SafeNet Agent for Microsoft Outlook Web App release notes
The SafeNet Agent for Microsoft Outlook Web App (OWA) is designed to help Microsoft enterprise customers ensure that their OWA email accounts can be accessed only by authorized users, whether working remotely or behind a firewall. It delivers a simplified and consistent user login experience and helps organizations comply with regulatory requirements. The use of Two-Factor Authentication (2FA) instead of traditional static passwords to access OWA is a critical step for information security.
For a list of existing issues, see Known Issues.
Release description
SafeNet Agent for Microsoft OWA 3.0.0
Build number: 3.0.0
This release introduces the following features and resolves the issue listed below:
- Exchange Server Subscription Edition compatibility: The agent now fully supports Microsoft Exchange Server Subscription Edition (SE).
- Browser support update: Internet Explorer support has been completely removed. Full functionality has been validated on Microsoft Edge, Chrome, and Firefox.
- Security Hardening: TLS v1.2+ is now enforced as the minimum supported protocol. Support for TLS 1.0 and 1.1 has been removed.
- Enhanced operating system support: Compatible with Windows Server 2022 and 2025.
- .NET upgrade: Upgraded .NET Framework from 4.5 to 4.8 to improve platform compatibility and security.
| Issue | Synopsis |
|---|---|
| SAS-21371 | Previously, users were unable to log in to SafeNet Agent for Microsoft OWA v 2.1.5. Now, the authentication flow works correctly for all supported configurations. |
SafeNet Agent for Microsoft OWA 2.1.5
This release introduces the following features and resolves the issues listed below:
- Support for Windows Server 2022
- Removed support for Microsoft Exchange Server 2010
- Renamed installer: The installer name is changed to SafeNet Agent for Microsoft Outlook Web App 2013-2016-2019.exe.
| Issue | Synopsis |
|---|---|
| SASNOI-16594 | The UI issues while accessing OWA through mobile and tablet devices are now fixed. |
| SASNOI-15708 | After enabling the OWA agent, users were prompted for 2FA for shared or public calendar. This issue is now fixed and after enabling the OWA agent, the calendar is now visible without 2FA. |
| SASNOI-15480 | Performance enhancement. |
| SASNOI-13612 | Enabling Download Domains for OWA resulted in removing images from the emails. After the fix, the images are properly visible in the emails (with the agent being enabled). |
| SASNOI-14249 | Users were not able to view or download the attachments using OWA. This issue is now fixed and the end user can now successfully view or download the attachments without re-login to OWA. |
| SASNOI-10816 | The OTP field was visible even if the IP address was added to the exclusion list in the OWA agent management console. After the fix, if the IP is added to the exclusion list, the OTP field is not visible on the login page. |
| SASNOI-3887 | While accessing Outlook Web App from a mobile device such as an Android device, the OTP field was not labeled. The OTP field is now labeled as otp. |
SafeNet Agent for Microsoft OWA 2.1.3
This release introduces the following features and resolves the issue listed below:
- Support for Windows Server 2019
- Support for Microsoft Exchange Server 2019
| Issue | Synopsis |
|---|---|
| SASNOI-8003 | The agent now generates the challenge for the MobilePass challenge-response token. |
SafeNet Agent for Microsoft OWA 2.1.2
This release introduces the following features and resolves the issues listed below:
- Office Online Server support: SafeNet Agent for Microsoft OWA now supports Office Online Server (OOS) with Microsoft Exchange Server 2016. The Office Online Server support enables the agent to deliver browser-based viewing, editing, and downloading of Office documents attached to OWA email messages.
  This feature enables document collaboration and editing in real time, as the Office documents attached to OWA emails can be viewed and edited from within the Outlook on the web interface without having to download the file to a local computer.
- Enhanced security: The AES-GCM encryption algorithm is now used to provide a faster and more secure way to protect data exchange between SafeNet Agent for Microsoft OWA and the SafeNet solution. Enabled by enhanced security, the agent delivers a more robust and dependable authentication experience. A more secure key standard, like AES-GCM, can also help you comply with your organization's security policy requirements.
  This feature is supported on SAS Cloud and SAS PCE/SPE v3.9.1 onwards.
Note
To use the AES-GCM key standard, the administrator has to download a new Agent.bsidkey file from SAS and update the same (in the agent) at Configuration Management > Communications > Agent Encryption Key File.
| Issue | Synopsis |
|---|---|
| SASNOI-8856 | The agent now correctly bypasses the SafeNet authentication for users added to the group exceptions policy. These users are thus not prompted for OTP, meaning AD username and password are sufficient to log in. |
| SASNOI-8699 | The HTTP 400 Error encountered on the OWA login page (for user accounts excluded from the OTP group) is now resolved. As a result, the impacted users will now be able to successfully log in to the OWA application using their Windows credentials. |
SafeNet Agent for Microsoft OWA 2.1.1
This release introduces the following feature and resolves the issues listed below:
- Users and groups: Supports group exclusions for child domains.
  A check box, Select if users and groups exist in the same domain, is added to ensure that the child domain is also searched for users and groups. If selected, the group exclusions functionality will search and apply authentication exceptions even if both users and groups exist in the child domain.
  Earlier, the exceptions were applied only if both users and groups existed in the parent domain.
| Issue | Synopsis |
|---|---|
| SASNOI-8524 | The group exclusions feature now works correctly for Windows Server 2016 and Outlook Exchange Server 2016. A check box, Select if users and groups exist in the same domain, is added to enhance the search capability to effectively include the child domain. |
| SASNOI-8481 | The login page of OWA now renders correctly (without any error) while working with SafeNet Agent for Microsoft OWA. |
| SASNOI-8457 | SafeNet Agent for Microsoft OWA, when working on Outlook Exchange Server 2016, now loads the login page (to enter user credentials) only once. |
| SASNOI-6514 | The group exclusions feature now works correctly for domains having tree-root relationships in a multi-domain setup. |
| SASNOI-6253 | The agent now correctly enforces the SafeNet authentication even for users having different usernames for UPN and samAccountName. |
SafeNet Agent for Microsoft OWA 2.1.0
This release introduces bug fixes and security enhancements at the infrastructure and agent level.
SafeNet Agent for Microsoft OWA 2.0.0
This release introduces the following feature and resolves the issue listed below:
- Auto Exchange selection: During installation, the agent's InstallShield Wizard now searches for and selects the applicable Exchange Server version automatically.
| Issue | Synopsis |
|---|---|
| SASNOI-7305 | The login page of Exchange Control Panel (ECP) now renders correctly (without any error) while working with the SafeNet OWA Agent. |
SafeNet Agent for Microsoft OWA 1.2.3
This release of SafeNet Agent for Microsoft OWA resolves the issues listed below:
| Issue | Synopsis |
|---|---|
| SASNOI-6716 | The group exclusions feature now works correctly for Microsoft Outlook Exchange Server 2010 deployed in a forest environment with multiple domains. Child domains are now getting added correctly to the User or Group list ensuring that the agent correctly reads group of global catalog in the AD. |
| SASNOI-6559 | Outlook Exchange 2010 is now running correctly with Exchange 2016 when the OWA agent is enabled. |
SafeNet Agent for Microsoft OWA 1.2.2
This release of SafeNet Agent for Microsoft OWA contains security enhancements at the infrastructure and agent level and resolves the issue listed below:
| Issue | Synopsis |
|---|---|
| SASNOI-6511 | The OWA Group exception now works even if only a username (without its domain name) is provided during the login process. The Domain Stripping functionality is fixed to ensure that exclusion groups are identified correctly and no valid groups are bypassed during the SafeNet 2FA process. |
SafeNet Agent for Microsoft OWA 1.2
This release of SafeNet Agent for Microsoft OWA introduces the following features and resolves the issues listed below:
- Support for Microsoft Exchange Server 2016
- Domain stripping:
  - Strip realm from UPN: (username@domain.com will be sent as username) Select the added check box if the SafeNet server username is required without the suffix @domain.
  - Strip NetBIOS prefix: (domain\username will be sent as username) Select the added check box if the SafeNet server username is required without the prefix \domain.
Note
The realm-stripping feature applies to SafeNet server usernames only. Active Directory (AD) usernames are not affected.
| Issue | Synopsis |
|---|---|
| SASNOI-6274 | The Internal Server Error encountered when accessing the OWA agent login page during uninstallation is now resolved. |
| SASNOI-6167 | Functionality to include a specific user group for 2FA now works on a single domain, applying 2FA, on top of domain credentials authentication. |
| SASNOI-6165 | Forcing the challenge response with SMS group in Split Authentication Mode now works as expected, forcing the challenge, after entering the username and the LDAP password. |
| SASNOI-6058 | Internet Information Services (IIS) now restarts normally after applying and saving configuration changes on the OWA agent. |
| SASNOI-6056 | The error encountered while logging new users to the SafeNet OWA Agent is now resolved. |
| SASNOI-2738 | The SafeNet OWA Agent now works correctly even if the default installation path is changed. |
| SASNOI-2148 | The SafeNet OWA Agent now works correctly with shared mailboxes. |
| SASNOI-2112 | The SafeNet OWA Agent's group exclusions feature now works correctly on multiple domains. |
| SASNOI-2096 | The OWA Group exception now works for external domains. Thus, the functionality to include specific, external MOTC user groups for 2FA now prompts for OTP, in addition to domain credentials. |
| SASNOI-2090 | Only one challenge is now generated if a user enters an incorrect OTP when logging in to the OWA agent. |
SafeNet Agent for Microsoft OWA 1.09
This release of SafeNet Agent for Microsoft OWA resolves the issues listed below:
| Issue | Synopsis |
|---|---|
| SASNOI-3776 | It is now possible to install SafeNet OWA Agent using any account with administrator permissions, even if a user named "Administrator" is not defined in the AD. |
| SASNOI-3851 | After logging in with an iOS device, logging out and then logging in again, the user is no longer able to log in without entering a new One Time Password (OTP). |
Known issues
| Issue | Synopsis |
|---|---|
| SASNOI-4090 SASNOI-3926 | Summary: Group exclusions functionality does not work with nested groups. Workaround: None, will be resolved in a future release. |
| SASNOI-2301 | Summary: An extra Sign in page is displayed while authentication is already in progress. The page is only encountered when the user is authenticated for the first time, after enabling the agent. Workaround: Do not click Sign in on the displayed page. The user will be automatically redirected to the mailbox, after a few seconds. |
| SASNOI-3933 | Summary: The SafeNet OWA Agent cannot be installed on operating systems that are not in the English Language. Workaround: 1. Do one of the following: - If it is a Domain Controller (DC), navigate to Active Directory > Builtin and create a new group named Network Service. - If it is not a DC, navigate to Server Manager > Configuration > Local Users and Groups and create a new group named Network Service. 2. Install SafeNet OWA Agent. The SafeNet OWA Agent should now operate correctly. |
| SASNOI-2469 | Summary: The repair option in the Windows Control Panel Add\Remove Programs fails if it is not run as an administrator, even though the user is logged on as a Domain Administrator. Workaround: Run Add\Remove Programs as an administrator. |
| SASNOI-2631 | Summary: Active Sync mobile devices cannot be added when the SafeNet OWA Agent is enabled. The message "can't connect to the server" is displayed. Workaround: Disable the SafeNet OWA Agent. The device now contacts the server without issue and synchronizes correctly. Enable the agent; the device now proceeds to operate correctly. |
Advisory notes
Microsoft Exchange Server limitations
- Following logout, the user is always removed from the User ID field on both private and public computers.
- Changes to the public or private configuration in Microsoft Exchange Server have no effect on the SafeNet Agent for Microsoft OWA login window.
Upgrade information
SafeNet Agent for Microsoft OWA 2.1.5 supports upgrade from 2.1.2 (and later).
Direct upgrade from versions prior to 2.1.2 to the latest version of the agent is not supported. The earlier versions can be migrated to SafeNet Agent for Microsoft OWA 2.1.5. For migrating from one version to another, see the Migrating SafeNet Agent for Microsoft OWA Using Previous Configurations (for 2013, 2016 and 2019 versions) sections in the Installation and Configuration Guide.