Outlook 2013 with Modern Authentication gives prompt because of dual RP.


We are in the process of migrating some mailboxes to EXO. When on-prem users try to open EXO users' calendars, they are prompted for credentials. In order to eliminate these prompts in Outlook 2013, we have enabled Modern Authentication both on the tenant and on the client side (EnableADAL=1 etc.), as well as enabling the endpoint (/adfs/services/trust/13/windowstransport) in ADFS.

However, since users have two "identity providers" (Claims Provider Trusts?) to choose from, Active Directory + one EDU related, they get a white web form with two choices when opening EXO calendars. If they choose AD, SSO handles the rest.

Obviously we don't want this popup. Is there a way to make Outlook go directly, the same way we do with smart links, or turn off one of these for that particular endpoint?

Oh, we are also using Alternate Login ID (mail).

Thanks,

Magnus

1 Reply

OK, that particular issue was solved with the following command:

Set-AdfsProperties -IntranetUseLocalClaimsProvider $true

What happens now is that on-premises users are prompted to log on to Office 365 when they open an EXO user's calendar. The form comes pre-filled with the UPN as username (not resolvable). If they fill in their email address, it discovers that the domain is federated, redirects to ADFS and logs on automatically.

Is there a way to make Outlook pre-fill the form with the email address, maybe like a client-side registry setting?