The key advantage of the agent-less deployment for Outlook Anywhere two-factor authentication is that it does not require end users to install any additional software on their desktops or laptops. However, the agent-less deployment has the following constraints which might not be viable for all customers.
- It supports one-time password only as the second-factor authentication.
- It supports basic authentication only in the Outlook Anywhere clients.
- It might conflict with some features in Outlook Web Access.
DualShield Server Configuration
Create a logon procedure of the type "Enhanced Client":
Now, modify its logon steps and add one logon step with "Static Password + One-Time Password" as the only authenticator.
Exchange Server Configuration
For agent-less deployment, the Client authentication method for Outlook Anywhere in the Exchange server must be set to “Basic authentication”:
Outlook Client Configuration
If the Exchange Proxy settings in the Outlook client are configured manually instead of automatically via Auto Discovery, then the Proxy Authentication must be set to "Basic Authentication" in the Outlook client, as shown below:
In Outlook client for Mac, the Authentication Method must be set to "User Name and Password":
Convert OAB virtual directory to an application
For agent-less deployment, it is necessary to convert the OAB virtual directory to an IIS web application. The article below from Microsoft provides the instructions:
Enable Basic Authentication
On the following IIS Web application nodes, enable Basic Authentication and disable Windows Authentication:
If Outlook Anywhere for Mac OS is to be supported as well, then on the "EWS" node, Basic Authentication must be enabled and Windows Authentication must be disabled. This might cause issues in OWA, however. See the note below.
Outlook Web Access requires Windows Authentication to be enabled on the EWS application node. Disabling Windows Authentication on EWS for the purpose of the Outlook Anywhere agent-less deployment will restrict certain OWA functions, such as deleting emails. If Outlook Anywhere for Mac OS is not required, however, you can leave Windows Authentication enabled on EWS.
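The Exchange and IIS settings described in the three sections above (Basic client authentication for Outlook Anywhere, the OAB conversion, and the per-node Basic/Windows authentication switch) can also be applied and, more importantly, audited from PowerShell rather than clicked through in the GUI. The script below is an added example and is not part of the DualShield documentation or product. It assumes an Exchange 2010-style Client Access server where the Exchange Management Shell and the IIS WebAdministration module are both available, a site named "Default Web Site", and the node names Rpc, Autodiscover, OAB and EWS; on Exchange 2013 and later the Outlook Anywhere cmdlet uses -ExternalClientAuthenticationMethod / -InternalClientAuthenticationMethod instead of -ClientAuthenticationMethod.

```powershell
# Added example, not DualShield's own code. Assumes Exchange Management Shell
# plus the IIS WebAdministration module on the CAS server; site and node names
# below are assumptions matching the documentation above.
Import-Module WebAdministration

$Site       = "Default Web Site"
$Nodes      = @("Rpc", "Autodiscover", "OAB")   # nodes that must use Basic auth for agent-less 2FA
$IncludeEws = $false                            # $true only if Outlook for Mac must be supported
if ($IncludeEws) { $Nodes += "EWS" }            # caveat: disabling Windows auth on EWS restricts OWA

$AuthBase = "system.webServer/security/authentication"

# 1. Outlook Anywhere: client authentication method must be Basic.
Get-OutlookAnywhere | Set-OutlookAnywhere -ClientAuthenticationMethod Basic

# 2. OAB must be an IIS web application, not a plain virtual directory.
#    Get-WebApplication returns nothing when OAB is still a virtual directory.
if (-not (Get-WebApplication -Site $Site -Name "OAB")) {
    ConvertTo-WebApplication -PSPath "IIS:\Sites\$Site\OAB"
}

# 3. Per node: enable Basic authentication, disable Windows authentication.
function Set-NodeAuthentication {
    param([string]$Site, [string]$Node)
    $location = "$Site/$Node"
    Set-WebConfigurationProperty -PSPath "MACHINE/WEBROOT/APPHOST" -Location $location `
        -Filter "$AuthBase/basicAuthentication"   -Name enabled -Value $true
    Set-WebConfigurationProperty -PSPath "MACHINE/WEBROOT/APPHOST" -Location $location `
        -Filter "$AuthBase/windowsAuthentication" -Name enabled -Value $false
}

# 4. Read the effective settings back so the change can be verified and recorded.
function Get-NodeAuthentication {
    param([string]$Site, [string]$Node)
    $location = "$Site/$Node"
    $basic = Get-WebConfigurationProperty -PSPath "MACHINE/WEBROOT/APPHOST" -Location $location `
        -Filter "$AuthBase/basicAuthentication"   -Name enabled
    $win   = Get-WebConfigurationProperty -PSPath "MACHINE/WEBROOT/APPHOST" -Location $location `
        -Filter "$AuthBase/windowsAuthentication" -Name enabled
    [pscustomobject]@{
        Node           = $Node
        BasicEnabled   = [bool]$basic.Value
        WindowsEnabled = [bool]$win.Value
        # Agent-less 2FA needs Basic on and Windows off on every listed node.
        Compliant      = ([bool]$basic.Value) -and (-not [bool]$win.Value)
    }
}

foreach ($node in $Nodes) { Set-NodeAuthentication -Site $Site -Node $node }

# Report: Outlook Anywhere method, then one row per node.
Get-OutlookAnywhere | Select-Object Server, ClientAuthenticationMethod
$Nodes | ForEach-Object { Get-NodeAuthentication -Site $Site -Node $_ } | Format-Table -AutoSize

# EWS is deliberately left alone unless $IncludeEws is set, because OWA relies on
# Windows authentication there; surface that trade-off explicitly in the report.
if ($IncludeEws) {
    Write-Warning "Windows authentication disabled on EWS: expect OWA actions such as deleting emails to fail."
}
```

Run the audit half (Get-NodeAuthentication and Get-OutlookAnywhere) on its own after any Exchange update or IIS reset, since both are known to reapply default authentication settings; a node reporting Compliant = False is the usual cause of Outlook Anywhere users suddenly being prompted without the one-time-password step.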
Enable DualShield Authentication
DualShield Two-Factor Authentication must be enabled on the following IIS Web applications:
If Outlook Anywhere for Mac OS is to be supported as well, then DualShield Two-Factor Authentication must also be enabled on "EWS" node.
The instructions below describe how to enable DualShield authentication on the RPC web application. Follow the same process to enable DualShield authentication on all other applications listed above, namely Autodiscover, OAB and EWS.
- In the IIS Manager, select "Default Web Site | Rpc"
- Double click the "DualShield Authentication" icon
- Enable "Enable Two-Factor Authentication on the Current Node"
- Enable "Apply Settings to Child Nodes"
- Set "Service Type" to "Outlook Anywhere"
- Click "Change" in the "SSO Server" section and enter the connection details of your DualShield SSO server
- Enable "SSL" if your DualShield platform is operating in SSL mode
- Enable the "Enable Proxy" option
- Select your DualShield application for the Outlook Anywhere service, e.g. "Outlook Anywhere"
- Click "Apply" to save the changes
For those users who are required to logon with two-factor authentication
Users who are not required to log on with two-factor authentication can continue to log on with their AD password only.