OWA Single-sign-on support

  • Article

OWA 2010 and prior is considered non-extensible as far as Microsoft is concerned in the area of doing single-sign-on programmatically.  The exception to this would be when a person is in-network and uses their existing network credentials to access OWA through Windows Authentication.  Please understand that while there are some ways people have been working around this issue, that they are considered not-supported my Microsoft.

Please understand by not supported that we will not provide assistance in the area.  If there were an issue with the work-around code, then Microsoft would only help with the issue after it has been brought into a supportable state.  Any changes involving modification to areas of Exchange which are not deemed to be supported could be overwritten by a service pack or rollup.  There is no guarantee of any unsupported work-around working in the future and getting a fix to make an unsupported piece of code work is not possible.  Please refer to the following for more details.

What Does "Unsupported" Mean?
https://blogs.msdn.com/b/pcreehan/archive/2007/05/04/what-does-unsupported-mean.aspx

However, I have seen customers have some success by using script or .net code in a web form and posting log-in data to OWA’s login form or the owaauth.dll of OWA.  The most common seems to be posting to owaauth.dll.  While this may work for now, there is no telling when it may not work in the future.  In theory, OWA would work properly as long as the initial authentication worked – however there has been no testing by the Exchange product team in that area and the actual behavior is thus unkown. This approach is not supported by Microsoft.

HOWTO: Automatically Login to OWA 2007 using HTML + JavaScript            
https://blogs.msdn.com/b/vikas/archive/2009/06/03/howto-automatically-login-to-owa-2007-using-html-javascript.aspx

Some developers have opted to use ISAPI filters, extensions, etc. to modify the stream of OWA in order to inject authentication headers.   Such modifications to OWAs stream are very much not supported and very much advised against.  Please refer to the KB article below.

Microsoft does not support using ISAPI extensions or filters to modify Outlook Web Access credentials on a server that is running Exchange Server
https://support.microsoft.com/kb/938609

Please note that the full OWA page used in an IFRAME is also not supported.  At a minimal there will be frame reference issues caused by doing so.  OWA Web Parts (they show a view of a folder, etc.) can be used in an IFRAME and are as such supported – however doing single-sign-on is also not supported with them.  This is discussed in my blog below

Using ISAPI Extensions to change-out OWA Credential is not supported.
https://blogs.msdn.com/b/webdav_101/archive/2007/05/04/using-isapi-extensions-to-change-out-owa-credential-is-not-supported.aspx

Please take a few minutes and review the following KB on OWA customization.

Microsoft support policy for the customization of Outlook Web Access for Exchange
https://support.microsoft.com/kb/327178

Its possible that something in this area may be possible with the next version of Exchange.  However, I have no information on what that may or may not be - or even if there is going to be any such implementation.