CASifying Outlook Web Access 2010
- Misagh Moayyed
Intro
This document is a small overview on how to casify Outlook Web Access 2010. The instructions are very similar to that of previous versions of Exchange (2007, 2003) and should work just as well. A small section at the end highlights the changes introduced in the 2010 version.
This work is entirely based on William G. Thompson, Jr.'s original CasOwa module and is only adjusted to account for new changes and configuration options in 2010.
Setup
OS: Windows 2008 R2 x86_64
Exchange Version: 2010
CAS: 3.4.11, 3.4.12, 3.5.0
ClearPass: 1.0.8 GA, 3.5.0
Java Version: Sun JDK 1.6.0_27
Dev Environment: Visual Studio 2010 Professional
Steps
- Download the source and open up the project in Visual Studio.
Target Framework
The project target framework is set to address the .NET framework 3.5. This is required by IIS to be able to load the module. (You may have to configure the IIS application pool to adjust for the proper target framework)
- Modify the Web.config file with the appropriate settings for your environment:
<appSettings>
<add key="CasOwa.ClearPassUrl" value="https://cas.sso.edu/cas/clearPass" />
<add key="CasOwa.OwaUrl" value="https://webmail.exchange.edu/owa" />
<add key="CasOwa.skipOwaUrlCertificateValidation" value="false" />
</appSettings>
<casClientConfig casServerLoginUrl="https://cas.sso.edu/cas/login"
casServerUrlPrefix="https://cas.sso.edu/cas/"
serverName="https://webmail.exchange.edu"
redirectAfterValidation="true"
gateway="false"
renew="false"
singleSignOut="false"
ticketTimeTolerance="5000"
ticketValidatorName="Cas20"
proxyTicketManager="CacheProxyTicketManager"
serviceTicketManager="CacheServiceTicketManager"
gatewayStatusCookieName="CasGatewayStatus" />
<authentication mode="Forms">
<forms loginUrl="https://cas.sso.edu/cas/login" timeout="90" defaultUrl="~/Default.aspx"
cookieless="UseCookies" requireSSL="true"
slidingExpiration="true" path="/" />
</authentication>
- Publish the project to "c:\casowa".
- In IIS, create a Web Application with the name "coa" and point it to the path above.
Permissions
You'll need to make sure IIS has read/execute access to the project directory.
Add the IIS server certificate to the Java keystore.
$JAVA_HOME/bin/keytool -import -file <path-to-cert-file> -keystore $JAVA_HOME/jre/lib/security/cacerts -alias owa-server-cert
- Add the CAS server certificate to the Microsoft Management Console using MMC.exe. The certificates must be installed into the Trusted Root Certification Authorities for Current User and Local Computer.
Trust Chain
If any of the certificates are issued by second certificate, you'll need to make sure ALL certs in the path are properly installed and are available in both the Java keystore and MMC. For CAS certificates that are installed in MMC, check the status of the certificate to make it has no issues and test the certificate in your browser by navigating to the address associated with it.
Finally you have to allow this proxy in CAS's web.xml by adding this to CAS Validation Filter. (Note: See the ClearPass configuration on the wiki for CAS v3.5.0)
web.xml<init-param> <param-name>allowedProxyChain</param-name> <param-value> https://webmail.exchange.edu/coa </param-value> </init-param> or <init-param> <param-name>acceptAnyProxy</param-name> <param-value>true</param-value> </init-param>Now when you go to https://owa-server-address/coa/auth you should be redirected to the CAS Login Page and after a successful authentication you should be redirected to your mailbox https://owa-server-address/owa
Troubleshooting
- You can configure the log4net debug level and location of the log in the Web.config file:
<log4net>
<appender name="RollingFile" type="log4net.Appender.RollingFileAppender">
<file value="c:\\casowa\\casowa.log" /> <appendToFile value="true" />
<maximumFileSize value="1000KB" /> <maxSizeRollBackups value="2" />
<layout type="log4net.Layout.PatternLayout">
<conversionPattern value="%date [%thread] %-5level %logger %ndc - %message%newline" />
</layout>
</appender>
<root>
<level value="DEBUG" /> <appender-ref ref="RollingFile" />
</root>
</log4net>
- You can configure the trace output location and level in the Web.config file:
<switches> <add name="Config" value="Verbose"/> <add name="HttpModule" value="Verbose"/> <add name="Protocol" value="Verbose"/> <add name="Security" value="Verbose"/> </switches>
- To examine the status of IIS requests, browse to "C:\inetpub\logs\LogFiles\W3SVC1" and locate the proper log file.
- On the OWA server, you could use the following script to examine authentication issues. The script attempts to issue a login request to OWA with the right set of credentials and will redirect to the user's inbox if successful.
<script>
function LoginToOWA (server,username,password) {
var url = server + "/auth/owaauth.dll";
var p = {destination:server,username:username,password:password,trusted:0,flags:0,forcedownlevel:1};
var myForm = document.createElement("form");
myForm.method="post" ;
myForm.action = url ;
for (var k in p) {
var myInput = document.createElement("input") ;
myInput.setAttribute("name", k) ;
myInput.setAttribute("value", p[k]);
myForm.appendChild(myInput) ;
}
document.body.appendChild(myForm) ;
myForm.submit() ;
document.body.removeChild(myForm) ;
}
</script>
<body onload="javascript:LoginToOWA('https://owa-server-addr/owa','owa-usr','owa-pswd');">
<h3>Redirecting to OWA...</h3>
</body>
Troubleshooting
If you receive the following error:
SecurityPermission Error
System.Security.SecurityException: Request for the permission of type 'System.Web.AspNetHostingPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.
Inside IIS, bring up the Advanced Settings for the Application Pool of the "coa" virtual application. Set the "Load User Profile" to "True". Also, on the "casowa" directory, you may want to allow the "IIS_IUSRS" process sufficient permissions to read, modify and execute.
What Changed
- A valid user agent must also be passed as a post parameter. Otherwise a "400 - Bad Request" server error is received when examining the response.