OWA 2010 with RSA & Kerberos

Frequent Contributor

Has anybody configured OWA 2010 on the SA to use kerberos/SSO in conjunction with RSA two-factor at the VPN login? Having problems getting it to work.

Getting "401 Unauthorized: Access is denied due to invalid credentials" in the DS record log.

In IIS on the Exchange server I have Windows Integrated Auth enabled only. I get kerberos/SSO pass-through on our LAN when the site is in Trusted Sites and Outlook connects with kerberos.

It also looks like the SA is trying to drop back to NTLM, even though it is disabled in the Web Profile.

Am I missing something?

EDIT: I have switched to NTLMv2 and v1 and it still fails. I'm wondering if the problem is in Exchange/IIS?

6 REPLIES
Super Contributor

Re: OWA 2010 with RSA & Kerberos

Hi,

SSO is not possible to backend web applications with RSA two-factor authentication on the SA.

You will need to configure AD or LDAP as a secondary authentication server and use the <USERNAME> variable in the SSO configuration if the username for RSA and AD/LDAP are the same, and <PASSWORD[2]> for the password variable.

Kerberos SSO will work if configured correctly.

Regards,

Jay

Frequent Contributor

Re: OWA 2010 with RSA & Kerberos

Ok, I am very inexperienced with Kerberos. Can you elaborate? I really want this to work for OWA with RSA.

RSA is using LDAP for username.

Respected Contributor

Re: OWA 2010 with RSA & Kerberos

have you followed the sample outline on the support site? do you have any/all servers that should be used for the constrained delegation configured successfully?

Frequent Contributor

Re: OWA 2010 with RSA & Kerberos

@zanyterp wrote:

have you followed the sample outline on the support site? do you have any/all servers that should be used for the constrained delegation configured successfully?


No offense, but this was pretty unhelpful. Maybe you could throw a bone (aka a hyperlink) to a pretty frustrated fellow? I've been searching on this and trying to familiarize myself with kerberos more and the IVE's configuration of it, without much success.

JTAC was not very helpful either other than to say "maybe it can be done with constrained delegation."

Respected Contributor

Re: OWA 2010 with RSA & Kerberos

if you are only doing RSA, then, yes, constrained delegation to send the kerberos credentials is your only option. if you use an auth mechanism that allows users to have a password, kerberos SSO should be fine.

For constrained delegation, the sample is found at http://www.juniper.net/techpubs/software/ive/guides/howtos/SSLConstrainedDelegation.pdf; is there a specific query you have that is failing?
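As an added example (not from this thread or from Juniper's guide), the following PowerShell checks the AD and IIS prerequisites that constrained delegation from the SA to OWA depends on, which is where the 401 and the NTLM fallback described above usually come from. The host name, SA account name and IIS path are placeholders.

```powershell
# Added example, not from the thread or from Juniper's guide: checks the AD and IIS
# prerequisites that Kerberos constrained delegation from the SA to OWA depends on.
# All names below are placeholders for this example.
Import-Module ActiveDirectory
Import-Module WebAdministration   # the IIS checks must run on the Exchange CAS itself

$OwaHost   = 'cas01.corp.example.com'          # assumed OWA FQDN configured in the SA web profile
$SaAccount = 'svc-sa-kcd'                       # assumed AD account the SA delegates with
$OwaPath   = 'IIS:\Sites\Default Web Site\owa'  # assumed IIS path of the OWA virtual directory
$Spn       = "HTTP/$OwaHost"

# 1. The HTTP SPN must resolve to exactly one account. A duplicate SPN makes the KDC refuse
#    the ticket and the client silently falls back to NTLM; a missing one gives a 401.
#    If the OWA app pool runs as Network Service, the CAS computer's HOST/ SPN covers HTTP
#    and zero explicit HTTP entries is expected.
$holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties servicePrincipalName)
switch ($holders.Count) {
    0       { "Note: no explicit $Spn; acceptable only if HOST/$OwaHost on the CAS computer covers it" }
    1       { "OK: $Spn is held by $($holders[0].Name)" }
    default { Write-Warning "$Spn is registered on $($holders.Count) accounts; duplicate SPNs break Kerberos" }
}

# 2. The SA's account must be allowed to delegate to that SPN. Because an RSA-only login never
#    presents an AD password, the SA has to use protocol transition (S4U2Self), which requires
#    TrustedToAuthForDelegation to be set ("use any authentication protocol" in ADUC).
$acct = Get-ADUser -Identity $SaAccount -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation
if ($acct.'msDS-AllowedToDelegateTo' -contains $Spn) { "OK: $SaAccount may delegate to $Spn" }
else { Write-Warning "$SaAccount is not allowed to delegate to $Spn" }
if (-not $acct.TrustedToAuthForDelegation) { Write-Warning "$SaAccount lacks protocol transition" }

# 3. On the CAS, Windows Authentication must be enabled on /owa and Negotiate must be offered
#    before NTLM, otherwise NTLM is chosen even when a Kerberos ticket is available.
$winAuth   = 'system.webServer/security/authentication/windowsAuthentication'
$enabled   = (Get-WebConfigurationProperty -Filter $winAuth -PSPath $OwaPath -Name enabled).Value
$providers = (Get-WebConfigurationProperty -Filter "$winAuth/providers" -PSPath $OwaPath -Name Collection).value
"Windows auth enabled on /owa: $enabled"
"Providers in order: $($providers -join ', ')"
if (-not $enabled)                 { Write-Warning 'Windows Authentication is disabled on /owa' }
if ($providers[0] -ne 'Negotiate') { Write-Warning 'Negotiate is not the first provider on /owa' }
```

Sections 1 and 2 can run from any domain-joined admin workstation with RSAT; section 3 needs the WebAdministration module on the CAS that serves /owa.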

Frequent Contributor

Re: OWA 2010 with RSA & Kerberos

Yes, we are concerned about key loggers. So, while users do technically have a password in AD, we are only allowing remote users to access with an RSA token. However, even with Kerberos SSO, it still asks for the user's password.

Bottom line is, we do not want users putting in their password on an unmanaged machine.