Forum Discussion
Single Sign on with Exchange 2010
Hi Guys,
I'm struggling a little bit, primarily because I'm not well experienced in F5 technologies. Given our existing configuration and posting this question up, I think I'll have to answer further questions about my setup from whoever is willing to respond in order to get my question answered. So, here goes!
I already have a portal access page set up and working, with some applications in it. I would like to add my Exchange OWA to this portal access site. So I tried doing that. I created a new resource under the portal access list, an application URI, and simply pointed it to my OWA URL... https://exchnageCASserverIP/owa. Once I did that, I edited my portal access profile to simply add access to this OWA resource once AD authentication successfully takes place. Then when I log into my portal, I see a link to OWA, I click it, it renders my OWA forms-based auth page, and I can log in and check my email. That's pretty good, as I can access my email from outside the organization, through my BIG-IP. However, this requires me to log in twice: once into my portal and then once into OWA. On the Exchange side, I can't change the auth to be anything other than forms-based authentication.
So, if anyone can guide me into getting this working such that I log into my Portal with my AD credentials, see the OWA link, click it, and I go straight into my email that would be great.
I have been reading about Exchange iApps... but I am concerned this may create a new virtual server in its entirety (not sure if that's an issue or not) or might affect the current setup as it's working.... Because I don't understand it well enough, I don't want to break it!
I have also been reading that I might need an SSO mapping, which I have no idea how to create.
17 Replies
- kunjan
Nimbostratus
Yes, you need to configure the SSO; that will auto-login for you by having APM auto-submit the form.
Create SSO object: Access Policy ›› SSO Configurations : Forms - Client Initiated
Refer: http://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-sso-config-11-4-0/3.html See - OWA 2010 and 2007 form-based client-initiated SSO example
On your VPE, you need to insert the SSO credential mapping before assigning the resources.
Refer: http://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-sso-config-11-4-0/6.html
- Roo_150490
Nimbostratus
Hi Kunjan,
Will check these out and report back. Thanks for the pointers, hopefully this won't prove too difficult.
- Roo_150490
Nimbostratus
Hi Kunjan,
I think I managed to configure the Client Initiated SSO Form as per the first link, simply copied the same config in the example...
Now, do I need to link the Client Initiated SSO Form I created in my VPE? If so, how do I do this? Within the VPE, before assigning the Portal Access OWA URI I created, I added the SSO credential mapping under assignments and left it at default values, but I still get presented with my Exchange forms-based auth page?
- kunjan
Nimbostratus
Roo, have you attached the OWA SSO created to the Access Profile?
Access Policy ›› Access Profiles : Access Profiles List ››
SSO / Auth Domains ›› SSO Configuration ››
- Roo_150490
Nimbostratus
Hi kunjan,
Yes... I added this to my already existing Portal Access page in the location you mention above. On closer look, it seems the OWA forms-based auth page is actually giving me an error after I have clicked it from the portal page... like you would get when manually making an incorrect login attempt. This error is:
The user name or password you entered isn't correct. Try entering it again.
Could this be because I don't log into my portal with a domain specified? I just log into the portal page with my AD account and password, whereas the OWA forms-based auth page is expecting domain\username?
Let me know what you think and whether you have any ideas... Thanks for your time so far.
- kunjan
Nimbostratus
Maybe you can try, on the Logon page, 'Split domain from full Username: select Yes' and key in domain\username.
- Roo_150490
Nimbostratus
Hi Kunjan,
Tried that. I get the option to set Yes on 'split domain from full username', but I can't see how to key in domain\username. However, I have set the setting to 'Yes' but it still doesn't work.
- kunjan
Nimbostratus
On your login page when you login.
- Roo_150490
Nimbostratus
Okay, yes... that's what I thought... and unfortunately this doesn't work... still get the same, as though it's passing incorrect credentials through.
- kunjan
Nimbostratus
Seems like you need to do some more troubleshooting.
- Enable debug on SSOv2
tmsh modify apm sso form-basedv2 log-level debug
Check logs at /var/log/apm. Do a packet capture at the client side and decrypt it, or take an HTTPWatch trace and analyse it, if the above step doesn't yield anything.
- If you could share:
tmsh list apm sso form-basedv2 (config)
tmsh show apm sso form-basedv2 (Stats)
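As an added illustration (not code from the thread or from F5) of what the form-based client-initiated SSO object does for OWA 2010 and why the bare-username logon discussed above fails, the following models the auto-submitted logon POST and the failed-logon response a decrypted capture or HTTPWatch trace would show. It assumes the standard Exchange 2010 OWA logon form fields and path, and uses a constructed sample response body.

```python
# Added example (not from the thread or F5): what the client-initiated SSO
# object does for OWA 2010, and why a logon name without a domain fails.

# Assumed from the standard Exchange 2010 forms-based logon page; verify the
# field names against your own /owa/auth/logon.aspx before relying on them.
OWA_FORM_ACTION = "/owa/auth.aspx"
OWA_ERROR_TEXT = "The user name or password you entered isn't correct."

def split_domain(full_username):
    """Mirror the logon page's 'Split domain from full Username' option:
    'CORP\\alice' -> ('CORP', 'alice'), 'alice@corp.example' ->
    ('corp.example', 'alice'), bare 'alice' -> ('', 'alice')."""
    if "\\" in full_username:
        domain, _, user = full_username.partition("\\")
        return domain, user
    if "@" in full_username:
        user, _, domain = full_username.partition("@")
        return domain, user
    return "", full_username

def build_owa_logon_post(session_username, session_password,
                         default_domain="", destination="/owa/"):
    """Return (path, fields) for the POST the SSO object auto-submits to OWA.
    OWA 2010 expects DOMAIN\\user in 'username'; a bare user name is sent
    as-is and rejected unless a default domain is supplied."""
    domain, user = split_domain(session_username)
    domain = domain or default_domain
    fields = {
        "destination": destination,
        "flags": "0",
        "forcedownlevel": "0",
        "trusted": "0",
        "username": f"{domain}\\{user}" if domain else user,
        "password": session_password,
        "isUtf8": "1",
    }
    return OWA_FORM_ACTION, fields

# Constructed sample of what OWA returns when the auto-submitted logon fails:
# HTTP 200 with the logon form re-rendered plus the error text, no redirect.
SAMPLE_FAILED_LOGON_BODY = (
    '<form action="/owa/auth.aspx" method="post" name="logonForm">'
    '<div class="signInError">' + OWA_ERROR_TEXT + "</div></form>"
)

def sso_failed(status, body):
    """What a decrypted capture or HTTPWatch trace shows: success is a 302
    to the destination; a 200 carrying the error text means SSO failed."""
    return status == 200 and OWA_ERROR_TEXT in body
```

In the SSO configuration, supplying the domain (or splitting it from a domain\username logon) is what turns the bare `alice` into the `CORP\alice` OWA accepts.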