  1. #1

    FN-GM

    Office 365 - Outlook and ADFS SSO - Disappointment

    I'm very disappointed. Turns out with ADFS Outlook cannot be logged into Office 365 seamlessly via SSO. The users have to enter a password again. Lync clients are all seamless.

    Really disappointed Microsoft! - Exchange is the biggest selling point of this product!

    This may even stop the Office 365 project.


  2. #2
    Boredguy
    Do you mean you have to enter every time you launch Outlook, or just for the first time so it can store your password?

  3. #3

    FN-GM
    Well, if you have mandatory profiles it will be every time. If you reset the password you will need to enter it again. Compared to our onsite Exchange this is rubbish! All our users click Outlook, it opens and automatically configures with no prompts at all.

  4. #4

    EduTech
    Hi,

    Are you saying that your users are asked to re-enter their password each time they launch Outlook? Can you describe the behaviour in more detail if possible? With the Lync client you will find that you also have to type in the username and password during the initial connect, because this is an active client just like Outlook. Lync, on the other hand, will log in using a certificate, and a new certificate will be requested using the stored credentials; likewise, if you update the UN/PW you will be asked to update these upon password change, which will also happen in Outlook.

    - If you are using Office 2010 ensure that you have the SIA installed
    - If you are using Office 2013 then the SIA is not required as a built-in lightweight version is included in the installer.

    You will find that during initial configuration it will prompt you for the credentials, as these then get sent to Exchange Online and then Exchange Online initiates the token request via the WAP/Proxy.

    If you do have those profiles, where the Outlook profile is re-created each time, then yes, for sure you will be prompted to enter credentials each time you launch Outlook.

    James.
    Last edited by EduTech; 9th June 2014 at 05:25 PM.

  5. #5

    FN-GM
    Basically outlook opens and the user is prompted to enter a password.

    We use Outlook 2013. We have local profiles, so a teacher could be in 5 different rooms in a day. Retyping the password 5 different times isn't an option. Then the process starts again when the password expires. Similar with the kids. The Lync client never asks for a password, even on first configuration. Just type your email address and you're in (even that can be automated).

    For us it's a real show stopper. Moving to Office 365 will mean we will lose a function we use daily here.

    Is there no way around this to make it behave like it does with on premise exchange?

    Thanks
    Last edited by FN-GM; 9th June 2014 at 05:55 PM.

  6. #6

    FN-GM
    Everything else in Office 365 is pretty good. I feel let down; I put loads of time into this to find a road block.

  7. #7

    SYNACK
    Perhaps a hybrid setup where there is a local Exchange box with no accounts on it, set up in hybrid mode with 365. Depending on how Outlook and Exchange behave, if Outlook is fed the local server on account setup it should authenticate you then hand you off to 365; it may manage to use the existing auth details without a prompt.

    If it works it's a nasty hack, but most stuff seems to be with 365.

  8. #8

    FN-GM
    We have a hybrid setup ready to migrate the accounts. You are still prompted for Office 365 mailboxes.
    Last edited by FN-GM; 9th June 2014 at 06:35 PM.

  9. #9

    Edu-IT
    The benefits of having Office 365 outweigh having to enter a password, surely?

  10. #10

    FN-GM
    No, not really. We shouldn't lose features. The main benefit of 365 is the quota, but that isn't an issue for us at the moment with our on premise setup. Our internal Exchange hardware will last for another 5 years, so no cost in renewing it etc. The current setup is working as sweet as a nut.

    This will just make the end user experience suffer. Something that is really important. Very close to the top of the agenda.
    Last edited by FN-GM; 9th June 2014 at 06:53 PM.

  11. #11

    Edu-IT

    Quote Originally Posted by FN-GM:
    No, not really. We shouldn't lose features. The main benefit of 365 is the quota, but that isn't an issue for us at the moment with our on premise setup. Our internal Exchange hardware will last for another 5 years, so no cost in renewing it etc. The current setup is working as sweet as a nut.

    This will just make the end user experience suffer. Something that is really important. Very close to the top of the agenda.
    If your on premise solution is working, what are the reasons for moving, out of interest?

    I'd say typing in a password is something that end users should be able to cope with and as it's the only option if you go Office 365, they have little to no choice.
    Last edited by Edu-IT; 9th June 2014 at 06:59 PM.

  12. #12

    FN-GM
    Getting ready for the future, getting rid of the time spent patching, backup monitoring, testing, recovery testing etc. The technical support is a safety net as well.

    It's not that they won't be able to cope, it's all about experience. People complain about the Windows 8 start screen, they don't like the experience but they still cope with it. Rather than make the experience worse for the users I would rather do the above.

  13. #13

    EduTech
    Hi,

    The reason you don't have the issue with Lync is because the authentication flow is different. Lync Online follows the following authentication flow when using AD FS:

    1. First the user logs in to their machine/client.
    2. After they log in the sign in assistant kicks in.
    3. The sign in assistant already knows the UPN etc. of the user and goes directly to the Authentication Platform.
    4. The Authentication Platform returns the URL to the sign in assistant pointing to the ADFS server.
    5. The sign in assistant then goes to the ADFS server and authenticates via Kerberos or NTLM, and when it's authenticated the ADFS server gives the user a SAML token including the claims: UPN and Source User ID (ImmutableID).
    6. The sign in assistant takes the token to the Authentication Platform.
    7. The Authentication Platform verifies the token and converts it to an Auth token, which contains the UPN and now the Unique ID from the Authentication Platform. This Auth token can now be used for login. Note that all of the above happens at logon and the user doesn't see it.
    8. Now the user starts Lync.
    9. Lync connects to Lync Online.
    10. Lync Online requests an Auth token.
    11. The client has one of those and sends it to Lync Online.

    whereas Outlook/ActiveSync does the following:

    1. The user logs in and the sign in assistant kicks in as above and does the round-trip to get the Auth token.
    2. Now the user starts Outlook.
    3. Outlook connects to Exchange Online and it will request Basic authentication.
    4. The user will get a prompt and here they need to type in their username with a UPN, e.g. james@contoso.com. They can save this, but they will get prompted the first time.
    5. This will be sent off to Exchange Online.
    6. Now Exchange Online does a trick called "Proxy Auth" where it creates a shadow representation of the user.
    7. It then takes the domain/UPN from the basic authentication and sends it to the Authentication Platform.
    8. The Authentication Platform returns with the URL to the ADFS server.
    9. Exchange Online then takes the basic authentication credentials and sends them to the ADFS server.
    10. The ADFS server authenticates with the basic credentials and converts them to a SAML token including the claims: UPN and Source User ID (ImmutableID).
    11. This comes back to Exchange Online.
    12. Exchange Online sends it to the Authentication Platform.
    13. The Authentication Platform verifies the token and converts it to an Auth token, which contains the UPN and now the Unique ID from the Authentication Platform. This Auth token can now be used for login.
    14. Exchange Online can now authenticate the user and it will delete the shadow representation of the user.

    It is by design; if you're using that type of profile then there is nothing more we can really do from an Exchange Online perspective.

    Regards,
    James.

  15. #14

    FN-GM
    Really, if it can be done with on premise it can be done with 365 (obviously some work from MS is required). It wouldn't be so bad if OWA wasn't missing stuff we use.

    It's MS AD, MS Outlook and MS 365 - they should make this work somehow! MS are the king with authentication and identity management!

    Might leave 365 this week and work on something else.
    Last edited by FN-GM; 9th June 2014 at 07:42 PM.

  16. #15

    EduTech
    The reason why it does not work how you want is primarily because of the following:

    4. The user will get a prompt and here they need to type in their username with a UPN, e.g. james@contoso.com. They can save this, but they will get prompted the first time.
    5. This will be sent off to Exchange Online.
    6. Now Exchange Online does a trick called "Proxy Auth" where it creates a shadow representation of the user.
    7. It then takes the domain/UPN from the basic authentication and sends it to the Authentication Platform.
    8. The Authentication Platform returns with the URL to the ADFS server.
    9. Exchange Online then takes the basic authentication credentials and sends them to the ADFS server.


    Because the authentication request to AD FS comes from Exchange Online, it goes via the Web Application Proxy / AD FS Proxy and uses the /usernamemixed endpoint, and it uses the credentials provided at the prompt to then get a SAML token.

    .....

    If you take the browser, this is a passive authentication request, and so in this scenario on a domain-joined machine it will talk with the on-premise AD FS server and use Windows Integrated Authentication, which allows a seamless sign-in experience.

    Likewise with Lync: because it uses the SIA, that does the negotiation element with the authentication service and then goes and gets a token from AD FS, which it then sends to Lync Online, which then provides your users with a certificate that will be present in the local certificate store. That certificate is valid for ~8 hours and it uses that to authenticate against the service.

    ... for now, it is by design. The behaviour you are experiencing, although I understand your point, is caused because your users have a new profile each time they sign in to the Exchange Online service. I imagine their profile is also downloaded each time etc.

    James.
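A small model of the two flows James lays out in posts #13 and #15, added here as an illustration and not code from the thread or from Microsoft: the class names, token shapes and the AD FS URL are assumptions. It tracks which party ever handles the user's password (only the Exchange Online proxy-auth path calls /usernamemixed) and counts the Outlook prompts for a persistent profile versus a fresh one per logon.

```python
# Constructed simulation of the thread's two sign-in flows; names/token shapes are assumptions.
from dataclasses import dataclass, field

@dataclass
class ADFS:
    """On-premises AD FS. Records which caller sent a password to /usernamemixed."""
    password_seen_by: list = field(default_factory=list)

    def windows_integrated(self, upn):
        # Kerberos/NTLM path: the domain-joined client proves itself without a password.
        return {"upn": upn, "ImmutableID": f"id-{upn}"}

    def usernamemixed(self, caller, upn, password):
        # WS-Trust /usernamemixed: whoever calls this must hold the cleartext password.
        self.password_seen_by.append(caller)
        return {"upn": upn, "ImmutableID": f"id-{upn}"}

class AuthPlatform:
    """Microsoft Online authentication platform: realm discovery + SAML-to-auth-token."""
    def realm_url(self, upn):
        return "https://adfs.PLACEHOLDER.invalid/"   # placeholder, not a real endpoint
    def to_auth_token(self, saml):
        return {"upn": saml["upn"], "uid": saml["ImmutableID"]}

def lync_flow(adfs, platform, upn):
    # Sign-In Assistant runs at Windows logon and talks to AD FS itself (Lync steps 1-7).
    platform.realm_url(upn)
    return platform.to_auth_token(adfs.windows_integrated(upn))

def outlook_flow(adfs, platform, upn, password):
    # Exchange Online "proxy auth": it forwards the basic credentials to AD FS (steps 5-13).
    platform.realm_url(upn)
    saml = adfs.usernamemixed("ExchangeOnline", upn, password)
    return platform.to_auth_token(saml)

def simulate(profile_persists, logons, upn="james@contoso.com"):
    """Return (number of Outlook prompts, callers that sent a password to AD FS)."""
    adfs, platform = ADFS(), AuthPlatform()
    prompts, saved = 0, None
    for _ in range(logons):
        lync_flow(adfs, platform, upn)                      # never prompts
        if saved is None:
            prompts += 1                                    # Outlook basic-auth prompt
            saved = "P@ssw0rd-constructed"                  # constructed sample value
        outlook_flow(adfs, platform, upn, saved)
        if not profile_persists:                            # mandatory/fresh profile
            saved = None
    return prompts, list(adfs.password_seen_by)
```

With a persistent profile, simulate(True, 5) prompts once and Exchange Online still sends the password to AD FS on every logon; with a fresh profile, simulate(False, 5) prompts at every logon, which is the behaviour the thread describes.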


