OWA access via NetScaler is getting stuck at /cgi/selfauth?params= after authentication

Article ID: CTX209060

Description

  • The customer's Exchange deployment is published through a Content Switching (CS) virtual server on NetScaler. 
  • One of the rules on the CS vserver matches the expression "HTTP.REQ.URL contains "owa"" and forwards the request to the load balancing virtual server configured for OWA. This OWA LB vserver also has an AAA vserver of the forms-based authentication type mapped to it. 
  • When connecting to OWA from a browser, the user is authenticated by the AAA vserver, after which the page gets stuck at https://<exchangeFQDN>/cgi/selfauth?<encrypted and encoded text> 

Resolution

The flow is as follows: 
===

* The user accesses https://mail.example.com from the browser. 
* NetScaler has a responder policy configured that redirects browser requests for mail.example.com to /owa.
* The user's browser now sends a new request for "https://mail.example.com/owa", which hits the CS vserver on NetScaler. 
* The CS vserver evaluates the CS policy for owa and forwards the request to the LB vserver configured for owa. 
* The LB vserver has an AAA vserver with forms-based authentication enabled, so it redirects the user to https://aaamail.example.com/cgi/tm.
* The browser loads the required images and scripts, after which the logon page is presented to the user. 
* When the user submits username and password, a POST request is sent to https://aaamail.example.com/cgi/login.
* If authentication succeeds, the AAA vserver redirects the user back to https://mail.example.com/owa, and the browser then sends a request to https://mail.example.com/cgi/selfauth?params=xxxxxx.
* After this validation the mailbox is displayed and the mails start to load. 

Note: The flow above assumes an Exchange FQDN of mail.example.com and an AAA FQDN of aaamail.example.com. 

The solution for this issue was as follows:
===

In this scenario we had to create another CS policy with the expression "HTTP.REQ.URL contains "cgi"" and map the OWA load balancing virtual server as the target LB vserver for it in the CS vserver. After this configuration was added, the deployment started to work. 

Problem Cause

This was a configuration issue on the Content Switching virtual server.

In the configuration there was no default virtual server bound to the CS vserver, and there was no CS policy to accept the traffic that arrives in the form https://<exchangeFQDN>/cgi/selfauth?
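To make the routing gap concrete, the following is an added example (not part of this Citrix article and not NetScaler code) that models how a CS vserver picks a target for each request in the flow above: policies are evaluated in priority order, a matching policy forwards to its target LB vserver, and a request that matches nothing falls through to the default LB vserver if one is bound. It replays the two requests the browser sends to the Exchange FQDN (/owa and /cgi/selfauth) against the configuration before the fix, after adding the "cgi" policy, and with a default LB vserver bound instead. All vserver and policy names are constructed placeholders, and the `params=` value is a constructed token.

```python
"""Added example: a minimal model of Content Switching (CS) policy
evaluation, used to replay the OWA logon flow from the article.
Vserver and policy names are constructed placeholders."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlsplit


@dataclass
class CSPolicy:
    name: str
    needle: str        # models the rule "HTTP.REQ.URL contains <needle>"
    target_lb: str     # LB vserver the matching request is forwarded to
    priority: int      # lower number is evaluated first


@dataclass
class CSVserver:
    name: str
    policies: List[CSPolicy] = field(default_factory=list)
    default_lb: Optional[str] = None   # default LB vserver, if one is bound

    def select_target(self, url: str) -> Optional[str]:
        """Return the LB vserver a request to `url` is forwarded to, or None
        when no policy matches and no default LB vserver is bound (the request
        has nowhere to go, which is what the stuck /cgi/selfauth page was)."""
        parts = urlsplit(url)
        # HTTP.REQ.URL covers the path and query string, not the Host header
        req_url = parts.path + ("?" + parts.query if parts.query else "")
        for pol in sorted(self.policies, key=lambda p: p.priority):
            if pol.needle in req_url:     # case-sensitive substring match
                return pol.target_lb
        return self.default_lb


# Requests the browser sends to the Exchange FQDN during the flow.
# The AAA FQDN is served by a separate vserver and is not content-switched here.
FLOW_REQUESTS = [
    "https://mail.example.com/owa",
    "https://mail.example.com/cgi/selfauth?params=CONSTRUCTED_TOKEN",
]


def route_flow(vserver: CSVserver) -> Dict[str, Optional[str]]:
    """Map each request in the flow to the LB vserver that would receive it."""
    return {url: vserver.select_target(url) for url in FLOW_REQUESTS}


def before_fix() -> CSVserver:
    """Original configuration: only the 'owa' policy, no default LB vserver."""
    return CSVserver("cs_vs_exchange",
                     [CSPolicy("cs_pol_owa", "owa", "lb_vs_owa", 100)])


def after_fix() -> CSVserver:
    """Configuration from the Resolution: add a 'cgi' policy to the OWA LB."""
    vs = before_fix()
    vs.policies.append(CSPolicy("cs_pol_cgi", "cgi", "lb_vs_owa", 110))
    return vs


def after_fix_with_default() -> CSVserver:
    """Alternative suggested by the Problem Cause: bind a default LB vserver."""
    vs = before_fix()
    vs.default_lb = "lb_vs_owa"
    return vs


if __name__ == "__main__":
    for label, vs in (("before fix", before_fix()),
                      ("after adding cgi policy", after_fix()),
                      ("with default LB vserver", after_fix_with_default())):
        print(label)
        for url, target in route_flow(vs).items():
            print(f"  {url} -> {target}")
```

Running it shows /owa routed to lb_vs_owa in every case, while /cgi/selfauth gets no target before the fix and lb_vs_owa in both corrected configurations. On the appliance itself the equivalent of `after_fix()` is an `add cs policy` with the rule `HTTP.REQ.URL.CONTAINS("cgi")` followed by `bind cs vserver <cs_vserver> -policyName <policy> -targetLBVserver <owa_lb_vserver> -priority <n>`, and the equivalent of `after_fix_with_default()` is `bind cs vserver <cs_vserver> -lbvserver <owa_lb_vserver>`; the names in angle brackets are placeholders for your own objects. Note that a plain "contains" match is a substring check on the whole URL, so "cgi" also matches any other path containing that string, and a default LB vserver catches every unmatched request; choose whichever behaviour is intended for the rest of the Exchange traffic behind that CS vserver.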