I've been asked about this a few times recently, so I thought it worth a post.
As of version 10.69.4.nc, the NetScaler Gateway and AAA features support OWA 2010.
When OWA authentication is form based, additional configuration is required to provide SSO.
Create a formSSOAction; this provides the NetScaler with the following information:
- The page in which to complete the Form based SSO (/owa/auth.owa)
- The field names to pass the username and password values to (username and password)
- The cookie that deals with authentication for OWA (cadata)
- The method in which to submit form data (post)
add vpn formSSOAction SSOPro_OWA -actionURL "/owa/auth.owa" -userField username -passwdField password -ssoSuccessRule "http.RES.SET_COOKIE.COOKIE(\"cadata\").VALUE(\"cadata\").LENGTH.GT(70)" -responsesize 15000 -submitMethod POST
Create a VPN traffic action that specifies SSO as well as the name of the formSSOAction created above.
add vpn trafficAction TrafAct_OWA HTTP -appTimeout 1 -SSO ON -formSSOAction SSOPro_OWA
Add a VPN traffic policy to specify when this traffic action should be applied.
add vpn trafficPolicy TrafPol_OWA "HTTP.REQ.URL.CONTAINS(\"owa/auth/logon.aspx\")" TrafAct_OWA
Bind this traffic policy globally so that it applies to all NetScaler Gateway vservers (alternatively it could be bound to a single VPN vserver if more than one version of OWA were to be supported from one appliance).
bind vpn global -policyName TrafPol_OWA -priority 100
or
bind vpn vserver VSERVERNAME -policyName TrafPol_OWA -priority 1000
The PBack cookie value is usually set to zero when the user manually selects submit in OWA, so a rewrite action is created to simulate this.
add rewrite action set_pback_cookie insert_after "http.REQ.COOKIE.VALUE(\"OutlookSession\")" "\";PBack=0\"" -bypassSafetyCheck YES
A rewrite policy is created to specify when this rewrite action should apply.
add rewrite policy set_pback_cookie "http.REQ.URL.CONTAINS(\"logon.aspx\")" set_pback_cookie
This is then bound globally, as it should not affect other versions of OWA in operation.
bind rewrite global set_pback_cookie 100 END -type REQ_DEFAULT
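To make the two expressions above concrete, here is an added Python model (not NetScaler code, and not part of the original post) of what the ssoSuccessRule and the PBack rewrite evaluate to. It parses constructed Set-Cookie and Cookie header values and applies the same checks: the SSO is treated as successful only when the cadata cookie in the OWA response is longer than 70 characters, and ";PBack=0" is inserted after the OutlookSession cookie value only on requests for logon.aspx. The sample headers, the 70-character threshold and the function names are assumptions for illustration.

```python
"""Model of the OWA 2010 form-SSO success rule and the PBack rewrite.

Added example: this is a stand-alone simulation of the logic NetScaler
applies with the configuration above, not NetScaler's own code.
"""


def set_cookie_value(set_cookie_headers, name):
    """Return the value of cookie `name` from a list of Set-Cookie header
    values (one string per header), or None when it is not present.
    Models http.RES.SET_COOKIE.COOKIE(name).VALUE(name)."""
    for header in set_cookie_headers:
        # Only the first segment carries name=value; the rest are attributes.
        first = header.split(";", 1)[0].strip()
        if "=" not in first:
            continue
        cname, cvalue = first.split("=", 1)
        if cname.strip() == name:
            return cvalue.strip()
    return None


def sso_succeeded(set_cookie_headers, min_len=70):
    """Model of the ssoSuccessRule: the OWA response to the posted form must
    set a cadata cookie whose value is longer than `min_len` characters."""
    value = set_cookie_value(set_cookie_headers, "cadata")
    return value is not None and len(value) > min_len


def insert_after_cookie(cookie_header, name, suffix=";PBack=0"):
    """Model of the rewrite action: insert `suffix` directly after the value
    of cookie `name` in a request Cookie header. When the cookie is absent
    the expression does not match and the header is returned unchanged."""
    parts = cookie_header.split(";")
    for i, part in enumerate(parts):
        cname, sep, _ = part.strip().partition("=")
        if sep and cname == name:
            parts[i] = part + suffix
            return ";".join(parts)
    return cookie_header


def rewrite_logon_request(url, cookie_header):
    """Model of the rewrite policy plus action: the insertion happens only
    for requests whose URL contains logon.aspx, so other OWA traffic (and
    other OWA versions behind the same appliance) is left alone."""
    if "logon.aspx" not in url:
        return cookie_header
    return insert_after_cookie(cookie_header, "OutlookSession")


# Constructed sample headers (assumed shapes, not captured from a real OWA).
SAMPLE_SET_COOKIE_OK = [
    "cadata=" + "A" * 96 + "; path=/; secure; HttpOnly",
    "sessionid=1; path=/",
]
SAMPLE_SET_COOKIE_FAIL = ["cadata=; path=/; secure; HttpOnly"]
SAMPLE_COOKIE = "OutlookSession=abc123; other=1"


if __name__ == "__main__":
    print("SSO ok:", sso_succeeded(SAMPLE_SET_COOKIE_OK))
    print("SSO failed:", sso_succeeded(SAMPLE_SET_COOKIE_FAIL))
    print(rewrite_logon_request("/owa/auth/logon.aspx?url=/owa/", SAMPLE_COOKIE))
    print(rewrite_logon_request("/owa/", SAMPLE_COOKIE))
```

Running the script shows the first response passing the rule and the second failing it, and the Cookie header gaining ";PBack=0" only for the logon.aspx request.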
I need to pass dynamically the original parameters flags and trusted as users can select on the original logon.aspx page. To do so I have rewritten and merged the original logon.aspx page with the tmindex.html page used on NetScaler. Everything works pretty well. If I put action=”https://myServer.myDomain/showRequest.php” into the FORM, I get also the parameters the users chooses. But if I let the call go through NetScaler’s /cgi/login the parameters are either overridden with the -nameValuePair “flags=4&trusted=4” you can set in the Form SSO Profiles. Despite choosing EXTRACTION = DYNAMIC, the parameters are simply overridden and not really taken from the FORM.
Any suggestion? Thanks a lot, Rosario
Edit: I found a good way to implement parameter passing based on the client IP or other criteria here:
http://www.jeffsani.com/downloads/owa_attachment_config.txt
But I want our users also to be able to choose the light or full GUI version of OWA
Hello Sir,
Appreciate it if someone can help me!
I am trying to configure LDAP authentication through NetScaler in order to get SSO to OWA 2013.
Noting that I have also created an SSO session policy bound to an AAA server with LDAP authentication.
After that I have created a rewrite and TM policy, the same as described in this link: http://support.citrix.com/article/CTX134724
But unfortunately I am not able to have a direct SSO 🙁
Any idea??
Thanks