Posted on 07-15-2014 02:53 AM
Hi,
Thanks for reading. We deployed a JSS server, in addition with network homefolders in a company. We setup several configuration profiles for homefolder sync, network mounts, etc.
Clients use Microsoft Office (2011) Outlook for Mac to read their email which is hosted on the company exchange server. Email works well, but when one client gets a message one of their emails is being put in quarantine and needs to be released, they have to click on a provided link to release it.
By default the Mac's open Safari, and then is being asked for a administrator username/password to unlock a certain keychain for the system to use with the website. It says for the website **.outlook.com a certificate is needed. It displays a JSS certificate in the window but when I fill in the admin user&pass, it comes back with the same window to fill in the username and password again.
We tried opening the same link in firefox, then all works well and the email is released from quarantine. The certificate is OK and trusted, so I don't understand why Safari keeps asking for a username and password, while firefox doesn't.
I attached a screenshot, hoping it would shine a light on the issue trying to resolve it.
Any help would be greatly appreciated.
Solved! Go to Solution.
Posted on 07-15-2014 07:11 AM
You have Exchange Online Protection enabled; the link to manage a message carries you to a site which prompts for a certificate to authenticate. If Safari detects any identity certificates within your Keychain, it will present you with the selection window you're seeing. This does not happen in other browsers, for various reasons (Firefox doesn't use your Keychain, for example - Chrome is better at only showing you relevant certificates). Workaround: click cancel on this prompt.
This is a bug with Outlook.com; you need to contact Microsoft support and complain (as we have). There is a proposed solution from Microsoft, but it's kind of a joke: remove all of the identity certificates that show up in that window from your Keychain. This obviously doesn't work for a lot of Enterprise environments where certificates are required for various reasons (in our case, WiFi, LAN, Remote Access, and Signed/Encrypted Email, to name a few). State at the outset if it is unacceptable to remove certificates from the Keychain per their recommendation.
Posted on 07-15-2014 07:11 AM
You have Exchange Online Protection enabled; the link to manage a message carries you to a site which prompts for a certificate to authenticate. If Safari detects any identity certificates within your Keychain, it will present you with the selection window you're seeing. This does not happen in other browsers, for various reasons (Firefox doesn't use your Keychain, for example - Chrome is better at only showing you relevant certificates). Workaround: click cancel on this prompt.
This is a bug with Outlook.com; you need to contact Microsoft support and complain (as we have). There is a proposed solution from Microsoft, but it's kind of a joke: remove all of the identity certificates that show up in that window from your Keychain. This obviously doesn't work for a lot of Enterprise environments where certificates are required for various reasons (in our case, WiFi, LAN, Remote Access, and Signed/Encrypted Email, to name a few). State at the outset if it is unacceptable to remove certificates from the Keychain per their recommendation.
Posted on 07-16-2014 11:50 PM
Hi JPDyson,
Many thanks for your reply, this clarifies a lot.
I will set the default browser to firefox on this client, which I think for now is a better workaround then to remove all relevant certificates. I will try to make a case with Microsoft about this, see how far we can get..
thanks again!