Forum Discussion
OK - After putting in some significant time, I've figured out how to solve this issue. We faced multiple symptoms that led to this particular problem, BUT I sincerely welcome the folks that write the Exchange iApp and associated documentation to provide feedback if I'm incorrect with my statements below.
ISSUE 1
Our Exchange CAS servers were configured to only accept Basic authentication in order to function properly with Forefront TMG. This has now been re-configured to utilize Forms-Based Auth as the Exchange iApp expects.
ISSUE 2
We have multiple internal domains within a single forest, so we cannot login with only a username. The username for OWA MUST be presented in a %DOMAIN%\%USERNAME% or %USERNAME%@%DOMAIN% format. Since the iApp has configured the Access Policy to Split Domain from Username, I reconfigured the Form Parameters field of the Forms-Client Initiated SSO Configuration to POST %{session.ldap.last.attr.userPrincipalName} instead of %{session.sso.token.last.username} for the username field. Obviously, you'll need to make sure you're running the prerequisite Query within the Access Policy to pull this variable so it can be leveraged.
ISSUE 3
The documented SSO Select iRule within the Exchange iApp Deployment Guide for OWA had a couple of clarifications we had to modify (see p87 in the http://www.f5.com/pdf/deployment-guides/microsoft-exchange-iapp-v1_3-dg.pdf guide):
when RULE_INIT {
    # replace exchange_forms_sso here with your forms-based SSO name
    set static::OWA_FORM_BASE_SSO_CFG_NAME "exchange_forms_sso"
}
when ACCESS_ACL_ALLOWED {
    set req_uri [HTTP::uri]
    # selects the forms-based SSO when Outlook Web Access is detected
    if { $req_uri contains "/owa/&reason=0" } {
        WEBSSO::select $static::OWA_FORM_BASE_SSO_CFG_NAME
    }
    unset req_uri
}
When you modify line 3 to set the forms_sso configuration you created, MAKE SURE to use the full path ("/Common/exchange_forms_sso" instead of "exchange_forms_sso"). We couldn't get to anything further without it configured that way.
Also, using the IE Developer tools, I noticed that the /owa/&reason=0 URI noted on line 8 of the iRule was never presented to us from our Exchange 2010 environment. Therefore, the Forms SSO was never invoked. I changed this value from "/owa/&reason=0" to "/owa/auth" and everything was perfect after that.
To sum up, here's what my iRule looked like after all was said and done:
when RULE_INIT {
    # replace exchange_forms_sso here with your forms-based SSO name
    set static::OWA_FORM_BASE_SSO_CFG_NAME "/Common/exchange_forms_sso"
}
when ACCESS_ACL_ALLOWED {
    set req_uri [HTTP::uri]
    # selects the forms-based SSO when Outlook Web Access is detected
    if { $req_uri contains "/owa/auth" } {
        WEBSSO::select $static::OWA_FORM_BASE_SSO_CFG_NAME
    }
    unset req_uri
}
Again, I am BRAND NEW to this, so I ask any of the moderators/experts to provide feedback on this answer. While this solution works, I am still concerned that I could be causing more issues downstream that I haven't uncovered yet. For those who are also seeing this issue, I hope this helps you out!
Thanks all, Cory
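The following is an added example, not code from the post above or from F5's deployment guide: a plain-Python model of the iRule's `contains` test, run over constructed request URIs, to show how the guide's "/owa/&reason=0" pattern can go unmatched while "/owa/auth" fires, and to show a tighter alternative that tests only the request path (the iRule equivalent would be `[HTTP::path] starts_with "/owa/auth"`). The sample URIs are constructed for this example; in particular the assumption that the OWA logon redirect carries its return URL percent-encoded (so the literal substring "/owa/&reason=0" never appears) is an illustration of one way the guide's pattern can miss, not a statement about the poster's environment. The userPrincipalName form-parameter change is an APM SSO configuration setting and is not modelled here.

```python
# Added example: models the string test inside the SSO Select iRule.
# Not F5 code and not the poster's code; the URIs below are constructed.
from urllib.parse import urlsplit

GUIDE_PATTERN = "/owa/&reason=0"   # pattern from the deployment guide's iRule
POST_PATTERN = "/owa/auth"         # pattern the post switched to

# Constructed sample request URIs (assumption: roughly what an OWA 2010
# forms-based-auth logon flow presents, with the embedded return URL
# percent-encoded by Exchange).
OWA_LOGON = "/owa/auth/logon.aspx?url=https%3a%2f%2fmail.example.com%2fowa%2f&reason=0"
OWA_FORM_POST = "/owa/auth.owa"
OWA_QUERY_ONLY = "/owa/?return=/owa/auth/logon.aspx"  # "/owa/auth" only in query
SAMPLE_URIS = [
    "/owa/",
    OWA_LOGON,
    OWA_FORM_POST,
    "/ecp/?rfr=owa",
    OWA_QUERY_ONLY,
    "/Microsoft-Server-ActiveSync?Cmd=Sync",
]


def irule_contains(uri: str, pattern: str) -> bool:
    """Model of: if { $req_uri contains "<pattern>" } (substring anywhere,
    query string included, since HTTP::uri returns path plus query)."""
    return pattern in uri


def path_starts_with(uri: str, prefix: str) -> bool:
    """Tighter alternative: compare only the path component, so a string
    that merely appears inside a query parameter does not select the SSO.
    Models: if { [HTTP::path] starts_with "<prefix>" }"""
    return urlsplit(uri).path.startswith(prefix)


def selected(uris, matcher, pattern):
    """Return the URIs for which WEBSSO::select would be called."""
    return [u for u in uris if matcher(u, pattern)]


if __name__ == "__main__":
    for label, matcher, pattern in [
        ("guide pattern, contains", irule_contains, GUIDE_PATTERN),
        ("post pattern, contains", irule_contains, POST_PATTERN),
        ("post pattern, path prefix", path_starts_with, POST_PATTERN),
    ]:
        print(f"{label}: {selected(SAMPLE_URIS, matcher, pattern)}")
```

With the encoded return URL, the guide's pattern selects the forms SSO for none of the sample requests, which matches the symptom described in the post. The `contains "/owa/auth"` test selects it for the logon page and the form POST target but also for any request that merely mentions that string in its query, which the path-prefix variant avoids.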