Exchange 2016 OWA MFA - Eliminate 2nd login after MFA

  • Question

  • Hi all, 

    All on-premises Exchange 2016 environment and need to implement Azure MFA with OWA. We do have Azure AD setup with MFA and I have published our OWA url through the Azure AppProxy Service and the MFA works great, however after I authenticate MFA, it directs me to our OWA login page where I must authenticate again. The desire is to eliminate the 2nd login at the OWA page, essentially having SSO. I feel I am very close to getting this to work. Any ideas/suggestions how to eliminate the 2nd login? Thanks!

    Tuesday, June 9, 2020 7:13 PM

Answers

All replies

  • Hi, so there is no other way besides implementing ADFS? ADFS is a technology that our team would rather not use. Is there another way or option to alter the type of authentication on the OWA webpage in order to get this to work?
    Wednesday, June 10, 2020 5:04 PM
  • Hi,

    Based on my knowledge, yes, you have to configure single sign-on, then the Application Proxy connector can communicate with AD to perform any additional authentication required. You can check this to choose a single sign-on method, and for more information about how to set up SSO: Choosing a single sign-on method.

    Regards,

    Lydia Zhou


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Thursday, June 11, 2020 7:11 AM
  • Just checking in to see if above information was helpful. If you have any questions or need further help on this issue, please feel free to post back.

    Regards, 

    Lydia Zhou


    Wednesday, June 17, 2020 8:40 AM
  • I am still struggling with the only option being ADFS even though we are using Azure AD with MFA. I am slightly confused on the other comment about choosing a SSO method. I did change the OWA login page to use Integrated Windows Auth, but was still getting two login prompts. Thank you for the information but it is true ADFS is the only option? Thank you
    Wednesday, June 17, 2020 8:13 PM
  • I am still struggling with the only option being ADFS even though we are using Azure AD with MFA. I am slightly confused on the other comment about choosing a SSO method. I did change the OWA login page to use Integrated Windows Auth, but was still getting two login prompts. Thank you for the information but it is true ADFS is the only option? Thank you

    You need to enable Kerberos delegation if you want true SSO.

    https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-configure-single-sign-on-with-kcd

    Specifically, jump to:

    https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-configure-single-sign-on-with-kcd#configure-active-directory

    and configure the AD properties of the Azure App Proxy server and give it the ability to impersonate users against the Exchange Server(s).

    Wednesday, June 17, 2020 9:46 PM
  • Any updates so far? If you have solved your problem, could you share with us? Maybe it will help more people with similar problems. 

    Regards,

    Lydia Zhou


    Tuesday, June 23, 2020 9:24 AM
  • Here is a brief summary about replies above for quick reference.

    Request:

    All on-premises Exchange 2016 environment and need to implement Azure MFA with OWA. We do have Azure AD setup with MFA and I have published our OWA url through the Azure AppProxy Service and the MFA works great, however after I authenticate MFA, it directs me to our OWA login page where I must authenticate again.

    The desire is to eliminate the 2nd login at the OWA page, essentially having SSO.

    Suggestions:

    Based on my knowledge, yes, you have to configure single sign-on, then the Application Proxy connector can communicate with AD to perform any additional authentication required. 

    For IWA, the Application Proxy connectors use Kerberos Constrained Delegation (KCD) to authenticate users to the application.

    Reference Link:

    Choosing a single sign-on method

    Kerberos Constrained Delegation for single sign-on to your apps with Application Proxy

    Regards, 

    Lydia Zhou


    Monday, June 29, 2020 9:07 AM
  • What ended up working out was choosing Integrated Windows Authentication for the SSO settings on the AppProxy configuration and changing the OWA directories to be Integrated Windows Authentication. But changing the OWA directories to IWA ended up creating other issues in our environment so I had to revert. But this is what ended up being the solution.
    • Marked as answer by Andy DavidMVP Tuesday, June 30, 2020 4:02 PM
    Tuesday, June 30, 2020 3:22 PM
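The two configuration steps the thread arrives at (KCD for the Application Proxy connector's computer object, then IWA on the OWA/ECP virtual directories) put together as an added PowerShell example; this is not from the thread or from Microsoft's documentation. Server names APPPROXY01 and EX01, the domain contoso.com and the namespace mail.contoso.com are placeholders.

```powershell
# Added example (not from the thread). Placeholders: APPPROXY01 = App Proxy connector server,
# EX01 = Exchange 2016 mailbox server, mail.contoso.com = OWA namespace, contoso.com = AD domain.
# Part 1 runs on a domain-joined admin host with the ActiveDirectory module (domain admin rights);
# part 2 runs in the Exchange Management Shell.

# --- Part 1: Kerberos Constrained Delegation for the connector server -----------------------
# The connector authenticates the user to Exchange with a Kerberos ticket it obtains through
# protocol transition (S4U2Self) plus constrained delegation (S4U2Proxy). Both the target SPNs
# and the protocol-transition flag live on the connector's computer object.
$connector  = 'APPPROXY01'
$targetSpns = @('http/mail.contoso.com', 'http/EX01.contoso.com')   # SPNs the OWA URL resolves to

# Constrained: the connector may obtain service tickets for these SPNs only, nothing else.
Set-ADComputer -Identity $connector -Add @{ 'msDS-AllowedToDelegateTo' = $targetSpns }
# Protocol transition ("Use any authentication protocol"): the connector never sees a password,
# only the identity asserted by Azure AD, so it must be allowed to request S4U2Self tickets.
Set-ADAccountControl -Identity "$connector`$" -TrustedToAuthForDelegation $true

# Verify: the delegation list holds exactly the intended SPNs and unconstrained delegation is off.
$acct = Get-ADComputer -Identity $connector -Properties 'msDS-AllowedToDelegateTo', TrustedForDelegation, TrustedToAuthForDelegation
if ($acct.TrustedForDelegation) { throw "$connector has unconstrained delegation enabled; fix this first" }
$unexpected = @($acct.'msDS-AllowedToDelegateTo') | Where-Object { $_ -notin $targetSpns }
if ($unexpected) { Write-Warning "Unexpected delegation targets: $($unexpected -join ', ')" }

# The SPN set as "Internal Application SPN" in the App Proxy SSO settings must exist on the
# account serving OWA. HOST/ covers http/ for the server's own name, but a shared namespace
# such as mail.contoso.com has to be registered explicitly (on a single Exchange server here;
# load-balanced deployments use Exchange's Alternate Service Account for namespace SPNs instead).
$exSpns = (Get-ADComputer -Identity 'EX01' -Properties servicePrincipalName).servicePrincipalName
if ($exSpns -notcontains 'http/mail.contoso.com') { setspn -S http/mail.contoso.com EX01 }

# --- Part 2: switch OWA and ECP from forms-based to Integrated Windows Authentication ---------
# OWA and ECP virtual directories must use matching authentication, so both change together.
foreach ($srv in @('EX01')) {
    Set-OwaVirtualDirectory -Identity "$srv\owa (Default Web Site)" -WindowsAuthentication $true -FormsAuthentication $false
    Set-EcpVirtualDirectory -Identity "$srv\ecp (Default Web Site)" -WindowsAuthentication $true -FormsAuthentication $false
}
# Confirm the resulting settings; the change takes effect after an iisreset on each server.
Get-OwaVirtualDirectory -Server 'EX01' | Format-List Identity, *Authentication
```

The verification block is the part worth keeping: a connector that is trusted for unconstrained delegation, or whose msDS-AllowedToDelegateTo list has grown beyond the Exchange SPNs, can impersonate users to far more than OWA.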