ADFS, Outlook, single sign-on

I had to configure the ADFS server for Chrome.

I ran these commands:

1) Import-Module ADFS (by opening Windows PowerShell, not Azure PowerShell)

2) Set-AdfsProperties -WIASupportedUserAgents @("MSAuthHost/1.0/In-Domain","MSIE 6.0","MSIE 7.0","MSIE 8.0","MSIE 9.0","MSIE 10.0","Trident/7.0","MSIPC","Windows Rights Management Client","MS_WorkFoldersClient","=~Windows\s*NT.*Edge","Mozilla/5.0","Edge/12")

3) Reboot


Everything worked fine.

But there is one Workday mailbox, xxx@domain.com. Before running the command, the IT Workday people used Chrome and typed portal.office.com; it would ask for the email address of the shared mailbox and then the password, and the user would be directed to that shared mailbox. This mailbox is not allowed to be configured in their respective Outlook.

But now, when they type portal.office.com and put in the same Workday mailbox email address, it is doing two things:

1) It is not asking for the password.
2) Instead of getting into that Workday mailbox, the user gets the apps page on the 365 portal, and when they open Outlook, their own mailbox opens up instead of that shared mailbox.

I hope I put the question correctly; so the question is that the shared mailbox is not opening or showing up.

From my personal computer, when I type portal.office.com and put in the Workday mailbox email address, it gives me a prompt at sts.domain.com for username and password.

But when I am on my network, the above issue is happening.
pramod1 asked:
Jeff Glover, Sr. Systems Administrator, commented:
This is a case of people wanting the best of all worlds. When you put in the email address in portal.office.com, it looks at the domain part. It then says, this is a federated domain, so redirect authentication to the configured ADFS server. Since the user is on the network and the ADFS server is in the Intranet zone, the ADFS server uses WIA to authenticate the user and redirects them back as themselves (their logged-in account). That is the way it is working. From outside the network, you use the normal forms-based authentication for ADFS. Perhaps some expert can tell you a way to circumvent this, but for me, the best way is to go into their own mailbox and, once in, right-click on the icon in the upper right and select "Open another mailbox" from the dropdown. The only other way to do this would be to change the ADFS authentication method to use FBA only or to remove the ADFS server from the Intranet zone. This way, the redirect would take you to a page where you would put in the shared address and password. However, it would completely negate the earlier work to get WIA working for anything.
It sounds like your ADFS is working as advertised here.
pramod1 (Author) commented:
So enabling FBA won't create any issue?

Jeff Glover, Sr. Systems Administrator, commented:
FBA is already enabled. On an ADFS server the first authentication method is WIA and the second is FBA (forms-based authentication). On an ADFS proxy server, FBA is the first one. That is how you get the username and password prompt. Just removing the ADFS server URL from the Intranet zone will stop Windows Integrated login for internal users, and all users will get the username and password prompt regardless of where they are. However, understand this will affect ALL of your relying party trusts, not just Office 365. That is why I recommend they go with the "Open another user's mailbox" option.
pramod1 (Author) commented:
Thanks, but one question.
We can't remove the ADFS from the Intranet zone; as I said, that won't work. But as you said in your first post, change the ADFS authentication method to FBA only, so in this case disable WIA and enable FBA?

Will this cause any issue, and how will redirecting help?
Vasil Michev (MVP) commented:
No. Any change you make on the AD FS server will affect the login experience for all users, and you definitely don't want to disable WIA for all. You can toggle it client-side on the machine(s) that are used by the Workday folks. Or do a more complex solution that detects which machine/browser is trying to access the service and switches the auth method: http://blog.kloud.com.au/2014/11/06/implementing-adfs-v3-0-forms-authentication-in-mixed-environments/

Plus, shared mailboxes are always accessed via the credentials of the delegate (the currently logged-in user). So once they log in, they can simply open the shared mailbox via the "Open another mailbox" menu in OWA, or even use a direct link.
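A worked example of the two levers this thread discusses: the server-side WIASupportedUserAgents list from the question, and the client-side Intranet zone mapping that both answers above refer to. This is added PowerShell, not part of the original thread. It assumes the federation service name sts.domain.com from the question and a domain-joined Windows workstation running Chrome; the registry path and Group Policy setting it names are real, the host names are placeholders to replace.

```powershell
# Added example, not from the original thread. Assumed from the question:
# the federation service is sts.domain.com and the Workday people use Chrome
# on domain-joined Windows machines. Run part 1 on an AD FS server and
# part 2 on one Workday workstation; replace the placeholder names first.

# ---- Part 1 (AD FS server): see which user agents are offered WIA ----
Import-Module ADFS
$wiaAgents = (Get-AdfsProperties).WIASupportedUserAgents
"User-agent patterns that get Windows Integrated Authentication:"
$wiaAgents | ForEach-Object { "  $_" }

# AD FS matches each entry as a substring of the browser's User-Agent header
# (entries prefixed with '=~' are regular expressions). "Mozilla/5.0" is the
# prefix of every modern browser UA string, so listing it turns WIA on for
# Chrome, Firefox and Safari alike, not only Chrome.
if ($wiaAgents -contains 'Mozilla/5.0') {
    "Note: 'Mozilla/5.0' is listed, so every browser on the intranet gets silent sign-on."
}

# ---- Part 2 (one workstation): move sts.domain.com out of the Intranet zone ----
# Chrome on Windows reuses the Internet Options security zones to decide
# whether to answer a Negotiate/NTLM challenge with the logged-on user's
# credentials. Mapping only the STS host to the Internet zone on this
# machine makes Chrome decline WIA here, so AD FS falls back to its forms
# page, where the Workday mailbox credentials can be typed. Nothing changes
# on the AD FS server, so other users and relying party trusts keep SSO.
# This writes the per-user (HKCU) zone map; the fleet-wide equivalent is the
# "Site to Zone Assignment List" Group Policy setting.
$stsDomain    = 'domain.com'   # placeholder taken from the question
$stsSubdomain = 'sts'          # placeholder taken from the question
$zoneInternet = 3              # 1 = Local intranet, 2 = Trusted sites, 3 = Internet

$zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$key = Join-Path (Join-Path $zoneMap $stsDomain) $stsSubdomain
New-Item -Path $key -Force | Out-Null
New-ItemProperty -Path $key -Name 'https' -Value $zoneInternet -PropertyType DWord -Force | Out-Null

# Verify the explicit mapping exists; an explicit entry overrides automatic
# intranet detection for this host.
Get-ItemProperty -Path $key | Select-Object https

# To undo on this machine and restore automatic intranet detection:
# Remove-Item -Path $key -Recurse -Force
```

Run part 1 as an administrator on an AD FS server and part 2 on the Workday users' workstation as the user whose Chrome should stop doing WIA, then have them browse to portal.office.com again: after the redirect to sts.domain.com they should see the forms page instead of being signed in silently. One caveat: if the Chrome policy AuthServerAllowlist (AuthServerWhitelist in older releases) is configured, Chrome uses that list instead of the zone map, and the STS host would have to be removed there as well.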
pramod1 (Author) commented:
So, to open another mailbox, I suppose I need to give Full Access mailbox permission to those users who are trying to open the Workday mailbox?
Jeff Glover, Sr. Systems Administrator, commented:
Yes.
pramod1 (Author) commented:
The other IT guy is going to test it with Run as.

I will get back to you.
pramod1 (Author) commented:
Will this work?

Test as admin account  run as/ user:domain \ admin : c :\ program  files google chrome application chrome .exe
Jeff Glover, Sr. Systems Administrator, commented:
I don't know for sure, but my gut feeling is no. The path is not spelled correctly, and launching a browser as a different user does not change the credentials passed via IE or Chrome.
pramod1 (Author) commented:
OK, we are checking. The only issue is that we have some contractors who have no mailbox of their own, so how will they access the Workday mailbox?
Vasil Michev (MVP) commented:
Well, you do require a mailbox (Exchange Online license) in order to access shared mailboxes in O365. This has nothing to do with authentication.
pramod1 (Author) commented:
The Workday mailbox is a user mailbox; it has an enabled AD account.

I am worried, as the contractors don't have a mailbox; they earlier used the username and password of this mailbox to log in to 365 to connect to this mailbox.
Vasil Michev (MVP) commented:
So then just use one of the methods detailed above in order to "bypass" SSO.