OWA 2010 and SSO
Hi,
I am trying to set up form based authentication with OWA 2010 and the APM. But it seems I am using the wrong start uri and/or form action.
In the APM logging I see the following:
May 20 12:06:02 loadb01 debug websso.3[12389]: 014d0001:7: http header *[:method][GET] (len=3)
May 20 12:06:02 loadb01 debug websso.3[12389]: 014d0001:7: http header *[:uri][/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fxyz.gvb.nl%2fowa%2f] (len=79)
May 20 12:06:02 loadb01 debug websso.3[12389]: 014d0001:7: http header *[:version][HTTP/1.0] (len=8)
May 20 12:06:02 loadb01 debug websso.3[12389]: 014d0001:7: http header *[:custommeta][Z] (len=314)
May 20 12:06:02 loadb01 debug websso.3[12389]: 014d0001:7: http header *[Host][xyz.gvb.nl] (len=14)
May 20 12:06:02 loadb01 debug websso.3[12389]: 014d0001:7: http header *[session-key][*******] (len=32)
May 20 12:06:02 loadb01 debug websso.3[12389]: 014d0001:7: http header *[Cookie][PBack=0; BIGipServerexch_owa_pool_lan=rd2o00000000000000000000ffff0a770065o80; OutlookSession=26cf7096b06645b78d98e98f2ca4a7ac] (len=126)
May 20 12:06:02 loadb01 debug websso.3[12389]: 014d0001:7: http header [Referer][https://webmail.xyz.nl/owa/auth/logon.aspx?url=https://webmail.xyz.nl/owa/&reason=0] (len=83)
May 20 12:06:02 loadb01 debug websso.3[12389]: 014d0001:7: init webssoConfig from data: 0x89985a4, len: 314
May 20 12:06:02 loadb01 debug websso.3[12389]: 014d0001:7: different sso config object received, name: /Common/ntlm_sso, method: 4
May 20 12:06:02 loadb01 debug websso.3[12389]: 014d0001:7: ssoMethod: ntlmv2 usernameSource: session.sso.token.last.username passwordSource: session.sso.token.last.password ntlmdomain: XXXXXX
Could someone point me in the right direction for my owa sso configuration?
Thanx,
Kees
9 Replies
- kunjan
Nimbostratus
I am trying to setup form based authentication with OWA 2010
.... different sso config object received, name: /Common/ntlm_sso, method: 4
It seems like you have attached ntlm SSO instead of form based SSO. You can verify with,
tmsh list apm sso form-basedv2
The default sso profile for this policy is NTLM but i have configured an owa formbased sso profile and it is attached to the owa resource items.
- kunjan
Nimbostratus
Okay. Are you trying with "Form based -Client Initiated" ?
http://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-sso-config-11-4-0/3.html
I am using form based with the OWA 2010 template.
- kunjan
Nimbostratus
May 20 12:06:02 loadb01 debug websso.3[12389]: 014d0001:7: http header *[:uri][/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fxyz.gvb.nl%2fowa%2f] (len=79)
Here it doesn't match the start uri - /owa/auth/logon.aspx?url=https://webmail.xyz.nl/owa/&reason=0
See the request before this how SSO respond.
Also, SSO applied for portal does it match the following:
host webmail.xyz.nl order 2 paths /owa/auth/logon.aspx* port https scheme https sso " " subnet 0.0.0.0/0
If possible provide tmsh list apm sso form-based and tmsh list apm resource portal-access
- kunjan
Nimbostratus
Somehow above formatting screwed up.
May 20 12:06:02 loadb01 debug websso.3[12389]: 014d0001:7: http header *[:uri][/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fxyz.gvb.nl%2fowa%2f] (len=79)
Here it doesn't match the start uri - /owa/auth/logon.aspx?url=https://webmail.xyz.nl/owa/&reason=0
See the request before this how SSO respond.
Also, SSO applied for portal does it match the following:
host webmail.xyz.nl order 2 paths /owa/auth/logon.aspx* port https scheme https sso "SSO Name" subnet 0.0.0.0/0
If possible, provide tmsh list apm sso form-based and tmsh list apm resource portal-access
tmsh list apm sso form-based
apm sso form-based owa-sso-test {
    form-action /owa/auth/logon.aspx\?replaceCurrent=1&url=https%3a%2f%2fwebmail.xxx.nl%2fowa%2f
    form-field "destination https://webmail.xxx.nl/owa/ flags 0 forcedownlevel 0 isUtf8 1 trusted 4"
    form-password password
    form-username username
    start-uri /owa/auth/logon.aspx\?replaceCurrent=1&url=https%3a%2f%2fwebmail.xxx.nl%2fowa%2f
}
And
config tmsh list apm resource portal-access webmail-test
apm resource portal-access webmail-test {
    acl-order 15
    application-uri https://webmail.xxx.nl/owa
    customization-group webmail-test_resource_web_app_customization
    items {
        item {
            home-tab false
            host webmail.xxx.nl
            order 1
            paths /owa/attachment.ashx*
            port https
            scheme https
            sso owa-sso-test
            subnet 0.0.0.0/0
        }
        item1 {
            host webmail.xxx.nl
            order 2
            paths /owa/auth/logon.aspx*
            port https
            scheme https
            sso owa-sso-test
            subnet 0.0.0.0/0
        }
        item2 {
            host webmail.xxx.nl
            order 3
            paths /*
            port https
            scheme https
            sso owa-sso-test
            subnet 0.0.0.0/0
        }
    }
    publish-on-webtop true
    scheme-patching true
}
- kunjan
Nimbostratus
This is working for me, can try this:
apm sso form-based owa-sso-test {
    form-action /owa/auth/owaauth.dll
    form-field "destination https://webmail.xxx.nl/owa/ flags 0 forcedownlevel 0 isUtf8 1 trusted 0"
    form-password password
    form-username username
    start-uri /owa/auth/logon.aspx\?url=https://webmail.xxx.nl/owa/&reason=0
    success-match-type cookie
    success-match-value *OutlookSession*
}
kunjan,
I have found the issue why it didn't work.
I was testing this on a test webmail portal access. But on the live webmail portal access a ntlmv2 SSO configuration was applied. (different sso config object received, name: /Common/ntlm_sso, method: 4). That's why it didn't match. After removing it and applying the form based SSO to it, it did.
Thanks for your help, it pointed me in the right direction (the form based SSO profile was also wrong, I was redirected from /owa to another uri)
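A small log check for the diagnosis reached in this thread, as an added example that is not part of the original posts or of F5's tooling: it pulls the request URI and the applied SSO object out of websso debug lines and compares them with the intended configuration. The /Common/owa-sso-test object path and the exact-string URI comparison are assumptions; APM's own start-uri matching is not reproduced here.

```python
import re
from urllib.parse import unquote

# Constructed sample: three lines in the format of the websso debug log quoted in the thread.
SAMPLE_LOG = """\
May 20 12:06:02 loadb01 debug websso.3[12389]: 014d0001:7: http header *[:uri][/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fxyz.gvb.nl%2fowa%2f] (len=79)
May 20 12:06:02 loadb01 debug websso.3[12389]: 014d0001:7: different sso config object received, name: /Common/ntlm_sso, method: 4
May 20 12:06:02 loadb01 debug websso.3[12389]: 014d0001:7: ssoMethod: ntlmv2 usernameSource: session.sso.token.last.username passwordSource: session.sso.token.last.password ntlmdomain: XXXXXX
"""

URI_RE = re.compile(r"http header \*?\[:uri\]\[(?P<uri>[^\]]*)\]")
OBJ_RE = re.compile(r"sso config object received, name: (?P<name>\S+), method: (?P<method>\d+)")
METHOD_RE = re.compile(r"ssoMethod: (?P<method>\S+)")

def summarize(log_text):
    """Collect the request URI, SSO object name and SSO method seen in the log."""
    found = {"uri": None, "sso_object": None, "sso_method": None}
    for line in log_text.splitlines():
        if m := URI_RE.search(line):
            found["uri"] = m.group("uri")
        elif m := OBJ_RE.search(line):
            found["sso_object"] = m.group("name")
        elif m := METHOD_RE.search(line):
            found["sso_method"] = m.group("method")
    return found

def normalize(uri):
    """Drop the backslash escape used in the tmsh listing and percent-decode."""
    return unquote(uri.replace("\\?", "?"))

def check(log_text, expected_object, start_uri):
    """Return a list of findings; an empty list means the log agrees with the intended config."""
    s = summarize(log_text)
    findings = []
    if s["sso_object"] and s["sso_object"] != expected_object:
        findings.append(f"applied SSO object {s['sso_object']} ({s['sso_method']}), expected {expected_object}")
    # Assumption: simplified exact comparison, a stand-in for APM's start-uri matcher.
    if s["uri"] and normalize(s["uri"]) != normalize(start_uri):
        findings.append(f"request URI {s['uri']} differs from start-uri {start_uri}")
    return findings

if __name__ == "__main__":
    # /Common/owa-sso-test is an assumed full path for the thread's owa-sso-test profile.
    for finding in check(SAMPLE_LOG, "/Common/owa-sso-test",
                         r"/owa/auth/logon.aspx\?url=https://webmail.xxx.nl/owa/&reason=0"):
        print("MISMATCH:", finding)
```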