Enabling Silent OWA Redirection for Office 365 Hybrid


As part of a Hybrid deployment of Exchange Server 2010 and Office 365, you’ll be faced with a few challenges if you want to keep a single Outlook Web App URL for your end users.

If you’re using Windows Authenticated Login against Exchange and AD FS then you’ll already have avoided multiple login prompts; and if you’re using Forms Based Authentication for both I’ve covered the TMG setup necessary to configure the same single sign on you’ll see in these videos in my article Configuring AD FS 2 with TMG-based SSO to Office 365.

The other challenge that I really wanted to get a solution for, and get feedback from others on, is the landing page shown above where the end user needs to click-through the “Use the following link to open this mailbox with the best performance” page. What I wanted was a solution that avoided that step entirely.

Now, it’s not necessary to do this if you are happy for users to update their own bookmarks, and concerns about users seeing a non-company domain can be avoided by following the steps in this article by Timothy Heeney which shows you how to setup a separate vanity Office 365 URL like “http://cloud.company.com/owa” by using CNAME records.

However, if you have a large user base that will be mixed between on-premises and Office 365, then keeping a single OWA URL will be very desirable. For example, a large University may have user documentation with the URL specified, lab computers with standard bookmarks, and the possibility that users may move between on-premises and Office 365 as they move between different courses or roles. It might only be an extra click, but add up that extra 5 seconds across tens of thousands of users logging into OWA per day and it soon starts to add up.

If you’re not familiar with the process, here’s a quick demo of the current “out of the box” experience, optimised using TMG for forms-based single sign-on:

Video: OWA Standard Sign-in to Office 365

As you can see it’s good – but it’s not great. It’s not got the “wow” factor that makes a hybrid deployment feel like a single organization.

The redirect page itself does serve other purposes, so it’s not like we can just get rid of it. It’s used by Exchange itself if you have an environment with multiple internet facing sites, unless you use the SP2 feature for silent redirection between sites. So we can’t just do away with the redirection page altogether – we need to take into account where it might be used elsewhere.

Another issue that’s been highlighted to me (thanks BR!) is that the default non-SSL link generated through the Hybrid Wizard is in the form http://outlook.com/owa/federateddomain rather than its SSL equivalent, so using this (or the vanity URL mentioned above) could generate browser warnings about redirection to an insecure link. Therefore the link we redirect to must be in the form https://outlook.com/owa/federateddomain. This can be changed easily, by editing the Organization Relationship like so:

Set-OrganizationRelationship "On Premises to Exchange Online Organization Relationship" -TargetOwaURL:https://outlook.com/owa/federateddomain


Once this is changed, we should be ready to enable the silent OWA redirection in Exchange itself, by editing the casredirect.aspx file within OWA.

Before we begin – it’s important to understand that this is unsupported by Microsoft, and it probably never will be. Therefore, you’ll need to test this in your own environment, and be prepared to replace the original casredirect.aspx file in the event of any issues; you’ll also need to check and if needed, re-implement this after application of update rollups or service packs. That said, so far I can’t see a reason why this would cause any issues and part of the point of this post is to gain some feedback from the community as to any other downsides.

So now you know why you shouldn’t do this – let’s look at how to do it! You’ll find the casredirect.aspx file within the OWA directory, typically at the following path under the Exchange install directory:

C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\owa\

Edit casredirect.aspx and, directly above the <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> tag, add the following lines (type the quotes as straight ASCII quotes; curly quotes pasted from a web page will not compile):

<%
// Before any content is rendered, send users whose target is the HTTPS Office 365 OWA URL straight there
if (RedirectionUrl.Contains("https://outlook.com/owa")) {
    Response.Redirect(RedirectionUrl);
    Response.End();
}
%>

This should look like this in the actual file itself:


What does this do? Well, it’s pretty straightforward – before any content is rendered, the Redirection URL is checked to ascertain if it contains the https://outlook.com/owa URL (note the HTTPS!), and if so, issue a redirect to Office 365. For any other Redirection URLs, the page will render normally.
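The check above uses Contains, which matches the text https://outlook.com/owa anywhere in the string, including inside a query string of some other URL. Since the value comes from the Organization Relationship this is an admin-controlled setting, but a stricter test costs nothing. The following is an added example (not code from the original post or from Exchange) showing the same decision made by parsing the URL with System.Uri and requiring the https scheme, the outlook.com host and a path under /owa. The helper name IsOffice365OwaTarget and the sample URLs are my own; in casredirect.aspx the page's existing RedirectionUrl variable would be passed in place of them.

```csharp
using System;

// Added example, not part of the original post: a stricter replacement for
// RedirectionUrl.Contains("https://outlook.com/owa") that parses the URL
// instead of searching for a substring.
public static class OwaRedirectCheck
{
    // Hypothetical helper name. Returns true only when the URL is absolute,
    // uses https, points at outlook.com itself and lands under /owa.
    public static bool IsOffice365OwaTarget(string redirectionUrl)
    {
        Uri uri;
        if (!Uri.TryCreate(redirectionUrl, UriKind.Absolute, out uri))
            return false;                                   // not an absolute URL at all

        bool httpsOnly   = uri.Scheme == Uri.UriSchemeHttps; // rejects the http:// form the Hybrid Wizard generates
        bool outlookHost = uri.Host.Equals("outlook.com", StringComparison.OrdinalIgnoreCase);
        bool owaPath     = uri.AbsolutePath.StartsWith("/owa", StringComparison.OrdinalIgnoreCase);

        return httpsOnly && outlookHost && owaPath;
    }

    // Constructed sample inputs so the check can be compiled and run outside
    // Exchange. Inside the <% %> block the true case is where the page calls
    // Response.Redirect(RedirectionUrl); Response.End();
    public static void Main()
    {
        string[] samples =
        {
            "https://outlook.com/owa/federateddomain",                  // the HTTPS form the post requires
            "http://outlook.com/owa/federateddomain",                   // the non-SSL form (fails the scheme test)
            "https://mail.example.com/owa/?r=https://outlook.com/owa",  // different host with the Office 365 URL only in its query string
            "not a url"                                                 // fails to parse at all
        };

        foreach (string s in samples)
            Console.WriteLine("{0} -> {1}", s, IsOffice365OwaTarget(s));
    }
}
```

To use it in the page, keep the same <% %> block and replace the Contains test with a call to the helper; everything else (the redirect, Response.End and the normal rendering for every other URL) stays as described above.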

Let’s take a look at how it works in practice:

Video: OWA Silent Redirection to Office 365

As you can see it’s fairly simple to implement, and provides a clean login consistent with on-premises Outlook Web App when combined with other SSO methods. Let me know what you think in the comments…

Steve

45 thoughts on “Enabling Silent OWA Redirection for Office 365 Hybrid”

  1. Does this only work when SSO (ADFS or Shibboleth) is implemented?
    Or can it work when just Directory Sync is enabled?

  2. Pingback: Silent OWA Redirection for Exchange 2013 / Office 365 Hybrid | Rebel without a reboot

  4. Pingback: OWA client protocol connectivity flow in Exchange 2013/2010 coexistence | 3/4 | 22#23 - o365info.com

  5. Pingback: OWA client protocol connectivity flow in Exchange 2013/2007 coexistence | 3/4 |18#23 - o365info.com

  6. Steve,

    it is a great post. I am getting this error below after I put it. any thoughts?
    An error occurred and your request couldn’t be completed. If the problem continues, contact your helpdesk with this HTTP Status code: 500.
    Exception type: System.Web.HttpCompileException
    Exception message: c:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa\casredirect.aspx(6): error CS1056: Unexpected character ‘“’

    • alright I found the cause. I just copied and pasted it and ” become something different that was not recognized. I had to delete ” part and manually put. Thanks a lot.

  7. Pingback: ActiveSync and Exchange web service client protocol connectivity flow in Exchange 2013/2010 coexistence environment | 4/4 |

  8. We are trying to get this to work and are getting an error stating: “Outlook Web App address is out of date”. In order for this to work, do we need to be using ADFS?

  9. Hi Steve,

    I am having an issue where the OWA redirection in a Hybrid deployment with Exchange 2013 is not happening for a single account and it is throwing an auth error. Any help would be greatly appreciated…

  10. I unsuccessfully searched the net for a way to do this with Exchange 2013 since the above doesn’t work due to the changes with Exchange 2013 CAS/Frontends. After some digging I figured out a way and thought I’d post my finding to others. MS is using a custom http 500 error page on the frontend to display the redirect office365 target url under C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\errorFE.aspx so adding similar custom code in there will get the same results.

    I inserted this

    between the lines

    and

    The auth strings were just my contribution to Steve’s code above in Exchange 2010 so that Office365 would auto bounce to our tenant space. I tried to add the code at the beginning of the errorFE.aspx file but it didn’t work so I left it in the middle where I know it works.

  11. Pingback: New on Search Exchange – Publishing Exchange to the Internet using WAP and AD FS 3.0 Part 1 | Steve Goodman's Exchange Blog

  12. Thanks this was very helpful. I replaced “RedirectionUrl” in…
    Response.Redirect(RedirectionUrl);
    …with the smartlink for office365 in the form of “http://mail.domain.com”.

    Works great!

  13. Pingback: Office 365: Configurando Silent OWA Redirect no Hydrid Configuration « Diogo Heringer

  14. Pingback: Office 365: Configurando Silent OWA Redirect no Hydrid Configuration « Office 365 Blog

  15. Pingback: Configuring AD FS 2 with TMG-based SSO to Office 365 | Steve Goodman's Exchange Blog

  16. Great post!,
    but I have a question… I have tried it, but when the owa redirects to office 365 page, I’m redirecting to the adfs website… and I have to login again… is there any additional parameters that I have to set?
    Thanks.

    • Hiya,

      This doesn’t prevent login to ADFS if you’re already using ADFS’ forms-based authentication. In my example, I’m fronting OWA and ADFS with TMG, using NTLM authentication and SSO for the login domain – hence only one single login.

      Steve

  17. Great idea and very interesting!!! Do you think this can apply to cross-sites silent redirection with TMG implemented??

  18. Pingback: Enabling Silent OWA Redirection for Office 365 Hybrid | Steve Goodman’s Exchange Blog « JC’s Blog-O-Gibberish

Comments are closed.