To clarify, passive federated signin to OWA works by the client
starting with a request https://mail.foo.bar/owa/ and following a
redirect over to the ADFS2 STS, which handles authenticating the
client (via one of Kerberos or forms-based auth), the result of which
renders a new HTML form for the client to push its security token back
to the OWA app, and I wouldn't expect RPC/HTTP or ActiveSync clients
to be able to follow those steps out of the box.  But, maybe they
can--is there any way to make those endpoints federation-aware?

In addition, these clients would need to have some additional hints
during setup for identity provider-initiated sign-on, in the case
where some other environment is responsible for creating the user's
token (i.e., a pure passive federated signon would not know the
current user's IdP).  Please let me know if I'm not making sense and
I'll break down and make a diagram...

--Steve
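The redirect / auto-POST round trip Steve describes (GET /owa/, 302 to the STS, authentication at the STS, an HTML form the browser submits back to OWA carrying the token) can be simulated end to end. The following is an added example and not code from this thread, from Exchange, or from ADFS: the hostnames `sts.foo.bar` and the issuer string are assumed lab values, and the token is a constructed JSON+HMAC stand-in for the signed SAML token a real STS places in `wresult`. The wire parameter names (`wa`, `wtrealm`, `wctx`, `wresult`) are the real WS-Federation passive-profile ones. The relying-party side shows the checks OWA must do before creating a session, and why a token minted for another realm is refused.

```python
"""Simulated WS-Federation passive sign-in to OWA via an ADFS-style STS.

Added example, not code from this thread, from Exchange, or from ADFS.
The hostnames are assumed lab names; the token is a constructed JSON+HMAC
stand-in for the signed SAML token a real STS returns in `wresult`.
"""
import base64
import hashlib
import hmac
import json
from html import escape
from urllib.parse import parse_qs, urlencode, urlparse

STS_URL = "https://sts.foo.bar/adfs/ls/"                 # assumed STS endpoint
STS_ISSUER = "http://sts.foo.bar/adfs/services/trust"   # assumed issuer id
OWA_REALM = "https://mail.foo.bar/owa/"                  # RP realm from the thread
LAB_KEY = b"constructed-lab-signing-key"                 # stand-in for the STS cert


def build_signin_redirect(sts_url: str, realm: str, wctx: str) -> str:
    """Step 1: OWA answers an unauthenticated GET with a redirect to the STS."""
    query = {"wa": "wsignin1.0", "wtrealm": realm, "wctx": wctx}
    return sts_url + "?" + urlencode(query)


def _sign(body: bytes, key: bytes) -> str:
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def sts_issue(redirect_url: str, user: str, key: bytes, now: float) -> dict:
    """Step 2: after Kerberos or forms auth (out of scope here) the STS mints a
    token for the requested realm and returns the fields of the auto-POST form."""
    q = parse_qs(urlparse(redirect_url).query)
    if q.get("wa") != ["wsignin1.0"]:
        raise ValueError("not a wsignin1.0 request")
    realm, wctx = q["wtrealm"][0], q.get("wctx", [""])[0]
    token = {"iss": STS_ISSUER, "aud": realm, "sub": user, "exp": now + 600}
    body = json.dumps(token, sort_keys=True).encode()
    wresult = base64.b64encode(body).decode() + "." + _sign(body, key)
    return {"action": realm,
            "fields": {"wa": "wsignin1.0", "wresult": wresult, "wctx": wctx}}


def render_autopost_form(form: dict) -> str:
    """The HTML the STS renders; a browser submits it with JavaScript.
    RPC/HTTP and ActiveSync clients have no way to run this step."""
    inputs = "".join(
        f'<input type="hidden" name="{escape(k)}" value="{escape(v)}">'
        for k, v in form["fields"].items())
    return (f'<form method="POST" action="{escape(form["action"])}">{inputs}</form>'
            "<script>document.forms[0].submit()</script>")


def owa_consume(fields: dict, expected_issuer: str, realm: str, key: bytes,
                now: float) -> str:
    """Step 3: OWA validates the posted token before it creates a session.
    Each check is one a relying party must do: signature, issuer, audience
    (so a token issued for another application is not accepted here), expiry."""
    if fields.get("wa") != "wsignin1.0":
        raise ValueError("unexpected wa value")
    try:
        b64, sig = fields["wresult"].split(".", 1)
        body = base64.b64decode(b64, validate=True)
    except (KeyError, ValueError) as exc:
        raise ValueError("malformed wresult") from exc
    if not hmac.compare_digest(sig, _sign(body, key)):
        raise ValueError("signature check failed")
    token = json.loads(body)
    if token.get("iss") != expected_issuer:
        raise ValueError("untrusted issuer")
    if token.get("aud") != realm:
        raise ValueError("token was issued for another realm")
    if token.get("exp", 0) <= now:
        raise ValueError("token expired")
    return token["sub"]


def passive_signin(user: str, wctx: str, now: float) -> str:
    """Drive the full browser round trip and return the signed-in principal."""
    redirect = build_signin_redirect(STS_URL, OWA_REALM, wctx)
    form = sts_issue(redirect, user, LAB_KEY, now)
    return owa_consume(form["fields"], STS_ISSUER, OWA_REALM, LAB_KEY, now + 1)


if __name__ == "__main__":
    print(passive_signin("alice@foo.bar", "/owa/#inbox", 1_000_000.0))
```

The `wctx` value is what lets OWA send the user back to the page they first asked for once the POST arrives; `passive_signin` plays the browser, which is the only participant in this flow that can both follow the 302 and submit the rendered form.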

On Fri, Jul 27, 2012 at 8:59 PM, Michael B. Smith <[email protected]> wrote:
> Regular outlook client would use RPC/HTTP. ActiveSync is a http-based 
> technology, so I'm not sure what you are asking about there...
>
> Is it supported "in general"? I dunno. But that's how Office 365 federation 
> works.
>
> -----Original Message-----
> From: Steve Kradel [mailto:[email protected]]
> Sent: Friday, July 27, 2012 2:16 PM
> To: MS-Exchange Admin Issues
> Subject: Experiences with on-premises Exchange 2010 and ADFS2
>
> Hi list,
>
> Having just configured Exchange 2010 SP2 with ADFS2 in a lab environment 
> (somewhat but not entirely based on Ken St. Cyr's guide @ 
> http://www.theidentityguy.com/articles/2010/10/15/access-owa-with-adfs.html
> which, although very helpful, also documents some things that didn't or at 
> least do not now work), I wanted to get the list's perspective...
>
> * Anyone doing this now to provide federated OWA services across orgs w/o 
> domain trusts?
> * If so, does Microsoft consider it a supported configuration?
> * Are users willing to accept federated OWA but not federated ActiveSync 
> access?
>
> I'm pondering how folks would access any non-HTTP-browser aspects of Exchange 
> (regular Outlook client, ActiveSync) in a federated arrangement, but it's 
> hard to escape a dependency on password sync.
> And in that case, why federate at all?
>
> --Steve
>
> ---
> To manage subscriptions click here: 
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to [email protected]
> with the body: unsubscribe exchangelist
>
