My organization has been moving from hosting our own Exchange and Lync/Office Communications on premise to Microsoft hosted via Office 365.
I had implemented Active Directory Federation Services (ADFS) and Lync Online about 18 months ago. ADFS had some challenges, but once I implemented it, it has been reliable. During implementation, I got on-premise pass through Windows Authentication working and off-premise sign in working. I had tested on versions of Internet Explorer, Mozilla Firefox, and Google Chrome successfully.
We're now readying to migrate to Exchange Online and away from our on-premise mail server. During testing, several of us in IT began realizing that sign-ins from Google Chrome were not working.
On premise, you would be prompted with a Google Chrome pop up dialog. You'd put in your credentials (email address and Active Directory password), and it'd take you right back to the logon prompt without error, and you'd never get in.
Off premise, you would be directed to our sign in page on our Federated Server Proxy server. Same behavior, enter credentials, return right back to sign in page without error.
Googling this error tipped me off to the problem being that Google Chrome does not support Extended Protection. But I didn't know much about this, so I didn't know how to resolve the issue.
A case opened with Microsoft support got me directed to the fix, as documented here:
http://social.technet.microsoft.com/wiki/contents/articles/1426.ad-fs-2-0-continuously-prompted-for-credentials-while-using-fiddler-web-debugger.aspx
The article mentions problems when using Fiddler Web Debugger, but it's the fix for a Google Chrome issue as well.
It's a setting within IIS. The above link documents where the setting is within IIS to change it manually on each affected server (typically you have multiple ADFS servers for fault tolerance), or PowerShell commands to set this universally across the farm.
Once I made this change, my users can leverage Office 365 from any of the major browsers.
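The farm-wide PowerShell route mentioned above could look like the following. This is an added example, not code from the original post: it records the current value before changing it so the setting can be reverted. The target value `None` is what the linked TechNet article uses. Extended Protection binds Windows Integrated Authentication to the TLS channel, so setting it to `None` turns that binding off for every client of the farm, not only Chrome.

```powershell
# Added example (not from the original post). Run on the primary AD FS server
# in an elevated PowerShell session.

# AD FS 2.0 ships its cmdlets as a snap-in; later versions expose them
# through the ADFS module, which PowerShell loads on demand.
if (-not (Get-Command Get-ADFSProperties -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop
}

# Record the current farm-wide value so the change can be reverted later.
$before = (Get-ADFSProperties).ExtendedProtectionTokenCheck
Write-Output "ExtendedProtectionTokenCheck before change: $before"

# Valid values are Require, Allow and None.
$target = 'None'

# Only write the setting when it actually differs from the target.
if ("$before" -ne $target) {
    Set-ADFSProperties -ExtendedProtectionTokenCheck $target
}

# Read the value back to confirm what the farm is now configured with.
$after = (Get-ADFSProperties).ExtendedProtectionTokenCheck
Write-Output "ExtendedProtectionTokenCheck after change:  $after"
Write-Output "To revert: Set-ADFSProperties -ExtendedProtectionTokenCheck $before"
```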