Child pages
  • CASifying Outlook Web Access 2010
Skip to end of metadata
Go to start of metadata

Intro

This document is a small overview on how to casify Outlook Web Access 2010. The instructions are very similar to that of previous versions of Exchange (2007, 2003) and should work just as well. A small section at the end highlights the changes introduced in the 2010 version.

This work is entirely based on Bill Thompson's original CasOwa module and is only adjusted to account for new changes and configuration options in 2010. 

Setup

OS: Windows 2008 R2 x86_64

Exchange Version: 2010

CAS: 3.4.11, 3.4.12, 3.5.0

ClearPass: 1.0.8 GA, 3.5.0

Java Version: Sun JDK 1.6.0_27

Dev Environment: Visual Studio 2010 Professional

Steps

Target Framework

Icon

The project target framework is set to address the .NET framework 3.5. This is required by IIS to be able to load the module. (You may have to configure the IIS application pool to adjust for the proper target framework)

  • Modify the Web.config file with the appropriate settings for your environment:
Web.Config
  • Publish the project to "c:\casowa". 
  • In IIS, create a Web Application with the name "coa" and point it to the path above. 

Permissions

Icon

You'll need to make sure IIS has read/execute access to the project directory.

  • Add the IIS server certificate to the Java keystore. 

  • Add the CAS server certificate to the Microsoft Management Console using MMC.exe. The certificates must be installed into the Trusted Root Certification Authorities for Current User and Local Computer.

 

Trust Chain

Icon

If any of the certificates are issued by second certificate, you'll need to make sure ALL certs in the path are properly installed and are available in both the Java keystore and MMC. For CAS certificates that are installed in MMC, check the status of the certificate to make it has no issues and test the certificate in your browser by navigating to the address associated with it.

 

  • Finally you have to allow this proxy in CAS's web.xml by adding this to CAS Validation Filter. (Note: See the ClearPass configuration on the wiki for CAS v3.5.0

    web.xml

    Now when you go to https://owa-server-address/coa/auth you should be redirected to the CAS Login Page and after a successful authentication you should be redirected to your mailbox https://owa-server-address/owa

Troubleshooting

  • You can configure the log4net debug level and location of the log in the Web.config file:
Log4net Settings in Web.config
  • You can configure the trace output location and level in the Web.config file:
Trace Output Settings
  • To examine the status of IIS requests, browse to "C:\inetpub\logs\LogFiles\W3SVC1" and locate the proper log file.
  • On the OWA server, you could use the following script to examine authentication issues. The script attempts to issue a login request to OWA with the right set of credentials and will redirect to the user's inbox if successful.
OWA Login script

Troubleshooting

If you receive the following error:

SecurityPermission Error

Icon

System.Security.SecurityException: Request for the permission of type 'System.Web.AspNetHostingPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.

Inside IIS, bring up the Advanced Settings for the Application Pool of the "coa" virtual application. Set the "Load User Profile" to "True".  Also, on the "casowa" directory, you may want to allow the "IIS_IUSRS" process sufficient permissions to read, modify and execute. 

What Changed

  • A valid user agent must also be passed as a post parameter. Otherwise a "400 - Bad Request" server error is received when examining the response.

 

  • No labels

3 Comments

  1. Any where to get some help on this?

  2. Daryn DeBoer commented:   "Haven't seemed to have much luck on the mail list or maybe I'm being just being impatient and since you replied I was hoping you might have a quick answer, actually my boss is being impatient.  I just had one quick question, after setting this up as above, I'm getting a redirect loop reported by my browser, any idea what could cause this by chance.  I'm the Exchange, know little about CAS, CAS admin knows nothing about Exchange.  Thanks."

     

    Redirect loops sometimes are caused by SSL cert issues.

    See: https://groups.google.com/forum/#!topic/jasig-cas-user/_k8cRpfK2gQ%5B1-25%5D

    If you need more direct help or guaranteed response, you could consider Cooperative Support: http://www.unicon.net/services/cas/support