Webthority How To Proxy Microsoft Outlook Web Access
Webthority How To Proxy Microsoft Outlook Web Access This guide describes how to configure Webthority to protect Microsoft Outlook Web Access (OWA) 2003 and 2007. There are three main mechanisms through which Webthority can authorize access to OWA: Direct mapping to an OWA Login Form Automatic Back-End Authentication with OWA (via automatic login form filling) Automatic Back-End Authentication with OWA (via HTTP authentication) The mechanisms are arranged here in increasing order of complexity and each should be successfully completed before the next is attempted. Each mechanism requires a different level of user experience, configuration and Authentication Services (AS) constraints which are detailed in the following sections. OWA Login Form The most basic mechanism is simply a Webthority content server mapping with rewrite. The authentication procedure is as follows: 1. 2. 3. 4. User User AS) User User clicks the link to the Webthority proxied OWA. authenticates with the Webthority Authentication Service (not needed with VSJ or PKI is directed to the OWA login form. authenticates with OWA. Configuration Ensure that the Rewrite checkbox is selected on the Proxy Content Server Mapping tab, see Rewrite Note. Applicable Authentication Services All. Webthority How To Proxy Microsoft Outlook Web Access Automatic Back-End Authentication with OWA (via auto-login-form-filling) This mechanism allows for Single Sign-On access to OWA. The credentials used to authenticate to Webthority must be the same as those used to log into OWA. The authentication procedure is as follows: User clicks the link to the Webthority proxied OWA. User authenticates with Webthority Authentication Service User’s Webthority Authentication Service username/password/domain combination is used by Webthority to communicate with OWA User is automatically logged into OWA. Configuration Ensure that these checkboxes are selected on the Proxy Content Server Mapping tab: Back-End Auth Rewrite, see Rewrite Note. On the associated Web role Back-End Auth tab: Select the Auto-fill login forms checkbox Add a new row to the form filling table: URL: This is the exact URL for the login form (e.g. https://webmail.quest.com:443/CookieAuth.dll?GetLogon?curl=Z2F& reason=0&formdir=2 All other fields relate to assisting the form filling algorithm. They specify the: name of the HTML login form name of the username/password/domain HTML form input fields format of the username in the form (e.g. <username>@<domain>) If your Authentication Service doesn’t provide a domain, you can set a default domain to be used here as well. For Webthority to authenticate with OWA via forms, OWA must be configured to use forms-based auth. Applicable Authentication Services Authentication Services with username/password (a default domain can be configured) i.e. not the Vintela Single Sign-On for Java Authentication Service or PKI Authentication Service. Page 2 Webthority How To Proxy Microsoft Outlook Web Access Automatic Back-End Authentication with OWA (via HTTP authentication) This mechanism allows Webthority and the Content server to negotiate for the best authentication mechanism and then automatically log the user into OWA without using forms. The credentials used to authenticate to Webthority must be the same as those used to log into OWA. The authentication procedure is as follows: User clicks the link to the Webthority proxied OWA. User authenticates with Webthority (not applicable if the VSJ or PKI Authentication Agent is used) The configured automatic authentication schemes are negotiated by Webthority with OWA using SPNEGO and used in descending order of preference: Kerberos (VSJ or Authentication Service with username/password) NTLM (requires Authentication Service with username/password) User is automatically log into OWA. Configuration Ensure that the Back-End Auth and Rewrite checkboxes are checked on the Proxy Content Server Mapping tab. Ensure that the required HTTP Authentication checkboxes are checked on the associated Web role Back-End Auth tab. For Webthority to authenticate with OWA via HTTP, OWA must use Integrated Windows Authentication (IWA) (which uses SPNEGO to negotiate and then Kerberos and/or NTLM) Applicable Authentication Services Authentication Services with username/password (a default domain can be configured) i.e. not the Vintela Single Sign-On for Java Authentication Service or PKI. Rewrite Note: For the rewrite option to function correctly for OWA, the following change is required in the Proxy Service configuration file service.properties, located in ../webthority/webapps/<proxy name>/WEB-INF/config): xml.exclude=*tf_TwoLine.xsl *tf_Messages.xsl Quest, Quest Software and the Quest Software logo are trademarks and registered trademarks of Quest Software, Inc. in the United States of America and other countries. Other trademarks and registered trademarks are property of their respective owners. Page 3
© Copyright 2024