Learn F5 Technologies, Get Answers & Share Community Solutions Join DevCentral

Filter by:
  • Solution
  • Technology

SSO for OWA exchange 2016


does anyone have any experience with this? I have set up most services, but i am struggling with the SSO for OWA, which is a feature the customer requires. I have tried setting up SSO as forms-client initiated, but guess i have done something wrong. Username is populated correctly, but it doesnt seem to populate the password field correctly, or there are some other parameters i have gotten wrong.

Any input on this would be appreciated:)

Rate this Question

Answers to this Question



when working with APM and exchange, I always change the OWA / ECP authentication to kerberos.

I had some trouble with forms-client initiated and Exchange. it was working but sometimes, the user was promoted again on Exchange.

Comments on this Answer
Comment made 25-Sep-2017 by Kai M. 358

Is it a lot of hassle setting up kerberos authentication? I dont think im far away from getting the forms to work, but something is preventing the population of the password field, or im editing some other paramerters incorrectly. I have tried following the iapp default settings for sso towards owa using client-initated, and have tried different variables here in order to try and "provoke" a result.

Comment made 25-Sep-2017 by Stanislas Piron 10640

when publishing OA, EWS, OAB and Autodiscover exchange services, most of customers want NTLM authentication on client side allowing seamless authentication without password saved for domain computers.

NTLM authentication on client side requires Kerberos SSO on server side.

I never configured a exchange with APM without Kerberos SSO for these services, so adding Kerberos for OWA is more difficult.

Here are sample configuration commands to configure Kerberos SSO

AD Powershell commands

All these commands create one account used for kerberos delegation. to rollback, only remove the account.

Create the F5 delegation account

New-ADUser -Name "APM Delegation Account" -UserPrincipalName svc_f5_krb@demo.local -SamAccountName "svc_f5_krb" -PasswordNeverExpires $true -Enabled $true -AccountPassword (ConvertTo-SecureString -AsPlainText "P@ssw0rd" -Force)

Create a Service Principal Name attribute for this account (mandatory to request kerberos ticket for another user).This is Not the same as exchange SPN

Set-AdUser -Identity svc_f5_krb -ServicePrincipalNames @{Add="host/svc_f5_krb.demo.local"} 

Assign the delegation right to the site app1.demo.local (this is the SPN of exchange server)

Get-AdUser -Identity svc_f5_krb | Set-ADObject -Add @{"msDS-AllowedToDelegateTo"="http/app1.demo.local"} 

Change delegation right to mode : Trust this user for delegation to specific service only / Use any authentication Protocol

Set-ADAccountControl -Identity svc_f5_krb -TrustedForDelegation $false
Set-ADAccountControl -Identity svc_f5_krb -TrustedToAuthForDelegation $true 

F5 APM commands

Select one of these kerberos profiles depending on your exchange deployment (try both, one will work)

Machine account kerberos SSO

create apm sso kerberos SSO_KRB_machine { account-name svc_f5_krb account-password P@ssw0rd kdc realm DEMO.LOCAL user-realm-source session.krbsso.last.domain username-source session.krbsso.last.username }

Web App pool kerberos SSO

create apm sso kerberos SSO_KRB_AppPool { account-name svc_f5_krb account-password P@ssw0rd kdc realm DEMO.LOCAL spn-pattern HTTP/%h user-realm-source session.krbsso.last.domain username-source session.krbsso.last.username } 
Comment made 25-Sep-2017 by Kai M. 358

hi, thanks for the info. i will take this into consideration.

I just took a look at the apm logs, and grepped for sso, and saw the following:

Could not find SSO username, check SSO credential mapping agent setting Could not find SSO password, check SSO credential mapping agent setting Master Decyrpt failed for ckDecrypt: Ciphertext does not begin with master key prefix

there is no mention of the sso being executed at all, so it seems that maybe the form isnt identified correctly..

im also awaiting some feedback from the customer, to see if he sees anything in the logs on the exchange server.

Comment made 25-Sep-2017 by Stanislas Piron 10640

did you create a VPE box "sso credential mapping"?

Comment made 25-Sep-2017 by Kai M. 358

Yes. The only thing that i have changed on the login page is to split domain from username, and edit the descriptive texts for page. the variables have remained unchanged.

So, either the sso credential mapping agent isnt picking this up correctly, or the sso forms isnt detecting the page correctly...

also, the customer saw in the exchange logs that the password was sent in cleartext, but not sure if this is decrypted on the exchange server. As far as i know, the password field on the logon page is always encrypted.

Comment made 25-Sep-2017 by Stanislas Piron 10640

default sso profiles requires session.sso.token.last.usernameandsession.sso.token.last.password which are created with SSO Credential mapping.

The APM store password encrypted but send it as expected by the server form.

so yes, the password is sent in cleartext to the server. that's another improvement with kerberos SSO (password-less SSO)

Comment made 25-Sep-2017 by Kai M. 358

ok. didnt know about the cleartext, so at least i have learned something new today:-)

if everything is default, then why isnt the sso credential mapping agent picking this up?

is there some misconfigurations in forms setup that could cause this?

Comment made 26-Sep-2017 by Kai M. 358

Finally got the SSO to work with forms-client initiated.

The problem was in the username being picked up, that was incorrect. i had to create a custom variable here, in order to add the domain\ in front of whatever the user typed in..

im now faced with a different issue regarding AD queries, but will see what Devcentral has on this before i start creating new questions here..

thanks for the input during this case, as it did help me find a solution in the end:-)

Comment made 5 months ago by Rosieodonell 368

Hi Kai M.,

I am having the same issue. I go the custom variable to work for the username so when I go to the login page, the username is populated correctly but the password is blank for some reason.