Exchange OWA 2013 AAA SSO with basic authentication

Started by Service INFORMATIQUE, 26 January 2017 - 05:11 PM
5 replies to this topic

Service INFORMATIQUE Members

Posted 26 January 2017 - 05:11 PM

Hi all,

I'm struggling with some really basic stuff, let me explain:

2 Exchange 2012 servers, 2 NetScaler in HA pair in DMZ (11.1, build 51.21)

I'm load balancing Exchange 2013 web services with a CS, unaddressable VS for every service, servicegroups and monitors, 101 Exchange config. I checked many how-tos from the web, all like this:

https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/microsoft-exchange-2013-citrix-netscaler-deployment-guide.pdf

Everything works well.

Now I need to protect OWA access with an AAA vServer.

I created everything by the book:

https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/microsoft-exchange-2013-with-netscaler-authentication-and-optimization.pdf

Except for the token/RADIUS strong auth part, only LDAP auth. I also tried many how-tos from the web, with some different details, but actually all alike.

Here is the thing:

When I hit https://exch.mydomain.com/owa, I get redirected correctly to the AAA vServer. I get authenticated and then redirected to my OWA mailbox. I'm logged in and I can see the mail.

But I get 401 pop-ups to authenticate again... I can log in again, or I can cancel them - in this case I get 4 pop-ups in a row, and then I can work in OWA.

On my Exchange servers, I only have "basic authentication" activated in the OWA virtual directory properties. If I enable "integrated Windows" the pop-ups disappear.

Thing is, my customer can't enable it. I have to deal with "basic auth" only. And I got the annoying "man, it works with my TMG you're replacing, what the...?"

Any ideas? Please help me beat TMG :P

Sincerely,

Bertrand

Ronny Lier Members

Posted 16 March 2017 - 12:01 PM

Hi Bertrand,

I have the same trouble. Have you found a solution?

Best regards,

Ronny



Joe Brozzetti Members

Posted 16 March 2017 - 04:49 PM

How are you setting the AAA for OWA? Are you pointing the LBVS to a form URL (AAA login page) or using a traffic policy/SSO profile?



Ronny Lier Members

Posted 16 March 2017 - 07:28 PM

Yes, I am pointing the LB vServer to the AAA vServer with form-based authentication. If I enable "integrated Windows authentication" or "form based authentication" on the OWA virtual directory, then the authentication pop-ups disappear.



Joe Brozzetti Members

Posted 16 March 2017 - 08:56 PM

I think you need to do a Traffic SSO policy/profile for the 401 Basic Auth.

This is the Citrix doc: https://docs.citrix.com/en-us/netscaler/10-5/ns-gen-appsec-wrapper-10-con/ns-aaa-app-trafc-wrapper-con-10/ns-aaa-setup-traffic-setting-con/ns-aaa-form-sso-prfl-tsk.html

I think they make reference to the Form SSO in the guide you were looking at; AAA would need Windows Auth to work without the profile, I believe.

We have Exchange and point our OWA to just the AAA URL, but we have Basic and Windows enabled.



Ronny Lier Members

Posted 16 March 2017 - 09:16 PM

Thanks for the guide. I have tried the Traffic SSO policy/profile (without Form SSO) but it didn't work.

The Form SSO is only required if we use the form-based authentication on the backend service (OWA).

As I have said, if we configure "Basic and integrated Windows authentication" or "form based authentication" on the OWA virtual directory, it works.