Forum Discussion
ADFS and SSO for Exchange Online
I hope this is the right spot for this post...
We have Office 365 E3 in our environment, setup using ADFS. All of our email is in Exchange Online.
Because of this - when a user opens up MS Edge, and browses to https://outlook.office.com/ourdomain.dom they are *magically* auto-signed into their mailbox. Who doesn't like magic :) ?
This is great for most of our users - however I have a small set of desktop computers that are shared workstations, with an auto-login, shared user account. Because it is a shared workstation and shared user account - they do not have an email account.
I recently got a request to add a desktop shortcut to these machines for people to login to their exchange online mailbox via the web browser. When I try to go to the login page I either get a failed to login error OR a loop to select my timezone. I am guessing because the logged on user does not have a mailbox, and the ADFS is trying to perform SSO.
Any ideas how to get around this issue for these machines?
Thanks
Steve
Our organization was able to solve this problem and I documented the solution over on TechNet (https://social.technet.microsoft.com/Forums/en-US/79c2050b-9977-4524-83a5-eb47d86e2f96/bypass-adfs-...)
- Stephen Bell
They are effectively logging in with the current windows credentials, as per the "magic" bit. Either disable the WIA auto-login in the browser options on those devices or remove the AD FS URL from the Intranet zone.
You can also alter the AD FS Claim Issuance Rules so that those devices would be treated as externals (i.e. logging in outside your internal network). That way they would be offered a login form instead of signing in automatically.
- Stephen Bell, Iron Contributor
I am not sure how I would do this -- do you have an example of where you can link me to?
Thanks
Steve
- Stephen Bell, Iron Contributor
I think I have this done --
I removed our ADFS URL from the intranet zone, removed the internal DNS record that points to the inside of the ADFS environment. I now ping from this client and get an external IP address.
The WIA (or IWA? I've seen it both ways) - I went into IE on one of the clients, Security Tab --> Custom Level --> Login --> Prompt for user name and password.
Rebooted the PC 2 times and I am still getting auto login for my OWA URL? What am I missing?
Thanks
Steve
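An added diagnostic (not code from the thread) for the "still auto logs in" situation above: it reads the IE/legacy-Edge security-zone registry settings in the shared user's session and reports whether Windows credentials will be auto-submitted to the AD FS host. `$AdfsHost` is a placeholder, and the script assumes a two-label registrable domain (e.g. `adfs.example.com`).

```powershell
# Added diagnostic, not from the thread. Run in the shared auto-login user's session.
# $AdfsHost is a placeholder for your federation service FQDN.
param([string]$AdfsHost = 'adfs.example.com')

$labels = $AdfsHost.ToLower().Split('.')
$domain = $labels[-2..-1] -join '.'                    # assumes two-label domain (example.com)
$sub    = if ($labels.Count -gt 2) { $labels[0..($labels.Count - 3)] -join '.' } else { '' }

# 1) Explicit site-to-zone mapping: per-user, per-machine, then Group Policy
#    ("Site to Zone Assignment List", stored under ZoneMapKey as <url> = "<zone>").
$zone = $null
foreach ($hive in 'HKCU', 'HKLM') {
  $root  = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
  $paths = if ($sub) { "$root\$domain\$sub", "$root\$domain" } else { "$root\$domain" }
  foreach ($p in $paths) {
    if (-not (Test-Path $p)) { continue }
    $v = Get-ItemProperty -Path $p
    foreach ($scheme in 'https', 'http', '*') {
      $prop = $v.PSObject.Properties[$scheme]
      if ($prop) { $zone = [int]$prop.Value; "Mapped via $p ($scheme) -> zone $zone"; break }
    }
    if ($null -ne $zone) { break }
  }
  if ($null -ne $zone) { break }
}
$gpo = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
if ($null -eq $zone -and (Test-Path $gpo)) {
  $hit = (Get-ItemProperty $gpo).PSObject.Properties | Where-Object { $_.Name -like "*$AdfsHost*" } | Select-Object -First 1
  if ($hit) { $zone = [int]$hit.Value; "Mapped via GPO $($hit.Name) -> zone $zone" }
}
if ($null -eq $zone) {
  # No explicit mapping: the host can still land in Intranet (zone 1) through intranet
  # auto-detection or proxy-bypass rules, so surface those flags for review.
  $zm = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
  "No explicit mapping for $AdfsHost. AutoDetect=$($zm.AutoDetect) ProxyBypass=$($zm.ProxyBypass) UNCAsIntranet=$($zm.UNCAsIntranet)"
  $zone = 3   # Internet zone unless those flags put the host in zone 1
}

# 2) Logon setting (value 1A00) for that zone. A value under HKLM\Software\Policies
#    overrides what was set manually in Internet Options, which is one reason a manual
#    "Prompt for user name and password" change appears to have no effect.
#    0x0 = auto logon, 0x10000 = prompt, 0x20000 = auto only in Intranet zone (default), 0x30000 = anonymous
$user   = (Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$zone" -ErrorAction SilentlyContinue).'1A00'
$policy = (Get-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$zone" -ErrorAction SilentlyContinue).'1A00'
$logon  = if ($null -ne $policy) { $policy } elseif ($null -ne $user) { $user } else { 0x20000 }
$auto   = ($logon -eq 0) -or ($logon -eq 0x20000 -and $zone -eq 1)
$note   = if ($null -ne $policy) { ' (set by policy)' } else { '' }
$verb   = if ($auto) { 'WILL' } else { 'will NOT' }
"Zone $zone logon=0x{0:X}{1}: Windows credentials $verb be sent automatically to $AdfsHost." -f $logon, $note
```

If the host resolves to zone 1 with an auto-logon setting, the fix is either the zone mapping or the 1A00 value; an InPrivate window, as suggested below, sidesteps both for a one-off login.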
- Or you can ask them to browse to the site via an InPrivate session in the browser, as that does not auto submit credentials