Home > Blogs

OWA Cross-Site Silent Redirection in Exchange 2010 SP2

Published 12/12 courtesy of MS Exchange Team

By now, many of you have seen the articles that discussed Address Book Policies, hosting changes, and the Hybrid Configuration Wizard, but deep down I know you all have been hoping that we would discuss the most sought after feature that we decided to include in Exchange 2010 SP2.

What’s that you say?  Yes, I know, Tony said that the “new features in SP2 are unlikely to cause much of a fuss” and that there are not that many new features in SP2 (I believe his exact words were “relative paucity”) in his SP2 announcement article over at Windows IT Pro.

Well, Im here to set the record straight. Theres one killer feature in Exchange 2010 SP2, thats often not mentioned. Thats right – its time to discuss Cross-Site Silent Redirection for Outlook Web App!

Definitions

First, let’s go over some definitions to make sure we are all on the same page.

• Internet-facing Active Directory Site An Active Directory site that contains CAS that have an ExternalURL populated for the associated service (like OWA). Typically this is the primary datacenter/site where Exchange 2010 is deployed.
• Regional Internet-facing Active Directory Site An Active Directory site that contains CAS that have an ExternalURL populated for the associated service (like OWA).
• Non-Internet-facing Active Directory Site An Active Directory site that contains CAS that do not have an ExternalURL populated for the associated service.
• Direct Connect The process where CAS establishes an RPC session with the Mailbox server hosting the mailbox data.
• Proxy The process where a CAS in an Internet-facing Active Directory site proxies incoming requests to a CAS in a Non-Internet-facing Active Directory site (thats located in the same site as the Mailbox server being accessed).
• Redirection The process where an Internet-facing CAS in one Active Directory site redirects the end user to another Internet-facing CAS that resides in the same site as the Mailbox server being accessed.
• Silent Redirection The process by which CAS issues a silent redirect back to the user’s browser, telling the browser to establish a connection to a specified URL.
• Single Sign-On (SSO) Redirection The process by which CAS issues a silent redirect back to the users browser, telling the browser to submit the request and authentication credentials to a target CAS so that the login experience is seamless.

OWA Connection Process

In order to understand the various proxy and redirection scenarios, its important to understand the mechanics behind what happens when a user authenticates against a CAS to access OWA as it happens today with Exchange 2010 pre-SP2:

1. User accesses OWA URL using web browser.
2. User enters credentials.
3. CAS authenticates user and retrieves the following information via service discovery request:
   1. Users mailbox version
   2. Users mailbox location (Active Directory site), if known
4. CAS gathers additional information based on mailbox information so that it can perform the correct operation:
   1. If mailbox is Exchange 2010 and local, CAS performs direct connect.
   2. If mailbox is Exchange 2007 and local, CAS retrieves the ExternalURL of an Exchange 2007 CAS (if one isnt defined itll use the InternalURL) and silently redirects.
   3. If mailbox is Exchange 2003, CAS retrieves Exchange2003URL and silently redirects.
   4. If mailbox is not local, CAS retrieves target ExternalURL (if defined) and redirects or proxies if no OWA ExternalURLs are defined in the target Active Directory site.

SP1 OWA Redirection Types

In Exchange 2010 SP1, we changed things slightly which resulted in three types of redirection experience for OWA in the on-premises product:

• Manual Redirection
• Temporary Manual Redirection
• Legacy Silent Redirection

Manual Redirection

Manual redirection enables customers to not have to funnel and proxy all traffic from a central location when there are CAS closer to the user’s mailbox.

Manual redirections are performed when CAS must redirect an OWA request to Exchange 2007 or Exchange 2010 CAS infrastructure thats located in a different Active Directory site. As mentioned previously, in order for a manual redirection to be performed, the target OWA virtual directory must have an ExternalURL. Your users see the following manual redirection message and the ExternalURL of the CAS in the other Active Directory site :

 

Figure1: Manual redirection when mailbox is located in another Active Directory site

 

Temporary Manual Redirection

In SP1, we added another redirection type for OWA, known as Temporary Manual Redirection. There are two scenarios where Temporary Manual Redirection comes into play:

1. During a datacenter activation switchback event, there exists the possibility that the user’s web browser still has the incorrect DNS entry cached and thus is pointing to the CAS infrastructure in the Ative Directory site that no longer hosts the mailbox. As a result, the CAS will issue a manual redirect to the correct Active Directory site, but the redirection is to the same URL that the user is currently using. To prevent a ping-pong effect where the user cannot access his mail, CAS will detect if the same session cookie is being returned and if so, will check to see if the target CAS has a FailbackURL value for the OWA virtual directory. If a FailbackURLis specified, then CAS issues a temporary manual redirection page providing the FailbackURL link. If a FailbackURL is not specified, CAS issues an error page asking the user to close all browser sessions and to try again.

   
   Figure 2: Temporary manual redirection upon datacenter activation switchback

2. The second scenario is where CAS will issue the temporary manual redirection page when it detects that the local CASs site matches that of the Mailbox databasess RpcClientAccessServer value, but the database is actually mounted in a different Active Directory site, so CAS issues a temporary redirect with the ExternalURLof the CAS in the site hosting the mounted database.

   
   Figure 3: Temporary manual redirection when mailbox is mounted in another Active Directory site

Legacy Silent Redirection

For Outlook Web Access, Exchange 2010 CAS does not support rendering mailbox data from legacy versions of Exchange. Exchange 2010 CAS does one of four scenarios depending on the target mailboxs version and/or location:

• If the Exchange 2007 mailbox is in the same Active Directory Site as CAS2010, CAS2010 will silently redirect the session to the Exchange 2007 CAS.
• If the Exchange 2007 mailbox is in another Internet-facing Active Directory Site, CAS2010 will manually redirect the user to the Exchange 2007 CAS.
• If the Exchange 2007 mailbox is in a non-Internet-facing Active Directory site, CAS2010 will proxy the connection to the Exchange 2007 CAS.
• If the mailbox is on an Exchange 2003 server, CAS2010 will silently redirect the session to a pre-defined URL.

As indicated above, legacy silent redirection is only used for same-site redirection events between an Exchange 2010 CAS and the legacy infrastructure. When performing the legacy silent redirection, CAS2010 issues a silent redirect back to the user’s browser, telling the browser to establish a connection to legacy CAS2007/FE2003 infrastructure. In order to successfully redirect to the legacy infrastructure, the following must be configured:

• To redirect Exchange 2003 mailboxes, the Exchange 2010 OWA virtual directory must have the Exchange2003URL populated.
• To redirect to an Exchange 2007 CAS, the target Exchange 2007 OWA virtual directory must have the ExternalURL.

Legacy Silent Redirection can also provide a single sign-on experience when Forms-Based Authentication (FBA) is used on the source and destination OWA virtual directories by issuing back to the web browser a hidden FBA form with the fields populated. This hidden form contains the same information as what the user had originally submitted to CAS2010 FBA page (username, password, public/private selector) as well as, a redirect to the target Exchange specific path and query string. As soon as this form is loaded it is immediately submitted to the target URL. The result is the user is automatically authenticated and can access the mailbox data.

What’s wrong with Manual Redirection?

At first glance, you might think, “hey, manual redirection is great, Microsoft” and to some extent you are correct. It is a great feature for the IT organization to control where users access their data (and thus forcing users to utilize the correct network links). But in reality, the experience is not optimal for the end user. In the scenario where the user uses the wrong OWA URL, the user performs the following actions:

1. User enters into the web browser the wrong URL.
2. User enters credentials and authenticates against CAS (wrong site).
3. CAS (wrong site) performs service discovery and determines that it can redirect user to the correct CAS.
4. CAS (wrong site) provides the user with a page that contains a link to CAS (correct site).
5. User clicks link to access OWA from the correct site.
6. User enters credentials and authenticates against CAS (correct site).

It’s this experience where the user is told they used the wrong URL and that he has to enter his credentials twice that are the sub-optimal experiences with manual redirection.

Cross-Site Silent Redirection in Exchange 2010 SP2

To remove this sub-optimal experience (Greg refers to this as a crappy experience, by the way), weve provided a fourth redirection experience for OWA in Exchange 2010 SP2, known as Cross-Site Silent Redirection. As its name implies, Cross-Site Silent Redirection only performs silent redirection for requests that are destined to CAS located in another Active Directory site (within the same Exchange organization) that have an OWA ExternalURL.

A new parameter has been created to support Cross-Site Silent Redirection, CrossSiteRedirectType. This parameter is available on the Set-OWAVirtualDirectory cmdlet and supports two values, Manual and Silent. Cross-Site Silent Redirection is disabled by default (the default value is Manual), meaning that if you currently perform manual redirection between CAS in different Active Directory sites, it will continue after you deploy SP2.

If you want to enable Cross-Site Silent Redirection, set the CrossSiteRedirectType to Silent on the Internet-facing CAS OWA virtual directories:

Set-OWAVirtualDirectory -Identity Contosoowa (Default Web site) -CrossSiteRedirectType Silent

Weve updated the OWA connection process to support Cross-Site Silent Redirection. The CAS performs the following steps during service discovery:

1. Evaluate the mailbox version (either Exchange 2007 or Exchange 2010).
2. Check the mailboxs location.
3. Obtain the ExternalURL of target CAS.
4. Obtain the redirection type on the source CAS.
   1. If CrossSiteRedirectType=Manual, we issue a manual redirect.
   2. If CrossSiteRedirectType=Silent, we issue a silent redirect.
      1. If source and target CAS have FBA enabled, then the source CAS issues a hidden form back to the browser that contains the user’s credentials and FBA settings, along with the redirect URL.
      2. If FBA is not enabled on source and target, source CAS simply issues a 302 redirect.

That’s right; Cross-Site Silent Redirection can be a SSO experience when the source and target OWA virtual directories leverage Forms-Based Authentication. Customers that only deploy OWA internally can also achieve a SSO experience when the OWA virtual directory authentication mechanism is Windows Integrated Authentication and the OWA namespaces are added to the “Local Intranet” security zone.

Want to see Cross-Site Silent Redirection in action? Check out this video:

Video: Outlook Web App: OWA Cross-Site Silent Redirection in Exchange 2010 SP2

When can I not obtain a SSO Experience?

These are the few scenarios where you cant obtain a SSO experience when redirecting between Active Directory sites:

1. You use Basic Authentication on the source and target OWA virtual directories.
2. You leverage different authentication settings on the source and target OWA virtual directories.
3. You leverage a two-factor authentication solution on the source and target OWA virtual directories.
4. You leverage a pre-authentication solution (like Microsoft Threat Management Gateway 2010) that uses different web listeners for the source and target OWA namespaces.

Keep in mind, that while the SSO experience will be unavailable for these scenarios, a 302 redirection will still occur.

Cross-Site Silent Redirection reduces the end user dissatisfaction around having to click a link to get to the correct OWA infrastructure, and may in fact remove the need to enter credentials a second time. For those of you that have been using OWA Manual Redirection up to now, I hope you will enable Cross-Site Silent Redirection when you deploy Exchange 2010 SP2!

Ross Smith IV
Principal Program Manager
Exchange Customer Experience

Read more

---

---

Recent SharePoint Questions

• BIS and Exchange
• Exchange 2007 MAPI log
• Forwarding e-mail
• Accessing my work email from home?
• What’s on the horizon?
• What’s been the assessment of Exchange by industry analysts?
• What was added to Exchange Server 2007 that made it different from its predecessors?
• What was added to Exchange Server 2003 that made it different from its predecessors?
• What versions of Exchange are being used today?
• When does it make sense to only provide Web access to Exchange?

more sharepoint questions

---

More Articles By

Uncovering the new RPC Client Access Service in Exchange 2010 (Part 3)

The new RPC Client Access service included with Exchange 2010. Read more

Read more

Exchange ActiveSync and iPhone OS 3.1

Many Exchange Server customers have reported issues logging on to Exchange using iPhone devices older than iPhone 3GS. iPhones support Exchange ActiveSync (EAS), the same protocol supported by Windows Mobile…

Read more

AppRiver Exchange Hosting - Voted MSExchange.org Readers Choice Award Winner - Exchange Hosting

AppRiver Exchange Hosting was selected the winner in the Exchange Hosting Category of the MSExchange.org Readers Choice Awards. Intermedia Hosted Exchange and Apptix Exchange Hosting were first runner-up and second…

Read more

More Articles Under "Blogs"

The Elusive Kingston SSDNow 40 Gb Solid State Drive

Ive been waiting for the Kingston SSDNow V Series 40 Gb solid state drive (SNV125-S2/40GB).NewEgg.coms ShellShocker deal of the day— $84.99 (after a 20 dollar rebate), and free shipping. Unfortunately,…

Read more

Exchange Server 2010 Released

Microsoft announced the release of Exchange Server 2010 today at Microsoft TechEd 2009 in Berlin. The release marks the first version of Exchange Server designed for the cloud, and provides…

Read more

Windows 2008 R2 Support Coming for Exchange 2007

Exchange 2007 will be supported on Windows Server 2008 R2, Kevin Allison, GM Exchange Customer Experience, posted on the Exchange team blog today. With the general availability of Exchange 2010…

Read more

---

---

---

• Exchange Admin & Management
• Exchange Archiving
• Exchange Backup & Restore

• Exchange Compliance
• Exchange Hosting & Online
• Exchange Security

• Exchange Migration
• Exchange Replication
• Exchange Training

• Exchange Upgrade
• Exchange

• About Us
• Contact Us
• Privacy Policy
• Terms & Conditions