Microsoft OWA 2010 IIS Integration
From Swivel Knowledgebase Wiki
Introduction
PINsafe allows users of Outlook Web Access (OWA) 2010 to be authenticated against Microsoft Exchange Server running on Microsoft Windows Server 2008. ActiveSync users are able to receive email without PINsafe authentication, as ActiveSync uses a separate URL. This article describes how to integrate PINsafe with OWA 2010.
Compatibility
| Microsoft Exchange Version | Compatibility Status |
|---|---|
| Exchange Server 2010 | Compatible |
| Exchange Server 2010 SP1 | Compatible |
| Update Rollup 1 for Exchange Server 2010 SP1 | Compatible |
| Update Rollup 2 for Exchange Server 2010 SP1 | Compatible |
| Update Rollup 3 for Exchange Server 2010 SP1 | Compatible |
| Update Rollup 4 for Exchange Server 2010 SP1 | Compatible |
| Update Rollup 5 for Exchange Server 2010 SP1 | Compatible |
Note: Updates may result in the login page customisation being removed. In this case, you must select the option "Reapply Logon Page Changes" from the PINsafe filter start menu. Updates to the 2010 server may also require changes to the Excluded paths. See the Troubleshooting and Known Issues and Limitations sections before updating.
Prerequisites
Microsoft Exchange 2010 with OWA using IIS7
Microsoft 2008 Server
PINsafe 3.7
Users are able to login using standard OWA
IIS Filter for OWA 2010 no service pack
IIS Filter for OWA 2010 with service pack 1
Beta release for SP1 with support for multiple PINsafe servers
Architecture
The Exchange server makes authentication requests to the PINsafe server using XML authentication.
Installation
Software Installation
Run the executable to install it on the Exchange Server. If your Exchange Server instance is not installed in the default location (C:\Program Files\Microsoft\Exchange Server\V14), you will need to modify the installation path. The installation path should be the root Exchange path.
Configuration of the IIS Filter
After installation, modify the settings. The Filter Configuration program should start automatically after installation, or it can be started from the Start Menu. If the Exchange Server installation is not in the default location, select the OWA directory (as above) that contains the web.config file to be modified.
- PINsafe Settings
Server Name/IP: The PINsafe server IP address or hostname
Port: PINsafe server port, for a PINsafe appliance use 8080 (not 8443)
Context: PINsafe install name, for a PINsafe appliance use pinsafe (not proxy)
Secret: The shared secret that must be entered also on the PINsafe server Administration Console under Server/Agents
Use SSL: Tick this box if SSL is used; for a PINsafe appliance, tick this box. This also ignores other certificate errors, such as site names not matching.
Accept self-signed certificates: Tick this box where SSL is used with self-signed certificates; for a PINsafe appliance, tick this box until a valid certificate is installed.
- OWA Settings
Server URL: Exchange Server URL, Example: https://<exchange.mycompany.com>
OWA Path: OWA path, usually /owa, unless this has been explicitly changed
Logon Path: Logon path, usually /owa/auth/Logon.aspx
Logoff Path: Logoff path, /owa/auth/Logoff.aspx
Auth. URL: The URL for OWA authentication, usually https://<exchange.mycompany.com>/owa/auth/owaauth.dll
- Authentication Settings
Cookie Secret: This should be set to a random string, which is used to encrypt/decrypt the PINsafe authentication cookie.
Idle Time: The length of time in seconds that the authentication cookie is valid, provided you make no OWA requests in that time. If you do, the cookie is refreshed and the countdown starts again.
Allow non-PINsafe Users: If this option is ticked, non-PINsafe users are allowed to authenticate using standard OWA authentication. This requires PINsafe 3.5 or higher.
Filter Enabled: This option is mainly for testing, but it also handles situations such as enabling mobile access to the same Exchange Server (i.e. ActiveSync and Windows Mobile Device Center). If the filter is disabled, you still need to authenticate through PINsafe if you use the standard login page, but it is possible to authenticate using only AD credentials if you have a way to call the AD authentication filter directly.
- Excluded Settings
Excluded Paths: Paths listed here can be reached without PINsafe authentication. The required paths are /owa/auth and /owa/14.0.639.21 (14.0.639.21 is the standard version; different updates may require different version paths).
Configure The PINsafe Server
Configure a PINsafe Agent (for standard XML authentication)
1. On the PINsafe Management Console select Server/Agent
2. Enter a name for the Agent
3. Enter the Exchange IP address
4. Enter the shared secret used above on the Exchange Filter
5. Click on Apply to save changes
Configure Single Channel Access
1. On the PINsafe Management Console select Server/Single Channel
2. Ensure ‘Allow session request by username’ is set to YES
Additional Installation Options
Modifying the login page to stop the Single Channel image automatically appearing
By default the single channel authentication image appears when the username and AD password are entered and the user selects the OTC field. As a single channel session has started, the PINsafe server then expects an OTC taken from the Single Channel TURing image. If dual channel authentication is required, the automatic display of the Single Channel TURing image needs to be turned off. This is done by modifying the login.asp file, which by default is located in C:\Program Files\Exchsrvr\exchweb\bin\auth. The following needs to be removed from the username attribute field:
onblur="checkUser()"
Modifying the login page to allow Dual Channel On Demand Delivery
If you want to use only dual-channel on-demand and no other method, then you can manage this by a simple change to image.asp (under /exchweb/bin/auth). Edit this file, search for "SCImage" and replace it with "DCMessage". Leave the onblur attribute as it was. Dual channel authentication for the user and also On Demand Delivery should be enabled on the PINsafe Administration console under Server/Dual Channel.
Verifying the Installation
Enter a username and AD password then the PINsafe OTC for dual channel authentication. For single channel authentication enter the username, AD password then click on the button to generate a Single Channel Turing Security String, enter the OTC and login.
Uninstalling the PINsafe Integration
Uninstall the PINsafe IIS filter; this should restore all the original files. If it does not, find the file Logon.aspx.sav in ClientAccess\owa\auth\ and restore it as the original Logon.aspx.
Troubleshooting
Check the PINsafe and 2010 server logs
No login page: check the Exchange version. The filter needs to match the Exchange version number, and Logon.aspx needs to be modified so that it references the correct Exchange install version.
Red cross instead of Turing image: right-click on the red cross and look at its properties. Ensure the PINsafe server is running.
If you do not see a Turing image when using Start Session, test the following link in a web browser from the IIS server. If an image is not shown, there is a problem either with communication to the PINsafe server, or "Allow Image request by username" may be set to No.
For PINsafe appliances and software installs:
http://<pinsafe_server_ip>:8080/pinsafe/SCImage?username=<username>
User regularly times out after a short interval
The session is kept open by user activity. If this is insufficient then increase the cookie idle timeout value.
Turing image appears but user cannot authenticate
Verify that OWA is configured to use port 8080 and context pinsafe. Port 8443 and context proxy will cause problems authenticating users while still allowing the Turing image to be displayed.
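The SCImage link check above, and the port/context point just made, can be scripted so that the failure mode is classified rather than judged by eye. This is an added example written for this article, not part of the Swivel filter; the host, username and sample responses are constructed, and the URL layout and 8080/pinsafe defaults are the ones stated in this article.

```python
"""Check whether a PINsafe server returns a TURing image for a username."""
import sys
import urllib.error
import urllib.request
from urllib.parse import quote

# Image formats the SCImage endpoint may return, identified by their magic bytes.
_MAGIC = {b"\x89PNG\r\n\x1a\n": "PNG", b"\xff\xd8\xff": "JPEG", b"GIF8": "GIF"}


def build_scimage_url(host, username, port=8080, context="pinsafe", scheme="http"):
    """URL from the article: http://<pinsafe_server_ip>:8080/pinsafe/SCImage?username=<username>.
    Defaults are the port and context the article says OWA must use (not 8443/proxy)."""
    return f"{scheme}://{host}:{port}/{context}/SCImage?username={quote(username)}"


def classify_response(status, content_type, body):
    """Map an HTTP response to one of the outcomes the troubleshooting section describes."""
    if status != 200:
        return f"HTTP {status}: server reachable but URL not served; check context and that PINsafe is running"
    for magic, fmt in _MAGIC.items():
        if body.startswith(magic):
            return f"ok: {fmt} image ({len(body)} bytes read)"
    if "image" in (content_type or "").lower():
        return "warn: image content-type but unrecognised image data"
    return "no image: check the image/session request by username setting on the PINsafe server"


def check_scimage(url, timeout=5):
    """Fetch the URL from this machine and classify the result; network errors are reported, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify_response(resp.status, resp.headers.get("Content-Type"), resp.read(16))
    except urllib.error.HTTPError as e:
        return classify_response(e.code, e.headers.get("Content-Type"), b"")
    except (urllib.error.URLError, OSError) as e:
        return f"connection failed: {e}"  # PINsafe not reachable on that host/port from the IIS server


if __name__ == "__main__":
    if len(sys.argv) >= 3:
        # Usage on the IIS server: python scimage_check.py <pinsafe_server_ip> <username>
        print(check_scimage(build_scimage_url(sys.argv[1], sys.argv[2])))
    else:
        # Offline demonstration on constructed responses (not real server output).
        print(classify_response(200, "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8))
        print(classify_response(200, "text/html", b"<html>No session</html>"))
        print(classify_response(404, "text/html", b""))
```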
Name resolution issue
The Exchange server may be looking for exchange.company.com from the internal network but cannot resolve it. Edit the hosts file mapping the name to 127.0.0.1.
Known Issues and Limitations
Updates may result in the login page customisation being removed. In this case, you must select the option "Reapply Logon Page Changes" from the PINsafe filter start menu.
Updates to the 2010 server may also require changes to the Excluded paths.
Beta Release
The beta release (link above) includes the option to add multiple PINsafe servers. Then, if the first one is unavailable, the filter will try the other servers in the order listed. The filter will always remember the last PINsafe server successfully contacted and try that one first.
To support multiple servers, there is an additional button on the PINsafe tab of the configuration program, which brings up a secondary dialog containing a list of available servers. Use this to add or delete PINsafe servers, and to select one to modify (the details are modified on the main dialog).
As this version is a beta release, we would appreciate any feedback users may have on it.
Additional Information
For assistance with the PINsafe installation and configuration, please first contact your reseller and then email Swivel Secure support at support@swivelsecure.com.

