OWA and Client Authentication

  • Article

OWA URL

So you are deploying Office 365 in a hybrid configuration. Of course you want to configure the clients to go to the same URL. It would not be seamless and that is the goal of a migration. So if you have a URL that is https://mail.contoso.edu/owa on Friday you want the same thing on Monday. You have two options:

 

1. Tell users new URL for migrated users (probably not the options you want) it would be something like https://mail.office365.com/owa/contoso.edu

2. set the targetOWAURL in the organization relationship. Set-OrganizationRelationship – TargetOWAURL https://mail.office365.com/owa/contoso.edu

 

For the second option you should also create a CNAME to redirect the OWA request. Create the CNAME so that mail.contoso.edu redirects to mail.office365.com…. be sure to create internal and external records for split DNS scenarios.

 

CLIENT Authentication

The second question I’m getting often is about client authentication. For internal domain joined machines the SSO will work but requires you to tweak the IE configuration. Add the domain in question https://*.contoso.edu to the local intranet sites in IE.

For SSO to work with both Chrome and Firefox you need to make a change to your IIS configuration for your ADFS installation if you have indeed selected the federation approach. For these client to work you need to relax the settings in IIS for Windows authentication. This is because Chrome and Firefox don’t support Extended Protection. Doing this does provide you with a security risk and therefor isn’t recommended. https://msdn.microsoft.com/en-us/library/dd639324(v=vs.90).aspx

 

  • Start >Administrative Tools >IIS Manager
  • Expand: <server-name>, Sites, Default Web Site, and adfs
  • Select the lsapplication and double-clickAuthentication
  • Select Windows Authenticationand selectAdvanced Settings....
  • Set Extended ProtectiontoOff and clickOK

An alternative to this is use Forms Based Authentication instead of Windows. To do this you need to make the changes outlined in Steve Syfus’s blog here. Thanks Steve!