Cloud Services Thread, Office 365 - Outlook and ADFS SSO - Disappointment in Technical
  1. #16

    FN-GM
    Well, it's not really a profile issue either; when a password is reset you have to stick it in Outlook again. I have known companies to reset every 7 days. I know it's by design but the design stinks!

  2. #17

    EduTech
    I suppose, but if you understand the authentication flow then you will understand the reasons behind why you experience such. I guess you have to just consider, and think about the following points:

    - Giving new users a new profile each time they sign-in to a machine, is it really the best way for your organization?
    - Increase password complexity & increase the amount of time until password change to minimize disruption over a 12 month period.

    You really need to weigh up the pros and cons of having a cloud service and on-premise deployment; if that behavior is a real issue for you and will stop you from adopting Office 365 in favor of managing this infrastructure on-premise for such experience, then that is a choice only you can make.

    Let me put it in this scenario....

    If I understand you correctly in terms of what your users experience, is having them click Next, Next, Next etc. the best experience for them each time they need to launch Outlook? Surely them just being able to open Outlook and get access to their e-mail is much preferred... yet they have to cope with that change? Right....

    :-)

    James.

  3. #18

    FN-GM
    But there are still ways to make Outlook work like Lync does. For the long term things need to change in the way Outlook authenticates. Anyway, I'm not here to argue about it. Don't want to be here all night.

    Our users don't press next, next, next; Outlook is automatically configured for them. Group policy is your friend! So they already just open Outlook and read emails. With 365 there is an added step. Open Outlook, enter password and read emails. So you are right, just being able to open Outlook and access email is much preferred; that's why the 365 way is causing problems. But that isn't the issue; even with the local profiles where the configuration is stored they will have to stick the password in on each machine. Roaming profiles have a hit on logon performance and redirected app data has its own issues.
    Last edited by FN-GM; 9th June 2014 at 07:10 PM.

  4. #19
    Boredguy
    Originally I thought you were looking at ADFS as a method to restrict Outlook usage/Storage outside of the school environment?
    There is always compromise with moving services off site, and it may be you need to see if Roaming profiles may be a better choice than local profiles if you wish to have the Outlook authentication only on initial use and subsequent password changes.

    We have all our staff network accounts as roaming profiles, but for students use mandatory ones. Since moving to 365 back in August I've not encountered an issue with the integration with Outlook 2013 and 365 once staff enter their password the initial time, which is the same as our previous mail solution.

    As @EduTech said, it's the design process and we all know that some Microsoft Applications never seem to want to behave in a manner that we expect them to. Heck, I had to spend a while working out how to redirect the OST files from the local profile path as I clear user accounts off workstations at logoff, and the official documentation says that OST redirection does not work with 2013.... well, it does if you get the right fields in registry and GPO, but it does limit the number of instances of Outlook users can be in to 1 (which is no bad thing really).

  5. #20

    FN-GM
    Quote: Originally Posted by Boredguy
    Originally I thought you were looking at ADFS as a method to restrict Outlook usage/Storage outside of the school environment?
    As well as this, yes. At first (very early days) I thought you could get SSO without ADFS. But when you didn't, I set that up.

    Quote: Originally Posted by Boredguy
    There is always compromise with moving services off site, and it may be you need to see if Roaming profiles may be a better choice than local profiles if you wish to have the Outlook authentication only on initial use and subsequent password changes.

    We have all our staff network accounts as roaming profiles, but for students use mandatory ones. Since moving to 365 back in August I've not encountered an issue with the integration with Outlook 2013 and 365 once staff enter their password the initial time, which is the same as our previous mail solution.
    Local profiles have a performance hit, plus you get the prompt again when you reset the password.

    Quote: Originally Posted by Boredguy
    As @EduTech said, it's the design process and we all know that some Microsoft Applications never seem to want to behave in a manner that we expect them to. Heck, I had to spend a while working out how to redirect the OST files from the local profile path as I clear user accounts off workstations at logoff, and the official documentation says that OST redirection does not work with 2013.... well, it does if you get the right fields in registry and GPO, but it does limit the number of instances of Outlook users can be in to 1 (which is no bad thing really).
    I agree, but design isn't perfect; in fact any design anywhere is hardly ever perfect.


    So I ask myself why leave my on premise system for something that is interior?
    Last edited by FN-GM; 9th June 2014 at 07:15 PM.

  6. #21
    Boredguy
    I believe you mean inferior, as interior and on premise are the same thing.

    You will always get a prompt to re-enter your password when you change it in Outlook.... or at least I've had to for the last 17 years but I've not had an on premise Exchange server to worry about since the 5.5 days.

    I would debate the performance hit issue as it can be managed, but it depends on how your system is set up as all of us are different and you do know your own network, so it's a debate for another year.

    Compare the pros and cons for running onsite versus cloud and then maybe ask some of your users how they would feel about the compromise, to give an indication if it is worth the additional time for you to apply the patches etc. for the on premise compared to staff typing in their password again if required.
    On the whole it's another Outlook design feature

  7. #22

    FN-GM
    Quote: Originally Posted by Boredguy
    You will always get a prompt to re-enter your password when you change it in Outlook.... or at least I've had to for the last 17 years but I've not had an on premise Exchange server to worry about since the 5.5 days.
    Been using Exchange since version 2003. I have never seen that. When an AD password is changed you log in and Outlook functions as usual. Must have been changed when they linked the accounts to AD.
    Last edited by FN-GM; 9th June 2014 at 07:25 PM.

  8. #23

    EduTech
    Sure, as of today that is how things work and so I hope the information has answered your question. I appreciate that it's not exactly what you want to hear, but in your deployment state that is how things will be in terms of an experience, unless anything major changes in the authentication flow in the future that takes your scenario into account.

    I know many people on here don't even use AD FS and use Password Sync, and although they have to click on Remember Password, even if they were to have your scenario they would be hit with the same issue, not just AD FS with O365.

    ====

    - The fact your User Profiles get re-built each time is something that has not been taken into consideration and so hence your lack of SSO Experience.
    - In terms of the authentication prompt when a password is changed, this is because the credentials are stored in Credential Manager and so in order to update them, it needs to prompt for new credentials.

    ====

    Remember, your Exchange On-Premise Environment has clean access to authenticate your users against your DCs via Kerberos etc., and so in a way let's say it has privileged access to do such, whereas Exchange Online, if using Federated Identity, does not have the ability to do that and so has to go via the WAP/Proxy. So yes, the behavior is that you will be prompted, and in essence this will only be once or when the password is changed, and in the case of your scenario every time someone logs on due to how you manage your user profiles across the organization.

    Thanks.
    James.

  9. #24

    FN-GM
    Quote: Originally Posted by EduTech
    I know many people on here don't even use AD FS and use Password Sync, and although they have to click on Remember Password, even if they were to have your scenario they would be hit with the same issue, not just AD FS with O365.
    More people might use ADFS if Outlook SSO worked. Besides, just 'cause others put up with it doesn't make it right. We all put up with the rubbish weather, doesn't mean we like it :P

    Thanks for your input

    PS: I assume not, but is there anything 3rd party or anything that I can use to get around this issue? Worth a shot!
    Last edited by FN-GM; 9th June 2014 at 07:33 PM.

  10. #25

    EduTech
    The authentication flow will be the same whichever authentication provider you use.

    P.S. I have taken this information and will of course feed this back in to the relevant PG teams.

    Thanks,
    James.

  12. #26

    Edu-IT
    Do your users have to log in to SIMS each time, or have you tied that to AD? If not, it's the same sort of thing.

  13. #27

    FN-GM
    Thanks @EduTech

    I'm going to see if we can dump some stuff that we use in Outlook and isn't in OWA.

    Quote: Originally Posted by Edu-IT
    Do your users have to log in to SIMS each time, or have you tied that to AD? If not, it's the same sort of thing.
    Tied into AD like our other services.

  14. #28

    Edu-IT
    Just out of interest, do you have to run Internet Explorer before opening Outlook for the first time in order for the Office 365 account to be set up automatically? That's what I experience. Not too troublesome but curious if you have the same issue. I wonder if it's something to do with our web filter needing a connection from IE to establish the user and policy etc.

  15. #29

    EduTech
    Quote: Originally Posted by Edu-IT
    Just out of interest, do you have to run Internet Explorer before opening Outlook for the first time in order for the Office 365 account to be set up automatically? That's what I experience. Not too troublesome but curious if you have the same issue. I wonder if it's something to do with our web filter needing a connection from IE to establish the user and policy etc.
    Hi Mate, @Edu-IT

    If that is the experience you have, this is caused because the Web Proxy I assume you are going through requires authentication. In this scenario Outlook is not able to negotiate the authentication, and so this is why you have to launch Internet Explorer first, so that it authenticates against your Web Proxy, which then allows Outlook to get out on the internet etc.

    Generally, if your machines can go direct to the internet without the proxy then you would add this into an exception list so that it can break out directly without going over the web proxy, but that will depend on your infrastructure.

    In essence, Outlook is unable to negotiate the authentication mechanism required by your web application proxy in order to access the internet, and so it fails to connect until you launch a browser to handle that aspect for you.

    Hope that helps,
    James.

  16. #30

    Edu-IT
    What URL will it be going out to, as I'm confident they're excluded? I suspected it was a filtering auth issue so you've just confirmed that. I suppose I could dive into the logs to see where it's trying to go.
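
The log check suggested in posts #29 and #30, as an added example that is not part of the original thread: it scans web-proxy log lines for `407 Proxy Authentication Required` responses sent to an Office client before that machine has authenticated, and lists the destination hosts involved. The log format, hostnames, IP addresses and user-agent strings are constructed for illustration and do not come from any particular proxy product or from the thread.

```python
import shlex
from collections import defaultdict

# Constructed sample proxy log (not from the thread). Assumed line format:
#   time client_ip user status method host:port "user-agent"
# user is "-" when the request carried no proxy credentials.
SAMPLE_LOG = """\
08:59:58 10.0.0.21 - 407 CONNECT mail.example.test:443 "Microsoft Office/15.0"
08:59:59 10.0.0.21 - 407 CONNECT autodiscover.example.test:443 "Microsoft Office/15.0"
09:00:30 10.0.0.21 - 407 CONNECT www.example.test:443 "Mozilla/5.0"
09:00:31 10.0.0.21 jsmith 200 CONNECT www.example.test:443 "Mozilla/5.0"
09:00:40 10.0.0.21 jsmith 200 CONNECT mail.example.test:443 "Microsoft Office/15.0"
09:01:02 10.0.0.35 - 407 CONNECT mail.example.test:443 "Microsoft Office/15.0"
"""


def parse(line):
    """Split one log line into a dict; the quoted user-agent stays one field."""
    t, ip, user, status, method, dest, agent = shlex.split(line)
    return {"time": t, "ip": ip, "user": user, "status": int(status),
            "host": dest.rsplit(":", 1)[0], "agent": agent}


def unauthenticated_failures(log_text, agent_prefix="Microsoft Office"):
    """Return {host: sorted client IPs} where a matching client received a 407
    before any authenticated request had been seen from that client IP."""
    authed_ips = set()          # clients that have already authenticated to the proxy
    blocked = defaultdict(set)  # destination host -> client IPs that were denied
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse(line)
        if e["user"] != "-" and e["status"] != 407:
            authed_ips.add(e["ip"])
        elif (e["status"] == 407 and e["agent"].startswith(agent_prefix)
              and e["ip"] not in authed_ips):
            blocked[e["host"]].add(e["ip"])
    return {host: sorted(ips) for host, ips in blocked.items()}


if __name__ == "__main__":
    for host, ips in sorted(unauthenticated_failures(SAMPLE_LOG).items()):
        print(f"{host}: 407 for {', '.join(ips)} -> check the proxy exception list")
```

Any host it reports that is already on the exception list points at the exclusion rule not matching the request as the proxy actually sees it.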
