Moved provisionally to Web Gateway for better support.
I don't know all potential scenarios that might fit this use case, but at the moment MWG can perform authentication, but cannot perform authentication against OWA in the backend. MWG cannot store/forward Kerberos tickets on demand yet. Since a lot of single sign-on capabilities are currently being added, more options may be available in the future.
Nevertheless MWG could probably provide some sort of strong(er) authentication. An (untested) example might be:
- User accesses webmail.mycompany.tld which terminates on MWG
- MWG enforces HTTPS if not already used by the requesting user
- MWG displays form to authenticate against Active Directory or any other possible authentication provider
- User types in Username + Password
- MWG sends SMS to user / User uses soft token to generate one time password
- User types in one time password obtained
- MWG validates username + password + one time password
- Access is granted
The question now is how to authenticate against OWA... I am not an Exchange/IIS expert, but it should be possible to set up MWG to either fill the OWA authentication form with the previously supplied credentials or pick a client certificate for the authenticated user and use that to authenticate against Exchange.
Maybe someone else has some additional/better ideas :-)