This article contains information about configuring Single Sign-On (SSO) feature for Outlook Web Access (OWA) 2007 using form-based authentication.

Background

OWA 2007 must send an HTTP Form POST request to a specific address on the back end Client Access Server, to provide the credentials that are authenticated with the Authentication, Authorization, and Accounting (AAA) virtual server. The resource address differs for each product and each version of Exchange Server.

Requirements

You must configure the following virtual servers before you configure the SSO feature on a NetScaler appliance:

• A Secure Socket Layer (SSL) Offload virtual server

• A AAA virtual server to authenticate the user

Instructions

To configure the SSO feature for OWA 2007 by using form-based authentication, complete the following procedure:

1. Create a Form SSO Profile on the NetScaler appliance. Complete the following steps to create the profile:

   1. Expand the AAA – Application Traffic node of the Navigation pane on the appliance. In newer versions of NetScaler AAA - Application Traffic is available under Security Node.

   2. Expand the Policies node.

   3. Select the Traffic node.

   4. Activate the Form SSO Profiles tab in the Traffic Policies, Profiles and Form SSO Profiles page.

   5. Click Add.

   6. Specify the required details in the Create Form SSO Profile dialog box, as shown in the following screen shot:

      

   7. Click Create and then click Close.

2. Create a Traffic Profile. Complete the following steps to create the profile:

   1. Activate the Profiles tab of the Traffic Policies, Profiles and Form SSO Profiles page.

   2. Click Add.

   3. Specify the required details in the Create Traffic Policy dialog box, as shown in the following screen shot:

      

   4. Click Create and then click Close.

3. Create a Traffic Policy. Complete the following steps to create a traffic policy:

   1. Activate the Policies tab of the Traffic Policies, Profiles and Form SSO Profiles page.

   2. Click Add.

   3. Specify the required details in the Create Traffic Policy dialog box, as shown in the following screen shot:

      

   4. Click Create and then click Close.

4. Bind the Traffic Policy at the global level or to a Load Balancing virtual server.

To create the Traffic Policy similar to the one configured in the preceding procedure, run the following commands from the command line interface of the appliance:
add tm formSSOAction OWA_Form_SSO_SSOPro -actionURL "/owa/auth/owaauth.dll" -userField username -passwdField password -ssoSuccessRule "http.RES.SET_COOKIE.COOKIE(\"cadata\").VALUE(\"cadata\").LENGTH.GT(70)" -responsesize 15000 -submitMethod POST
add tm trafficAction OWA_2007_Prof -appTimeout 1 -SSO ON -formSSOAction OWA_Form_SSO_SSOPro
add tm trafficPolicy owa2k7_pol "HTTP.REQ.URL.CONTAINS(\"owa/auth/logon.aspx\")" OWA_2007_Prof
bind tm global -policyName owa2k7_pol -priority 100

CTX126728 – How to Use the Authentication Feature of a NetScaler Appliance with a Load Balancing or Content Switching VServer on the Appliance
CTX128197 – How to Configure Single Sign-On for Exchange 2010
CTX124794 – How to Configure Single Sign-On to a Web Form
CTX233034 - [NetScaler Trace Study] - AAA Single-Sign On to OWA