
                } else {
                    get-owavirtualdirectory -server $name | set-owavirtualdirectory -basicauthentication $false
                }
            }
        }
    }
    write-host " "
    write-host "Basic Authentication - After:" -foregroundcolor cyan
    Get-OwaVirtualDirectory |ft servername,basic* -auto
}

function digestauthentication {
    write-host "Processing ..." -ForegroundColor Red
    write-host " "
    $value = get-owavirtualdirectory
    write-host "Currently digest Authentication is set to:"
    foreach ($line in $value) {$line.servername+","+$line.digestauthentication}
    write-host "Do you want to change the Digest Authentication setting: " -ForegroundColor green -NoNewline
    $choice = read-host
    if ($choice -eq "y") {
        write-host "What value would you like to make it?  Valid choices are " -nonewline
        write-host '<$true | $false> ' -ForegroundColor green -nonewline
        [string]$digestauth = read-host
        $value2 = get-ecpvirtualdirectory
        if ($digestauth -eq '$true') {
            foreach ($line in $value2) {
                $name = $line.server.name
                if ($line.digestauthentication -eq $false ) {
                    write-host "The ECP Virtual Directory needs to be configured as '$true' on $name in order for this to work.  Would you like to configure that now? "  -nonewline -ForegroundColor yellow
                    $ecp = read-host
                    if ($ecp -eq "y") {
                        get-ecpvirtualdirectory -server $name | set-ecpvirtualdirectory -digestauthentication $true
                        get-owavirtualdirectory -server $name | set-owavirtualdirectory -digestauthentication $true
                    } else { 
                        write-host "Change not made!"  -ForegroundColor red
                    }
                } else {
                    get-owavirtualdirectory -server $name | set-owavirtualdirectory -digestauthentication $true
                }
            }
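        } elseif ($digestauth -eq '$false') {
            # Only an explicit '$false' disables the method; any other input leaves the settings untouched.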
            foreach ($line in $value2) {
                $name = $line.server.name  
                if ($line.digestauthentication -eq $true ) {
                    write-host "The ECP Virtual Directory needs to be configured as '$false' on $name in order for this to work.  Would you like to configure that now? "  -nonewline -ForegroundColor yellow
                    $ecp = read-host
                    if ($ecp -eq "y") {
                        get-owavirtualdirectory -server $name | set-owavirtualdirectory -digestauthentication $false
                        get-ecpvirtualdirectory -server $name | set-ecpvirtualdirectory -digestauthentication $false
                    } else { 
                        write-host "Change not made!"  -ForegroundColor red
                    }
                } else {
                    get-owavirtualdirectory -server $name | set-owavirtualdirectory -digestauthentication $false
                }
            }
        }
    }
    write-host " "
    write-host "Digest Authentication - After:" -foregroundcolor cyan
    Get-OwaVirtualDirectory |ft servername,digest* -auto
}

function formsauthentication {
    write-host "Processing ..." -ForegroundColor Red
    write-host " "
    $value = get-owavirtualdirectory
    write-host "Currently forms Authentication is set to:"
    foreach ($line in $value) {$line.servername+","+$line.formsauthentication}
    write-host "Do you want to change the Forms Authentication setting: " -ForegroundColor green -NoNewline
    $choice = read-host
    if ($choice -eq "y") {
        write-host "What value would you like to make it?  Valid choices are " -nonewline
        write-host '<$true | $false> ' -ForegroundColor green -nonewline
        [string]$formsauth = read-host
        $value2 = get-ecpvirtualdirectory
        if ($formsauth -eq '$true') {
            foreach ($line in $value2) {
                $name = $line.server.name
                if ($line.formsauthentication -eq $false ) {
                    write-host "The ECP Virtual Directory needs to be configured as '$true' on $name in order for this to work.  Would you like to configure that now? "  -nonewline -ForegroundColor yellow
                    $ecp = read-host
                    if ($ecp -eq "y") {
                        get-ecpvirtualdirectory -server $name | set-ecpvirtualdirectory -formsauthentication $true
                        get-owavirtualdirectory -server $name | set-owavirtualdirectory -formsauthentication $true
                    } else { 
                        write-host "Change not made!"  -ForegroundColor red
                    }
                } else {
                    get-owavirtualdirectory -server $name | set-owavirtualdirectory -formsauthentication $true
                }
            }
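        } elseif ($formsauth -eq '$false') {
            # Only an explicit '$false' disables the method; any other input leaves the settings untouched.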
            foreach ($line in $value2) {
                $name = $line.server.name  
                if ($line.formsauthentication -eq $true ) {
                    write-host "The ECP Virtual Directory needs to be configured as '$false' on $name in order for this to work.  Would you like to configure that now? "  -nonewline -ForegroundColor yellow
                    $ecp = read-host
                    if ($ecp -eq "y") {
                        get-owavirtualdirectory -server $name | set-owavirtualdirectory -formsauthentication $false
                        get-ecpvirtualdirectory -server $name | set-ecpvirtualdirectory -formsauthentication $false
                    } else { 
                        write-host "Change not made!"  -ForegroundColor red
                    }
                } else {
                    get-owavirtualdirectory -server $name | set-owavirtualdirectory -formsauthentication $false
                }
            }
        }
    }
    write-host " "
    write-host "Forms Authentication - After:" -foregroundcolor cyan
    Get-OwaVirtualDirectory |ft servername,forms* -auto
}

function Windowsauthentication {
    write-host "Processing ..." -ForegroundColor Red
    write-host " "
    $value = get-owavirtualdirectory
    write-host "Currently Windows Authentication is set to:"
    foreach ($line in $value) {$line.servername+","+$line.Windowsauthentication}
    write-host "Do you want to change the Windows Authentication setting: " -ForegroundColor green -NoNewline
    $choice = read-host
    if ($choice -eq "y") {
        write-host "What value would you like to make it?  Valid choices are " -nonewline
        write-host '<$true | $false> ' -ForegroundColor green -nonewline
        [string]$Windowsauth = read-host
        $value2 = get-ecpvirtualdirectory
        if ($Windowsauth -eq '$true') {
            foreach ($line in $value2) {
                $name = $line.server.name
                if ($line.Windowsauthentication -eq $false ) {
                    write-host "The ECP Virtual Directory needs to be configured as '$true' on $name in order for this to work.  Would you like to configure that now? "  -nonewline -ForegroundColor yellow
                    $ecp = read-host
                    if ($ecp -eq "y") {
                        get-ecpvirtualdirectory -server $name | set-ecpvirtualdirectory -Windowsauthentication $true
                        get-owavirtualdirectory -server $name | set-owavirtualdirectory -Windowsauthentication $true
                    } else { 
                        write-host "Change not made!"  -ForegroundColor red
                    }
                } else {
                    get-owavirtualdirectory -server $name | set-owavirtualdirectory -Windowsauthentication $true
                }
            }
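        } elseif ($Windowsauth -eq '$false') {
            # Only an explicit '$false' disables the method; any other input leaves the settings untouched.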
            foreach ($line in $value2) {
                $name = $line.server.name  
                if ($line.Windowsauthentication -eq $true ) {
                    write-host "The ECP Virtual Directory needs to be configured as '$false' on $name in order for this to work.  Would you like to configure that now? "  -nonewline -ForegroundColor yellow
                    $ecp = read-host
                    if ($ecp -eq "y") {
                        get-owavirtualdirectory -server $name | set-owavirtualdirectory -Windowsauthentication $false
                        get-ecpvirtualdirectory -server $name | set-ecpvirtualdirectory -Windowsauthentication $false
                    } else { 
                        write-host "Change not made!"  -ForegroundColor red
                    }
                } else {
                    get-owavirtualdirectory -server $name | set-owavirtualdirectory -Windowsauthentication $false
                }
            }
        }
    }
    write-host " "
    write-host "Windows Authentication - After:" -foregroundcolor cyan
    Get-OwaVirtualDirectory |ft servername,Windows* -auto
}

function oauthauthentication {
    write-host "Processing ..." -ForegroundColor Red
    write-host " "
    $value = get-owavirtualdirectory
    write-host "Currently oauth Authentication is set to:"
    foreach ($line in $value) {$line.servername+","+$line.oauthauthentication}
    write-host "Do you want to change the OAuth Authentication setting: " -ForegroundColor green -NoNewline
    $choice = read-host
    if ($choice -eq "y") {
        write-host "What value would you like to make it?  Valid choices are " -nonewline
        write-host '<$true | $false> ' -ForegroundColor green -nonewline
        [string]$oauthauth = read-host
        $value2 = get-ecpvirtualdirectory
        if ($oauthauth -eq '$true') {
            foreach ($line in $value2) {
                $name = $line.server.name
                if ($line.oauthauthentication -eq $false ) {
                    write-host "The ECP Virtual Directory needs to be configured as '$true' on $name in order for this to work.  Would you like to configure that now? "  -nonewline -ForegroundColor yellow
                    $ecp = read-host
                    if ($ecp -eq "y") {
                        get-ecpvirtualdirectory -server $name | set-ecpvirtualdirectory -oauthauthentication $true
                        get-owavirtualdirectory -server $name | set-owavirtualdirectory -oauthauthentication $true
                    } else { 
                        write-host "Change not made!"  -ForegroundColor red
                    }
                } else {
                    get-owavirtualdirectory -server $name | set-owavirtualdirectory -oauthauthentication $true
                }
            }
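        } elseif ($oauthauth -eq '$false') {
            # Only an explicit '$false' disables the method; any other input leaves the settings untouched.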
            foreach ($line in $value2) {
                $name = $line.server.name  
                if ($line.oauthauthentication -eq $true ) {
                    write-host "The ECP Virtual Directory needs to be configured as '$false' on $name in order for this to work.  Would you like to configure that now? "  -nonewline -ForegroundColor yellow
                    $ecp = read-host
                    if ($ecp -eq "y") {
                        get-owavirtualdirectory -server $name | set-owavirtualdirectory -oauthauthentication $false
                        get-ecpvirtualdirectory -server $name | set-ecpvirtualdirectory -oauthauthentication $false
                    } else { 
                        write-host "Change not made!"  -ForegroundColor red
                    }
                } else {
                    get-owavirtualdirectory -server $name | set-owavirtualdirectory -oauthauthentication $false
                }
            }
        }
    }
    write-host " "
    write-host "OAuth Authentication - After:" -foregroundcolor cyan
    Get-OwaVirtualDirectory |ft servername,oauth* -auto
}

function currentstatus {
    write-host " "
    write-host "The current Authentication settings are as follows:" -ForegroundColor Cyan
    write-host " "
    get-clientaccessserver | Get-OwaVirtualDirectory  |fl server,*authentication
}

Do {
	if ($opt -ne "None") {Write-Host "Last command: "$opt -foregroundcolor Yellow}	
	$opt = Read-Host $menu

	switch ($opt)    {
        1 { ADFSAuthentication }
        2 { BasicAuthentication }
        3 { DigestAuthentication }
        4 { FormsAuthentication }
        5 { WindowsAuthentication }
        6 { OAuthAuthentication }
        7 { invoke-command -scriptblock {iisreset /noforce /timeout:30} }
        8 { Restart-Service W3SVC,WAS -force}
        9 { currentstatus }

		99 {#	Exit
			popd
			Write-Host "Exiting..."
			Stop-Transcript
		}
		default {Write-Host "You haven't selected any of the available options. "}

	}
} while ($opt -ne 99)

Feel free to download the script from HERE.

Update

I’ve also posted it to the TechNet Gallery under Exchange 2013.
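
The post opens by saying the authentication types should be consistent across all servers hosting OWA and should match on the ECP virtual directory. The following read-only check for that is an added example, not part of the original script: `Get-AuthDrift` and `New-SampleVDir` are hypothetical helper names, the sample servers are constructed, and treating the first OWA entry as the reference server is an assumption.

```powershell
# Added example (not the original script): read-only check for authentication drift.
# Get-AuthDrift, New-SampleVDir and the sample servers are hypothetical / constructed.
function Get-AuthDrift {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Owa,   # output of Get-OwaVirtualDirectory
        [Parameter(Mandatory = $true)] [object[]] $Ecp    # output of Get-EcpVirtualDirectory
    )
    # The six settings the menu script can change.
    $props = 'AdfsAuthentication', 'BasicAuthentication', 'DigestAuthentication',
             'FormsAuthentication', 'WindowsAuthentication', 'OAuthAuthentication'

    # Index ECP entries by server name so each OWA entry can find its partner.
    # Hashtable keys are case-insensitive, so EX01 and ex01 match.
    $ecpByServer = @{}
    foreach ($e in $Ecp) { $ecpByServer["$($e.Server)"] = $e }

    # Assumption: the first OWA entry is the reference the other servers should match.
    $baseline = $Owa[0]

    foreach ($o in $Owa) {
        $server = "$($o.Server)"
        if (-not $ecpByServer.ContainsKey($server)) {
            [pscustomobject]@{ Server = $server; Setting = '(all)'
                               Finding = 'No ECP virtual directory returned'
                               Owa = $null; Other = $null }
            continue
        }
        $e = $ecpByServer[$server]
        foreach ($p in $props) {
            # OWA and ECP on the same server must agree.
            if ([bool]$o.$p -ne [bool]$e.$p) {
                [pscustomobject]@{ Server = $server; Setting = $p
                                   Finding = 'OWA and ECP differ'
                                   Owa = $o.$p; Other = $e.$p }
            }
            # Every OWA virtual directory should match the reference server.
            if ([bool]$o.$p -ne [bool]$baseline.$p) {
                [pscustomobject]@{ Server = $server; Setting = $p
                                   Finding = "OWA differs from $($baseline.Server)"
                                   Owa = $o.$p; Other = $baseline.$p }
            }
        }
    }
}

# Constructed sample data standing in for real cmdlet output.
function New-SampleVDir($Server, $Basic, $Forms, $Windows) {
    [pscustomobject]@{ Server = $Server; AdfsAuthentication = $false
                       BasicAuthentication = $Basic; DigestAuthentication = $false
                       FormsAuthentication = $Forms; WindowsAuthentication = $Windows
                       OAuthAuthentication = $false }
}
$owa = @( (New-SampleVDir 'EX01' $true $true $false), (New-SampleVDir 'EX02' $true $false $true) )
$ecp = @( (New-SampleVDir 'EX01' $true $true $false), (New-SampleVDir 'EX02' $true $true $false) )
Get-AuthDrift -Owa $owa -Ecp $ecp | Format-Table -AutoSize

# In the Exchange Management Shell, feed it the real objects instead:
# Get-AuthDrift -Owa (Get-OwaVirtualDirectory) -Ecp (Get-EcpVirtualDirectory)
```

Running it before and after a change made through the menu gives a record of which servers still need the matching ECP setting or an IIS reset.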

3 thoughts on “Changing OWA Authentication via PowerShell”

  1. Hello, I receive the following error:

    Select an option.. [1-9 or 99]?: 1
    Processing …

    Currently ADFS Authentication is set to:
    WIN2012DEV03,False

    Do you want to change you the ADFS Authentication setting: Y

    What value would you like to make it? Valid choices are $true

    A parameter cannot be found that matches parameter name ‘adfsauthentication’.
    + CategoryInfo : InvalidArgument: (:) [Set-OwaVirtualDirectory], ParameterBindingException
    + FullyQualifiedErrorId : NamedParameterNotFound,Set-OwaVirtualDirectory
    + PSComputerName : win2012dev03.test2012.dom

    ADFS Authentication – After:

    ServerName AdfsAuthentication
    ———- ——————
    WIN2012DEV03 False

    The same happens with the “raw” command:

    Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false -OAuthAuthentication $false

    The similar setting on ECP instead works fine… Why ???

    If I choose option 9:

    The current Authentication settings are as follows:

    Server : WIN2012DEV03
    BasicAuthentication : True
    WindowsAuthentication : False
    DigestAuthentication : False
    FormsAuthentication : True
    LiveIdAuthentication : False
    AdfsAuthentication : False

    So AdfsAuthentication is there!

      • Since I was trying the trial Sharepoint 2013 version available on the Microsoft site, I didn’t notice that it is the oldest version! So after upgrading to CU11 version, everything works fine. So it was a bug in Sharepoint. Thank you for the good work, the script worked very fine!
