As many of you know, with OWA 2010 RTM and SP1 (and OWA 2007 for that matter), when a user hits a CAS server in the wrong AD site (that is, a different AD site from the one where the user’s mailbox is located), the user is either proxied or redirected to the correct AD site, depending on whether an external OWA URL has been specified. If no external URL has been specified for the OWA vdir on the CAS servers in the AD site holding the user’s mailbox, the CAS server in the “wrong” AD site will try to proxy the request to a CAS server in the “right” AD site. If the OWA vdir on the CAS servers in the right AD site has been configured with integrated authentication, the user gets SSO (he is only prompted for credentials once).
However, if an external URL has been specified for the OWA vdir on the CAS servers in the AD site where the user’s mailbox is stored, the CAS server in the “wrong” AD site will initiate a redirect instead of a proxy. Let’s say the user hits https://failover.exchangeonline.dk/owa, which points to an AD site other than the one where his mailbox is located; he will be presented with a screen similar to the following:
After clicking on the link that points to the right AD site, he will be prompted for credentials once again:
Now, although this forces the user to connect to a CAS server in the “right” AD site, it doesn’t provide a real SSO experience.
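To see which of your OWA vdirs will be proxied to and which will trigger a redirect under the RTM/SP1 rules described above, the following added example (not part of the original post) applies that decision logic to the live configuration. It assumes it is run in the Exchange Management Shell with rights to read CAS configuration and uses only Get-ExchangeServer and Get-OwaVirtualDirectory; the column names are my own.

```powershell
# Added example: classify each OWA vdir by how a CAS in another AD site
# will treat a request for a mailbox in this vdir's site (2010 RTM/SP1 rules).
# Assumes Exchange Management Shell (PowerShell 2.0 compatible syntax).

# Map CAS server name -> AD site name for reporting.
$siteByServer = @{}
Get-ExchangeServer | Where-Object { $_.IsClientAccessServer } | ForEach-Object {
    $siteByServer[$_.Name] = $_.Site.Name
}

$report = Get-OwaVirtualDirectory -ADPropertiesOnly | ForEach-Object {
    $vdir = $_
    $serverName = $vdir.Server.ToString()
    $hasExternalUrl = -not [string]::IsNullOrEmpty($vdir.ExternalUrl)

    # No ExternalUrl: the remote CAS proxies the request to this vdir.
    # ExternalUrl set: the remote CAS shows a redirect link to this URL instead.
    if ($hasExternalUrl) { $crossSite = 'Redirect' } else { $crossSite = 'Proxy' }

    # Proxying only gives SSO when this vdir accepts integrated (Windows) auth.
    # A redirect always costs a manual click plus a second credential prompt
    # before SP2; SP2 is what adds the silent cross-site SSO redirect.
    if ($crossSite -eq 'Proxy' -and $vdir.WindowsAuthentication) {
        $sso = 'Yes'
    } elseif ($crossSite -eq 'Proxy') {
        $sso = 'No (target vdir lacks integrated auth)'
    } else {
        $sso = 'No (manual redirect, re-prompted; SP2 fixes)'
    }

    New-Object PSObject -Property @{
        Server      = $serverName
        Site        = $siteByServer[$serverName]
        ExternalUrl = $vdir.ExternalUrl
        WindowsAuth = $vdir.WindowsAuthentication
        FormsAuth   = $vdir.FormsAuthentication
        CrossSite   = $crossSite
        SSO         = $sso
    }
}

$report |
    Select-Object Site, Server, ExternalUrl, WindowsAuth, FormsAuth, CrossSite, SSO |
    Sort-Object Site, Server |
    Format-Table -AutoSize
```

Any vdir reported as Redirect with a second AD site in front of it is one where users will see the link-and-reauthenticate flow shown above until SP2 is deployed.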
Exchange 2010 SP2 will improve the redirection experience by offering a mechanism that gives the user a cross-site redirection SSO experience. What does that mean? Well, it means the user will be redirected automatically (he doesn’t have to click a link manually), and not only that: he will also be allowed access to the mailbox without having to authenticate again.
Yes, very cool stuff is coming your way with Exchange 2010 SP2!
Technology Architect/Writer/MS Vendor
MCM: Exchange 2007 | MVP: Exchange Architecture