Re: How to do SSO to OWA 2007?

hazeen_ · ‎10-24-2008

Hi,
Has anyone got SSO to owa2007 work using IVE 6.3R1.
I have read other posts in the forums and got SSO working with owa2003.
But 2007?
I tried basic-auth and NTLM but both are not working. I think remote-SSO is the only way.
Can anyone give me the parameters?
Thanks.

fuman_ · ‎10-25-2008

Hi hazeen,

i run OWA2007 with IVE OS 6.2 with no problems since version 6.0.

perhaps those parameters will help you: (excuse me if it is too detailed )

1. create a new resource profile (web) with type "Microsoft OWA 2007"

2. in this new web application ressource profile you choose a new name (e.g. OWA2007)

3. Insert your base URL (e.g. http://yourOWAserver.yourdomain.com/owa)

4. goto "QWA Settings"

5. Choose "managed Device" an make a decision if want to allow attachment upload/download or not

6. Choose "Autopolicy: Web Access Control" (Check the Box)

7. Enter the URL and port of your OWA-Server into the ressource field , choose "Action = Allow" and click "Add"

=> looks like "http://yourOWAserver.yourdomain.com:80/* allow

8. Activate Autopolicy: Caching and specifiy the following 3 rules (if not default):

a.) http://yourOWAserver.yourdomain.com:80/owa/attachment.ashx?attach=1* => "Unchanged"

b.) http://yourOWAserver.yourdomain.com:80/owa/WebReadyView.aspx?t=att&* => "No-Cache"

c.) http://yourOWAserver.yourdomain.com:80/* => "Unchanged"

9. Activate Autopolicy: Web Compression (if not default) with the following rule:

a.) http://yourOWAserver.yourdomain.com:80/* => Compress

10. Activate Autopolicy: Single Sign On

a.) Choose Basic Auth

b.) Insert your Ressource: "http://yourOWAserver.yourdomain.com:80/owa/*"

c.) Choose " User predefined Credentials...."

c 1.) For Username try this parameter: <[email protected]_Authentication_server.userPrincipalName>

c 2.) Choose Variable Password and try this parameter: <password>

Hint: c1 and c2 depends on your authentication scheme: for "your_Authentication_server" substitute with the name of the authentication server you created for activeDirectory Authentication, the variable password can also be defined with <password[1]> if you have more than one User/pass kombination (e.g when using additional One time token for authentication purposes or any other secondary authentication mechanism)

Hope this will help

hazeen_ · ‎10-25-2008

Hi fuman,

Thanks for your reply.

I tried the method u mentioned.

In username, i used <user>@mubadala.ae

and password, i used <password>

But it did not work.

I would like to mention that i have got this to work in 2 locations(running OWA 2003) using basic auth>use predefined credentials and it worked.. I faced problem with one particular location running OWA 2003. I found out through forums that using remote sso feature would do the trick and thus that got solved. But now i am facing problem with this new site which is running OWA 2007. I tried basic auth and it does not work. I also tried remote sso with the same paramenters to get owa 2003 work. I got a feeling that this is something to do with the way owa is setup.

Could you help me with settings for remote sso with OWA 2007?

Thanks.

fuman_ · ‎10-25-2008

Hi Hazeen

[email protected]mubadala.ae wont work because you have to use the userPrincipleName-attribute. To make sure to use the right credential, my advisory (e.g like a regular expression) is to use the string like i wrote it :

<[email protected]>

this means the IVE searches your ldap-directory (e.g ActiveDirectory) for an User-Attribute called "userPrincipalName" which is matching the user who has authenticated to the IVE. Then the IVE paste that userPrincipalName to the Username field and everything works fine. Thats it. If you read this carefully you will find out that the string

<[email protected]yourdomainldapserver.userPrincipalName> is not the same as

[email protected]mubadala.ae

Then BasicAuth should work perfectly - i have no idea how remote sso can work with OWA 2007.

The only tricky thing with basicAuth ist to use the correct authentication-Server Name in the string above....

hope this will help better....

Message Edited by fuman on 10-25-2008 09:53 AM

Message Edited by fuman on 10-25-2008 09:54 AM

hazeen_ · ‎10-25-2008

What exactly do i need to replace "yourdomainldapserver" with?

Is it the actual name of the domain controller or the domain name?

Should it be fqdn name like ex:hotmail.com?

hazeen_ · ‎10-25-2008

Hi Fuman,

For testing purpose, i also tried giving one of the test usernames and passwords directly in the basic auth.

I chose

basic auth:

username : [email protected]

password: #$#%##!

I tried putting the above directly and it did not work.

player_ · ‎01-04-2009

i'm facing some problems with the sso on owa 2007 :

first my url is a https url, (could this be an issue also?)

my authentication server is LDAP server.

my users sign in to their owa using domain\user or [email protected]

i have tried to use the userAttr as you suggested without any luck.

also tried the remote SSO without luck,

anyone please?

Message Edited by player on 01-05-2009 01:24 AM

hazeen_ · ‎01-07-2009

Hi Player,

I have fixed the issue of SSO to OWA 2007.

I used a browser plugin/tool called httpwatch to trace the parameters being sent when user logs into owa 2007.

I am posting below the setting i used in my sitiuation(SSO to OWA 2007).

Name :My email
Type : OWA 2007
Base URL http://servername.com/OWA
SSO parameters Ð REMOTE SSO Ð post the following data
Resource http://servername.com:80/OWA/auth/logon.aspx?*
Post URL http://servername.com:80/OWA/auth/owaauth.dll
Destination http://servername.com/OWA
Flags 0
Forcedownlevel 0
Trusted 0
Username <USERNAME>
Password <PASSWORD>
isUtf8 1

I hope this helps.

aterockz_ · ‎02-04-2009

@hazeen wrote:
Hi Player,
I have fixed the issue of SSO to OWA 2007.
I used a browser plugin/tool called httpwatch to trace the parameters being sent when user logs into owa 2007.
I am posting below the setting i used in my sitiuation(SSO to OWA 2007).
Name :My email
Type : OWA 2007
Base URL http://servername.com/OWA
SSO parameters Ð REMOTE SSO Ð post the following data
Resource http://servername.com:80/OWA/auth/logon.aspx?*
Post URL http://servername.com:80/OWA/auth/owaauth.dll
Destination http://servername.com/OWA
Flags 0
Forcedownlevel 0
Trusted 0
Username <USERNAME>
Password <PASSWORD>
isUtf8 1
I hope this helps.

I tried it a couple of tims with your very good description and failed!

I requested assistance from the support and first failed too.

The difference is that our OWA 2007 server is accessed with https, but this shouldn't be an issue at all.

Single Sign On still failed.

What brought the success was changing the destination post parameter from:

destination destination https://[SERVER.URL]/OWA

to

destination destination https://[SERVER.URL]/OWA/

also support requested me to change the order of the post parameters.

I am not sure if this might be relevent but just for completion I will post the order.

destination destination https://[SERVER.URL]/OWA/ User CAN change value
flags flags 0 User CAN change value
forcedownlevel forcedownlevel 0 User CAN change value
isUtf8 isUtf8 1 User CAN change value
password password <PASSWORD> User CAN change value
trusted trusted 0 User CAN change value
username username <USER> User CAN change value

Maybe anyone has experienced something similar.

Ate RocKz

Message Edited by aterockz on 02-04-2009 10:43 AM

cglanville_ · ‎02-05-2009

The key for us was making sure all of the variables were lower case. For example when I spelled username "Username" it did not work. Once I went to all lower case it worked.