Frank Löppert Posted February 26, 2016

Good Morning,

I have successfully configured the Unified Gateway with OWA 2016 and SSO. But when the user opens OWA, the content of the site is missing (see attachment). With ECP there are no problems. When I open OWA directly on the Exchange, everything is fine.

My config is: Unified Gateway -> Loadbalancer vServer -> 2x Exchange 2016 Server

Can anyone please help me troubleshoot this issue?

Kind regards
Frank Loeppert

Sebastian Reichl1709156058 Posted March 2, 2016

Same problem with v11.0.64.34. The Content-Part doesn't load.

Frank Löppert Posted March 3, 2016

> Same problem with v11.0.64.34. The Content-Part doesn't load.

Hi,

I've taken a closer look at that. The NetScaler is manipulating the URLs: the NetScaler places a string like "*/cpvn/XXXXXXXXXXXX" after "/owa/#path=" in the URL. When you manually delete this string -> "*/owa/#path=/mail", the content part loads.

So, why does the NetScaler do this, and how can we stop it?

Sebastian Reichl1709156058 Posted March 3, 2016

With normal Content Switching everything is fine.

By the way, I've removed <add key="LogonSettings.SignOutKind" value="LegacyLogOff" /> in owa/web.config to bring the Logoff page back. :)

Frank Löppert Posted March 3, 2016

> With normal Content Switching everything is fine.
> By the way, I've removed <add key="LogonSettings.SignOutKind" value="LegacyLogOff" /> in owa/web.config to bring the Logoff page back. :)

Yes, with normal CS it's fine. But with UG not.

Thanks for the Logoff know-how :)

Can anybody help us with the UG issue?

Frank Löppert Posted March 3, 2016

I got it! :-) Here is the solution:

1. Configure your App in UG as Intranet Application:

2. Create your Traffic and Form SSO Profiles and Policies at Security->AAA->Policies like this:

add tm formSSOAction AAA_profile_OWA_sso_form -actionURL "/owa/auth.owa" -userField username -passwdField password -ssoSuccessRule "HTTP.RES.SET_COOKIE.COOKIE(\"cadata\").VALUE(\"cadata\").LENGTH.GT(70)" -r
add tm trafficAction AAA_pol_OWA_sso_trafic -appTimeout 1 -SSO ON -formSSOAction AAA_profile_OWA_sso_form -persistentCookie OFF -InitiateLogout OFF -kcdAccount NONE
add tm trafficPolicy aaa_pol_OWA_sso_traffic "HTTP.REQ.URL.CONTAINS(\"owa/auth/logon.asp\")" AAA_pol_OWA_sso_trafic

3. Bind the Traffic Policy to your LB vServer, not to the UG vServer!

bind lb vserver srv_cas_owa -policyName aaa_pol_OWA_sso_traffic -priority 100 -gotoPriorityExpression END -type REQUEST

4. At the LB vServer for OWA set the Authentication Options to:

5. It works :)

Best regards
Frank

Christian Tinello Posted July 22, 2016

Hi floeppert,

I think you missed one important parameter in your "add tm formSSOAction AAA_profile_OWA_sso_form". It's the -submitMethod POST.

In any case, following this document

https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/microsoft-exchange-2013-with-netscaler-authentication-and-optimization.pdf

you should be able to achieve the SSO with Exchange from Unified Gateway.

This worked for me:

add tm formSSOAction Exchange_owa_sso_form -actionURL "/owa/auth.owa" -userField username -passwdField password -ssoSuccessRule "HTTP.RES.SET_COOKIE.COOKIE(\"cadata\").VALUE(\"cadata\").LENGTH.GT(70)" -responsesize 60000 -submitMethod POST
add tm trafficAction Exchange_2013_owa_sso_profile -appTimeout 1 -SSO ON -formSSOAction Exchange_owa_sso_form -persistentCookie OFF -InitiateLogout OFF -kcdAccount NONE
add tm trafficAction Exchange_2013_owa_logout_profile -appTimeout 10 -persistentCookie OFF -InitiateLogout ON -kcdAccount NONE

Regards

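Added example, not part of any post in this thread: a small Python check that reads NetScaler CLI lines and flags the two points raised above, a formSSOAction without -submitMethod POST and a traffic policy that is not bound to an LB vServer. The sample config is constructed from the commands in the thread; the vServer name ug_vs and the function names are assumptions made for the example.

```python
import shlex

# Constructed sample, modelled on the commands posted in this thread.
# The vserver name ug_vs is hypothetical.
SAMPLE_CONFIG = r'''
add tm formSSOAction AAA_profile_OWA_sso_form -actionURL "/owa/auth.owa" -userField username -passwdField password -ssoSuccessRule "HTTP.RES.SET_COOKIE.COOKIE(\"cadata\").VALUE(\"cadata\").LENGTH.GT(70)"
add tm trafficAction AAA_pol_OWA_sso_trafic -appTimeout 1 -SSO ON -formSSOAction AAA_profile_OWA_sso_form -persistentCookie OFF -InitiateLogout OFF -kcdAccount NONE
add tm trafficPolicy aaa_pol_OWA_sso_traffic "HTTP.REQ.URL.CONTAINS(\"owa/auth/logon.asp\")" AAA_pol_OWA_sso_trafic
bind vpn vserver ug_vs -policy aaa_pol_OWA_sso_traffic -priority 100
'''

def parse(config):
    """Split each add/bind line into (kind, name, positionals, options)."""
    items = []
    for line in config.splitlines():
        tok = shlex.split(line)  # handles the \" escapes inside expressions
        if len(tok) < 4 or tok[0] not in ("add", "bind"):
            continue
        kind, name, rest = " ".join(tok[:3]).lower(), tok[3], tok[4:]
        # Positional arguments come first; "-key value" pairs follow.
        split = next((i for i, t in enumerate(rest) if t.startswith("-")), len(rest))
        pos, flags = rest[:split], rest[split:]
        opts = {k.lower(): v for k, v in zip(flags[::2], flags[1::2])}
        items.append((kind, name, pos, opts))
    return items

def lint(config):
    """Return findings for the SSO objects defined in a config snippet."""
    items = parse(config)
    forms = {n: o for k, n, _, o in items if k == "add tm formssoaction"}
    actions = {n: o for k, n, _, o in items if k == "add tm trafficaction"}
    findings = []
    for name, o in forms.items():
        if o.get("-submitmethod", "").upper() != "POST":
            findings.append(f"{name}: no -submitMethod POST")
    for name, o in actions.items():
        ref = o.get("-formssoaction")
        if ref and ref not in forms:
            findings.append(f"{name}: unknown formSSOAction {ref}")
    for kind, name, pos, _ in items:
        if kind != "add tm trafficpolicy":
            continue
        if len(pos) < 2 or pos[1] not in actions:
            findings.append(f"{name}: unknown trafficAction")
        bound = {k for k, _, _, o in items if k.startswith("bind")
                 and name in (o.get("-policyname"), o.get("-policy"))}
        if "bind lb vserver" not in bound:
            findings.append(f"{name}: not bound to an lb vserver")
    return findings
```

Calling lint(SAMPLE_CONFIG) returns one finding for the form action and one for the policy binding; an empty list means none of the three checks fired.
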
Jared Hamilton1709156035 Posted March 9, 2018

Has anyone been able to get this to work in the clientless VPN iframe? I am defining email access (OWA URL) in my session policy. I have a traffic policy in place to log me into OWA. I log in and click on the Email tab in the CVPN portal and I am logged into OWA; however, I only see the OWA tool bar. If I click on the settings icon and click display, then my inbox and the rest of OWA renders. If I click on Applications then back into Email, same thing. I need to click on the settings icon and then display to render my mailbox.

Opened a case up with Citrix and the response I got was for CVPN 2013 is only supported that OWA 2016 is not. Anyone come across this?

Dennis Reimer1709157751 Posted December 17, 2018

Hi Jared,

I had the exact same issue. The fix was easier than I thought. You only have to change the URL for Web-based Email within the session profile.

After changing the URL from:

https://exchange.domain.local/owa

to:

https://exchange.domain.local/owa/#path=/mail

the OWA page was showing up correctly.

Regards
Dennis

Stefano Baronio Posted January 24, 2019

I got it working by setting "Clientless Access URL Encoding" to "Encrypt" in the gateway session profile. Now the OWA content is loading properly (given the traffic policy above from Tinello).

Ste

Jared Shippy Posted February 6, 2019

Step 4 at the following link resolved the content issue for my OWA 2016 vServer implementation.

https://www.smali.net/netscaler-unifiedgateway-owa-sso-clientless-access-application-type/

Rahul U S Posted February 14, 2019

> On 3/9/2018 at 2:06 PM, Jared Hamilton1709156035 said:
> Has anyone been able to get this to work in the clientless VPN iframe? I am defining email access (OWA URL) in my session policy. I have a traffic policy in place to log me into OWA. I log in and click on the Email tab in the CVPN portal and I am logged into OWA; however, I only see the OWA tool bar. If I click on the settings icon and click display, then my inbox and the rest of OWA renders. If I click on Applications then back into Email, same thing. I need to click on the settings icon and then display to render my mailbox.
> Opened a case up with Citrix and the response I got was for CVPN 2013 is only supported that OWA 2016 is not. Anyone come across this?

Hey,

I have an almost similar setup to yours. Gateway vserver configured with session policy and clientless policy for OWA 2016 and SharePoint 2016. OWA 2016 and SharePoint 2016 bound as bookmarks. SharePoint 2016 works fine, OWA 2016 lands on the tool bar page.

Did you manage to fix this?

Cheers,
Rahul U S

Jeff Riechers Posted February 5, 2021

Hey everyone, I have a client seeing this as well. Is there a permanent fix? I see some people are saying that 2019 doesn't have the issue.

It looks like it is doubling the cvpn/token URL both in the initial request, and then again after the #path prompt.

Just putting the #path/mail is not an option as you can't get to calendar or other entities from the toolbar.