We're implementing a Web Application Proxy (WAP) on Windows Server 2012 R2 for our organisation to replace the authentication/SSO features of TMG. Currently we have a working WAP with SSO for:
- SharePoint 2013
- Outlook
- Office 365
- several other web applications.
Authentication works great and it is a really seamless authentication environment. Its backend is based on Kerberos, so no Claims are being used for SharePoint or Exchange. The right SPNs are created in AD.
When I'm logged in with the web browser (tried the usual suspects) and try to open an Office document located on the SharePoint server, the document opens fine in the Office WebApp server (again with SSO), but when I try to edit the document in Word (or Excel etc.), I get a new authentication prompt (forms-based) from the WAP server.
If I enter my credentials again, the document opens and everything works fine. I can save the document etc. When I leave the MS Office application open and open another document from the SharePoint site, I don't get another authentication prompt. This is not the seamless experience we had on the TMG solution.
It seems to me that there are two different session cookies in play. One for the browser and one for the MS Office applications. Of course I googled this extensively, but no solution to be found. It almost seems like I'm the only one with this problem!
What I've learned so far is that MS Office uses the MSOFBA 'engine' for their applications. Maybe there is a way to add this user agent to the WAP server, to receive the right cookie when authenticated in the web browser? I'm really stuck here. Plus, the feeling that I'm the only one makes me think I'm doing something very stupid.
Thanks for any ideas!

P.S. All access to the WAP is external. No internal (intranet) authentication is being done in our domain. We have a full BYOD network where everything is presented as 'if you are working from your home'.
