Sysadmins: Chucked your Exchange servers up? Let's enable SSO

My previous article focused on migrating Exchange into Microsoft's cloud, but there is more to Office 365 than just Exchange. Single Sign On (SSO) between Office 365 and your local Microsoft domain can be a bit tricky. A proper implementation has high minimum requirements, and there are very good arguments against cutting …

COMMENTS

This topic is closed for new posts.
  1. Mage Silver badge

    Or

    How about how to get rid of MS Proprietary Clunky products like Exchange and SSO needing to support MS authentication and use lighter weight, multi-platform alternatives?

    The Domain Server architecture and Exchange are horrors. Especially for smaller offices.

    After using MS Server since NT 3.5 (1994?) I'm migrating to Linux and abandoning MS Windows Update Server.

    Migrated LONG ago from MS Mail, then Outlook + Exchange to MDaemon on Windows and a succession of mail clients. Yes I know Outlook and Exchange do appointments etc.

    I don't miss Sharepoint either.

    I used to install MS Solutions, had MCP cert, wrote and gave training course in NT Admin etc. No longer.

    1. Anonymous Coward

      Re: Or

      In my experience, Exchange and AD work quite well in the Small Business Server setups. And WSUS too. And the only time I had problem with sharepoint was a hardware crash.

      Not yet idiot proof, but fairly easy for a small business admin to handle. Though a brief bit of culture shock for me moving from SBS on Server 2003 to latest SBS on 2008.

      1. Mage Silver badge

        Re: Or SBS

        SBS = MS Crippleware versions of MS Server Applications

    2. Anonymous Coward

      Re: Or

      Practically all companies use AD - I've worked with and for FTSE100 companies for the last fifteen years - many even use it for mainframe to desktop authentication. It really is one of very few products that do the job properly and basically essential if you use Windows workstations. A few companies that I have worked at have had a bridge setup so that the Windows AD can replicate with a generic LDAP implementation on UNIX, but Win AD really is quite good and about the only product that can facilitate true single sign on.

  2. Anonymous Coward

    If you are using Exchange...

    ...you have already failed.

    1. Anonymous Coward

      Re: If you are using Exchange...

      So the majority of the top 100 companies have failed?

      R i g h t!

      W O W

      1. Miek
        Linux

        Re: If you are using Exchange...

        Yes, that's what the AC is saying and I'm inclined to agree.

    2. Anonymous Coward

      Re: If you are using Exchange...

      Idiot.

      That is all

      1. This post has been deleted by its author

  3. Anonymous Coward

    Carrot and Stick

    "'the more difficult you make things, the more likely your users are to disregard security'. Economic arguments should also be considered: fewer passwords to remember and reset equals fewer support calls."

    Agreed.

    BUT: even with SSO the issue of passwords and password security is still not resolved!

  4. Chika
    Trollface

    ADFS?

    What has this to do with Acorn's Advanced Disk Filing System? ;)

    1. Gerhard den Hollander

      Re: ADFS?

      I consider exchange to be a rather advanced disk filling system.

      (yes, there are 2 L's in filling)

      1. Anonymous Coward

        Re: ADFS?

        Not quite: the disk filling is done by users who use their mailboxes as file repositories (unless you enforce proper mailstore policies of course).

        1. Trevor_Pott Gold badge
          Facepalm

          Re: ADFS?

          Disk filling is done by Exchange, thanks to no more single instance store. :sadface.jpg:

  5. Hyphen
    FAIL

    Eh?

    So by trying to save money, time and energy on maintaining a small Exchange server, you're now maintaining four AD boxes?

    I appreciate the redundancy etc aspects, and I doubt they'd need as much maintenance as Exchange (though if you set things up right, an Exchange box for small business really doesn't need much time spent on it) but this to me seems the opposite of what cloud computing is supposed to achieve!

    1. Trevor_Pott Gold badge

      Re: Eh?

      Large organisations can have dozens of Exchange servers. Branch office mail stores, edge servers, etc. Heck, a "proper" exchange deployment even with only one mail store has three servers in Exchange 2010! That's before you get into the UC stuff to tie in Lync, federation, etc...

  6. Lennart Sorensen
    FAIL

    Of course you would not actually ever use internaldomain.local but rather internaldomain.anythingelse would you? After all .local is reserved for use by zeroconf and you break all sorts of things if you use .local for your windows domain. Sure microsoft used to have an example in their documentation that used .local, but they changed that years ago and even wrote a domain rename tool to help repair the damage, not that anyone seems to ever get around to fixing this mistake. Instead the mac and linux users and anyone else that has a system that supports zeroconf just have to suffer.

    1. Anonymous Coward

      'supports' zeroconf? surely you mean 'poisoned by'

      chkconfig avahi-daemon off

      nozeroconf=yes (in each ethN file)

      reboot

  7. b166er

    I like Exchange

    Moving on, thanks for the article, but does this mean SSO for small businesses using SBS 2011 for example is a no-go? I thought the whole point of SBS 2011 was that it federated with Microsoft's cloud based services.

    I can't see many small businesses having an ADFS cluster so they can simplify their O365 usage.

    It's great to have these articles on the Reg, but it's always aimed at enterprises. Perhaps there aren't enough of us chaps supporting small businesses to make research for small business solutions worthwhile?

    1. kmonchamp

      They don't actually need to cluster it at all; ADFS can be installed on one server. The recommended configuration of course starts at running a small cluster on the two domain controllers (you do have two, right? ;) ) and goes up from there. I currently use it between our internally hosted Exchange server and Lync Online. Same user account, same password, works great.

    2. Trevor_Pott Gold badge

      Um...is there a browser cache issue on my end? the last three paragraphs read as follows to me:

      As you can tell, we left Small and Medium Enterprises (SMEs) behind a long time ago. This is major infrastructure: in many cases more than all of an SME's currently deployed server estate.

      A practicable alternative exists. The Microsoft Online Services Sign-In Assistant (MOS SIA) was made to help bridge the gap. While each of your users will have two sets of credentials (local corporate and cloud-based), with the MOS SIA, you only have to sign in once.

      While not SSO, MOS SIA is a freely downloadable tool that is "close enough" in practice. While useful and convenient, Office 365 SSO in its current form just doesn't make sense for SMEs. ®

      As to "articles on the Reg being aimed at enterprises," that actually hurts my feelings. I'm an SME admin myself. I spend roughly half my day screaming at large corporations all across the globe to keep SMEs in mind. I try very hard to write my articles with SMEs in mind...even when describing a technology that by and large targets enterprises exclusively.

      Sorry it didn’t work out this time. :(

      1. b166er
        Pint

        Sorry Trevor, my bad :*o

        I do appreciate your articles and must have been having a bad day not reading to the end.

        Hope you've grabbed yourself a cold one for your efforts!

        1. Trevor_Pott Gold badge
          Pint

          Is friesday today. CAN HAS BEER O'CLOCK. <3

  8. Cliff

    You take the Exchange servers, the four 'redundant' ADFS servers, the corporate website and for the hack of it the corporate SQL Server too, virtualise the lot onto a single piece of tin. If you haven't heard something similar from your business beancounters, do not quit - you're already in the best job out there.

  9. Anonymous Coward

    SSO is not a holy grail

    "fewer passwords to remember and reset equals fewer support calls."

    Sure, but it doesn't matter if your AD forces people to change their password every month for no reason other than 'just because'.

    In any large company I've worked for that uses AD for everything such enforcement leads people to shortcuts like subtly changing passwords in very minor ways or using things like 'November12345' and then 'December12345' and so on.

    Sorry but these sysadmin blogs read more like Microsoft literature than anything else these days.

  10. Anonymous Coward

    This isn't SSO

    This is not SSO; this is just linking one's AD account to their Office 365 account. A user still needs to type their username / password in twice to gain access.

    The SSO for Office365 still requires use of certificates and a bodged web address which just redirects them.
