SungHoon_Kim

O365 Integration Test Result

Blog Post created by SungHoon_Kim Employee on Mar 29, 2017

This is an internal test which I performed.

The Single Sign-On version is R12.52SP1CR6 (CR4 provides the STS IWA feature).

Policy Server and CA Access Gateway are on the same version.

The clients used were Office 2013 and Office 2016, with the installers downloaded directly from portal.office.com.

Tests were performed after emptying the Credential Manager (in Control Panel).

 

CA DEMO ENV

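| Use case   | Client      | OS         | Active Profile                                                          | Passive Profile |
|------------|-------------|------------|-------------------------------------------------------------------------|-----------------|
| outlook    | Office 2013 | Win7       | N/A                                                                     | N/A             |
| outlook    | Office 2013 | Win10      | Prompt                                                                  | Seamless        |
| outlook    | Office 2013 | Win2012 R2 | N/A                                                                     | N/A             |
| outlook    | Office 2016 | Win7       | Prompt                                                                  | Seamless        |
| outlook    | Office 2016 | Win10      | N/A                                                                     | N/A             |
| outlook    | Office 2016 | Win2012 R2 | N/A                                                                     | Seamless        |
| skype      | Office 2013 | Win7       | N/A                                                                     | N/A             |
| skype      | Office 2013 | Win10      | Seamless login, but prompted when clicking on address book/calendar     | Seamless        |
| skype      | Office 2013 | Win2012 R2 | N/A                                                                     | N/A             |
| skype      | Office 2016 | Win7       | Seamless login, but prompted when clicking on address book/calendar     | Seamless        |
| skype      | Office 2016 | Win10      | N/A                                                                     | N/A             |
| skype      | Office 2016 | Win2012 R2 | N/A                                                                     | Seamless        |
| word/excel | Office 2013 | Win7       | N/A                                                                     | N/A             |
| word/excel | Office 2013 | Win10      | Prompt                                                                  | Seamless        |
| word/excel | Office 2013 | Win2012 R2 | N/A                                                                     | N/A             |
| word/excel | Office 2016 | Win7       | Seamless (X), Prompted (O)                                              | Seamless        |
| word/excel | Office 2016 | Win10      | N/A                                                                     | N/A             |
| word/excel | Office 2016 | Win2012 R2 | N/A                                                                     | Seamless        |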

* Active profile:

Client authentication at https://(FQHN)/microsoftonline/windowstransport with Authorization header and SOAP message

* Passive profile:

Client authentication at https://(FQHN)/siteminderagent/ntlm/ntcreds.ntc with Authorization header

(Redirected from AuthenticationURL: https://(FQHN)/siteminderagent/redirectjsp/redirect.jsp)

* Modern Authentication must be enabled at the O365 tenant:

https://social.technet.microsoft.com/wiki/contents/articles/32711.exchange-online-how-to-enable-your-tenant-for-modern-authentication.aspx

https://social.technet.microsoft.com/wiki/contents/articles/34339.skype-for-business-online-enable-your-tenant-for-modern-authentication.aspx

* "N/A" means this specific combination has not been tested by me in the CA Demo Env.
* "Prompt" means the popup prompt appears immediately.
* "Seamless" means the popup prompt does not appear immediately and no prompt appeared while navigating to app features.

* SPS ACO has IWA support parameter "WindowsNativeAuthentication=No" configured.

* SPS Authentication Scheme for IWA created and assigned to protect the AuthenticationURL (https://(FQHN)/siteminderagent/redirectjsp/redirect.jsp)

 

 

Screenshot of Credential Manager being emptied.

 

When Modern Authentication is enabled (Passive Profile Mode), you will see the user credentials stored once the seamless login has succeeded.

 

1. If you are trying to test the same in your environment, make sure you have enabled Modern Authentication for Exchange/SharePoint/Skype as described in the links above.

 

2. Make sure that your Office client version is also higher than the versions listed in the document below.

How to use Modern Authentication (ADAL) with Skype for Business 

 

Clients where Modern Authentication / ADAL isn't Supported

Some client versions don't support OAuth. You can check your version of Office client in Control Panel where you Add and Remove programs in order to compare your version number to the versions (or ranges of versions) listed here:

  • Office Client 15.0.[0000-4766].*

  • Office Client 16.0.[0000-4293].*

  • Office Client 16.0.6001.[0000-1032]

  • Office Client 16.0.[6000-6224].*

 

3. Finally, ensure that you have set the registry in the correct location.

(Link about registry Enable Modern Authentication for Office 2013 on Windows devices - Office 365 )

 

And switching between the Active and Passive mode is a simple registry change.

Mode: Active Profile Mode
Registry:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Common\Identity]
"EnableADAL"=dword:00000000
"Version"=dword:00000001

Mode: Passive Profile Mode
Registry:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Common\Identity]
"EnableADAL"=dword:00000001
"Version"=dword:00000001
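
The version check from step 2 and the registry check from step 3, combined as an added example (not part of the original post or of any CA or Microsoft tool): it tests an Office build against the unsupported ranges listed above and reports which mode the EnableADAL/Version values select for the current user. The function names, the sample version and the -OfficeKeyVersion parameter are assumptions made for illustration; 15.0 is the key used in this post, and passing 16.0 for Office 2016 is an assumption.

```powershell
# Added example, not from the original post. Function names are hypothetical.
# Build ranges the post lists as lacking Modern Authentication (ADAL) support.
# RevMax = $null stands for the ".*" wildcard (any revision).
$UnsupportedRanges = @(
    @{ Major = 15; Minor = 0; BuildMin = 0;    BuildMax = 4766; RevMax = $null }  # 15.0.[0000-4766].*
    @{ Major = 16; Minor = 0; BuildMin = 0;    BuildMax = 4293; RevMax = $null }  # 16.0.[0000-4293].*
    @{ Major = 16; Minor = 0; BuildMin = 6001; BuildMax = 6001; RevMax = 1032  }  # 16.0.6001.[0000-1032]
    @{ Major = 16; Minor = 0; BuildMin = 6000; BuildMax = 6224; RevMax = $null }  # 16.0.[6000-6224].*
)

function Test-AdalUnsupported {
    # Returns $true when the given Office version falls inside one of the listed ranges.
    param([Parameter(Mandatory = $true)][version]$OfficeVersion)
    foreach ($r in $UnsupportedRanges) {
        if ($OfficeVersion.Major -ne $r.Major -or $OfficeVersion.Minor -ne $r.Minor) { continue }
        if ($OfficeVersion.Build -lt $r.BuildMin -or $OfficeVersion.Build -gt $r.BuildMax) { continue }
        if ($null -eq $r.RevMax -or $OfficeVersion.Revision -le $r.RevMax) { return $true }
    }
    return $false
}

function Get-OfficeAuthMode {
    # Reads the per-user Identity key from the post and maps its values to a mode.
    # '15.0' is the key shown in the post; '16.0' for Office 2016 is an assumption.
    param([string]$OfficeKeyVersion = '15.0')
    $path = "HKCU:\SOFTWARE\Microsoft\Office\$OfficeKeyVersion\Common\Identity"
    $id = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    if ($null -eq $id -or $null -eq $id.EnableADAL) {
        # Same symptom the post describes: value written to the wrong location.
        return "EnableADAL not set at $path"
    }
    if ($id.EnableADAL -eq 1 -and $id.Version -eq 1) { return 'Passive Profile Mode' }
    if ($id.EnableADAL -eq 0) { return 'Active Profile Mode' }
    return "Unexpected values: EnableADAL=$($id.EnableADAL) Version=$($id.Version)"
}

# Constructed sample version; read the real one from Control Panel as described above.
$sample = [version]'16.0.4266.1001'
"{0}: ADAL unsupported = {1}" -f $sample, (Test-AdalUnsupported $sample)
"Registry mode: " + (Get-OfficeAuthMode)
```

Run it as the user who launches Office, because the values live under HKEY_CURRENT_USER.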

 

 

 

Client : Windows 7

Office: Office 2016

Application: Excel

Mode: Active Profile Mode

Got prompted and is asking for Password.

 

 

Client : Windows 7

Office: Office 2016

Application: Outlook

Mode: Active Profile Mode

Got prompted immediately after running outlook.

 

 

Client : Windows 7

Office: Office 2016

Application: Skype for Business

Mode: Active Profile Mode

Seamlessly logged in.

But after navigating there is a prompt.

 

 

Client : Windows 7

Office: Office 2016

Application: Excel

Mode: Passive Profile Mode

Seamless login.

 

 

Client : Windows 7

Office: Office 2016

Application: Outlook

Mode: Passive Profile Mode

Seamless login.

 

 

Client : Windows 7

Office: Office 2016

Application: Skype for Business

Mode: Passive Profile Mode

Seamless login and no prompt while navigating to other features.

 

 

Client : Windows 10

Office: Office 2013

Application: Excel

Mode: Active Profile Mode

Gets prompted for Password.

 

 

Client : Windows 10

Office: Office 2013

Application: Outlook

Mode: Active Profile Mode

Outlook immediately prompts for login.

 

 

Client : Windows 10

Office: Office 2013

Application: Skype

Mode: Active Profile Mode

Logged in seamlessly but got prompted later.

 

 

Client : Windows 10

Office: Office 2013

Application: Excel

Mode: Passive Profile Mode

You still need to manually enter the userID here.

Seamlessly logged in.

For reference, Excel and the other Office suite applications ask for the username.

If seamless login works, you would be logged in.

If seamless login does not work, you would be prompted for the password.

Whether you logged in manually or seamlessly, you are able to access OneDrive without a challenge.

 

 

Client : Windows 10

Office: Office 2013

Application: Outlook

Mode: Passive Profile Mode

Seamlessly logged in.

 

 

Client : Windows 10

Office: Office 2013

Application: Skype

Mode: Passive Profile Mode

Seamless login.

The window with the progress bar appears and disappears when you need to be authenticated.

When seamless login was not working, you would be presented with the basic prompt.

In this case, this window appears for a very short time and disappears.

The same goes for the Outlook client: this window appears where you would have been presented with the basic prompt when seamless login did not work.

 

 

Client : Windows Server 2012

Office: Office 2016

Application: Excel

Mode: Passive Profile Mode

Seamless login

 

 

Client : Windows Server 2012

Office: Office 2016

Application: Outlook

Mode: Passive Profile Mode

Seamless login and no prompt.

 

 

Client : Windows Server 2012

Office: Office 2016

Application: Skype

Mode: Passive Profile Mode

Seamless login and no prompt after navigating other features.

 

 

If you are unable to get the same result, you will have to use the tool in the below link to check for any misconfiguration.

 

http://aka.ms/offcat

 

Run the "Office Configuration Analyzer Tool".

 

Select the application that you would like to scan for configuration.

You can see this screen after the configuration was analyzed.

You are informed that the "Support for the 2013 versions of Office 365 ProPlus ends February 28, 2017" so it has ended.

 

Click on the "Configuration Details" box.

Basically you will be going through any hints from the report.

 

For registry, if you have not set the EnableADAL in the correct location, you will not see that appear in the configuration.

That is under "Miscellaneous".

So, if this is missing in your report, then you must have entered the registry in the wrong location.

Otherwise, you should just look for any warning signs in the report.

 

 

From this test, I have learnt that development to allow Seamless Login to STS by using IWA has its limitations.

This is not due to the Single Sign-On product; the Active Profile does not really offer true Seamless Login.

That is why Office 2016 now supports Passive Mode, which is truly Seamless.

 

What does this mean?

That means you do not need to install "CA Access Gateway" to set up STS (Active Mode) for rich clients.

You can use either "WAOP" or "CA Access Gateway", whichever you prefer, as all you need to enable is the Passive Mode.

And you do not need to upgrade to R12.52SP1CR4 since you do not need STS.

 

 

 

More content: O365 Integration Test Result - Part 2 
