11-25-2009 11:10 AM
6.4 changed a lot of things with SSO information, and while it's nice that Juniper expanded the functionality, I really wish they hadn't also managed to destroy most SSO configurations from previous versions.
In 6.2R5 I had a Web Profile set up for accessing OWA 2003 and it worked perfectly. Now I'm on 6.4R4 and it starts requiring users to re-enter their credentials to log in. I've tried Kerberos, NTLM, Remote SSO, and Basic Auth, all to no avail. As far as I can tell I have them each configured correctly as well... shouldn't be too hard since users log into the IVE with their AD credentials to begin with.
I searched the forum and saw a thread about OWA 2007 which talks about using Remote SSO, but the IVE only fills in the information for Remote SSO for OWA 2007, not OWA 2003, and it's not backwards compatible.
Has anyone gotten this to work? These new SSO settings are so confusing and poorly documented it gets a little more than frustrating.
Thanks in advance,
11-25-2009 01:41 PM
I am using 6.5 and have no issues with OWA and SSO. My setup is just Basic Auth. I would be glad to share some screen shots or log data if it would help. Just let me know.
11-25-2009 03:10 PM
You need to check if you had configured any SSO policies before in 6.2R5, for example Basic Auth, NTLM, or Form Post SSO policies under Web-->Resource Policies-->Basic Auth/NTLM or Form Post.
For Basic Auth/NTLM SSO, in the new version 6.4, you can try going to Resource Policies-->Web-->General and then create a Basic Auth SSO policy with variable username and password; you can also try with system credentials if that does not work.
If the old version had NTLM configured, create an NTLM policy as above.
Create a test resource profile for OWA 2003 and under single sign on, try applying the basic and NTLM SSO policies one by one and check if that fixes the issue.
If the old version had Form Post SSO, copy all the variables and the post URL, and when you create the resource profile, for SSO select Remote SSO and enter the same post URL and variables, and it should work.
Let me know how this goes.
Note: when you access the OWA directly, if you see the Windows logon and password prompt instead of a form for sign-on, you can be sure the backend is configured for Basic/NTLM SSO.
11-30-2009 04:17 PM
I report SSO working with IVE OS 6.4R4 & OWA 2003 with Basic Auth, NTLM and Form POST.
It is true that a few changes came in 6.4, especially Constrained Delegation and the admin UI layout also changed.
Regarding your problem, here are some ideas:
1. Run a policy trace with "Kerberos/NTLM/Basic Auth" enabled to check if the correct policies are being applied
2. On the SSO > General Tab:
- Make sure the Kerberos/NTLM/Basic Auth SSO settings of your choice are enabled; if not, enable them.
- Create a Kerberos/NTLM/Basic entry.
- If Credential Type = System isn't working for you, try Credential Variable = Variable and enter <USERNAME> and <PASSWORD> in the Username and Variable Password columns.
- For Kerberos, define the Realm first, and then add an entry under "IVE Intermediation".
- The Step by Step Guide on Setting up Constrained Delegation in IVE OS 6.4 has nice hints on setting up SSO with Kerberos and NTLM in general (not just Constrained Delegation) in 6.4:
3. Take a tcpdump with filter: host <ip.of.backend.server> and check what's going out to the server during SSO and what is the response from the server. If you do NTLM/Kerberos you need to filter traffic to the KDC as well.
4. If all this doesn't help, I suggest you open a case with JTAC.
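The note in the earlier reply (a Windows logon prompt means Basic/NTLM on the backend, a sign-on form means Form Post) and step 3 above both come down to reading the backend's unauthenticated response. The following is an added example, not code from the thread or from Juniper: it sends one unauthenticated GET to the OWA URL, reads the WWW-Authenticate challenge(s) or looks for a password form, and maps the result to the IVE SSO policy type that matches it. The URL, the "sso-probe" User-Agent and the scheme-to-policy mapping are assumptions for illustration.

```python
import http.client
import re
from urllib.parse import urlsplit

# Assumed mapping: which IVE SSO policy type serves each HTTP auth scheme.
SCHEME_TO_POLICY = {"basic": "Basic Auth", "ntlm": "NTLM", "negotiate": "Kerberos"}


def offered_schemes(headers):
    """Collect auth schemes from every WWW-Authenticate header.
    IIS normally sends one header per scheme, but a single comma-joined
    header (RFC 7235) is also valid, so both forms are handled."""
    schemes = []
    for name, value in headers:
        if name.lower() != "www-authenticate":
            continue
        for challenge in re.split(r",\s*(?=(?:Negotiate|NTLM|Basic|Digest)\b)",
                                  value, flags=re.I):
            scheme = challenge.strip().split(" ", 1)[0].lower()
            if scheme and scheme not in schemes:
                schemes.append(scheme)
    return schemes


def classify_owa_auth(status, headers, body=""):
    """Return (schemes, sso_policy): what the backend offered and which
    IVE SSO policy type to try first."""
    schemes = offered_schemes(headers)
    if status == 401 and schemes:
        # Prefer Basic when offered: it is the policy the thread reports working.
        for scheme in ("basic", "ntlm", "negotiate"):
            if scheme in schemes:
                return schemes, SCHEME_TO_POLICY[scheme]
        return schemes, "unsupported"
    # No challenge but a password field: OWA's own logon form (Form Post / Remote SSO).
    if status in (200, 302) and re.search(r'<input[^>]+type=["\']?password', body, re.I):
        return schemes, "Form POST / Remote SSO"
    return schemes, "unknown"


def probe_owa(url, timeout=10):
    """Send one unauthenticated GET to the OWA URL and classify the answer."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    conn.request("GET", parts.path or "/", headers={"User-Agent": "sso-probe"})
    resp = conn.getresponse()
    body = resp.read(65536).decode("utf-8", "replace")
    conn.close()
    return classify_owa_auth(resp.status, resp.getheaders(), body)
```

Run it against the backend directly (not through the IVE) so the answer reflects the Exchange server's own configuration, e.g. `probe_owa("https://owa.example.com/exchange/")`.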
01-04-2010 06:31 AM
I had the exact same problem as the original poster. I just had a web bookmark that pointed to my Front-End 2003 Exchange server. It always passed through before with versions 6.3Rx and earlier. I upgraded to 6.4R4.1 over the weekend and it's asking for credentials.
I fixed it by just enabling Basic Auth in the General tab of SSO.
01-05-2010 08:21 AM
I was able to fix my issue by using <USERNAME> variable in Basic Auth instead of <USER>. Juniper confirmed apparently there's a bug with basic auth properly passing domain information in <USER> or something like that.
02-01-2010 02:28 AM - edited 02-01-2010 02:30 AM
I would really like some screenshots of the configuration. We are also running 6.5 and can't get Basic Auth or NTLM SSP working.
I'm looking forward to hearing from you.
02-01-2010 11:39 AM
Drop me a private message and I will send you a zip file with screenshots.