Forum Discussion
Single Sign on with Exchange 2010
Hi Guys,
I'm struggling a little bit, primarily because I'm not well experienced in F5 technologies. Given our existing configuration and posting this question up, I think I'll have to answer further questions about my setup from whoever is willing to respond in order to get my question answered. So, here goes!
I already have a portal access page set up and working, with some applications in it. I would like to add my Exchange OWA to this portal access site. So I tried doing that. I created a new resource under the portal access list, an application URI, and simply pointed it to my OWA URL: https://exchnageCASserverIP/owa. Once I did that I edited my portal access profile to simply add access to this OWA resource once AD authentication successfully takes place. Then when I log into my portal, I see a link to OWA, I click it, it renders my OWA forms-based auth page, and I can log in and check my email. That's pretty good, as I can access my email from outside the organization, through my BIG-IP. However this requires me to log in twice: once into my portal and then once into OWA. On the Exchange side, I can't change the auth to be anything other than forms-based authentication.
So, if anyone can guide me into getting this working such that I log into my Portal with my AD credentials, see the OWA link, click it, and I go straight into my email that would be great.
I have been reading about Exchange iApps... but I am concerned this may create a new virtual server in its entirety (not sure if that's an issue or not) or might affect the current setup as it's working... because I don't understand it well enough, I don't want to break it!
I have also been reading that I might need an SSO mapping, which I have no idea how to create.
17 Replies
- Roo_150490
Nimbostratus
Hi,
So I couldn't get the first command to work to get log-level to debug. I'm still learning this stuff, from a Windows background, so thank you for your patience.
Here is what I have managed to capture:
[root@BigIPF5:Active:Standalone] / tail /var/log/apm
Apr 15 09:21:19 BigIPF5 notice tmm1[10040]: 01490506:5: 9095a2f6: Received User-Agent header: Mozilla%2f5.0%20(Windows%20NT%206.1)%20AppleWebKit%2f537.36%20(KHTML%2c%20like%20Gecko)%20Chrome%2f34.0.1847.116%20Safari%2f537.36.
Apr 15 09:21:19 BigIPF5 notice tmm1[10040]: 01490544:5: 9095a2f6: Received client info - Type: Mozilla Version: 5 Platform: Win7 CPU: unknown UI Mode: Full Javascript Support: 1 ActiveX Support: 0 Plugin Support: 1
Apr 15 09:21:19 BigIPF5 notice tmm1[10040]: 01490500:5: 9095a2f6: New session from client IP x.x.x.x at VIP 10.10.10.100 Listener /Common/SSL-Portal_vs (Reputation=Unknown)
Apr 15 09:21:38 BigIPF5 notice apd[5882]: 01490010:5: 9095a2f6: Username 'test'
Apr 15 09:21:38 BigIPF5 notice apd[5882]: 01490008:5: 9095a2f6: Connectivity resource '/Common/RDP' assigned
Apr 15 09:21:38 BigIPF5 notice apd[5882]: 01490128:5: 9095a2f6: Webtop '/Common/SSL-Portal_webtop' assigned
Apr 15 09:21:38 BigIPF5 notice apd[5882]: 01490005:5: 9095a2f6: Following rule 'fallback' from item 'All SSL Portal Apps' to ending 'Allow'
Apr 15 09:21:38 BigIPF5 notice apd[5882]: 01490102:5: 9095a2f6: Access policy result: Full
Apr 15 09:22:14 BigIPF5 warning tmm[10040]: 014d0002:4: 9095a2f6: SSOv2 Logon failed, config /Common/OWA form tform

[root@BigIPF5:Active:Standalone] / tmsh list apm sso form-basedv2
apm sso form-basedv2 OWA {
    forms {
        tform {
            controls {
                password {
                    secure true
                    value "%{session.sso.token.last.password}"
                }
                username {
                    value "%{session.sso.token.last.username}"
                }
            }
            request-value "/owa/auth/logon.aspx\?replaceCurrent=1&url= /owa/auth/logon.aspx\?url="
            submit-javascript clkLgn()
            submit-javascript-type extra
            success-match-type cookie
            success-match-value sessionid
        }
    }
}

[root@BigIPF5:Active:Standalone] / tmsh show apm sso form-basedv2
Apm::SSO Form Based V2 Configuration: OWA
HTTP requests                54
HTTP responses               33
HTML pages scanned           21
Logon forms found            12
Total SSO logons             12
Successful logons             0
Failed logons                12
Logons ignored due to size    0
Errors                        0
- Roo_150490
Nimbostratus
Well, that didn't exactly upload how I pasted it in.
- kunjan
Nimbostratus
SSO is triggering; it's just that the authentication seems to be failing.
Failed logons 12
When you login OWA manually, do you have to use domain\user?
If yes, are you able to test by adding a 'Variable Assign' before 'SSO Credential Mapping'?

session.logon.last.username = return [mcget {session.logon.last.logonname}]
- Roo_150490
Nimbostratus
Hi Kunjan,
Thanks for the response above... I am currently away from the office. As soon as I get in I will test this out, and fingers crossed will have some good news. Thanks for your assistance.
- Roo_150490
Nimbostratus
Hi Kunjan,
I've just tested this and suddenly the OWA link presented on the portal page is working when I log in to the APM using the format domain\username... This is very good news!! Thanks for your time getting me this far. One issue though: because I'm logging in as domain\username, other links presented on my portal page are now not working, as I guess they are expecting just a username rather than domain\username... Have you seen this in your implementations?
- kunjan
Nimbostratus
Not sure why those portals which were working without SSO now break. Maybe you can try to assign the SSO created for OWA specifically to the OWA portal (under Portal ›› Resource Item ›› SSO Configuration), instead of to the whole policy.
- kunjan
Nimbostratus
If we continue where we left off, is 'split domain from full username' currently set to no? And you can log in to OWA with domain\username?
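As an added example (not from the thread or from F5), the following Variable Assign custom expression builds a DOMAIN\username value for the OWA form-based SSO only, so the other portal resources keep seeing the bare session.logon.last.username and do not break. It assumes a Variable Assign agent placed before SSO Credential Mapping whose target is a custom variable session.custom.owa_user (hypothetical name), a placeholder NetBIOS domain CORP, and that the logon page's "split domain from full username" option populates session.logon.last.domain; the OWA form config would then use value "%{session.custom.owa_user}" for its username control instead of the session.sso.token.last.username shown above.

```tcl
# Variable Assign custom expression (Tcl), assumed target: session.custom.owa_user
# Placed before the SSO Credential Mapping agent in the access policy.
set user   [mcget {session.logon.last.username}]
set domain [mcget {session.logon.last.domain}]

# Assumption: CORP is a placeholder default NetBIOS domain used when the
# logon page did not split a domain out of the typed name.
if { $domain eq "" } { set domain "CORP" }

# User already typed DOMAIN\user: pass it through unchanged.
if { [string first "\\" $user] != -1 } {
    return $user
}

# User typed user@domain.tld: keep only the account part before the "@".
if { [string first "@" $user] != -1 } {
    set user [lindex [split $user "@"] 0]
}

# Bare username: prefix the domain, which is the form the OWA logon page accepted.
return "${domain}\\${user}"
```

Because only the OWA form-based SSO configuration references session.custom.owa_user, resources that use the default SSO token or plain username are unaffected, which is the per-resource separation suggested in the thread.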