Steve Goodman's Exchange Blog
22 Apr 2012

Exchange 2010 SP2 Hybrid Wizard resets OWA Redirect URL to Tenant Domain

Background

When you run the Hybrid Configuration Wizard in a tenant that uses federated login, you might find that, even though you chose only one of your federated domains, the redirect URL to Office 365 is set to your tenant domain (onmicrosoft.com) rather than the federated domain you chose in the wizard or would prefer to use:

[Screenshot: Hybrid Configuration Wizard setting the OWA redirect URL to the onmicrosoft.com tenant domain]

If you’ve not seen this before, this results in the end user having to enter their User Principal Name at the Microsoft Online Services login page before being redirected back to AD FS:

[Screenshot: Microsoft Online Services login page prompting for the User Principal Name]

So the first thing you might do is set your TargetOWAURL to the correct value:

Set-OrganizationRelationship "On Premises to Exchange Online Organization Relationship" -TargetOwaURL:https://outlook.com/owa/federateddomain

[Screenshot: Set-OrganizationRelationship output]

This results in the smoother (or even super-smooth, if you check out my previous article) experience where the end user is redirected straight to the AD FS login.

The Problem

If you need to update the Hybrid Configuration – for example to add or change the external Transport Server IP addresses, update the certificate, or add or remove Hub Transport or Client Access Servers – then you’ll re-run the Hybrid Configuration Wizard.

[Screenshot: re-running the Hybrid Configuration Wizard]

A seemingly innocuous change, such as a new IP address for the outbound SMTP servers, that doesn’t touch the organization relationship itself will still set the OWA Redirect URL back to the tenant domain, resulting in the scenario outlined above.

So, just bear that in mind when you need to re-run the Hybrid Configuration Wizard. It’s simple to deal with by reconfiguring your TargetOWAURL afterwards; just make sure you don’t forget.
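Since the reset is silent, it is worth having a check you can run from the Exchange Management Shell after every wizard pass. The script below is an added example, not code from the original post: it reads the organization relationship with Get-OrganizationRelationship, compares TargetOwaURL with the HTTPS federated-domain value you want, and with -Fix writes it back using the same Set-OrganizationRelationship call shown above. The relationship name and the federateddomain value are assumptions taken from this post; substitute your own.

```powershell
# Added example (not from the original post): verify, and optionally repair,
# the OWA redirect target after re-running the Hybrid Configuration Wizard.
# Run from the on-premises Exchange Management Shell.
# Assumptions: the relationship name and federated domain below match yours.

$RelationshipName = "On Premises to Exchange Online Organization Relationship"
$ExpectedOwaUrl   = "https://outlook.com/owa/federateddomain"   # HTTPS, federated domain

function Test-HybridOwaRedirect {
    param(
        [string]$Name     = $RelationshipName,
        [string]$Expected = $ExpectedOwaUrl,
        [switch]$Fix
    )

    $rel     = Get-OrganizationRelationship -Identity $Name -ErrorAction Stop
    $current = [string]$rel.TargetOwaURL

    if ($current -eq $Expected) {
        Write-Output "OK: TargetOwaURL is '$current'."
        return $true
    }

    # The two ways the value usually drifts: the wizard writes the tenant
    # domain, or an earlier run left the plain-HTTP form that browsers warn about.
    if ($current -like "*.onmicrosoft.com*") {
        Write-Warning "TargetOwaURL was reset to the tenant domain: '$current'."
    } elseif ($current -like "http://*") {
        Write-Warning "TargetOwaURL is not HTTPS: '$current'."
    } else {
        Write-Warning "TargetOwaURL is '$current', expected '$Expected'."
    }

    if ($Fix) {
        Set-OrganizationRelationship -Identity $Name -TargetOwaURL $Expected
        Write-Output "Reset TargetOwaURL to '$Expected'."
        return $true
    }
    return $false
}

# Report only:
Test-HybridOwaRedirect
# Report and repair (the step to run after every wizard pass):
Test-HybridOwaRedirect -Fix
```

Run it without -Fix first so you see what the wizard actually wrote; the return value makes it easy to drop into a post-wizard checklist script.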

Steve

17 Apr 2012

Enabling Silent OWA Redirection for Office 365 Hybrid

[Screenshot: Office 365 OWA redirect landing page]

As part of a Hybrid deployment of Exchange Server 2010 and Office 365, you’ll be faced with a few challenges if you want to keep a single Outlook Web App URL for your end users.

If you’re using Windows Authenticated Login against Exchange and AD FS then you’ll already have avoided multiple login prompts; if you’re using Forms Based Authentication for both, I’ll be covering the TMG setup needed to configure the same single sign-on you’ll see in the videos here in a future article (based in part on a post Michel De Rooij pointed me to here).

The other challenge that I really wanted to get a solution for, and get feedback from others on, is the landing page shown above where the end user needs to click-through the “Use the following link to open this mailbox with the best performance” page. What I wanted was a solution that avoided that step entirely.

Now, it’s not necessary to do this if you are happy for users to update their own bookmarks, and concerns about users seeing a non-company domain can be avoided by following the steps in this article by Timothy Heeney, which shows you how to set up a separate vanity Office 365 URL like “http://cloud.company.com/owa” using CNAME records.

However, if you have a large user base that will be mixed between on-premises and Office 365, then keeping a single OWA URL will be very desirable. For example, a large University may have user documentation with the URL specified, lab computers with standard bookmarks, and the possibility that users move between on-premises and Office 365 as they move between different courses or roles. It might only be an extra click, but add that extra 5 seconds up across tens of thousands of users logging into OWA per day and it soon starts to matter.

If you’re not familiar with the process, here’s a quick demo of the current “out of the box” experience, optimised using TMG for forms-based single sign-on:

Video: OWA Standard Sign-in to Office 365

As you can see it’s good – but it’s not great. It hasn’t got the “wow” factor that makes a hybrid deployment feel like a single organization.

The redirect page itself does serve other purposes, so it’s not like we can just get rid of it. It’s used by Exchange itself if you have an environment with multiple internet facing sites, unless you use the SP2 feature for silent redirection between sites. So we can’t just do away with the redirection page altogether – we need to take into account where it might be used elsewhere.

Another issue that’s been highlighted to me (thanks BR!) is that the default non-SSL link generated through the Hybrid Wizard is in the form http://outlook.com/owa/federateddomain rather than its SSL equivalent – so using this (or the vanity URL mentioned above) could generate browser warnings about redirection to an insecure link. Therefore the link we redirect to must be in the form https://outlook.com/owa/federateddomain. This can be changed easily, by editing the Organization Relationship like so:

Set-OrganizationRelationship "On Premises to Exchange Online Organization Relationship" -TargetOwaURL:https://outlook.com/owa/federateddomain

[Screenshot: Set-OrganizationRelationship output]

Once this is changed, we should be ready to enable the silent OWA redirection in Exchange itself, by editing the casredirect.aspx file within OWA.

Before we begin – it’s important to understand that this is unsupported by Microsoft, and it probably never will be. Therefore, you’ll need to test this in your own environment, and be prepared to replace the original casredirect.aspx file in the event of any issues; you’ll also need to check and if needed, re-implement this after application of update rollups or service packs. That said, so far I can’t see a reason why this would cause any issues and part of the point of this post is to gain some feedback from the community as to any other downsides.

So now you know why you shouldn’t do this – let’s look at how to do it! You’ll find the casredirect.aspx file within the OWA directory, typically at the following path within the Exchange install directory:

C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\owa\

Edit the casredirect.aspx file directly above the <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> tag and add the following lines:

<%
// Only a redirect target on the Office 365 OWA host (HTTPS) is followed silently;
// every other redirection URL falls through and the page renders as before.
if (RedirectionUrl.Contains("https://outlook.com/owa")) {
    Response.Redirect(RedirectionUrl);
    Response.End();
}
%>

This should look like this in the actual file itself:

[Screenshot: casredirect.aspx with the added lines above the DOCTYPE tag]

What does this do? Well, it’s pretty straightforward: before any content is rendered, the Redirection URL is checked to see whether it contains the https://outlook.com/owa URL (note the HTTPS!), and if so a redirect to Office 365 is issued. For any other Redirection URL, the page renders normally.
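One thing to be aware of with that check: Contains() is a substring test, so it is satisfied by any string that happens to include the text, not only by a URL whose host is outlook.com. The value comes from the organization relationship, so in practice it is what you configured, but if you would rather the page compare the scheme, host and path exactly, the same decision can be made with System.Uri, which the C# in the .aspx page can use directly. The script below is an added example, not code from the original post; it shows that stricter test in PowerShell (same .NET class) next to the substring test, run over a few constructed sample URLs.

```powershell
# Added example (not from the original post). Compares the Contains() test
# used in casredirect.aspx with a parsed check of scheme, host and path.
# The sample URLs at the bottom are constructed for illustration.

function Test-SilentRedirectTarget {
    param([Parameter(Mandatory=$true)][string]$RedirectionUrl)

    $uri = $null
    if (-not [System.Uri]::TryCreate($RedirectionUrl, [System.UriKind]::Absolute, [ref]$uri)) {
        return $false        # not an absolute URL: let the page render normally
    }

    # HTTPS only, the exact Office 365 host, and the /owa/ path the
    # organization relationship publishes. -eq and -like are case-insensitive here.
    return (($uri.Scheme       -eq   'https') -and
            ($uri.Host         -eq   'outlook.com') -and
            ($uri.AbsolutePath -like '/owa/*'))
}

function Compare-RedirectChecks {
    param([string[]]$Urls)
    foreach ($u in $Urls) {
        New-Object PSObject -Property @{
            Url       = $u
            Substring = $u.Contains('https://outlook.com/owa')      # the casredirect.aspx test
            Strict    = Test-SilentRedirectTarget -RedirectionUrl $u
        } | Select-Object Url, Substring, Strict
    }
}

# Constructed samples: the intended target, the plain-HTTP form the wizard
# generates, an on-premises OWA URL, and a URL that merely contains the text.
$samples = @(
    'https://outlook.com/owa/federateddomain',
    'http://outlook.com/owa/federateddomain',
    'https://mail.contoso.example/owa/',
    'https://other.example/redirect?to=https://outlook.com/owa/federateddomain'
)

Compare-RedirectChecks -Urls $samples | Format-Table -AutoSize
```

Only the first sample passes both checks; the last passes the substring test but not the strict one, which is the difference worth knowing about. In the .aspx the equivalent is Uri.TryCreate followed by the same three comparisons on Scheme, Host and AbsolutePath.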

Let’s take a look at how it works in practice:

Video: OWA Silent Redirection to Office 365


As you can see it’s fairly simple to implement, and provides a clean login consistent with on-premises Outlook Web App when combined with other SSO methods. Let me know what you think in the comments…

Steve

4 Apr 2012

StartSSL Certs – Great free certs, and even better SAN and Wildcard Certs

This morning I read on Rajith Enchiparambil’s Twitter (@rajithe) about the free certificates from StartSSL. I’ve been meaning for ages to mention them, as I too have been using them in my lab rather successfully.

So, the free certificates…

First of all, I’d like to elaborate on what the free “class one” certificates give you. You get a basic two-name SAN certificate with the following names:

  • Your domain name
  • The server FQDN

For example, mail.exchangelabs.co.uk and exchangelabs.co.uk. While that’s not as good as a full SAN certificate, it can fulfil the basic core requirements for Exchange: you’ve got a name to use for your CAS namespace, and the ability to use it for AutoDiscover via the first-attempted https://domainname.co.uk/AutoDiscover/AutoDiscover.xml URL. An example of the free cert looks a little like this:

[Screenshot: example free StartSSL Class 1 certificate]

What’s the support like amongst browsers and mobile devices?

The first question anyone would have when using one of these certs is what’s the support like? If it’s not supported on nearly all your devices it’s a waste of time; you may as well use your own private CA. The good news is that the cert support is pretty good. I’ve tested it successfully against the following browsers, devices and services:

  • Internet Explorer (XP SP2 onwards, IIRC)
  • Firefox
  • Google Chrome
  • Safari
  • iPhone
  • Android
  • Office 365
  • Exchange Remote Connectivity Analyser

I’ve had varying success with Windows Phone, as I don’t have one to test against. On a pre-Mango device I did need to import the root certificate, though.

Want to test the support for yourself? Visit https://www.stevieg.org and have a try from your device or browser of choice.

SAN and Wildcard certificates

After a few months of using the free certificates and working around their limitations, I needed to do some testing that’s more in parity with customer environments, namely TMG fronting Exchange and ADFS. So, I bit the bullet and decided to upgrade to “Level 2”, which is what unlocks Wildcard and SAN certificates.

It’s not free, but at $59.90 (or in UK money, a mere £37) it’s pretty cheap compared to even the cheapest I recommend to customers, CertificatesForExchange.com (who I still recommend for production certs). Along with payment, you’ll also need to do the following:

  • Send a photo of your passport
  • Send a photo of your driving licence
  • And in my case, they asked for a copy of my phone bill to confirm my address and phone number.

A few hours after sending the correct docs, I was granted “Level 2” access and able to create Wildcard and SAN certs.

You’ll see here a sample Wildcard cert (or check out https://www.stevieg.org to see a live one):

[Screenshot: sample Wildcard certificate]

And below, a SAN cert to which I’ve added a few domains for Exchange and ADFS:

[Screenshot: sample SAN certificate with Exchange and ADFS names]

Caveats?

The only caveat I can think of is that when you create your account, you’ll need to set up certificate authentication to the StartSSL website. This is a browser-driven process and isn’t much hassle, and is naturally more secure than a simple username and password.

What you should do, however, is ensure you back up the private key and certificate, perhaps by exporting it as a PFX from the Certificates Snap-In. You’ll find it under Personal certificates:
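The same export can be scripted, which is handy if you want the backup repeated or want to confirm the PFX actually loads before you rely on it. This is an added example, not from the original post: it reads the certificate from the current user’s Personal store (Cert:\CurrentUser\My, the store the Snap-In shows under Personal) and writes a password-protected PFX using the .NET X509Certificate2.Export method, so it works on Windows PowerShell 2.0 onwards without extra modules. The subject filter and output path are assumptions, and the private key must have been marked exportable when the browser enrolled it, otherwise Export throws.

```powershell
# Added example (not from the original post): back up a certificate and its
# private key from the current user's Personal store to a PFX file.
# Assumptions: the subject filter and output path below are placeholders.

function Export-PersonalCertToPfx {
    param(
        [Parameter(Mandatory=$true)][string]$SubjectMatch,   # text found in the cert Subject
        [Parameter(Mandatory=$true)][string]$OutFile,
        [Parameter(Mandatory=$true)][System.Security.SecureString]$Password
    )

    # Only certificates that carry a private key are worth backing up as PFX.
    $certs = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        ($_.Subject -like "*$SubjectMatch*") -and $_.HasPrivateKey })

    if ($certs.Count -ne 1) {
        throw "Expected exactly one certificate matching '$SubjectMatch' with a private key, found $($certs.Count)."
    }
    $cert = $certs[0]

    # PKCS#12 export; the SecureString overload avoids a plain-text password in memory.
    $pfxType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx
    $bytes   = $cert.Export($pfxType, $Password)
    [System.IO.File]::WriteAllBytes($OutFile, $bytes)

    # Load the file back to prove the backup is usable, and return its details.
    $check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($OutFile, $Password)
    New-Object PSObject -Property @{
        Thumbprint    = $check.Thumbprint
        Subject       = $check.Subject
        NotAfter      = $check.NotAfter
        HasPrivateKey = $check.HasPrivateKey
        File          = $OutFile
    } | Select-Object Thumbprint, Subject, NotAfter, HasPrivateKey, File
}

$pfxPassword = Read-Host -AsSecureString "PFX password"
# Placeholder subject text: use something unique to your StartSSL client certificate.
Export-PersonalCertToPfx -SubjectMatch "your.name@example.com" `
                         -OutFile "C:\Backup\startssl-client.pfx" -Password $pfxPassword
```

Keep the resulting PFX somewhere the password alone does not also live; it contains the private key that is your login to the StartSSL site.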

[Screenshot: Certificates Snap-In, Personal certificates store]

Hope you find this useful, and have fun with the free and nearly free certificates.

Steve

11 Nov 2010

Missed Tech Ed Europe 2010? Watch the Exchange Sessions Online Now

This week in Berlin, Germany, TechEd Europe 2010 is taking place. TechEd is Microsoft’s main educational event, providing a week of comprehensive training, hands-on labs and a chance to hear about the future of Microsoft products direct from the source.

If (like myself) you’ve been unable to attend TechEd Europe in Berlin this week, you’ll be missing out on a number of fantastic Exchange-related sessions covering what’s new in Exchange 2010 SP1, High Availability and Office 365, amongst others.

The good news is that most of these sessions are available to watch online at the Tech Ed website, and also available to download along with the accompanying PowerPoint decks for offline viewing.

For my (and your) convenience, I’ve collated the Exchange and related sessions below and as they are posted online, I’ll keep this article updated.

Update 1: 21:54 11th Nov - Added COS203, COS208-LNC, SIA303 & SIA304

Update 2: 23:07 13th Nov - Added UNC311, UNC401 & UNC403

Please note – at least for me, the View Online links can be a little flaky, but refreshing the page seems to work. The PPT and WMV links are fine though.

UNC203 - What's New in Microsoft Exchange Server 2010 SP1? - Scott Schnoll


This session provides details on the many new features and enhancements in Exchange Server 2010 SP1. We’ll start by covering the new pre-requisites for Service Pack 1, the enhancements and changes to setup and deployment, and the choices of permission models. Then we’ll dive into the enhancements in each server role, covering many of more than 75 new features in SP1, such as mailbox audit logging, new IRM functionality, personal archive enhancements and more.

View Online | Download Video | Download PPT | Flickr Photoset

UNC311 - How Outlook connects to Exchange 2010 Client Access Server - Ross Smith IV


The Client Access Server role in Exchange 2010 brings a lot of new features for the end user, but this session will focus on the improvements for the administrator. We will cover what has evolved and what needs to be understood about the following areas: RPC Client Access, Address Book service, client connection behaviors, and load balancing requirements.

View Online | Download Video | Download PPT

UNC308 - Archiving, Retention and Discovery with Microsoft Exchange Server 2010 SP1 - Krish Sundaresan


As the volume of email continues to increase, you are likely to be seeking new and better ways to preserve and discover critical email data to meet an array of IT governance, legal and compliance requirements. To help address these needs, Exchange Server 2010 introduced integrated archiving and discovery capabilities. This session offers a technical overview and demonstration of the features and functionality delivered in Exchange 2010 and SP1.

View Online | Download Video

UNC215-LNC - Exchange 2010 Solutions from HP and Microsoft for Simplified Messaging - Michael Kohs; Tim Doering


Today’s businesses are becoming more and more reliant on email messaging, but at the same time an increasing number of users and mailboxes has led to uncertainties about the cost and performance of messaging solutions. Learn about HP’s building blocks for building a variety of Exchange implementations, ranging from small and medium sized to large-scale datacenter deployments. With these unique HP building blocks, customers will benefit from:

  • Increased business efficiency by seamlessly converging the infrastructure stack, using proven industry standard components
  • Easy setup, management and monitoring using HP’s renowned software suite
  • Best in class reliability and variety of choices for high-availability solutions
  • Lower total cost of ownership through savings in floor space, power, cooling and optimized $/GB

Learn how only HP can help you to build a high-availability, cost-effective and simple, yet high-performing environment when migrating to Microsoft Exchange 2010.

View Online | Download Video | Download PPT

UNC401 - Microsoft Exchange Server 2010: High Availability Deep Dive (including changes introduced by SP1) - Scott Schnoll


Go far beyond the basics of Exchange High Availability and learn what's really going on under the hood in an Exchange 2010 database availability group (DAG). This session covers key aspects of the inner workings of DAGs, including a deep dive technical discussion on how DAGs rely on quorum and how the DAG witness and witness server are used. You'll also gain a solid understanding of Active Manager and its best copy selection process. This session also includes details on the continuous replication and database copy management improvements added in SP1.

View Online | Download Video | Download PPT

UNC403 - Native Data Protection in Exchange 2010 SP1 - Ross Smith IV


This session will explain how Exchange 2010 can protect data with features such as mailbox resiliency, single item recovery, and the lagged copy. We will demonstrate how to use Single Item Recovery and Lagged Copies, and look at how these features can replace traditional point-in-time backups for customers, while lowering costs.

View Online | Download Video | Download PPT

COS201 - Office 365: What’s Coming Soon - Jennifer Pisani, Ural Cebeci, Eron Kelly


This session provides a preview of our next generation cloud productivity services, Office 365 (previously known as Business Productivity Online Standard Suite). Office 365 brings together cloud versions of our most trusted email, communication and collaboration software, Exchange Online, SharePoint Online and Lync Online, with our familiar Office Professional Plus desktop suite. In this session we will demonstrate how the messaging and collaboration capabilities in Office 365 have evolved as the latest server technology is deployed in this collection of hosted enterprise software services. Join us for an interactive conversation on the future of productivity and to learn more about Office 365!

View Online | Download Video | Download PPT

COS302 - Office 365: Identity and Access Solutions - Dan Kershaw


This session provides a preview of the identity and access solutions in the next generation of the Business Productivity Online Standard Suite (Office 365). The session will focus on how authentication works for both web apps and rich client apps, how to enable single sign-on (SSO) using corporate AD credentials and AD FS 2.0 to Office 365 services, and the different SSO deployment options for Office 365 services.

View Online | Download Video | Download PPT

UNC204 - BPOS/S Exchange Online - Notes from the field - Neil Johnson


During this session we will take a look at BPOS/S Exchange Online customer deployments in the real world: what problem areas were discovered during the planning, deployment and migration phases, and how they were resolved. Also some practical experience of planning for Office 365 deployments with Beta customers. This session aims to provide some real world insight into planning for and deploying Exchange Online into your organisation.

View Online | Download Video

COS202 - Microsoft Live@edu: Moving Your School Communication and Collaboration to the Cloud - Ann Vu, David Fisher, Massimo Marzocchi


Moving email to the cloud is a big trend in Education. Lots of schools are also looking at how to leverage cloud solutions for collaboration. Microsoft Live@edu is part of Microsoft's S+S solutions and provides communication and collaboration services for educational institutions at no cost. Join us in this session and become part of a family of thousands of schools that have chosen Live@edu. We outline the current features of a Live@edu implementation, touching upon key IT and end user scenarios. We also discuss how you can extend Live@edu to best fit your school needs, demonstrate Office Web Apps for the newest release of Microsoft Exchange in the cloud, and provide a sneak preview of where we are headed in the future with SharePoint based collaboration and productivity.

View Online | Download Video | Download PPT

COS203 - Implementing Microsoft Business Productivity Online Standard Suite (BPOS): Planning, Preparation and Migration - Tom Ligon, Philippe Maurent


This session provides guidance for individuals responsible for coordinating and performing customer deployment and migration activities related to migrating customers from their current environment to BPOS-Standard. This session guides attendees through three key deployment project phases: Plan, Prepare, and Migrate, focusing on the tasks handled by partners and customers, and providing a high-level review of tasks handled internally by Microsoft services teams. This session does not cover processes that occur prior to deployment (Sales and Initial Assessment) and post-deployment (Operations).

View Online | Download Video | Download PPT

COS208-LNC - A Walkthrough of the next version of BPOS now called Office 365 - David Anderson


This session will take you through the key features of the future release of the BPOS platform (now called Office 365). We will cover the Onboarding and Administration portals and the new interfaces with Exchange Online, SharePoint Online and Lync, as well as how to manage users and groups, commerce, mailbox migrations, and support.

View Online | Download Video

SIA303 - Better Together: Mail Protection and Routing Scenarios with FOPE and Office 365 - Cristian Mora, Wendy Wilkes


The next release of FOPE will have new capabilities that not only enable customers of the new Office 365 cloud-based application suite and BPOS to route mail via FOPE for filtering, but also enable all FOPE customers to configure secure cross-premise hybrid mail flow scenarios that can help customers seamlessly move mail infrastructure to the cloud while maintaining existing investments and configuration. We will present and demonstrate these scenarios and describe the underlying architecture.

View Online | Download Video | Download PPT

SIA304 - Information Protection for Microsoft Exchange Server 2010 SP1 and Exchange Online using AD RMS - Tejas Patel


Learn about new Exchange 2010 SP1 and Exchange Online IRM capabilities that protect content on premises and in the cloud, using AD RMS.

View Online | Download Video | Download PPT

Keep checking this post for updates, and if there are any good TechEd Europe 2010 Exchange-related sessions online that I’ve missed, let me know in the comments.