Sun and Microsoft Interoperate for Web Authentication, Part 3

By Madan Ranganath and Marina Sum, September 5, 2007; updated: October 1, 2007

Microsoft Outlook Web Access is a Microsoft Exchange Active Server application that enables users to access their email accounts on Microsoft Exchange Server 2003 and to view their Inbox from any Web browser. In addition, users can browse their Exchange Server public folders and Address Books on the Web.

In Part 1 of this series, you saw how to extend authentication with Sun Java System Access Manager (henceforth, Access Manager) with Policy Agents. In Part 2, you learned how to integrate Microsoft SharePoint Portal Server with Access Manager for SSO.

Part 3 continues the integration story for SSO, this time with Microsoft Outlook Web Access (henceforth, OWA) and Access Manager. Afterward, once users have authenticated with Access Manager, they canwithout having to log in againperform email tasks in their Inbox in OWA.

Contents


-	Authentication for OWA
-	Deployment of Policy Agent for OWA
-	Installation and Configuration
-	Tests
-	Appendix A: Procedure for Configuring Earlier Access Manager Releases and Access Manager 7.1
-	Appendix B: Procedure for Obtaining the Cookie Domain Name
-	Conclusion
-	References

Authentication in OWA

In an OWA deployment, you can configure in the Microsoft Internet Information Services (IIS) Administration Console any authentication mechanism supported by IIS. The authentication choices are Basic, Digest, Windows Integrated, and Anonymous. The current OWA Agent supports basic authentication only. For tighter security, you can configure basic authentication with Secure Sockets Layer (SSL). Basic authentication is supported by most Web browsers.

Figure 1 shows the Authentication Methods dialog box in the IIS Administration Console. Just select "Basic authentication (password is sent in clear text)" and click OK.

Figure 1: Specifying the Authentication Method in IIS (Click image for larger view.)

In the absence of the OWA Agent, when you access OWA at https:// OWA_hostname : OWA_portnumber /exchange, the OWA login screen is displayed. See Figure 2.

Figure 2: Logging In to OWA

After successful authentication, OWA displays the user1 Inbox. Figure 3 is an example.

Figure 3: Viewing the user1 Inbox

Deployment of Policy Agent for OWA

The OWA Agent enables SSO for OWA with all the applications configured in Access Manager. When a user accesses OWA, its Agent displays an Access Manager login screen. Once authenticated, the user can access all the applications that are secured by Access Manager.

To deploy the OWA Agent, first configure a post-authorization plug-in, ReplayPasswd, with Access Manager (see the next section). An encryption key is shared between Access Manager and the OWA Agent.

Here is what transpires behind the scenes:

When an access request arrives at the OWA application through IIS, the OWA Agent intercepts the request and redirects it to Access Manager for authentication.
After successful authentication, ReplayPasswd encrypts the password with the shared key and stores the encrypted data in the Access Manager session, whose ID is then set in a special cookie in the form of an SSO Token ID.
The Policy Agent retrieves the encrypted password from the SSO Token and decrypts the information with the shared key. That way, the Policy Agent has in its possession the original credentials, which it then encodes according to the Base64 encoding method and places in the Basic Authentication HTTP header of the original HTTP request.
Now that the HTTP request has a valid Basic Authentication HTTP header, IIS does not prompt for authentication. Subsequently, the user is allowed access to the resource requested.

You must synchronize the user passwords in the Access Manager data store with those of OWA for Exchange Server. If the OWA user accounts are stored in Active Directory, you can configure Access Manager to use the same Active Directory as the data store and avoid having to synchronize passwords in two different LDAP servers.

Installation and Configuration

Before installing the OWA Agent, first configure Access Manager.

Configuring Access Manager
Important: Be sure to install Java 2 Platform, Standard Edition (J2SE platform) 1.4 or a later version.

Included in Access Manager 7.0 Patch 5 onward, except Access Manager 7.1, are ReplayPasswd.java, a plug-in, and DESGenKey.java, a key generator.

Note: For the procedure on how to configure the plug-in in earlier patches and generate the shared key, see Appendix A.

To configure ReplayPasswd.class as a post-authorization plug-in, follow steps 1-5 below.

Log in to the Access Manager Administration Console as amadmin.
Click the Access Control tab, click the realm, and then click the Authentication tab.
Under General, click Advanced Properties.
Scroll down to the Authentication Post Processing Class field. In the text field, type com.sun.identity.authentication.spi.ReplayPasswd.
Scroll up, click Save, and exit Access Manager.

Next, generate and add the shared key and the LDAP attribute to the AMConfig.properties file:

Go to the lib directory in the Access Manager installation location ( /opt/SUNWam/lib by default) and execute DESGenKey. Type (all on one line):

# java -classpath /opt/SUNWam/lib/am_services.jar:/opt/SUNWam/lib/ am_sdk.jar:/opt/SUNWam/lib/servlet.jar com.sun.identity.common.DESGenKey

Access Manager generates and outputs the key, for example: Key ==> bTGKXVs3WEk=
Add the key as the value of the com.sun.am.replaypasswd.key property in the AMConfig.properties file.

For example, add this line:

com.sun.am.replaypasswd.key = bTGKXVs3WEk=
Add this line to enable the OWA configurations:

com.sun.am.iis_owa_enabled = true
Restart Access Manager.

Installing and Configuring the OWA Agent
First, install and configure the OWA Agent by following steps 1-7 in the section Installing and Configuring the SharePoint Agent in Part 2 of this series.

Creating a Timeout Page for Local Idle Sessions
Next, create a timeout page for local idle sessions:

Create a new virtual server (a different Web site) in the IIS Administration Console and a corresponding application pool in a new folder called C:\Inetpub\test.
Install SSL on the new site and verify that the site is accessible from the browser.
Ensure that the OWA server runs does not run on port 444 and then define the site's port number as 444.

Enable the site to run scripts and executables: Open the site's Properties dialog box, click the Home Directory tab, and, under "Application settings," select Scripts and Executables from the "Execute permissions" pull-down menu. See Figure 4.

Figure 4: Enabling a Virtual Server to Run Scripts and Executables

Create a Web page called timeout.asp in C:\Inetpub\test with the following content.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
    PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<%
redirectvalue = Request.QueryString("owagoto")
posn=inStr( redirectvalue, "owalogon.asp?url=" )

If(posn > 1) then
    str2 = Split(redirectvalue,"owalogon.asp?url=")
    str3 = Split(str2(1),"&reason")
    redirectvalue=str3(0)
End If
%>
<meta http-equiv="Refresh" content="0;url=https://
<Access_Manager_hostname>:<Access_Manager_portnumber>/amserver/UI/
Login?goto=<%=redirectvalue%>">
</head>
</html>

Modifying the Logoff Page
To ensure that logouts are handled correctly, update the logoff page ( logoff.asp) as follows:

Back up the file C:\Program Files\Exchsrvr\exchweb\bin\usa\logoff.asp.

Replace the content of logoff.asp with the following:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
    PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<%
Response.Cookies("owaAuthCookie").Domain = ".iplanet.com"
Response.Cookies("owaAuthCookie").Path = "/"
Response.Cookies("owaAuthCookie")= "owaValue"
Response.Cookies("owaAuthCookie").Expires = "July 1, 1995"
%>
<meta http-equiv="Refresh" content="0;url= https://
<Access_Manager_hostname>:<Access_Manager_portnumber>/amserver/UI/Logout?goto
=https%3A%2F%2F<OWA_hostname>%3A<OWA_portnumber>%2F">
</head>
</html>

Edit logoff.asp and replace .iplanet.com with the appropriate domain name for the cookies. See Appendix B for the procedure on how to obtain the domain name from the Access Manager Administration Console.
Save the file.

Updating the AMAgent.properties File
Finally, update the AMAgent.properties file as follows:

Add the following line to enable the OWA-related configurations:

com.sun.am.policy.agents.config.iis.owa_enabled = true
Add the following line to point to the URL of the timeout page for local idle sessions:

com.sun.am.policy.agents.config.iis.owa_enabled_session_timeout_url = https:// OWA_hostname :444/timeout.asp
Save the file.
Restart IIS with the iisreset command.

Tests

To test the setup:

Start a new browser.

Go to the OWA login screen at https:// OWA_hostname : OWA_portnumber /exchange.

You are redirected to the Access Manager login screen. See Figure 5.

Figure 5: Logging In at Access Manager Login Screen

Tip: If the Access Manager login screen is not displayed, you might not have deployed the ISAPI filters properly. To view a list of the deployed ISAPI filters, on the right pane in the IIS Administration Console, select Web Sites > Default Web Site > Properties > ISAPI Filters. Figure 6 shows an example.

Figure 6: Viewing the Deployed ISAPI Filters

Enter the login credentials for user1.

Access Manager displays the Inbox of user1 (see Figure 7) instead of the OWA login screen (as shown in Figure 2)a testament that SSO is in action.

Figure 7: Inbox of user1 Upon Successful Login

Appendix A: Procedure for Configuring Earlier Access Manager Releases and Access Manager 7.1

For any release that is earlier than Access Manager 7.0 Patch 5 and for Access Manager 7.1, ReplayPasswd.java and DESGenKey.java are shipped separately. You must compile the two files and ensure that their class files are in Access Manager's lib directory ( /opt/SUNWam/lib by default), as follows:

As root, compile ReplayPasswd.java and DESGenKey.java by typing (all on one line):

# javac -classpath Access_Manager_install_dir /lib/am_services.jar: Access_Manager_install_dir /lib/am_sdk.jar: Access_Manager_install_dir /lib/servlet.jar ReplayPasswd.java DESGenkey.java

where Access_Manager_install_dir is the location in which you installed Access Manager. The default is /opt/SUNWam.

For example:

# javac -classpath /opt/SUNWam/lib/am_services.jar:/opt/SUNWam/lib/am_sdk.jar: /opt/SUNWam/lib/servlet.jar ReplayPasswd.java DESGenkey.java
In the Access Manager Administration Console, click the Access Control tab, click the realm, and then click the Authentication tab. Under General, click Advanced Properties. Scroll down to the Authentication Post Processing Class field. In the text field, type ReplayPasswd.
Generate the shared key: Go to the lib directory of the Access Manager installation and type:

# java DESGenKey

Note: On the Solaris and Linux platforms, the class files must reside in Access Manager's lib directory; in Windows, in the WEB-INF\classes subdirectory of Access Manager's amserver directory.

Appendix B: Procedure for Obtaining the Cookie Domain Name

To obtain the name of the cookie domain:

Figure 8: Access Control Screen on Access Manager Administration Console (Click image for larger view.)

Click the Configuration tab. See Figure 9.

Figure 9: Configuration Screen on Access Manager Administration Console (Click image for larger view.)

Scroll down to System Properties and click Platform, the bottom link. See Figure 10.

Figure 10: System Properties on Access Manager Administration Console (Click image for larger view.)

A list of names is displayed under Cookie Domains. Figure 11 is an example, with only .iplanet.com listed.

Figure 11: Platform Screen on Access Manager Administration Console (Click image for larger view.)

Pick the appropriate name.

Conclusion

Thanks to the OWA Agent, when multiple applicationsemail, calendar, and suchare all interacting with Access Manager, enabling SSO for them takes only a few steps. Try it out yourself!

References

Sun Java System Access Manager
Previous articles on Access Manager
Sun developer services
- Support
- Training and certification

Rate and Review

Tell us what you think of the content of this page.

Excellent Good Fair Poor

Comments:

</td>
                    </tr>
                     <tr>
                       <td>                        <strong>Your email address (no reply is possible without an address):</strong>
                        <br/>
                         <a href="http://sun.com/privacy/" target="_new">Sun Privacy Policy</a>
                        <br/>
                         <input maxlength="60" name="custom_1" size="35" type="text" value=""/>                        <br/>
Note: We are not able to respond to all submitted comments.
                      </td>
                    </tr>
                     <tr>
                       <td>                        <input border="0" class="buttonblue" onmouseout="this.style.color='#FFF';" onmouseover="this.style.color='#fbe249';" type="submit" value=" Submit » "/>  
                        <input name="custom_0" type="hidden" value="Madan Ranganath, Marina Sum"/>  
                        <input name="custom_4" type="hidden" value="Sun and Microsoft Interoperate for Web Authentication, Part 3: Sun Java System Access Manager and Microsoft Outlook Web Access for Exchange Server 2003"/>  
                        <input name="custom_5" type="hidden" value="http://developers.sun.com/identity/reference/techart/owa.html"/>  
                        <input name="cf_Form_Name" type="hidden" value="Rate and Review - article feedback"/>  
                        <input name="cf_Form_Location" type="hidden" value="Registrations"/>  
                        <input name="cf_iso2" type="hidden" value="XH"/>  
                        <input name="charset" type="hidden" value="ISO-8859-1"/>
                      </td>
                    </tr>
                  </table>
                </td>
              </tr>
            </table>
          </form>
					
	</div>
</div>
<div class="orcl6w5"><div class="orcl6x0"></div><div class="orcl6x1"></div></div>
	<div class="orcl6w6">
		<div class="orcl6x0"></div>
		<div class="orcl6x1"></div>
	
</div>

</div>
<div id="Wrapper_FixedWidth_Rightnav">
<div style="background-color:#FFFFFF;">
    
                                      
       <style type="text/css">
body {font-family:Arial, Helvetica, sans-serif}
#downRSS {padding:0;position:absolute;top:3px;right:10px;}
#downWrapper {padding:0 0 0px 0;background-color:#ffffff;}
#downMain {padding:5px 0 0 0; margin: 0; font-size:12px; }
#downMain .downLoad {background-image:url(http://www.oracleimg.com/ocom/groups/public/@otn/documents/digitalasset/115899.gif); background-repeat:no-repeat; background-position:top left; padding:0 0 10px 16px; margin:0 0 0 5px;}
#downMain a:link {color:#000;text-decoration:underline;} 
#downMain a:visited {color:#999;text-decoration:underline;}
#downMain a:hover {color:#ff0000;text-decoration:underline;}
</style>
<table width="100%" cellspacing="0" cellpadding="0" border="0" bgcolor="#dddddd">
    <tbody>
        <tr>
            <td><img width="10" height="20" alt="Left Curve" src="/ocom/groups/public/@otn/documents/digitalasset/121830.gif" /></td>
            <td align="center">
            <div align="center"><span class="boldbodycopy">Java SDKs and Tools</span></div>
            </td>
            <td align="right"><img width="10" height="20" alt="Right Curve" src="/ocom/groups/public/@otn/documents/digitalasset/104150.gif" /></td>
        </tr>
        <tr>
            <td colspan="3">
            <div id="downWrapper">
            <div id="downMain">
            <div class="downLoad"><a target="" href="/technetwork/java/javase/downloads/index.html">Java SE</a></div>
            <div class="downLoad"><a target="" href="/technetwork/java/javaee/downloads/index.html">Java EE and Glassfish</a></div>
            <div class="downLoad"><a target="" href="/technetwork/java/javame/downloads/index.html">Java ME</a></div>
<div class="downLoad"><a target="" href="/technetwork/java/javafx/downloads/index.html">JavaFX</a></div>
            <div class="downLoad"><a target="" href="/technetwork/java/javacard/downloads/index.html">Java Card</a></div>
<div class="downLoad"><a target="" href="http://netbeans.org/downloads/index.html">NetBeans IDE</a></div>
            
            </div>
            </div>
            </td>
        </tr>
    </tbody>
</table>

</div>
</div>

</div>

<div id="Wrapper_FixedWidth_Footer">
            <div class="addThisPrintEmail">
                
	<a href="javascript:mailpage()"><img height="16" src="/ocom/groups/systemobject/@mktg_admin/@ocom_admin/documents/digitalasset/email.gif" width="19" border="0" /></a> <span style="MARGIN-BOTTOM: 2px">
	<a href="javascript:mailpage()">E-mail this page</a></span>   
	<a onclick="printerView()" href="javascript: void 0;"><img height="16" alt="Printer View" src="/ocom/groups/systemobject/@mktg_admin/@ocom_admin/documents/digitalasset/print_icon.gif" width="19" border="0" /> Printer View</a>
			
            </div>
 
				
		 <div data-trackas="ffooter" data-openff="Open Info" data-closeff="Close Info" class="u06v1" id="u06v1"><div class="u06v1z1"> </div> <div class="u06v1w1"><div class="u06v1w2"><ul>     <h5>Oracle Cloud</h5>     <li><a href="/us/solutions/cloud/overview/index.html" data-lbl="cloud:learn-about-oracle-cloud">Learn About Oracle Cloud</a></li>     <li><a href="https://cloud.oracle.com/mycloud/f?p=service:free_trial:0" data-lbl="cloud:get-a-free-trial" target="_blank">Get a Free Trial</a></li>     <li><a href="/us/solutions/cloud/platform/overview/index.html" data-lbl="cloud:learn-about-paas">Learn About PaaS</a></li>     <li><a href="/us/technologies/saas/overview/index.html" data-lbl="cloud:learn-about-saas">Learn About SaaS</a></li>     <li><a href="/us/solutions/cloud/infrastructure/overview/index.html" data-lbl="cloud:learn-about-iaas">Learn About IaaS</a></li> </ul></div> <div class="u06v1w2"><ul>     <h5>Java</h5>     <li><a href="/us/technologies/java/overview/index.html" data-lbl="java:learn-about-java">Learn About Java</a></li>     <li><a href="http://java.com/download" data-lbl="java:download-java-for-consumers" target="_blank">Download Java for Consumers</a></li>     <li><a href="/technetwork/java/javase/downloads/index.html" data-lbl="java:download-java-for-developers">Download Java for Developers</a></li>     <li><a href="/technetwork/java/index.html" data-lbl="java:java-resources-for-developers">Java Resources for Developers</a></li>     <li><a href="https://cloud.oracle.com/mycloud/f?p=service:java:0" data-lbl="java:java-cloud-service" target="_blank">Java Cloud Service</a></li>     <li><a href="/technetwork/java/javamagazine/index.html" data-lbl="java:java-magazine">Java Magazine</a></li> </ul></div> <div class="u06v1w2"><ul>     <h5>Customer and Events</h5>     <li><a href="/us/corporate/customers/index.html" data-lbl="customers-and-events:explore-and-read-customer-stories">Explore and Read Customer Stories</a></li>     <li><a href="http://events.oracle.com/search/search?group=Events&keyword=" data-lbl="customers-and-events:all-oracle-events" target="_blank">All Oracle Events</a></li>     <li><a href="http://www.oracle.com/openworld/index.html" data-lbl="customers-and-events:oracle-openworld" target="_blank">Oracle OpenWorld</a></li>     <li><a href="http://www.oracle.com/javaone/index.html" data-lbl="customers-and-events:javaone" target="_blank">JavaOne</a></li> </ul></div> <div class="u06v1w2"><ul>     <h5>Communities</h5>     <li><a href="/us/corporate/blogs/index.html" data-lbl="communities:blogs">Blogs</a></li>     <li><a href="http://forums.oracle.com/forums/index.jspa?cat=1" data-lbl="communities:discussion-forums" target="_blank">Discussion Forums</a></li>     <li><a href="https://wikis.oracle.com" data-lbl="communities:wikis" target="_blank">Wikis</a></li>     <li><a href="/technetwork/community/oracle-ace/index.html" data-lbl="communities:oracle-aces">Oracle ACEs</a></li>     <li><a href="/us/corporate/customers/oracle-users-groups-192206.html" data-lbl="communities:user-groups">User Groups</a></li>     <li><a href="/us/social-media/twitter/index.html" data-lbl="communities:social-media-channels">Social Media Channels</a></li> </ul></div> <div class="u06v1w2"><ul>     <h5>Services and Store</h5>     <li><a href="/us/support/software/premier/my-oracle-support-068523.html" data-lbl="services-and-store:log-in-to-my-oracle-support">Log In to My Oracle Support</a></li>     <li><a href="http://education.oracle.com/" data-lbl="services-and-store:training-and-certification" target="_blank">Training and Certification</a></li>     <li><a href="/partners/en/join-now/index.html" data-lbl="services-and-store:become-a-partner" target="_blank">Become a Partner</a></li>     <li><a href="/us/partnerships/solutions-catalog/specialized-partners/index.html" data-lbl="services-and-store:find-a-partner-solution">Find a Partner Solution</a></li>     <li><a href="https://shop.oracle.com/" data-lbl="services-and-store:purchase-from-the-oracle-store" target="_blank">Purchase from the Oracle Store</a></li>     <li><div class="u06callout"><h5>Contact and Chat</h5>     <a href="/us/corporate/contact/global-070511.html" data-lbl="contact-and-chat:global-contacts">Global Contacts</a><br />     <a href="/us/support/contact/index.html" data-lbl="contact-and-chat:oracle-support" target="">Oracle Support</a><br />     <strong>Phone:</strong> 800-633-0738<br />     </div></li> </ul></div></div> <div class="u06v1z2"> </div></div>   <div data-trackas="footer" id="u06"><hr /> <h3><a href="/us/corporate/index.html" data-lbl="hardware and software engineered to work together">Hardware and Software, Engineered to Work Together</a></h3> <ul class="u06-links">     <li><a href="/us/syndication/subscribe/index.html" data-lbl="subscribe">Subscribe</a></li>     <li><a href="/us/corporate/careers/index.html" data-lbl="careers">Careers</a></li>     <li><a href="/us/corporate/contact/index.html" data-lbl="contact us">Contact Us</a></li>     <li><a href="/us/sitemaps/index.html" data-lbl="site maps">Site Maps</a></li>     <li><a href="/us/legal/index.html" data-lbl="legal notices">Legal Notices</a></li>     <li><a href="/us/legal/terms/index.html" data-lbl="terms of use">Terms of Use</a></li>     <li><a href="/us/legal/privacy/index.html" data-lbl="privacy rights">Privacy</a></li>     <li><div style="*margin-top:5px;" id="teconsent"><script type='text/javascript' src='http://consent.truste.com/notice?domain=oracle.com&c=teconsent&language=en&text=true'></script></div>     </li>     <li class="u06-mobile"><a href="/us/corporate/mobile-application/index.html" data-lbl="oracle mobile"><span> </span></a></li> </ul> <ul class="scl-icons">     <li class="scl-facebook"><a title="Oracle on Facebook" href="/us/social-media/facebook/index.html" data-lbl="facebook">Facebook</a></li>     <li class="scl-linkedin"><a title="Oracle on LinkedIn" href="/us/social-media/linkedin/index.html" data-lbl="linkedIn">LinkedIn</a></li>     <li class="scl-twitter"><a title="Follow Oracle on Twitter" href="/us/social-media/twitter/index.html" data-lbl="twitter">Twitter</a></li>     <li class="scl-googleplus"><a title="Follow Oracle on Google+" href="https://plus.google.com/u/0/115607918987921226255" data-lbl="google plus" target="_blank">Google+</a></li>     <li class="scl-youtube"><a title="Watch Oracle on YouTube" href="http://www.youtube.com/oracle/" data-lbl="youtube" target="_blank">YouTube</a></li>     <li class="scl-feed"><a title="Oracle RSS Feeds" href="/us/syndication/feeds/index.html" data-lbl="oracle rss feed">Oracle RSS Feed</a></li> </ul></div> 
 
			
          </div>
        </div>

<script language="JavaScript" src="http://www.oracleimg.com/us/assets/metrics/ora_otn.js"></script>

</div>
    </div>
  </div>

Products and Services

Solutions

Downloads

Store

Support

Training

Partners

About

Oracle Technology Network

Sun and Microsoft Interoperate for Web Authentication, Part 3