Casifying OWA 2

dev hetbaken dev.hetbaken at live.nl
Fri Jan 9 08:47:00 EST 2009 

Adam,
 
Thanks for your reply.
 
1. Are you trying to get everything working on one box?
- Yes, they want me to do everything on 1 computer (without enough ram for multiple virtual machines). I'm not happy with it, but it's just for testing purposes.
 
2.CAS and OWA should go through Apache proxy
- I have 3 hosts. cas and owa are going through apache proxy.
 
3.  I see that CAS has issued a service ticket for /exchweb
- Indeed, Cas issued a service ticket for /exchweb. I think it was the last try in my brute force method to get it to work. It's coming from the rewrite rule in the apache config file. I also tried /exchange, /exchange/, /exchweb/, ****owaauth.dll,  etc, etc.
 
I have some questions:
- I used 2 different manuals. The one with the patch (current) and the previous one. The configuration in the xml files is slightly different, so its a little confusing. I tried with a brute force method all/most possible combinations.
On the end of this mail you find the way thats the most logical to me (Only the parts where it can go wrong). Is it correct?
- Do I need some specific settings in IIS, or is redirecting to apache enough?
- I'm using different certificates for each webserver, can that be a problem?
- The manual says "In the DNS system I had a CNAME entry : www.domain.com pointing to cas.domain.com" Do I really need this? I only configured Hosts
 
The files:
 
Apache Config File
RewriteCond %{QUERY_STRING} logoffRewriteRule ^/exchange/.+ https://apache.hetbaken.lokaal:444/cas/logout?service=https://apache.hetbaken.lokaal:444/cas [R]RewriteRule ^/exchweb/bin/auth/owalogon.asp https://apache.hetbaken.lokaal:444/cas/login?service=https://apache.hetbaken.lokaal:444/exchange [R]
 
Cas-servlet.xml
 <bean id="OWAConnection" class="org.jasig.cas.support.owa.OwaConnector"  p:host="owa.hetbaken.lokaal"  p:port="443"  p:scheme="https"  p:owaauth="ExchWeb/bin/auth/owaauth.dll"  p:owalogon="ExchWeb/bin/auth/owalogon.asp"  p:destination="/exchange/"  />
OWASession/CAdataCookieGenerator.xml
  p:cookieSecure="true"  p:cookieMaxAge="-1"  p:cookieName="cadata"  p:cookieDomain="hetbaken.lokaal"  p:cookiePath="/" />
 
OWARealSession/CAdataCookieGenerator.xml
  p:cookieSecure="true"  p:cookieMaxAge="-1"  p:cookieName="cadata"  p:cookieDomain="apache.hetbaken.lokaal"  p:cookiePath="/" />
 
Regards,
Dave
 
 



Date: Thu, 8 Jan 2009 15:43:50 -0800From: arybicki at unicon.netTo: cas at tp.its.yale.eduSubject: Re: Casifying OWA 2Dave,Are you trying to get everything working on one box?  It should be possible, though this is not how I have gotten it to work.  You have two different hostnames: "owa" and "apache."  Can I assume that they are both one and the same box?  Using this method, the browser should only be connecting to the host "apache" on port 444 and access to CAS and OWA should go through Apache proxy.  I see that CAS has issued a service ticket for /exchweb.  Is that an artifact of your testing method or is some service expected to actually validate that ticket?Since this method does not really use CAS protocol to authenticate to OWA, it's a stretch to call this "CASifying."  But that's the type of extremes that you have to resort to when dealing with closed applications like OWA.Adamdev hetbaken wrote: 


Dear CAS community, First of all, thanks for the good documentation. Setting up CAS with ldap and spnego authentication was a piece of cake. I only needed a couple of days (except spnego, that's not working when you use the browser on the same computer where cas is installed). But I have problems with OWA. I'm using the manual Casifying OWA 2.http://www.ja-sig.org/wiki/display/CAS/CASifying+Outlook+Web+Access+2I combined the information on version 5 and the current version (the patch didn't work very well).It looks like CAS isn't able to connect to owaauth.dll. When I'm authenticated and try OWA, then CAS is sending unlimited Service Tickets.the cas.log says: IOException when trying to connect to OWA Server I have the feeling that some very important information is missing on the manual. Like IIS configuration or something.- I'm almost sure that the owa client.jar is the same as the patch should create.- The xml files are changed as described (I looked at the patch to make sure the files changed correctly)- I configured the apache Virtual hosts. When I go to cas, the IP is changing correctly to 127.0.0.2:444- The default website in IIS is redirected to 127.0.0.2:444 This is my architecture: - Windows Server 2003 (domain controller)- CAS 3.3.1 with LDAP & SSL (port 8443)- Clean installation of IIS with Exchange 2003, Form Based Authentication (FBA) and SSL (port 443)- Apache 2.2 with SSL (port 444) The CAS.log file:2009-01-07 16:36:12,189 INFO [org.jasig.cas.support.owa.SendOwaTicketAction] - FormObjectClass not set.  Using default class of org.jasig.cas.authentication.principal.UsernamePasswordCredentials with formObjectName credentials and validator org.jasig.cas.validation.UsernamePasswordCredentialsValidator.2009-01-07 16:36:14,793 INFO [org.jasig.cas.web.flow.AuthenticationViaFormAction] - FormObjectClass not set.  Using default class of org.jasig.cas.authentication.principal.UsernamePasswordCredentials with formObjectName credentials and validator org.jasig.cas.validation.UsernamePasswordCredentialsValidator.2009-01-07 16:36:28,934 INFO [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - Starting cleaning of expired tickets from ticket registry at [Wed Jan 07 16:36:28 CET 2009]2009-01-07 16:36:28,944 INFO [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - 0 found to be removed.  Removing now.2009-01-07 16:36:28,944 INFO [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - Finished cleaning of expired tickets from ticket registry at [Wed Jan 07 16:36:28 CET 2009]2009-01-07 16:37:08,078 INFO [org.jasig.cas.web.flow.InitialFlowSetupAction] - Setting path for cookies to: /cas2009-01-07 16:37:25,063 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - AuthenticationHandler: org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler successfully authenticated the user which provided the following credentials: [username: administrator]2009-01-07 16:37:25,093 DEBUG [org.jasig.cas.support.owa.SendOwaTicketAction] - Action 'SendOwaTicketAction' beginning execution2009-01-07 16:37:25,093 DEBUG [org.jasig.cas.support.owa.SendOwaTicketAction] - Found existing form object with name 'credentials' of type [class org.jasig.cas.authentication.principal.UsernamePasswordCredentials] in scope Flow2009-01-07 16:37:25,474 DEBUG [org.jasig.cas.support.owa.OwaConnector] - Connecting to OWA Service (https://owa.hetbaken.lokaal/ExchWeb/bin/auth/owaauth.dll)2009-01-07 16:37:25,844 DEBUG [org.jasig.cas.support.owa.OwaConnector] - IOException when trying to connect to OWA Server2009-01-07 16:37:25,844 DEBUG [org.jasig.cas.support.owa.SendOwaTicketAction] - Action 'SendOwaTicketAction' completed execution; result is 'success'2009-01-07 16:37:25,854 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-1-taXzKczagqEJYF1M2gfA-cas] for service [https://apache.hetbaken.lokaal:444/exchweb/] for user [administrator]I hope someone can help me.Regards, Dave

Plan je feest, nodig mensen uit en deel je foto's met Windows Live Events 
_______________________________________________
Yale CAS mailing list
cas at tp.its.yale.edu
http://tp.its.yale.edu/mailman/listinfo/cas
  
_________________________________________________________________
Blijf altijd op de hoogte van wat jouw vrienden doen
http://home.live.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://tp.its.yale.edu/pipermail/cas/attachments/20090109/33933097/attachment.html

More information about the cas mailing list