CASifying Outlook Web Access 2010


This document is a short overview of how to CASify Outlook Web Access 2010. The instructions are very similar to those for previous versions of Exchange (2007, 2003) and should work just as well. A small section at the end highlights the changes introduced in the 2010 version.

This work is entirely based on Bill Thompson's original CasOwa module and is only adjusted to account for new changes and configuration options in 2010. 


OS: Windows 2008 R2 x86_64

Exchange Version: 2010

CAS: 3.4.11, 3.4.12, 3.5.0

ClearPass: 1.0.8 GA, 3.5.0

Java Version: Sun JDK 1.6.0_27

Dev Environment: Visual Studio 2010 Professional


Target Framework

The project's target framework is set to .NET Framework 3.5. This is required for IIS to be able to load the module. (You may have to configure the IIS application pool to use the proper target framework.)

  • Modify the Web.config file with the appropriate settings for your environment:
    <add key="CasOwa.ClearPassUrl" value="" />
    <add key="CasOwa.OwaUrl" value="" />
    <add key="CasOwa.skipOwaUrlCertificateValidation" value="false" />
    <casClientConfig casServerLoginUrl=""
                     gatewayStatusCookieName="CasGatewayStatus" />
    <authentication mode="Forms">
      <forms loginUrl="" timeout="90" defaultUrl="~/Default.aspx"
             cookieless="UseCookies" requireSSL="true"
             slidingExpiration="true" path="/" />
    </authentication>
  • Publish the project to "c:\casowa". 
  • In IIS, create a Web Application with the name "coa" and point it to the path above. 


You'll need to make sure IIS has read/execute access to the project directory.

  • Add the IIS server certificate to the Java keystore. 

$JAVA_HOME/bin/keytool -import -file <path-to-cert-file> -keystore $JAVA_HOME/jre/lib/security/cacerts -alias owa-server-cert
  • Add the CAS server certificate to the Windows certificate store using the Microsoft Management Console (MMC.exe). The certificate must be installed into the Trusted Root Certification Authorities store for both Current User and Local Computer.


Trust Chain

If any of the certificates is issued by another certificate, you'll need to make sure ALL certificates in the path are properly installed and are available in both the Java keystore and MMC. For CAS certificates that are installed in MMC, check the status of the certificate to make sure it has no issues, and test the certificate in your browser by navigating to the address associated with it.
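
The trust-chain check described above can be scripted on the OWA/IIS server. The following PowerShell is an added example, not part of the original page or of the CasOwa project; cas.example.edu is a placeholder host name and the function names are hypothetical.

```powershell
# Added example, not part of the CasOwa project. Run on the OWA/IIS server.
param(
    [string]$CasHost = 'cas.example.edu',  # placeholder: your CAS server name
    [int]$Port = 443
)

function Get-RemoteCertificate([string]$HostName, [int]$Port) {
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever is presented: this call only retrieves the
        # certificate; trust is evaluated separately in Test-CertificateChain.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally { $tcp.Close() }
}

function Test-CertificateChain($Cert, [bool]$MachineContext) {
    # $true builds the chain against the Local Computer stores,
    # $false against the stores of the user running the script.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($MachineContext)
    $trusted = $chain.Build($Cert)
    foreach ($element in $chain.ChainElements) {
        $problems = @($element.ChainElementStatus | ForEach-Object { $_.Status })
        New-Object PSObject -Property @{
            Store   = $(if ($MachineContext) { 'Local Computer' } else { 'Current User' })
            Trusted = $trusted
            Subject = $element.Certificate.Subject
            Expires = $element.Certificate.NotAfter
            Status  = $(if ($problems.Count) { $problems -join ', ' } else { 'OK' })
        }
    }
}

$cert = Get-RemoteCertificate $CasHost $Port
$results = foreach ($machineContext in $false, $true) {
    Test-CertificateChain $cert $machineContext
}
$results | Format-Table Store, Trusted, Status, Expires, Subject -AutoSize
```

A status of UntrustedRoot or PartialChain on any row means a certificate in the path is missing from that store. The "Current User" rows reflect the account running the script, which may differ from the application pool identity.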


  • Finally, you have to allow this proxy in CAS's web.xml by adding this to the CAS Validation Filter. (Note: See the ClearPass configuration on the wiki for CAS v3.5.0)


    Now when you go to https://owa-server-address/coa/auth you should be redirected to the CAS Login Page and after a successful authentication you should be redirected to your mailbox https://owa-server-address/owa


  • You can configure the log4net debug level and location of the log in the Web.config file:
Log4net Settings in Web.config
 <appender name="RollingFile" type="log4net.Appender.RollingFileAppender">
   <file value="c:\\casowa\\casowa.log" /> <appendToFile value="true" />
   <maximumFileSize value="1000KB" /> <maxSizeRollBackups value="2" />
   <layout type="log4net.Layout.PatternLayout">
     <conversionPattern value="%date [%thread] %-5level %logger %ndc - %message%newline" />
   </layout>
 </appender>
 <root>
   <level value="DEBUG" /> <appender-ref ref="RollingFile" />
 </root>

  • You can configure the trace output location and level in the Web.config file:
Trace Output Settings
 <add name="Config" value="Verbose"/> 
 <add name="HttpModule" value="Verbose"/> 
 <add name="Protocol" value="Verbose"/> 
 <add name="Security" value="Verbose"/> 
  • To examine the status of IIS requests, browse to "C:\inetpub\logs\LogFiles\W3SVC1" and locate the proper log file.
  • On the OWA server, you could use the following script to examine authentication issues. The script attempts to issue a login request to OWA with the right set of credentials and will redirect to the user's inbox if successful.
OWA Login script
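<html>
<head>
<script type="text/javascript">
  // Builds a form carrying the OWA forms-authentication fields and posts it
  // to owaauth.dll. 'owa-usr' and 'owa-pswd' below are placeholders for a
  // test account; the page holds the password in clear text, so remove it
  // once troubleshooting is finished.
  function LoginToOWA (server,username,password) {
   var url = server + "/auth/owaauth.dll";
   var p = {destination:server,username:username,password:password,trusted:0,flags:0,forcedownlevel:1};
   var myForm = document.createElement("form");
   myForm.method="post" ;
   myForm.action = url ;
   // One input element per field in p.
   for (var k in p) {
     var myInput = document.createElement("input") ;
     myInput.setAttribute("name", k) ;
     myInput.setAttribute("value", p[k]);
     myForm.appendChild(myInput) ;
   }
   document.body.appendChild(myForm) ;
   myForm.submit() ;
   document.body.removeChild(myForm) ;
  }
</script>
</head>
<body onload="LoginToOWA('https://owa-server-addr/owa','owa-usr','owa-pswd');">
<h3>Redirecting to OWA...</h3>
</body>
</html>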


If you receive the following error:

SecurityPermission Error

System.Security.SecurityException: Request for the permission of type 'System.Web.AspNetHostingPermission, System, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.

Inside IIS, bring up the Advanced Settings for the Application Pool of the "coa" virtual application. Set "Load User Profile" to "True". Also, on the "casowa" directory, you may want to grant "IIS_IUSRS" sufficient permissions to read, modify and execute.

What Changed

  • A valid user agent must also be passed as a post parameter. Otherwise a "400 - Bad Request" server error is received when examining the response.




  1. Anywhere to get some help on this?

  2. Daryn DeBoer commented: "Haven't seemed to have much luck on the mail list, or maybe I'm just being impatient, and since you replied I was hoping you might have a quick answer; actually my boss is being impatient. I just had one quick question: after setting this up as above, I'm getting a redirect loop reported by my browser. Any idea what could cause this, by chance? I'm the Exchange, know little about CAS, CAS admin knows nothing about Exchange. Thanks."


    Redirect loops sometimes are caused by SSL cert issues.


    If you need more direct help or guaranteed response, you could consider Cooperative Support: