The key advantage of the agent-less deployment for Outlook Anywhere two-factor authentication is that it does not require end users to install any additional software on their desktops or laptops. However, the  agent-less deployment has the following constraints which might not be viable for all customers.

  1. It supports one-time password only as the second-factor authentication
  2. It supports basic authentication only in the Outlook Anywhere clients
  3. It might conflict with some features in Outlook Web Access.

DualShield Server Configuration

Create a logon procedure of the type "Enhanced Client":

Now, modify its logon steps and add one logon step with "Static Password + One-Time Password" as the only authenticator.

Exchange Server Configuration

For  agent-less deployment, the Client authentication method for Outlook Anywhere in the Exchange server must be set to “Basic authentication”:

Outlook Client Configuration

If the Exchange Proxy settings in the Outlook client is configured manually instead of automatically via Auto Discovery then the Proxy Authentication must be set to "Basic Authentication" in the Outlook client, as shown below:

In Outlook client for Mac, the Authentication Method must be set to "User Name and Password":

CAS/IIS Configuration

Convert OAB virtual directory to an application

For  agent-less deployment, it is necessary to convert the OAB virtual directory to an IIS web application. The article below from Microsoft provides the instruction:

Enable Basic Authentication

On the following IIS Web application nodes, enable Basic Authentication and disable Windows Authentication:

  •         Autodiscover
  •         OAB     
  •         RPC

If Outlook Anywhere for Mac OS is to be supported as well, then on the "EWS" node, Basic Authentication must be enabled and Windows Authentication must be disabled. This might cause issue to OWA, however. See the note below.


Outlook Web Access requires Windows Authentication to be enabled on the EWS application node. Disabling Windows Authentication on EWS for the purpose of Outlook Anywhere  agent-less deployment will restrain certain functions in OWA operation such deleting emails. If Outlook Anywhere for Mac OS is not required, however, you can enable Windows Authentocation on EWS.

Enable DualShield Authentication

DualShield Two-Factor Authentication must be enabled on the following IIS Web applications:

    • Autodiscover
    • OAB
    • RPC

If Outlook Anywhere for Mac OS is to be supported as well, then DualShield Two-Factor Authentication must also be enabled on "EWS" node.

The instruction below describes how to enable DualShield authentication on the RPC web application. Follow the same process to enable DualShield authentication on all other applications listed above, namely Autodiscover, OAB and EWS.

  1. In the IIS Manager, select "Default Web Site | Rpc"

  2. Double click the "DualShield Authentication" icon

Enable "Enable Two-Factor Authentication on the Current Node"

Enable "Apply Settings to Child Nodes"

Select "Service Type" to "Outlook Anywhere"

Click "Change" in the "SSO Server" section, enter the connection details of your DualShield SSO server

Enable the "SSL" if your DualShield platform is operating on the SSL mode.

Enable the "Enable Proxy" option.

Click "OK"

Select your DualShield application for the Outlook Anywhere service, e.g. "Outlook Anywhere".

Click "Apply" to save changes.

Test Logon

For those users who are required to logon with two-factor authentication

For those users who are not required to logon with two-factor authentication, they can continue to logon with their AD password only.