Another solutions to CASify OWA.

CAS and OWA at Arts et Métiers ParisTech (France)

Goal

My problem was to be able to use CAS with my network architecture in which there was an OWA server. There were two solutions, but they were for me not good : I did not want to store all users passwords in a local database, and I did not want to use the cas2owa ISAPI filter which is for me a working hack, but a hack.

My idea is simple : when a user connect to OWA, he get a cookie which let him connect again to OWA without authenticating again (it will be boring to authenticate to each page he want to see). So, if I want to get this cookie, I need the user login and password. I don't want to store user's login and password nowhere. So, the only way to get the OWA cookie is to use the user's login and password when I got it, when the user is authenticating against CAS server. I can't change OWA, but I can change CAS. So I did.

? Cas is working like this :

 1. User is connecting to login page

 2. User is entering login and password

 3. CAS is checking login and password

 4. If ok, then CAS return the CAS cookie containing the Granting Ticket.

? My change are :

 1. User is connecting to login page

 2. User is entering login and password

 3. CAS is checking login and password

 4. If ok, then CAS use login and password to authenticate against OWA service and retrieve OWA cookie

 5. If ok, then CAS return the CAS cookie containing the Granting Ticket and the OWA cookie.

So I opened Eclipse and starting to read CAS code

 Prerequesite

OWA must be running in Form Authentication Based, so when users are connecting to OWA, there must have first a page with an authentication form.

URL to access OWA must be like : https://owa.domain.com/exchange/? to access mailboxes and https://owa.domain.com/exchweb/.../? to access Form Authentication Page.

Change in CAS 3.2 and CAS 3.3.1

You can get the patchfor CAS 3.2 in Attachments : filename is cas-3.2.1-owa.patch

You can get the patchfor CAS 3.3.1 in Attachments : filename is cas-3.3.1-owa.patch

 I used Cygwin to create the patch (diff), and to apply the patch (patch).

Apply the patch and compile using maven.

Architecture

The system architecture must be strict in order to make the system work. The goal is that either cas server and owa server have the same hostname (so cookies can be accepted by your web browser). So to do, I use Apache and mod_proxy. If you are using Windows system, download the Apache + SSL package.

Let's have two server : cas.domain.com and owa.domain.com. In the DNS system I had two entry : webmail.domain.com and cas.domain.com. User will use https://webmail.domain.com/ to access OWA mailboxes, and https://cas.domain.com/cas/ to authenticate. Webmail.domain.com point to apache+mod_proxy service which redirect all request to OWA server. Cas.domain.com point to tomcat service. Cas will generate OWA cookies in domain domain.com.

Why using a reverse proxy server ? to be able to change some configuration without changing the OWA server (for example to delete the cookies made by OWA when the user  connect to OWA webmail interface, or to redirect the user to the CAS logout page when user click on "disconnect" in OWA webmail interface).

Webmail.domain.com

In Apache, I configured a SSL Virtual Hosts and activated the mod_proxy, mod_proxy_http, , mod_proxy_connect and mod_rewrite

In the SSL Virtual Hosts definition, add the following directives for the webmail service :

<VirtualHost *:443>
    [...]
    SSLProxyEngine on
    ProxyPreserveHost on
    ServerSignature Off
    AllowCONNECT 443

    RewriteEngine on
    # redirect the user to the CAS logout page when he click on "logout" button in OWA interface
    RewriteCond %{QUERY_STRING} logoff
    RewriteRule ^/exchange/.+/ https://cas.domain.com/cas/logout?service=https://cas.domain.com/cas? [R]
    # redirect the user to the CAS login page when he want to access OWA interface without authentication information (OWA cookies)
    RewriteRule ^/exchweb/bin/auth/owalogon.asp https://cas.domain.com/cas/login?service=https://owa.domain.com/? [R]

    ProxyRequests off
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    Header unset Set-Cookie
    
    ProxyPass /            https://real-owa-server/
    ProxyPassReverse /        https://real-owa-server/
        
    SetEnv force-proxy-request-1.0 1
    SetEnv proxy-nokeepalive 1
</VirtualHost>

"Header unset Set-Cookie" is important.OWA Cookies generated by CAS OWA module are for .domain.com domain. When connecting to OWA webmail interface, OWA Server will resend back cookies in domain.com domain (without .dot). The unset Set-Cookie directive will delete the cookie sent back by OWA Server. Otherwise, client will have two same cookies in different domain.

Cas.domain.com

You must install CAS server with cas-server-support-owa (compile with maven).

New files are :

WEB-INF\lib\cas-server-support-owa-3.3.1.jar
WEB-INF\spring-configuration\OWACadataCookieGenerator.xml
WEB-INF\spring-configuration\OWASessionCookieGenerator.xml

Modified file are :

WEB-INF\login-webflow.xml
WEB-INF\cas-servlet.xml

OWACadataCookieGenerator.xml (and OWASessionCoookieGenerator.xml)

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:p="http://www.springframework.org/schema/p"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">
    <bean id="OWACadataCookieGenerator"
        p:cookieSecure="true"
        p:cookieMaxAge="-1"
        p:cookieName="cadata"
        p:cookieDomain="domain.com"
        p:cookiePath="/" />
</beans>

This two file are used to generate the two OWA cookies. You need to change p:cookieDomain in the two file according to your system. Make sure p:cookieDomain value include owa et cas server (domain.com include webmail.domain.com and cas.domain.com, so web browser will accept the cookies).

login-webflow.xml

Changed are made by the patch.

<action-state id="submit">
 <action bean="authenticationViaFormAction" method="submit" />
  <transition on="warn" to="warn" />
  <transition on="success" to="sendOwaTicket" />
  <transition on="error" to="viewLoginForm" />
</action-state>

<action-state id="sendOwaTicket">
 <action bean="sendOwaTicketAction" method="submit" />
  <transition on="success" to="sendTicketGrantingTicket" />
</action-state>

<action-state id="sendTicketGrantingTicket">
  <action bean="sendTicketGrantingTicketAction" />
  <transition on="success" to="serviceCheck" />
</action-state>

The action-state sendOwaTicket is included between submit(success) and sendTicketGrantingTicket.

cas-servlet.xml

The logout mapping is changed to include OWA logout (which delete OWA cookies)

<bean id="handlerMappingC" class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping">
 <property name="mappings">
    <props>
       <prop key="/logout">
            logoutControllerSupportOWA
       </prop>
\[...\]

<bean id="logoutControllerSupportOWA" class="org.jasig.cas.support.owa.LogoutControllerSupportOWA"
     p:centralAuthenticationService-ref="centralAuthenticationService"
     p:logoutView="casLogoutView"
     p:warnCookieGenerator-ref="warnCookieGenerator"
     p:OWASessionCookieGenerator-ref="OWASessionCookieGenerator"
     p:OWACadataCookieGenerator-ref="OWACadataCookieGenerator"
     p:followServiceRedirects="true"
     p:ticketGrantingTicketCookieGenerator-ref="ticketGrantingTicketCookieGenerator" />

The OWAConnection bean is configured in this file too :

<bean id="OWAConnection"
   p:host="real-owa-server"
   p:port="443"
   p:scheme="https"
   p:owaauth="/exchweb/bin/auth/owaauth.dll"
   p:owalogon="/exchweb/bin/auth/owalogon.asp"
   p:trusted="4"
   p:flags="4"
   p:destination="/exchange/"
/>

Change the p:host according to your system (put your OWA real server). The p:flags configuration with value 4 means that the connection is a public connection (to be sure that the OWA cookie will expire after the CAS cookie).

How to debug ?

I use Firefox, Firebug (to see urls call, http header and OWA response) and AnEC Cookie Editor (to play with cookies).