Question about Outlook and SSO

  • Last Post 09 November 2015
  • Topic Is Solved
Dima Razbornov posted this 05 November 2015

So, okay, experts! This is my scenario. I've set up ADFS on a 2012 R2 server, another box with Azure AD Connect, and one server with Exchange 2013 CU10 (with Hybrid 365 set up). All works fine: I can create and sync my users. But when I move mailboxes to Office 365, Outlook 2010 and 2013 prompt for a password when I start the application. :( SSO with OWA works, but Outlook does not! I have 2 computers: Windows 7 SP1 with Outlook 2010 (I installed MS Online Services Sign-In Assistant but it did not help) and a second workstation with Outlook 2013. When I migrate my user into the cloud and he starts Outlook, it prompts for credentials. When the user enters credentials, Outlook connects to Exchange Online. But where is SSO? I read about ADAL and tried to set up registry keys but it doesn't work...
MS Online Services Sign-In Assistant on first computer with 2010 too :(
Any thoughts?
--
Dima R

hcoleman posted this 05 November 2015

This may be the way things work, at least for now.

 

https://support.microsoft.com/en-us/kb/2535227

 

“Accessing Office 365 resources by using a non-federated account or a federated account from a public Internet connection may not result in a single sign-on experience.

The experience for logging on to Microsoft Outlook connections is also not expected to be a single sign-on experience.”

 


kebabfest posted this 05 November 2015

Just make sure the Outlook websites and federated logon site are in the trusted zone and your federated site is in your intranet zone and you are good to go. Had the same problem myself two weeks ago!


kebabfest posted this 05 November 2015

And for Outlook, put in remember credentials when it asks the first time. No getting around that one!! Outlook is not designed for SSO.





Dima Razbornov posted this 06 November 2015

hcoleman, I've seen this link and tried to make an offer for its actions. Unfortunately, with this result, I came to the forum.

kebabfest - yep, Outlook and federated sites are in trusted

Dima Razbornov posted this 06 November 2015

"And for outlook put in remember credentials when it asks first time. No getting around that one !! Outlook not designed for sso."

... and every time you change or reset the password, right? That is not SSO in that case, I think.



kebabfest posted this 06 November 2015

I agree. SSO simply doesn't work for Outlook.


Dima Razbornov posted this 06 November 2015

But why does MS write about ADAL and Online Services Sign-In Assistant? Is that not a solution?

"Multi-factor authentication (MFA) for Office 2013 client applications

   SAML-based third-party identity provider sign in

   Smart card and certificate-based authentication

   Outlook no longer requiring the basic authentication protocol"

https://blogs.office.com/2015/03/23/office-2013-modern-authentication-public-preview-announced/

https://blogs.office.com/2014/11/12/office-2013-updated-authentication-enabling-multi-factor-authentication-saml-identity-providers/

With the new ADAL-based authentication enabled Office 2013 client applications, users no longer need to sign in with an App Password. Instead, they can sign in using true multi-factor authentication. The second factor of authentication the user must provide is dependent on the configuration done by their administrator.

https://community.office365.com/en-us/w/sso/534

The Microsoft Online Services Sign-In Assistant (MOS SIA) provides end user with sign-in capabilities to Microsoft Online Services like Microsoft Office 365. The MOS SIA installs client components that allow desktop applications like Azure Active Directory Module for Windows PowerShell, or Microsoft Office 2010 applications such as Outlook and Microsoft Skype for Business (formerly known as Lync) to authenticate to Microsoft Online Services. The MOS SIA also provides an improved sign-in experience so users can access Microsoft Online Services without re-entering their usernames or passwords.

kebabfest posted this 06 November 2015

It is like selling a car with the best windscreen wipers ever, but unfortunately they don't work in the rain!!





Mahesh posted this 08 November 2015

Hi Friend,
Outlook is not designed to work with ADFS; you have to enter / store the Outlook password no matter whether you use it from intranet / internet.
Check below link - https://mahesh1000.wordpress.com/2015/11/06/adfs-aadsync-and-exchange-online-o365-facts/
Best Regards
Mahesh

ThomasVuylsteke posted this 09 November 2015

For “older” Outlook clients this is by design. For the more recent ones you can get Outlook to use SSO using ADAL (also called Modern Authentication). However, you need to get this configured client side (reg keys) AND tenant side: you need to have your Azure AD/O365 tenant enrolled somewhere.



 

Kind regards,

Thomas
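The client-side and tenant-side checks mentioned in the post above, as an added PowerShell example that is not part of the original thread. The registry path and value names (`EnableADAL`, `Version`) and the `OAuth2ClientProfileEnabled` setting come from Microsoft's Office 2013 modern authentication documentation, not from this page; the function names are hypothetical.

```powershell
# Added example: audit (and optionally set) the Office 2013 (15.0) per-user
# values that switch Outlook from stored basic-auth credentials to ADAL.
# Path and value names are taken from Microsoft's documentation, not the thread.
$IdentityKey = 'HKCU:\Software\Microsoft\Office\15.0\Common\Identity'
$Expected    = [ordered]@{ EnableADAL = 1; Version = 1 }

function Test-OutlookAdalClient {
    [CmdletBinding()]
    param([string]$Path = $IdentityKey)

    foreach ($name in $Expected.Keys) {
        $actual = $null
        if (Test-Path -LiteralPath $Path) {
            # A missing value yields $null rather than an error
            $actual = (Get-ItemProperty -LiteralPath $Path -Name $name -ErrorAction SilentlyContinue).$name
        }
        [pscustomobject]@{
            Value    = $name
            Expected = $Expected[$name]
            Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
            Ok       = ($actual -eq $Expected[$name])
        }
    }
}

function Enable-OutlookAdalClient {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Path = $IdentityKey)

    if (-not (Test-Path -LiteralPath $Path)) {
        if ($PSCmdlet.ShouldProcess($Path, 'Create key')) { New-Item -Path $Path -Force | Out-Null }
    }
    foreach ($name in $Expected.Keys) {
        if ($PSCmdlet.ShouldProcess("$Path\$name", "Set DWORD $($Expected[$name])")) {
            New-ItemProperty -LiteralPath $Path -Name $name -PropertyType DWord -Value $Expected[$name] -Force | Out-Null
        }
    }
}

# Tenant side: assumes an already connected Exchange Online PowerShell session.
function Test-TenantModernAuth {
    (Get-OrganizationConfig).OAuth2ClientProfileEnabled -eq $true
}

# Report the current user's client-side state; change nothing.
Test-OutlookAdalClient | Format-Table -AutoSize
```

Run `Enable-OutlookAdalClient -WhatIf` first to preview the registry writes; Outlook only stops prompting for a stored password when both the client values and the tenant setting are in place.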

 

Dima Razbornov posted this 09 November 2015

Thanks, Thomas!

I've set up the ADAL preview program, and it notified me that the change to apply ADAL on my tenant would take 3-4 weeks. I only have to wait this time and check it out.

Mahesh posted this 09 November 2015

I don't know about Outlook 2016.
But we have tested Outlook 2013 with O365\ADFS and AAD Sync and we still need to save the password.
Outlook 2007 / 2010 / 2013 and even O365 ProPlus are not ADFS aware.
Best Regards
Mahesh