Resource forest with multiple domains and OWA
So we have an Exchange 2007 resource forest (DOMAIN.LOCAL) and several account forests (OTHER.LOCAL, MISC.LOCAL).
Take, for example, OTHER.LOCAL. An internal AD account could use the user principal name john.doe@other.local to authenticate to the domain. But their external email address would be john.doe@other.com.
Ideally, we would want the user to log in with his email address (alternate UPN) to sort of mask other.local from them and to keep them from having any confusion. This works fine when authenticating to an other.local resource because we can tell the domain to accept @other.com as an alternative UPN suffix.
However, when that user tries to log in to OWA as john.doe@other.com, the Exchange resource domain has no idea where to send that authentication request. So the user has to log in to OWA with john.doe@other.local to successfully authenticate since domain.local knows about other.local and there is a trust relationship.
Does anyone have any ideas how, or IF, we can get around this?
May 20th, 2008 6:42pm
Hi,
Could you share your environment here? I am a little confused about the Exchange 2007 resource forest.
Is there one Exchange organization for one forest?
Has the external domain name been added to the "accepted domains"?
Besides, I found an article which may be similar to your scenario:
Planning for a Complex Exchange Organization
http://technet.microsoft.com/en-us/library/aa996010(EXCHG.80).aspx
Best regards,
Xiu
May 21st, 2008 1:11pm
We have three AD forests. One forest is designated as the Exchange Resource Forest. The other two are account forests for different business units which are in a trust relationship with the Exchange forest. The AD user accounts in the "account" forests are linked to mailboxes in the "Exchange Resource Forest". The mailbox accounts are just disabled AD user accounts.
Exchange Forest Domain name: ExchangeServices.local
Account Forest Internal domain name: contoso.local
Account Forest public SMTP domain name: contoso.com
I added contoso.com to the accepted SMTP domains on the hub transport server and also set the email address policy for linked mailboxes for users in contoso.local to have a primary SMTP address of @contoso.com.
Example:
John Doe has an enabled user account in the contoso.local domain that is linked to a disabled mailbox account in the ExchangeServices.local domain. His public email address is john.doe@contoso.com but he logs in to his workstation as john.doe@contoso.local. I then add, in the Active Directory Domains and Trusts MMC, @contoso.com as an alternative user principal name suffix for the contoso.local domain so that, now, John Doe can log in to his workstation as john.doe@contoso.com.
My goal is for him to be able to log in to OWA with john.doe@contoso.com as well.
When he goes to OWA, he can log in as either john.doe@contoso.local or contoso\john.doe since the ExchangeServices.local forest trusts the contoso.local forest.
However, he cannot log in as john.doe@contoso.com because the ExchangeServices.local forest doesn't know where the domain controller for contoso.com lives and doesn't have any knowledge of that domain name. It only knows about contoso.local.
Does that help illustrate what I'm after?
I need a way for my user to use the same UPN every time he logs in to any resource, be that his workstation, file server, or OWA.
If we had set our internal domain name for the account domain to contoso.com, then this wouldn't be an issue.
May 21st, 2008 6:09pm
Hi,
Outlook Web Access does not perform any authentication on its own. It always relies on IIS to perform that task. IIS uses Active Directory to ensure proper authentication occurs.
So it is by design. I recommend you log on to OWA using the user name only.
To configure the settings to only require a user name:
1. Open the Authentication tab on the owa (Default Web Site) Properties page.
2. Select the User name only option
3. Click Browse and select the domain.
4. Click OK.
Then run iisreset /noforce from a command prompt to restart IIS.
Hope it helps.
May 22nd, 2008 2:45pm
I understand that IIS is performing the authentication queries under the covers. We want to have all users use their public email address (which is also their userPrincipalName) to log in to OWA.
The settings you prescribed above would be fine if I wasn't set up in an Exchange Resource Forest/User Account Forest topology. We have one single Exchange organization servicing several different AD account forests/domains. The settings above would only work for one domain, not multiple.
May 22nd, 2008 9:58pm
Hi,
Thanks for your reply.
Then normally, we would like to set the external domain name the same as the internal domain name, so that users would not need to know whether it is internal or external, for Exchange will only query the AD which has the same name as the one you specified.
Meanwhile, a resource forest with multiple domains may be able to use the resource forest domain name as the external email address so that all the accounts in several domains can have a uniform SMTP e-mail address space.
I am not very familiar with the scenario that you deployed, but I'm interested in the scenario that you deployed. As we know, the domain name is not the same as the SMTP address space name (accepted domain name). You can use the accepted domain name in the URL for OWA so that the internal domain name will not be exposed, but you cannot use that to log on to OWA.
So for your idea, I think it may not work.
Managing Accepted Domains
http://technet.microsoft.com/en-us/library/bb124423(EXCHG.80).aspx
Best regards,
Xiu
May 23rd, 2008 10:02am
Hi, I'm sorry but I'm almost sure that it is possible. Without setting the external domain name the same as the internal domain name, you can change your UPN to the email address. After that you'll be able to log on to OWA with the email if you put a forest trust relationship between the client domain and the resource domain. The last step is to configure the name suffix routing on the relationship to route all authentication requests using the new UPN toward the client forest. I think this is functional according to this page: http://technet.microsoft.com/en-us/library/cc779566.aspx The interesting part is "Using the User Principal Name to Log On Across Forests".
Best Regards,
June 4th, 2009 10:12pm
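As an added illustration (not from the thread or any of its posters), the procedure in the last reply written out as PowerShell and netdom commands, assuming the contoso.local / ExchangeServices.local names from the earlier post, a forest trust already in place, and the ActiveDirectory module (Windows Server 2008 R2 or later); the Test-CrossForestUpn helper is my own name:

```powershell
# Added example, not from the thread. Account-forest side: publish the public
# SMTP name as an alternative UPN suffix and assign it to the user.
# Resource-forest side: confirm the suffix is routed over the forest trust,
# then check that the UPN actually resolves before blaming OWA or IIS.

# --- Run in the account forest (contoso.local), as an enterprise admin ---
Import-Module ActiveDirectory
Set-ADForest -Identity 'contoso.local' -UPNSuffixes @{Add = 'contoso.com'}
Set-ADUser -Identity 'john.doe' -UserPrincipalName 'john.doe@contoso.com'

# --- Run in the resource forest (ExchangeServices.local) ---
# List the name suffixes that ExchangeServices.local routes to contoso.local.
# A suffix listed as disabled (new suffixes and collisions with another
# trust are the usual causes) is not forwarded, which is exactly the
# "doesn't know where contoso.com lives" symptom described above.
netdom trust ExchangeServices.local /Domain:contoso.local /NameSuffixes:contoso.local

# If contoso.com shows as disabled, toggle it by its position in that list
# (index 1 assumed here; use the number netdom printed for contoso.com).
# netdom trust ExchangeServices.local /Domain:contoso.local /NameSuffixes:contoso.local /ToggleSuffix:1

# Verify from a resource-forest host that the new UPN translates to a SID.
# IIS performs the same lookup for an OWA logon, so if this fails, OWA fails.
function Test-CrossForestUpn {
    param([Parameter(Mandatory)][string]$Upn)
    try {
        $account = New-Object System.Security.Principal.NTAccount($Upn)
        $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
        [pscustomobject]@{ Upn = $Upn; Resolved = $true;  Sid = $sid.Value }
    } catch {
        [pscustomobject]@{ Upn = $Upn; Resolved = $false; Sid = $null }
    }
}

Test-CrossForestUpn -Upn 'john.doe@contoso.com'
Test-CrossForestUpn -Upn 'john.doe@contoso.local'   # should already resolve
```

Comparing the two results tells you whether the remaining problem is suffix routing (only the .local UPN resolves) or something in IIS/OWA itself (both resolve, OWA still rejects the logon).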