SSL VPN
Contributor
Tessian
Posts: 77
Registered: 07-07-2008

6.4 SSO for OWA 2003

6.4 Changed a lot of things with SSO information, and while it's nice that Juniper expanded the functionality I really wish they hadn't also managed to destroy most SSO configurations from previous versions.

In 6.2R5 I had a Web Profile set up for accessing OWA 2003 and it worked perfectly. Now I'm on 6.4R4 and it has started requiring users to re-enter their credentials to log in. I've tried Kerberos, NTLM, Remote SSO, and Basic Auth, all to no avail. As far as I can tell I have them each configured correctly as well; it shouldn't be too hard since users log into the IVE with their AD credentials to begin with.

I searched the forum and saw a thread about OWA 2007 which talks about using Remote SSO, but the IVE only fills in the information for Remote SSO for OWA 2007, not OWA 2003, and it's not backwards compatible.

Has anyone gotten this to work?  These new SSO settings are so confusing and poorly documented it gets a little more than frustrating.

Thanks in advance,

Distinguished Expert
muttbarker
Posts: 2,370
Registered: 01-29-2008

Re: 6.4 SSO for OWA 2003

I am using 6.5 and have no issues with OWA and SSO. My setup is just Basic Auth. I would be glad to share some screen shots or log data if it would help. Just let me know.

Kevin Barker
JNCIP-SEC
JNCIS-ENT, FWV, SSL, WLAN
JNCIA-ER, EX, IDP, UAC, WX
Juniper Networks Certified Instructor
Juniper Networks Ambassador

Juniper Elite Reseller
J-Partner Service Specialist - Implementation

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
Recognized Expert
jayLaiz
Posts: 416
Registered: 11-25-2009

Re: 6.4 SSO for OWA 2003

Hi,

You need to check whether you had configured any SSO policies before, in the 6.2R5 version, for example Basic Auth, NTLM or Form Post SSO policies under Web --> Resource Policies --> Basic Auth/NTLM or Form Post.

For Basic Auth/NTLM SSO in the new version 6.4, you can try going to Resource Policies --> Web --> General and then creating a Basic Auth SSO policy with variable username and password. You can also try with system credentials if that does not work.

If the old version had NTLM configured, create an NTLM policy as above.

Create a test resource profile for OWA 2003 and under single sign on, try applying the basic and NTLM SSO policies one by one and check if that fixes the issue.

If the old version had Form Post SSO, copy all the variables and the post URL; when you create the resource profile, select Remote SSO for SSO and enter the same post URL and variables, and it should work.

Let me know how this goes.

Note: when you access the OWA directly, if you see the Windows logon and password prompt instead of a form for sign-on, you can be sure the backend is configured for Basic/NTLM SSO.

Jay L

Juniper Employee
123go
Posts: 52
Registered: 11-06-2007

Re: 6.4 SSO for OWA 2003

I report SSO working with IVE OS 6.4R4 and OWA 2003 with Basic Auth, NTLM and Form POST.

It is true that a few changes came in 6.4, especially Constrained Delegation and the admin UI layout also changed.

Regarding your problem, here are some ideas:

1. Run a policy trace with "Kerberos/NTLM/Basic Auth" enabled to check whether the correct policies are being applied.

2. On the SSO > General Tab:

- Make sure Kerberos/NTLM/Basic Auth SSO Settings... of your choice is enabled, if not enable it.

- Create a Kerberos/NTLM/Basic entry.

- If Credential Type = System isn't working for you, try Credential Variable = Variable and enter <USERNAME> and <PASSWORD> in the Username and Variable Password columns.

- For Kerberos, first define the Realm, and then add an entry under "IVE Intermediation".

- Step by Step Guide on Setting up Constrained Delegation in IVE OS 6.4.

Has nice hints on setting up SSO with Kerberos and NTLM in general (not just Constrained Delegation) in 6.4:

http://www.juniper.net/techpubs/software/ive/guides/howtos/SSLConstrainedDelegation.pdf

3. Take a tcpdump with filter: host <ip.of.backend.server> and check what's going out to the server during SSO and what is the response from the server. If you do NTLM/Kerberos you need to filter traffic to the KDC as well.

4. If all this doesn't help, I suggest you open a case with JTAC.

Good luck...
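As an added diagnostic for Jay L's note and for step 3 above (example code, not from the thread or from Juniper's tooling): given the raw HTTP response captured from the OWA front end, it classifies the challenge into the SSO policy family the IVE needs. The sample responses are constructed; hostnames and paths are placeholders.

```python
import re

# Constructed sample responses (placeholders, not captures from the thread):
# roughly what a tcpdump or curl against the OWA front end would show.
BASIC_NTLM_CHALLENGE = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: NTLM\r\n"
    'WWW-Authenticate: Basic realm="owa.example.com"\r\n'
    "Content-Length: 0\r\n\r\n"
)
FORM_REDIRECT = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://owa.example.com/exchweb/bin/auth/owalogon.asp?url=/exchange\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Challenge scheme -> SSO policy family named in the thread.
SCHEME_TO_POLICY = {"basic": "Basic Auth", "ntlm": "NTLM", "negotiate": "Kerberos"}


def parse_response(raw):
    """Split a raw HTTP response into (status, headers, body); header names
    are lower-cased and each maps to a list, since WWW-Authenticate repeats."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body


def classify_backend(raw):
    """401 + WWW-Authenticate -> Basic Auth/NTLM/Kerberos policies; a redirect
    to a logon page or a page with a password field -> Form Post (Remote SSO)."""
    status, headers, body = parse_response(raw)
    schemes = [v.split()[0] for v in headers.get("www-authenticate", [])]
    policies = [SCHEME_TO_POLICY.get(s.lower(), s) for s in schemes]
    if status == 401 and policies:
        return {"status": status, "schemes": schemes, "policies": policies}
    location = " ".join(headers.get("location", []))
    if (300 <= status < 400 and re.search(r"logon|login", location, re.I)) or (
        status == 200 and re.search(r'type="password"', body, re.I)
    ):
        return {"status": status, "schemes": schemes, "policies": ["Form Post / Remote SSO"]}
    # No challenge at all: the request went through without authentication.
    return {"status": status, "schemes": schemes, "policies": []}
```

Feed it the first server response seen in the capture; if the IVE's SSO policy family does not match what comes back, the re-prompt described in the thread is expected.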

Contributor
DeaconZ
Posts: 136
Registered: 01-14-2009

Re: 6.4 SSO for OWA 2003

I had the exact same problem as the original poster. I just had a web bookmark that pointed to my Front-End 2003 Exchange server. It always passed through before with versions 6.3Rx and earlier. I upgraded to 6.4R4.1 over the weekend and it's asking for credentials.

I fixed it by just enabling Basic Auth in the General tab of SSO.

Contributor
Tessian
Posts: 77
Registered: 07-07-2008

Re: 6.4 SSO for OWA 2003

I was able to fix my issue by using the <USERNAME> variable in Basic Auth instead of <USER>. Juniper confirmed that apparently there's a bug with Basic Auth properly passing domain information in <USER>, or something like that.

Contributor
DeaconZ
Posts: 136
Registered: 01-14-2009

Re: 6.4 SSO for OWA 2003

I've seen the username vs. user bug before in the Auth Servers section of the config too.

Visitor
olejak
Posts: 4
Registered: 07-21-2009

Re: 6.4 SSO for OWA 2003

Hi muttbarker,

I would really like some screenshots of the configuration. We are also running 6.5 and can't get Basic Auth or NTLM SSO working.

I'm looking forward to hearing from you.

Cheers
Ole
Distinguished Expert
muttbarker
Posts: 2,370
Registered: 01-29-2008

Re: 6.4 SSO for OWA 2003

Drop me a private message and I will send you a zip file with screenshots.

Kevin Barker
Copyright © 1999-2013 Juniper Networks, Inc. All rights reserved.