For the sake of sharing knowledge, I resolved my issue: I found an article from Paul Cunningham that at the very end of the article casually mentioned setting OWA/ECP directories to the same authentication method. I didn't specifically remember doing that so I revisited each authentication mechanism. The 'Authentication Delegation' tab in my OWA publish rule on the TMG was set to 'NTLM Authentication' instead of 'Basic Authentication' as the CAS was defined. Flipped the TMG to Basic Auth, applied the rule and now I'm seeing the expected 2FA page with login sending users directly to inbox instead of a second OWA login page.
From: Orlebeck, Geoffrey
Sent: Thursday, June 19, 2014 9:11 AM
To: '[email protected]'
Subject: RE: OWA with TMG 2010

I'll do a check against those as well. I may have mucked up the info by adding the fact that we're hosting it. For all intents and purposes, it's basically TMG authenticating against a RADIUS server. But I understand this may also be more of a TMG question than Exchange... I just had seen some mentions of TMG on here previously, so I thought I'd give it a go. Thanks for the link!

Geoff

From: [email protected] [mailto:[email protected]] On Behalf Of Michael B. Smith
Sent: Thursday, June 19, 2014 9:06 AM
To: [email protected]
Subject: [Exchange] RE: OWA with TMG 2010

I've never heard of a configuration like this. I wasn't even aware it was possible. :) All I can do is provide you this step-by-step I found online. As far as I know (which isn't much), the AuthAnvil RADIUS server isn't special in any way.

http://www.scorpionsoft.com/docs/authanvil/owatmg/

From: [email protected] [mailto:[email protected]] On Behalf Of Orlebeck, Geoffrey
Sent: Thursday, June 19, 2014 11:33 AM
To: [email protected]
Subject: [Exchange] RE: OWA with TMG 2010

I'm still hitting my head against this one, so I'm just asking one more time if anyone may have some ideas out there. I modified the post a little to hopefully offer some clarity. Thanks.

Previous Post:

I have an Exchange 2010 SP3 CAS that is protected by an Ex2010 Edge Transport server with TMG 2010 sitting in our DMZ on the perimeter. These servers belong to Company B (domain2.org), but we are hosting them in our Company A datacenter (domain1.org). We, Company A, use 2FA via RADIUS OTP for OWA connections. For Company B, we set up their web listener for RADIUS OTP with our Company A RADIUS server providing that validation. Everything is working as expected except the login experience.
For Company A, when we perform 2FA at OWA, it takes users directly to their mailbox. With Company B, it takes users to a second OWA login page, without the 2FA requirement (as if hitting OWA internally). I have tried specifying separate Internal Network Credentials on the main 2FA OWA page, but it still prompts a second time, even though the domain username/password are identical to what works on the second OWA login page. I searched around and compared the TMG rules on Company B to what we have at Company A but am not getting anywhere worthwhile. Any ideas?

Confidentiality Notice: This is a transmission from Community Hospital of the Monterey Peninsula. This message and any attached documents may be confidential and contain information protected by state and federal medical privacy statutes. They are intended only for the use of the addressee. If you are not the intended recipient, any disclosure, copying, or distribution of this information is strictly prohibited. If you received this transmission in error, please accept our apologies and notify the sender. Thank you.
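A check for the mismatch described in the resolution at the top of this thread, added here as an example and not part of any message in the thread: it reads the authentication settings of the OWA and ECP virtual directories on each Exchange 2010 CAS with the Exchange Management Shell cmdlets Get-OwaVirtualDirectory and Get-EcpVirtualDirectory, reports where the two differ, and prints the TMG "Authentication Delegation" type that the CAS settings imply. The mapping from CAS settings to TMG delegation names, and the assumption that forms-based authentication is switched off on a CAS published behind a TMG forms listener, are my own assumptions about the usual published layout; the thread itself only states that OWA, ECP and the TMG rule must agree.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell on
# an Exchange 2010 server. It compares the OWA and ECP virtual directory
# authentication settings per CAS and suggests the matching TMG delegation type.
# Assumption: a TMG forms listener delegates Basic or NTLM to the CAS, so the
# CAS is expected to have FormsAuthentication off and exactly one of
# Basic/Windows on.

$authProps = 'BasicAuthentication', 'WindowsAuthentication', 'FormsAuthentication', 'DigestAuthentication'

# Only the 'owa' and 'ecp' directories; legacy dirs (Exchange, Public) are skipped.
$owaDirs = Get-OwaVirtualDirectory | Where-Object { $_.Name -like 'owa*' }
$ecpDirs = Get-EcpVirtualDirectory | Where-Object { $_.Name -like 'ecp*' }

foreach ($owa in $owaDirs) {
    $server = $owa.Server
    $ecp = $ecpDirs | Where-Object { $_.Server -eq $server } | Select-Object -First 1
    if (-not $ecp) {
        Write-Warning "$server : no ECP virtual directory found to compare against"
        continue
    }

    # Any property that differs between OWA and ECP is reported; a user who
    # authenticates to OWA with one method and is then sent to ECP with another
    # gets a second login prompt.
    $mismatch = @()
    foreach ($p in $authProps) {
        if ($owa.$p -ne $ecp.$p) {
            $mismatch += ('{0} (OWA={1}, ECP={2})' -f $p, $owa.$p, $ecp.$p)
        }
    }
    if ($mismatch.Count -gt 0) {
        Write-Warning "$server : OWA/ECP auth settings differ: $($mismatch -join '; ')"
    } else {
        Write-Output "$server : OWA and ECP authentication settings agree"
    }

    # Map the CAS settings to the TMG rule's Authentication Delegation choice.
    # These delegation names are the ones shown in the TMG publishing rule UI;
    # the mapping itself is an assumption of this example.
    if ($owa.FormsAuthentication) {
        $hint = 'review: CAS has forms-based auth on; TMG cannot delegate to a forms login'
    } elseif ($owa.BasicAuthentication -and -not $owa.WindowsAuthentication) {
        $hint = 'Basic Authentication'
    } elseif ($owa.WindowsAuthentication -and -not $owa.BasicAuthentication) {
        $hint = 'NTLM Authentication'
    } else {
        $hint = 'review: ambiguous (both or neither of Basic/Windows enabled)'
    }

    Write-Output ('{0} : OWA Basic={1} Windows={2} Forms={3} -> expected TMG delegation: {4}' -f `
        $server, $owa.BasicAuthentication, $owa.WindowsAuthentication, $owa.FormsAuthentication, $hint)
}
```

Run it after any change to the virtual directories or to the publishing rule; a warning from the comparison, or a "review" hint, points at the same class of misconfiguration as the NTLM-versus-Basic delegation mismatch that caused the second login page in this thread.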
