Portal Access doesn't SSO to Exchange 2010 OWA

Question

I'm running Big-IP v11 and licensed for APM and I'm trying to load balance Exchange 2010 OWA.  When I login to the F5 forms-based Portal Access site, it redirects me to OWA, but I get prompted to login to OWA before I can view my webmail.  It seems like the single sign-on isn't working.&nbsp;
&nbsp;Also when I'm on a AD domain computer and login to the F5 Portal Access, OWA will not prompt for another login screen and open my webmail instantly.  The catch is, no matter what valid AD username/password I use on the F5 portal, it always opens my webmail because I'm logged into my computer on the domain.&nbsp;
&nbsp;Any help would be great!

michael_koyfma1 · Answer

Todd, 
&nbsp;  
&nbsp; Do you already have a support case open with F5 on this?  How is your OWA authenticated?   Based on the behavior you described, it appears that you might be using NTLM and/or Kerberos-based authentication for OWA internally instead of forms--based - is that true?

todd_90577 · Answer

Hi Michael, 
&nbsp; My Exchange Engineer viewed the properties of the CAS server and it was set for "Integrated authentication" or "Basic authentication".  We switched the CAS server to Forms-based and the SSO worked.  However, my Exchange Engineer wants to switch it back to the two previous methods because OWA is working thru the ISA server this way.  We are trying to replace out ISA with the F5.  Now if I change the F5 SSO, the login will only work using HTTP Basic, but i still get prompted twice to login.  Since only the HTTP basic would work (or forms based), it seems to rule out that NTLM or Kerberos is being used.  Is there something I'm missing to get HTTP Basic to work with single sign-on? &nbsp;

todd_90577 · Answer

Since the HTTP Basic is in "clear text", I think we're going to stick with the Forms based method on the CAS server.&nbsp;
&nbsp;Thanks for your help identifying the source of the issue!&nbsp;
&nbsp;Todd

michael_koyfma1 · Answer

Todd, 
&nbsp;  
&nbsp; I hope you don't mind if I take this opportunity to correct a somewhat common misconception.  It is true that for Basic auth credentials are passed in cleartext.  However, forms-based auth is also being transmitted in clear.  What's securing both Basic auth and forms-based auth is the SSL layer - encryption of the POST parameters in SSL and Basic Auth credentials are equivalent to each other in terms of security of the transmitted password.  NTLM is obviously a different animal, as the password never crosses the wire.

chris_15705 · Answer

Todd,  
&nbsp;  
&nbsp; You might sync up with your Exchange engineer and propose a second Exchange IIS site.  This can be done on any CAS server and is actually one of Microsoft's supported means of dealing with the need for different INSIDE/OUTSIDE auth needs.  The only real requirement is a second IP address for the second site and to unbind the current one from 0.0.0.0 to the current IP.  Once done you would point ISA to one site and the F5 to the other. 
&nbsp;  
&nbsp; Hope that is helpful. 
&nbsp;  
&nbsp; Chris

Forum Discussion

Portal Access doesn't SSO to Exchange 2010 OWA

6 Replies

Recent Discussions

F5 Rseries HA

Error when running bigip_command Playbook against LTM : Syntax Error: unexpected argument /bin/sh\n

Can iRule be used to perform exception of IPI category based on Geolocation

Can iRule mask the payload content on event logs of security

minimum tmos software version for connect CIS (openshift)

Related Content

access portal with redirect URL

Exchange 2016

Two-Factor Authentication – Captive Portal

MS Exchange ProxyNotShell block implemented via iRules

Exchange 2019