Continuing from my previous post on MOS...
I didn't really mention this in the previous post, but MOS is designed to provide a hosted alternative to the server-side applications. One of the goals is to continue working with existing native clients and client access methods, so (for example) you can access your Exchange Online mailbox through OWA (running from MOS), through Outlook, or even through EAS/Windows Mobile. In order to do this, though, your client applications need to know how to talk to MOS and provide the proper credentials.
You can do this the hard way or the easy way. The hard way is running around and reconfiguring each application by hand and teaching your users how to use a separate set of credentials. The easy way is to use the MOS Sign-In tool, a little .NET 3.0 application that runs on the client desktop. It interacts with Outlook 2007 RTM/SP1, LiveMeeting 8, and IE7+.
When this application is run, it will invite the user to log on to MOS. The first time they do so, they're required to change their password. It then detects the appropriate applications, offers to configure them to work with MOS, and then just sits quietly on the desktop, providing a seamless SSO experience.
To be continued...
I'm at an airlift here in Redmond for the new Microsoft Online Services (MOS), Microsoft's hosted services platform. Right now, MOS offers a combination of hosted Exchange (OWA, Outlook, and even EAS!), hosted SharePoint, and Live Meeting. We've just gone through an overview of the service, and it looks cool -- enough so that I'm now seriously considering switching my personal domains over to it (especially since they offer the ability to synchronize with your Active Directory deployment).
MOS is currently in beta and you can go sign up for a time-limited trial. There's only a certain number of trial accounts active at any given time, so your trial request may not be provisioned immediately; however, you can go to https://mocp.microsoftonline.com and sign up for one. You'll need a Windows Live account.
As you might imagine, MOS allows you to associate one or more DNS domains with your online account. When you register for your account, you're asked for a domain. This domain is not verified and, in fact, seems to be used simply as an internal administrative tag -- once your account and service are set up, you have to specifically add DNS domains. Adding them is a fairly simple process:
- Register your domain name with a registrar.
- Provision your domain with a DNS provider (often combined with step 1).
- Add the domain name to your MOS Admin Center.
- Run the verification wizard and add the auto-generated CNAME to your domain's DNS zone.
- Validate the domain in the MOS Admin Center.
- Start provisioning users with this domain, enable inbound e-mail on this domain, etc.
The verification step is an important piece, because this helps MOS make sure that you're using a domain you're actually in control of. Otherwise, malicious people could sign in and hijack your domain, which would suck. The way Microsoft does this is actually simple and elegant: they generate a unique CNAME record (that looks very much like a GUID), and ask you to add this CNAME record, pointing back to a server under their control, to your zone. This has lots of advantages:
- It's pragmatic. If you can add a CNAME record to a zone file, you effectively control the domain.
- It avoids the nastiness that can result from WHOIS-based verification and allows people who register domains to continue using proxy companies, hiding their personal info from WHOIS spammers.
- It's relatively easy. You simply have to add a simple record to your DNS; if you can't do this (or your DNS hoster can't do it for you), then you have much bigger problems managing your DNS and verifying your DNS domain under MOS is the least of your problems.
- It's low-impact. The generated CNAME is highly unlikely to be queried during normal operations by your users; only MOS is likely to be looking for it. It doesn't require you to repoint your MX records or otherwise make major modifications to your infrastructure if all you want to do is start using online SharePoint and Live Meeting.
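To make the CNAME-based verification concrete, here is the provider-side check modelled offline in Python. This is an added example, not Microsoft's code: the zone excerpt, the challenge-token format and the verification target host (`verify.provider.example.`) are all constructed for illustration.

```python
import re
import uuid

# Constructed zone-file excerpt standing in for the customer's DNS zone.
# The GUID-like label is a made-up token, not a real MOS challenge value.
ZONE_TEXT = """
$ORIGIN example.com.
@                                      IN MX    10 mail.example.com.
www                                    IN A     192.0.2.10
3f2504e0-4f89-11d3-9a0c-0305e82c3301   IN CNAME verify.provider.example.
"""

# Hypothetical host under the provider's control that every challenge must point at.
VERIFY_TARGET = "verify.provider.example."


def new_challenge():
    """Generate the unique, unguessable per-tenant token the admin must publish."""
    return str(uuid.uuid4())


def parse_cnames(zone_text):
    """Return {owner_fqdn: target_fqdn} for the CNAME records in a zone excerpt."""
    origin, cnames = None, {}
    for line in zone_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].lower()
            continue
        m = re.match(r"^(\S+)\s+(?:\d+\s+)?IN\s+CNAME\s+(\S+)", line, re.I)
        if m:
            owner, target = m.group(1).lower(), m.group(2).lower()
            if not owner.endswith("."):          # relative name: qualify with $ORIGIN
                owner = f"{owner}.{origin}" if origin else owner + "."
            if not target.endswith("."):
                target = f"{target}.{origin}" if origin else target + "."
            cnames[owner] = target
    return cnames


def domain_verified(domain, token, zone_text, target=VERIFY_TARGET):
    """True only if <token>.<domain> is a CNAME to the provider's verify host."""
    owner = f"{token}.{domain.rstrip('.')}.".lower()
    return parse_cnames(zone_text).get(owner) == target.lower()
```

The check passes only when both halves match: the label carries the tenant's own token and the record points at the provider's host, so a record copied from another tenant or aimed elsewhere is rejected.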
Note that just because you add a domain to MOS doesn't mean you have to use it for email! That's a separate operation, which is a two-step process of enabling inbound email for that domain and then updating your MX records appropriately.
More on other MOS functionality coming later... big thanks to the event staff for their kind permission for me to blog!