We are trying to get the following to work:
Outlook Anywhere SSO across Network Connect without domain membership
The procedure would be:
(Remark: the notebook of this user is _not_ a member of the domain!)
1) User logs in at https://ssl.XXX.com with his domain credentials
2) User starts Network Connect / WSAM
3) User starts the local Outlook 2003/2007 "fat" client (which is pre-configured) _without_ typing his credentials again!
4) User can work with Outlook as always
At the moment, from a technical standpoint, everything works, but after starting Network Connect and starting Outlook, he has to type his credentials for Exchange / the domain controller once more. We want some kind of "single sign-on" functionality, so that Outlook uses the credentials from the user session on the SA.
Is this possible in any way?
Any ideas would be great!
That is, as far as I know, not possible, as the credentials are stored on, and used by, the SA. When you start Outlook, it has no knowledge of any credentials at all, and none are stored on the local computer (as it is not logged on to the domain).
You might be able to retrieve the credentials you entered from IE, but I don't think that is possible, and if it is, I wouldn't know how.
The only way I can imagine this might work is if the user has to log on to Windows on the notebook with the exact same username and password, but that definitely isn't best practice.
We thought about something like certificates, or storing the NC user credentials temporarily on the local machine via WSAM start and end scripts.
Storing the credentials by way of scripts seriously weakens your security: don't go there.
Actually, I'm not altogether sure why you would log in without entering credentials:
Why not simply use SSO credentials to present OWA to your customers?
By the way, the certificate option sounds interesting.
I agree that your best bet for this scenario is to use OWA rather than Outlook... not only from a simplicity standpoint but from a security standpoint... no company should allow their email to be downloaded / saved to a non-company computer like that. We permit OWA from anywhere in the world, and if users want to use Outlook they have to VPN in using or by connecting to a company computer. It's perfectly adequate for any remote email needs... and if they really need the added functionality of Outlook they can go through the extra steps to do so.