OWA Cross-Site Silent Redirection in Exchange 2010 SP2
(Post courtesy of Krishan Kant Mehta )
It wasn’t too long ago when we were celebrating the release of Exchange Server 2010 SP1. Now, high on the hog, we have Exchange Server 2010 SP2, with pretty interesting set of new features and enhancements including the much awaited Address Book Policiesfeature that provides a simpler mechanism to accomplish GAL separation for the on-premises organization that needs to run disparate GALs.
In this blog, I am going to talk about the Cross-site silent redirection feature that did not make it into SP1. To get an overview of important new features and functionality in Exchange Server 2010 Service Pack 2, please refer to this link.
Before Service Pack 2, with Client Access Servers in two different internet-facing AD sites, an OWA user would be presented with a link to click on to log-in to his mailbox in the site where his mailbox resided.
And after clicking the link, the user would also have to login a second time… isn’t life complicated enough?
Thanks to the Cross-site silent redirection feature, the user will not get a link but will be silently redirected to his own Client Access Server without having to log in again.
As can be seen above, an OWA user is notified that he is using the wrong URL and he is required to enter his credentials twice which leads to sub-optimal experience with manual redirection. To improve the user experience, a new parameter ‘CrossSiteRedirectType’ has been introduced with Set-OWAVirtualDirectory cmdlet in Exchange Server 2010 SP2. As the name implies, this redirection performs silent redirection to CAS located in another Active Directory site that have an OWA ExternalURL specified, within the same Exchange Organization.
This parameter supports two values, Manual and Silent. Cross-Site Silent Redirection is disabled by default which means Manual setting is enabled which would continuously perform manual redirection between CAS in different Active Directory sites, after you deploy Exchange Server 2010 SP2.
Cross-Site Silent Redirection can be enabled by setting the CrossSiteRedirectType to Silent on the Internet-facing CAS OWA virtual directories:
Set-OWAVirtualDirectory –Identity “companyname\owa (Default Web Site)” – CrossSiteRedirectType Silent
When you configure the CrossSiteRedirectType parameter to Silent for a CAS OWA virtual directory, you will get a warning that the cross site silent redirection will work if the corresponding virtual directories in the target Active Directory Sites have the ExternalURL Specified that leverages HTTP SSL protocol (Fig 1).
The output of the command Get-OwaVirtualDirectory shows that the silent redirection is enabled on the Exchange 2010 CAS server in an AD site (Fig 2).
Cross-site silent redirection prevents users from having to learn a secondary Outlook Web App URL. This silent redirection also provides a single sign-on (SSO) experience when forms-based authentication is enabled on each Client Access server i.e. if the authentication method for the Outlook Web App virtual directory on both the source and target Client Access servers is set to forms-based authentication, the user will only have to enter their credentials once. If the authentication methods differ on the source and target Client Access servers, the users may have to enter their credentials two times. Bear in mind when using forms-based authentication, you should have SSL on both the source and target Outlook Web App virtual directories.
Click here to download Exchange Server 2010 Service Pack 2, and let your fingers do the walking!!
Let’s Exchange – KK Mehta (Krishan Kant Mehta)
Partner Technical Consultant
Microsoft Partner Technical Services