Microsoft Online Sign In Client In-Depth Version 1.0 www.MessageOps.com [email protected]


©2009 MessageOps, LLC. All Rights Reserved.

Contents

Sign In Client Basics ... 3
How Does the Authentication Work? ... 4
What the Sign In Client Configures ... 6
Deploying the Sign In Client ... 7
  1. Share the Install Package ... 7
  2. Configuring the GPO ... 7
  3. Setting Permissions on the GPO ... 11
  4. Testing the Installation ... 12
Managing the Sign In Client ... 13
  1. Downloading and Configuring the Admin Template ... 13
  2. Importing and Using the Admin Template ... 16
  3. Configuring the Desired Settings ... 17
Sign In Client Logging ... 18


Sign In Client Basics

The Microsoft Online Services Sign In Application allows end users to access Exchange Online (which encompasses Outlook and OWA), SharePoint Online, Live Meeting, and Office Communicator Online (OCS) without being prompted for credentials in each application. You can see below that it has the ability to remember the username and password and to automatically sign the user in, which makes for a very seamless user experience. There are two other primary functions the Sign In client performs:

1. Configuration of Applications - The Sign In client will automatically configure Outlook, LiveMeeting, and Office Communicator for use with Microsoft Online.

2. Password Management – The Sign In client will allow users to change their Microsoft Online password and alerts them when their password is about to expire.

The services that show in the Sign In Client depend on the license assigned to the user within the Microsoft Online Administration Center (MOAC). For example, if a user only has an Exchange Online license assigned, they will only see an option to launch Outlook or Outlook Web Access; icons for the other services will not show in the Sign In client. The supported operating systems for the Sign In Client are as follows: Windows XP Professional, Windows Vista (all versions including the home SKUs), and Windows 7 (all versions).


How Does the Authentication Work?

After seeing the single sign-in process work, the MessageOps team wanted to understand how the authentication worked. The first place we looked was the Credential Manager, as we know it has the functionality to store usernames and passwords. Sure enough, we noticed a lot of Microsoft Online entries stored (see below). To get into the Credential Manager on an XP machine, go to Run and type:

Control userpasswords2

You’ll notice that each server name is followed by (Certificate). Clicking on the properties of an entry, you see:


So it appears a certificate is being issued to the user which allows them to access the various services. The next logical place to look for more information is the certificate manager, certmgr.msc.

In the Personal Certificates, you’ll see that a user cert has been issued to the user by Microsoft Online.

If you look at the details on the cert an interesting thing to note is the short lifespan of 40 hours. If a client is unable to access Microsoft Online, this might be a good item to check.

You can also see this behavior in the Sign In Client logs:

10/7/2009 9:08:32 PM Info Certman2.MakeCertRequest_XP Certificate request prepared successfully
10/7/2009 9:08:33 PM Info Certman2.InstallCert_XP Client certificate installed successfully
10/7/2009 9:08:33 PM Info SingleSignOn.StoreCredentials Server *.RED001.local added to credman for user [email protected]
10/7/2009 9:08:33 PM Info SingleSignOn.StoreCredentialsForAServer Storing credentials for *.RED001.local
10/7/2009 9:08:33 PM Info SingleSignOn.StoreCertCredentials Server home.microsoftonline.com added to credman for user [email protected]
10/7/2009 9:08:33 PM Info SingleSignOn.StoreCertCredentialsForAServer Storing cert credentials for home.microsoftonline.com
10/7/2009 9:08:33 PM Info SingleSignOn.StoreCertCredentials Server webpool1.oconline.microsoftonline.com added to credman for user [email protected]

It is also interesting to note that when the user signs out of the Sign In client, the certificate is removed and the entries in Credential Manager are also removed.
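Added example, not from the MessageOps document: a PowerShell parser for the log layout shown above ("date time AM/PM Level Component.Method Message" is assumed to hold for every line). It lists which servers received Credential Manager entries for which user, distinguishes password entries from certificate entries by the logging component, and estimates the expiry of the installed user certificate from the 40-hour lifetime described earlier. The sample lines are constructed from the excerpt; the last one is a made-up non-Info entry so the report has something to flag.

```powershell
# Added example, not from the MessageOps document. The sample lines are constructed
# in the layout of the document's log excerpt; the last one is a made-up non-Info
# entry so the report has something to flag.
$sampleLog = @'
10/7/2009 9:08:32 PM Info Certman2.MakeCertRequest_XP Certificate request prepared successfully
10/7/2009 9:08:33 PM Info Certman2.InstallCert_XP Client certificate installed successfully
10/7/2009 9:08:33 PM Info SingleSignOn.StoreCredentials Server *.RED001.local added to credman for user user@example.com
10/7/2009 9:08:33 PM Info SingleSignOn.StoreCredentialsForAServer Storing credentials for *.RED001.local
10/7/2009 9:08:33 PM Info SingleSignOn.StoreCertCredentials Server home.microsoftonline.com added to credman for user user@example.com
10/7/2009 9:08:33 PM Info SingleSignOn.StoreCertCredentialsForAServer Storing cert credentials for home.microsoftonline.com
10/7/2009 9:08:33 PM Info SingleSignOn.StoreCertCredentials Server webpool1.oconline.microsoftonline.com added to credman for user user@example.com
10/7/2009 9:09:05 PM Warning SingleSignOn.SignOut (constructed) Certificate and credman entries removed for user user@example.com
'@

function ConvertFrom-SignInLog {
    # One object per line that matches "date time AM/PM Level Component.Method Message".
    param([string[]]$Lines)
    $pattern = '^(?<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+(?<level>\w+)\s+(?<source>[\w.]+)\s+(?<msg>.+)$'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Timestamp = [datetime]::ParseExact($Matches['ts'], 'M/d/yyyy h:mm:ss tt', [cultureinfo]::InvariantCulture)
                Level     = $Matches['level']
                Source    = $Matches['source']
                Message   = $Matches['msg']
            }
        }
    }
}

function Get-CredmanEntries {
    # One row per "Server X added to credman for user Y" event. The Source shows whether
    # a password entry (StoreCredentials) or a certificate entry (StoreCertCredentials) was stored.
    param([object[]]$Entries)
    foreach ($e in $Entries) {
        if ($e.Message -match '^Server (?<server>\S+) added to credman for user (?<user>\S+)$') {
            $kind = if ($e.Source -like '*CertCredentials*') { 'certificate' } else { 'password' }
            [pscustomobject]@{ When = $e.Timestamp; User = $Matches['user']; Server = $Matches['server']; Kind = $kind }
        }
    }
}

$entries = ConvertFrom-SignInLog -Lines ($sampleLog -split "`r?`n")

# The user certificate lives about 40 hours (per the document), so estimate when the
# most recent successful install stops working.
$installed = $entries |
    Where-Object { $_.Source -eq 'Certman2.InstallCert_XP' -and $_.Message -like '*installed successfully*' } |
    Select-Object -Last 1
if ($installed) {
    '{0}: client certificate installed; expect it to expire around {1}' -f $installed.Timestamp, $installed.Timestamp.AddHours(40)
}

Get-CredmanEntries -Entries $entries | Format-Table -AutoSize

# Anything that is not Info is worth a look when a user cannot reach Microsoft Online.
$entries | Where-Object { $_.Level -ne 'Info' } | Format-Table Timestamp, Level, Source, Message -AutoSize
```

To run it against a real machine, replace `$sampleLog` with `Get-Content` of a file from the Logs folder named in the Sign In Client Logging section.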


What the Sign In Client Configures

After signing into the client for the first time, it will prompt the user to configure Internet Explorer. During this stage it will add *.microsoftonline.com to the Local Intranet Zone in Internet Explorer.

The next step is to configure the various client applications. Each application has its own settings to configure. To get an idea of what is configured, on a Windows XP client browse to:

C:\Documents and Settings\Username\Local Settings\Application Data\Microsoft\Sign In\Config\[email protected]

In that directory you will see various registry files, XML documents, and other configuration settings files.

For Outlook you’ll see that there is an Outlook PRF file which is used to configure the Outlook profile. You can open the file in Notepad to see exactly what it is configuring. You’ll also notice an outlook-configuration.reg and outlook-autodiscovery.xml. The contents of the outlook-configuration.reg are simply:

;// ensure that logon profile always asks
;// (this is a string value, not a dword!)
;//
[HKEY_CURRENT_USER\Software\Microsoft\Exchange\Client\Options]
"PickLogonProfile"="1"
;//
;// Turn on local Auto-Discovery for this domain
;//
[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\AutoDiscover]
"messageops.com"="C:\Users\Chad\AppData\Local\Microsoft\Sign In\Config\[email protected]\outlook-autodiscovery.xml"
[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\AutoDiscover]
"PreferLocalXML"=dword:1
"ExcludeHttpRedirect"=dword:0
"ExcludeHttpsAutodiscoverDomain"=dword:1
"ExcludeHttpsRootDomain"=dword:1
"ExcludeScpLookup"=dword:1
"ExcludeSrvLookup"=dword:1
"ExcludeSrvRecord"=dword:1

The combination of the XML file and the PreferLocalXML registry entry forces Outlook to look locally for its AutoDiscover settings. Examination of the other registry files will show similar Microsoft Online configuration options being applied.


Deploying the Sign In Client

It is highly recommended that you deploy the Sign In client to all clients on the network. There are countless ways in which you could deploy the client to the desktops, but in this document we’ll focus on using a Group Policy Object to perform the deployment.

1. Share the Install Package

The first step in the deployment is to place the Online Services Sign In .msi file on a network share that all users can access. Users will simply need read access to the file in order to perform the installation.

2. Configuring the GPO

1. To configure the GPO you will first have to open the Group Policy Management console in the Administrative Tools.

2. Expand the domain, right-click on Group Policy Objects and choose New.

3. Enter a name for the GPO and click OK.

4. Right-click on the new GPO and click Edit.


5. In the Group Policy Management Editor, expand User Configuration, expand Policies, expand Software Settings, right-click on Software Installation and choose New->Package.

6. In the window that appears, browse to the path of the install file on the network share you placed it on in Step 1.

7. In the Deployment Method dialog box choose Advanced and click OK.


8. In the Properties window, click on the Deployment tab and ensure that the Deployment type is set to “Assigned” and that “Install this application at logon” is selected in the deployment options, as shown below.

9. Click OK to exit the Properties window.

10. You will now see the package listed as shown below.


11. Exit the Group Policy Management Editor to return to the Group Policy Management Console.

We must now link the policy to the users we want it to apply to.

12. Right-click on the OU that your user accounts reside in and choose Link an Existing GPO. You could also link the GPO at the root of the domain.

13. Choose the MSO Client Deployment GPO and click OK.


3. Setting Permissions on the GPO

At this point, the Sign In client would be automatically installed for every user when they log in, which may not be what you want. MessageOps typically modifies the security so that only specific users get the GPO applied. To do that you’ll need to modify the Security Filtering settings.


By default the GPO applies to Authenticated Users. It is recommended that you remove the Authenticated Users group and replace it with a security group. As users are migrated, place their accounts in the security group so they get the Sign In client only after they have been migrated.

4. Testing the Installation

You are ready to test the deployment. If you used a security group to control who the policy applies to, place your test user account in the security group.

When the test user logs into the workstation you should see the software being installed.
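Added example, not from the MessageOps document: the link and security-filtering steps above done with the GroupPolicy module (Windows Server 2008 R2 or later, run by someone allowed to edit GPOs). The GPO, OU and group names are assumptions. It differs from the GUI step in one respect: instead of removing Authenticated Users outright, it leaves them Read and takes away only Apply, because since the MS16-072 update (June 2016) the computer account retrieves user GPOs and a GPO it cannot read never applies.

```powershell
# Added example, not from the MessageOps document. GPO, OU and group names are assumptions.
Import-Module GroupPolicy

$gpoName  = 'MSO Client Deployment'            # the GPO built in "Configuring the GPO"
$targetOu = 'OU=Migrated Users,DC=example,DC=com'
$rollout  = 'MSO Sign In Client Users'         # security group that controls who gets the client

# Create the GPO if needed and link it to the OU the user accounts live in.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Comment 'Deploys the Microsoft Online Sign In client' }
$linked = (Get-GPInheritance -Target $targetOu).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) { New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes | Out-Null }

# Security filtering. Authenticated Users drop from Apply to Read only: Read must stay
# because, since MS16-072 (June 2016), the computer account fetches user GPOs and cannot
# process a GPO it cannot read. Only the rollout group gets Apply.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $rollout -TargetType Group -PermissionLevel GpoApply | Out-Null

function Get-GpoApplyPrincipals {
    # Everyone holding GpoApply on the GPO, i.e. who will actually receive the package.
    param([string]$Name)
    Get-GPPermission -Name $Name -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { $_.Trustee.Name }
}

# Check the end state before the test logon; the test user is then added to $rollout
# (e.g. Add-ADGroupMember -Identity $rollout -Members 'testuser') and logs on.
$apply = @(Get-GpoApplyPrincipals -Name $gpoName)
if ($apply -contains 'Authenticated Users') {
    Write-Warning 'Authenticated Users still has Apply; every user would get the client.'
}
"Apply granted to: $($apply -join ', ')"
```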


Managing the Sign In Client

After the client has been deployed, you may want to change its settings centrally via Group Policy. The options that are configurable are shown below.

Allow Remember Name

Enables Sign In to remember the username of the last signed in user. This policy should be Enabled when your user's Online Account Name should be displayed each time the Sign-In Client is launched.

Allow Remember Password

Enables Sign In to remember the password of the last signed in user. This policy should be Enabled if your Online user's password should be remembered and populated each time the Sign-In Client is launched.

Allow Auto Sign In

Enables Sign In to automatically sign in the user. This policy should be Enabled if you want the Sign-In Client to automatically sign-in once Windows is started.

Allow Auto Start

Enables Sign In to automatically start when the user starts Windows. This policy should be Enabled if you want the Sign-In Client to automatically launch after Windows starts.

Allow Minimize after Sign In

Enables Sign In to automatically minimize when the user signs in to Sign In. This policy should be Enabled if you want the Sign-In Client to automatically minimize to the Windows SysTray.

Allow Update Alerts

Enables Sign In to show alerts when a new update is available for Sign In. This policy should be Enabled. It provides visible popup notifications when a Sign-In Client Application update is available.

Allow Configuration Alerts

Enables Sign In to show alerts when a new configuration is available. This policy should be Enabled. It provides visible popup notifications when a Sign-In Client Application Configuration update is available.

1. Downloading and Configuring the Admin Template

Microsoft has created an Admin Template that can be imported into the Group Policy Editor and allows you to modify all of the above settings.

http://blogs.technet.com/msonline/archive/2009/02/09/microsoft-online-sign-in-client-adm-group-policy-object.aspx


In MessageOps testing there were a couple of minor problems with the ADM file. The highlighted items below represent the MessageOps modifications. First, the CLASS was changed from USER to MACHINE. Second, AutoStart was changed to AutoRun. Both of these changes are backed up by the following article: http://www.microsoft.com/online/help/en-us/bpos/html/be780b9a-78a4-42c3-8b21-0f09ff01b32a.htm Note that this is not supported by Microsoft or MessageOps, so use it at your own risk. Please contact MessageOps if you have any questions, as we’d be happy to help you get it implemented.

*************************************************************************************

CLASS MACHINE

CATEGORY !!MicrosoftOnlineComponents
  CATEGORY !!MochaCat

    POLICY !!RememberMe
      KEYNAME "Software\Policies\Microsoft\MOCHA\Preferences"
      EXPLAIN !!RememberMeExplain
      VALUENAME "RememberMe"
      VALUEON NUMERIC 1
      VALUEOFF NUMERIC 0
    END POLICY

    POLICY !!RememberPassword
      KEYNAME "Software\Policies\Microsoft\MOCHA\Preferences"
      EXPLAIN !!RememberPasswordExplain
      VALUENAME "RememberPassword"
      VALUEON NUMERIC 1
      VALUEOFF NUMERIC 0
    END POLICY

    POLICY !!AutoSignIn
      KEYNAME "Software\Policies\Microsoft\MOCHA\Preferences"
      EXPLAIN !!AutoSignInExplain
      VALUENAME "AutoSignIn"
      VALUEON NUMERIC 1
      VALUEOFF NUMERIC 0
    END POLICY

    POLICY !!AutoRun
      KEYNAME "Software\Policies\Microsoft\MOCHA\Preferences"
      EXPLAIN !!AutoStartExplain
      VALUENAME "AutoRun"
      VALUEON NUMERIC 1
      VALUEOFF NUMERIC 0
    END POLICY

    POLICY !!HideDash
      KEYNAME "Software\Policies\Microsoft\MOCHA\Preferences"
      EXPLAIN !!HideDashExplain
      VALUENAME "HideDash"
      VALUEON NUMERIC 1
      VALUEOFF NUMERIC 0
    END POLICY

    POLICY !!ShowUpdateAlerts
      KEYNAME "Software\Policies\Microsoft\MOCHA\Preferences"
      EXPLAIN !!ShowUpdateAlertsExplain
      VALUENAME "ShowUpdateAlerts"
      VALUEON NUMERIC 1
      VALUEOFF NUMERIC 0
    END POLICY

    POLICY !!ShowConfigAlerts
      KEYNAME "Software\Policies\Microsoft\MOCHA\Preferences"
      EXPLAIN !!ShowConfigAlertsExplain
      VALUENAME "ShowConfigAlerts"
      VALUEON NUMERIC 1
      VALUEOFF NUMERIC 0
    END POLICY

  END CATEGORY
END CATEGORY

[strings]
MicrosoftOnlineComponents="Microsoft Online Services Components"
MochaCat="Sign In"
RememberMe="Allow Remember Name"
RememberMeExplain="Enables Sign In to remember the username of the last signed in user\n\nThis policy should be Enabled when your user's Online Account Name should be displayed each time the Sign-In Client is launched."
RememberPassword="Allow Remember Password"
RememberPasswordExplain="Enables Sign In to remember the password of the last signed in user\n\nThis policy should be Enabled if your Online user's password should be remembered and populated each time the Sign-In Client is launched."
AutoSignIn="Allow Auto Sign In"
AutoSignInExplain="Enables Sign In to automatically sign in the user\n\nThis policy should be Enabled if you want the Sign-In Client to automatically sign-in once Windows is started."
AutoRun="Allow Auto Start"
AutoStartExplain="Enables Sign In to automatically start when the user starts Windows\n\nThis policy should be Enabled if you want the Sign-In Client to automatically launch after Windows starts."
HideDash="Allow Minimize after Sign In"
HideDashExplain="Enables Sign In to automatically minimize when the user signs in to Sign In\n\nThis policy should be Enabled if you want the Sign-In Client to automatically minimize to the Windows SysTray."
ShowUpdateAlerts="Allow Update Alerts"
ShowUpdateAlertsExplain="Enables Sign In to show alerts when a new update is available for Sign In\n\nThis policy should be Enabled. It provides visible popup notifications when a Sign-In Client Application update is available."
ShowConfigAlerts="Allow Configuration Alerts"
ShowConfigAlertsExplain="Enables Sign In to show alerts when a new configuration is available\n\nThis policy should be Enabled. It provides visible popup notifications when a Sign-In Client Application Configuration update is available."

*************************************************************************************


2. Importing and Using the Admin Template

1. The first step will be to create a new GPO which applies to the computer accounts you want the policy to apply to. Once the policy is created, edit the policy.

2. Expand Computer Configuration, expand Policies, right-click on Administrative Templates and choose Add/Remove Templates.

3. Browse to the location of the MOCHA.ADM file and choose Open. You should see the dialog box below after import.

4. After the template has been added, browse to Microsoft Online Services Components. You will see the configuration options on the right.


3. Configuring the Desired Settings

Configuring the desired settings is pretty straightforward.

• If a setting is set to “Not Configured”, the user will have the choice of enabling or disabling that setting.

• If a setting is “Enabled” (On), the option will be forced upon the user and they will not be able to modify it.

• If a setting is “Disabled” (Off), the option will be turned off and the user will not be able to change it.

The default settings are shown in the table below:

Option | Default | Comments
Remember my user name | Off | "Off" is recommended when a computer is shared by multiple users.
Remember my password | Off | "Off" is recommended when a computer is shared by multiple users.
Automatically sign me in | On | "On" makes it easier for users to access their services at all times.
Automatically start when Windows starts | Off | "Off" is recommended when a computer is shared by multiple users.
Minimize to the notification area when signed in | Off | Set according to the user’s personal preference.
Show notifications: when an update of the Sign In application is available | On | "On" makes it easier for users to stay up-to-date.
Show notifications: when a new application configuration is available | On | "On" makes it easier for users to stay up-to-date.


Sign In Client Logging

By default the Sign In client keeps a very detailed log of its activity. On a Windows XP machine, the logs are stored in

C:\Documents and Settings\username\Local Settings\Application Data\Microsoft\Sign In\Logs

There is no Group Policy support for log levels.

The LogLevel key for the Sign In application is located in the Windows registry at: HKEY_CURRENT_USER\Software\Microsoft\MOCHA\Preferences.

To set the LogLevel key, use the following information.

Log level | Value
None | 0
Critical | 1
Error | 2
Exception | 3
General (default value) | 4
Verbose | 5
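Added example, not from the MessageOps document, covering the ADM policies from the Managing section and the LogLevel value above: a PowerShell audit that reads the seven policy values under the template's KEYNAME (HKLM because the modified template uses CLASS MACHINE) and reports them in the Not Configured / Enabled / Disabled terms the document uses, flags settings the default table recommends leaving Off on shared computers, and reads or sets LogLevel in HKCU using the table's values. Key paths follow the template and the text; the function names are assumptions.

```powershell
# Added example, not from the MessageOps document. Reports the Sign In Client policy
# values and LogLevel in the Not Configured / Enabled / Disabled terms the document uses.
$policyKey = 'HKLM:\Software\Policies\Microsoft\MOCHA\Preferences'   # ADM template KEYNAME under CLASS MACHINE
$prefKey   = 'HKCU:\Software\Microsoft\MOCHA\Preferences'            # where LogLevel lives

# VALUENAME -> policy title, taken from the template's [strings] section.
$policies = [ordered]@{
    RememberMe       = 'Allow Remember Name'
    RememberPassword = 'Allow Remember Password'
    AutoSignIn       = 'Allow Auto Sign In'
    AutoRun          = 'Allow Auto Start'
    HideDash         = 'Allow Minimize after Sign In'
    ShowUpdateAlerts = 'Allow Update Alerts'
    ShowConfigAlerts = 'Allow Configuration Alerts'
}
# Settings the document's default table recommends leaving Off on shared computers.
$offWhenShared = 'RememberMe', 'RememberPassword', 'AutoRun'
# Log level names and values from the document's table.
$logLevels = [ordered]@{ None = 0; Critical = 1; Error = 2; Exception = 3; General = 4; Verbose = 5 }

function Get-MochaPolicyState {
    param([string]$Key = $policyKey)
    foreach ($name in $policies.Keys) {
        $item  = Get-ItemProperty -Path $Key -Name $name -ErrorAction SilentlyContinue
        $state = 'Not Configured (user chooses)'
        if ($null -ne $item) {
            $state = if ($item.$name -eq 1) { 'Enabled (On, forced)' } else { 'Disabled (Off, forced)' }
        }
        $note = ''
        if ($name -in $offWhenShared -and $state -like 'Enabled*') { $note = 'document recommends Off on shared computers' }
        [pscustomobject]@{ Value = $name; Policy = $policies[$name]; State = $state; Note = $note }
    }
}

function Get-MochaLogLevel {
    $item = Get-ItemProperty -Path $prefKey -Name LogLevel -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'General (4, default; value not set)' }
    $match = $logLevels.GetEnumerator() | Where-Object { $_.Value -eq $item.LogLevel } | Select-Object -First 1
    if ($match) { "$($match.Key) ($($item.LogLevel))" } else { "unknown value $($item.LogLevel)" }
}

function Set-MochaLogLevel {
    # There is no Group Policy for this value, so it is set per user in HKCU.
    param([Parameter(Mandatory)][ValidateSet('None','Critical','Error','Exception','General','Verbose')][string]$Level)
    if (-not (Test-Path $prefKey)) { New-Item -Path $prefKey -Force | Out-Null }
    Set-ItemProperty -Path $prefKey -Name LogLevel -Value $logLevels[$Level] -Type DWord
}

Get-MochaPolicyState | Format-Table -AutoSize
"LogLevel: $(Get-MochaLogLevel)"
# Set-MochaLogLevel -Level Verbose   # e.g. while troubleshooting the 40-hour certificate
```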