Hi,
Having attempted to resolve this issue in the Office 365 Forums (https://community.office365.com/en-us/f/156/t/407619), as it was after partially setting up an ADFS server (configured the Wizard to create the ADFS entry in AD, using my Exchange OWA Certificate - eg owa.domain.co.uk, rather than the desired STS.domain.co.uk) and then attempting to activate AD Synchronisation in the Office 365 Portal, I noticed that my Outlook clients were prompting for AD credentials (which are no longer recognised). Also, I applied SP1 to my Windows 2008 R2 DCs at the same time, but I'm pretty sure this is not related.
Anyway, the interesting thing is Outlook Anywhere works externally (if I connect a laptop via a 3G dongle) but not on the LAN, although I did notice that Outlook 2013 did intermittently work on an internally connected laptop.
I have tried to retrace my steps (remove ADFS and then re-install with the correct SSL cert - STS.domain.co.uk) and removed the old ADFS entries using ADSIEDIT (CN=<GUID>,CN=ADFS,CN=Microsoft,CN=Program Data,DC=<Domain>,DC=<COM>), but the Office 365 team have suggested that I raise this with the Exchange experts.
Note, I did start to configure SSO:
- Connect to Microsoft Online Services with the credential variable set previously
  Connect-MsolService -Credential $cred
- Set the MSOL ADFS Context server to the ADFS server
  Set-MsolADFSContext -Computer adfs_servername.domain_name.com
BUT DID NOT RUN
- Convert the domain to a federated domain
  Convert-MsolDomainToFederated -DomainName domain_name.com
and even tried to disable ADS.
And even tried to disable the Federation:
Set-MsolDomainAuthentication -Authentication Managed -DomainName
John Philipson
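An added example (not from the original post) for checking where the tenant's domain actually stands after a partial federation setup like the one described above. It uses the MSOnline cmdlets the post names plus Get-MsolDomain and Get-MsolDomainFederationSettings; the domain name and the $cred variable are placeholders.

```powershell
# Added example, not part of the original post. Assumes the MSOnline module is
# installed and the credentials belong to a tenant administrator.
# 'domain_name.com' is a placeholder for the domain that was (partly) federated.
$DomainName = 'domain_name.com'
$cred = Get-Credential                 # tenant admin credentials
Connect-MsolService -Credential $cred

# Authentication tells you whether the tenant still redirects sign-ins to an
# ADFS server ('Federated') or validates passwords itself ('Managed').
$domain = Get-MsolDomain -DomainName $DomainName
$domain | Select-Object Name, Status, Authentication

if ($domain.Authentication -eq 'Federated') {
    # The endpoints the tenant will send users to. If IssuerUri or
    # PassiveLogOnUri still names the old host that was set up with the wrong
    # certificate, clients are redirected there and the prompts continue.
    Get-MsolDomainFederationSettings -DomainName $DomainName |
        Select-Object IssuerUri, PassiveLogOnUri, ActiveLogOnUri, FederationBrandName
}
else {
    Write-Output "$DomainName is Managed: Office 365 validates passwords itself and ADFS is not consulted."
}
```

If the domain reports Managed, the remaining prompts are not coming from federation and the on-premises Outlook Anywhere / Autodiscover configuration is the next place to look.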
Possibly made a bit of progress regarding Outlook Anywhere Security Settings. Not sure whether this was the thing that changed, but all settings are now for "Anonymous Logon", rather than say "Negotiate Authentication".
I have tried to change the Internal Settings with the following Powershell Command
Get-OutlookAnywhere -Server Exchange_CAS_Server | Set-OutlookAnywhere -InternalClientAuthenticationMethod NTLM
and when I checked, with the following command,
Get-OutlookAnywhere -Server Exchange_CAS_Server | fl *internal*
the settings have changed to NTLM,
but when I check Outlook clients, Autodiscover is still keeping the settings for "Anonymous Logon".
I think there is a way of changing this in the registry but it looks very involved.
Am I right in saying that Office 365 actually needs "Anonymous Logon"? https://support.microsoft.com/en-gb/kb/2984912
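An added example, not from the original thread, for the Outlook Anywhere side of the problem. It runs in the Exchange Management Shell (Exchange 2013 is assumed, since the post uses the InternalClientAuthenticationMethod parameter) and uses only Get-OutlookAnywhere. It collects the settings Autodiscover hands to clients from every Client Access server and reports two things a practitioner wants to know before touching the registry: whether the servers disagree with each other, and whether each advertised client method is actually enabled on the /rpc virtual directory.

```powershell
# Added example, not part of the original thread. Run in the Exchange Management
# Shell on Exchange 2013. No server names are assumed; every CAS is queried.
$oa = Get-OutlookAnywhere |
    Select-Object Server, InternalHostname, ExternalHostname,
                  InternalClientAuthenticationMethod,
                  ExternalClientAuthenticationMethod,
                  IISAuthenticationMethods

$oa | Format-Table -AutoSize

# Autodiscover can be answered by any CAS, so a client may receive a different
# authentication method or hostname depending on which server it reached.
# Report any property whose value is not identical on every server.
$props = 'InternalClientAuthenticationMethod', 'ExternalClientAuthenticationMethod',
         'InternalHostname', 'ExternalHostname'
foreach ($prop in $props) {
    $distinct = @($oa | ForEach-Object { "$($_.$prop)" } | Sort-Object -Unique)
    if ($distinct.Count -gt 1) {
        Write-Warning ("{0} differs between servers: {1}" -f $prop, ($distinct -join ', '))
    }
}

# The method advertised to clients must also be enabled on the /rpc virtual
# directory (IISAuthenticationMethods). If it is not, Outlook is told to use a
# method IIS will reject, and the symptom is a credential prompt that never
# succeeds, much like the one described in the thread.
foreach ($s in $oa) {
    $iis = @($s.IISAuthenticationMethods | ForEach-Object { "$_" })
    $clientMethods = @("$($s.InternalClientAuthenticationMethod)",
                       "$($s.ExternalClientAuthenticationMethod)")
    foreach ($m in $clientMethods) {
        if ($iis -notcontains $m) {
            Write-Warning ("{0}: client method {1} is not in IISAuthenticationMethods ({2})" -f
                $s.Server, $m, ($iis -join ', '))
        }
    }
}
```

Both warnings are reported rather than auto-corrected: a Set-OutlookAnywhere change such as the one in the post is applied per server, so running this across all servers first shows whether the NTLM change reached every CAS the clients could be talking to.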