Feb 03 2017 06:19 AM
Hi all,
I have an environment with Exchange 2010 in a hybrid setup with Office 365.
We have ADFS 3.0 running which is working fine when, for example, we logon to portal.office.com.
We migrated a few test users to Office 365/ Exchange. That is all working fine.
One thing I see and I wonder if that is normal behaviour with AD FS;
When a migrated user opens Outlook 2016 (fully patched) for the first time on a domain joined Windows 10 PC on the internal network, he is asked for his password with a screen for basic authentication. Is expected a SSO experience, because modern authentication is turned on for Exchange and did this setting on the ADFS Server Enable-AdfsEndpoint -TargetAddressPath "/adfs/services/trust/13/windowstransport"
It is probably hitting the old Exchange 2010 first when running the autodiscover process, which is causing the prompt. The autodiscover points at the internal Exchange server and not to O365, becuase are other mailboxes are on-prem.
Is their a solution to prevent this behaviour of Office 2016?
Thank you!
Feb 03 2017 10:38 AM
Feb 03 2017 10:55 AM
Feb 03 2017 10:58 AM
For real SSO experience in Outlook you need Modern authentication enabled. Otherwise you get the basic auth prompt, that's the expected behavior. If you want more info check the AD FS whitepapers: https://www.microsoft.com/en-us/download/details.aspx?id=36391
Feb 03 2017 10:58 AM
Oh, and Modern auth needs to be enabled both client-side and server-side.
Feb 03 2017 11:29 AM
Feb 04 2017 02:03 AM - edited Feb 04 2017 02:06 AM
It should be the expected behavior in hybrid setup. Autodiscover will and should point to your on-premises Exchange setup.
This article here talks about the autodiscover lookup process in detail: https://blogs.technet.microsoft.com/rmilne/2015/04/29/office-365-autodiscover-lookup-process/
Feb 10 2017 05:54 AM
It is because of the autodiscover cache which points the client to the old Exchange 2010 server. When I delete the autodiscover cache (manually) from the users profile and reboot the device I don`t see the basic auth popup and the user is logged on seamless to Outlook.
I have also setup a few test users on the Exchange 2016 server, when they are moved to Office 365, they don`t see the popup, just restart Outlook and they are logged on to Outlook.
So when I move users at night and the next morning the users starts his device, the autodiscover cache should be renewed and don`t see a popup.
Dec 12 2017 06:15 AM - edited Dec 12 2017 06:15 AM
Thanks Vasil! This solved my problem. I enabled the modern auth on O365 tenant but not on my Outlook 2013 client. After doing that no prompts anymore and it worked. Outlook 2016 has this already setup and now checking the need for Outlook 2010.
Dec 12 2017 11:41 AM
Office 2010 doesn't support Modern authentication though. It might be better if you describe your specific issue in a separate post.
Dec 21 2017 08:51 AM
Hi peter, do you get SSO to your internal Autodiscover website? if not then that's the problem, add your internal Autodiscover website to local intranet sites.
Jan 29 2020 10:42 AM
@Peter Klapwijk Although this is an old article. I just wanted to add my findings as i have experienced exactly this.
What solved my problem was https://support.microsoft.com/en-gb/help/3126599/outlook-prompts-for-password-when-modern-authentica...
This fix was: