I know this is a very specific question, and I already exhausted all my known channels like searching and AI on the internet, so I would like to ask if any of you have dealt with this before.

I have set up an on-premise MS Exchange 2016-cu22 and I would like to use two-factor token authentication for the Web Access. I followed the instructions, installing ADFS, adding the PrivacyIDEA plugin and setting it all up. Everything is working as expected for all browsers except Safari on macOS and iOS. After login, all browsers work as expected, but when opening an attachment, Safari only shows a blank page.

After investigating, the OWA webserver reports that there is an unauthorised access to the URL pointing to the attachment. If I inspect the web traffic, I can see that all browsers send the authentication cookie during the attachment request, but Safari does not. This happens specifically during a redirection (an HTML 302 code) when requesting the attachment. This redirection occurs due to a CVE by Microsoft that attachments should point to a different URL than the main OWA URL.

The solution seems to lie in having Safari send cookies during a 302. Is there anything (besides convincing Apple to change their browser) that I can do about this, because I would really like to use two-factor authentication in OWA?
(Note: without ADFS, the OWA works without issues for all browsers)
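
To compare the browsers side by side, the following added example (not part of the original post) scans a HAR capture for 302 responses whose follow-up request did not carry a given cookie and reports whether the redirect crossed to another host. The host names, path, cookie name `AuthCookie` and the 401 status are constructed placeholders; substitute the values seen in your own capture.

```python
from urllib.parse import urljoin, urlsplit

def header(headers, name):
    """First value in a HAR header list matching name (case-insensitive)."""
    return next((h["value"] for h in headers if h["name"].lower() == name.lower()), None)

def redirects_missing_cookie(har, cookie_name):
    """List (source_url, target_url, cross_host) for every 302 whose follow-up
    request did not carry cookie_name."""
    entries, findings = har["log"]["entries"], []
    for i, entry in enumerate(entries):
        req, resp = entry["request"], entry["response"]
        if resp["status"] != 302:
            continue
        location = resp.get("redirectURL") or header(resp["headers"], "Location")
        if not location:
            continue
        target = urljoin(req["url"], location)  # Location may be relative
        follow = next((e["request"] for e in entries[i + 1:]
                       if e["request"]["url"] == target), None)
        if follow is None:
            continue  # redirect target was never requested in this capture
        sent = header(follow["headers"], "Cookie") or ""
        names = {part.split("=", 1)[0].strip() for part in sent.split(";") if part.strip()}
        if cookie_name not in names:
            cross = urlsplit(req["url"]).hostname != urlsplit(target).hostname
            findings.append((req["url"], target, cross))
    return findings

def make_entry(url, status, req_headers, location=None):
    """Build one constructed HAR entry with only the fields used above."""
    resp_headers = [{"name": "Location", "value": location}] if location else []
    return {"request": {"url": url, "headers": req_headers},
            "response": {"status": status, "headers": resp_headers}}

# Constructed sample data: host names, path and cookie name are placeholders.
COOKIE = [{"name": "Cookie", "value": "lang=en; AuthCookie=abc123"}]
OWA = "https://mail.example.test/owa/attachment"
ATT = "https://attachments.example.test/owa/attachment"
HAR_OTHER = {"log": {"entries": [make_entry(OWA, 302, COOKIE, ATT), make_entry(ATT, 200, COOKIE)]}}
HAR_SAFARI = {"log": {"entries": [make_entry(OWA, 302, COOKIE, ATT), make_entry(ATT, 401, [])]}}

if __name__ == "__main__":
    for label, har in (("other browser", HAR_OTHER), ("Safari", HAR_SAFARI)):
        print(label, redirects_missing_cookie(har, "AuthCookie"))
```

With a real capture, load the exported file with `json.load` and pass the resulting dict as `har`.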