Forum Discussion

May 20, 2014

OWA 2010 and SSO

Hi,

I am trying to set up form-based authentication with OWA 2010 and the APM. But it seems I am using the wrong start URI and/or form action.

In the APM logging I see the following:

May 20 12:06:02 loadb01 debug websso.3[12389]: 014d0001:7: http header *[:method][GET] (len=3)
May 20 12:06:02 loadb01 debug websso.3[12389]: 014d0001:7: http header *[:uri][/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fxyz.gvb.nl%2fowa%2f] (len=79)
May 20 12:06:02 loadb01 debug websso.3[12389]: 014d0001:7: http header *[:version][HTTP/1.0] (len=8)
May 20 12:06:02 loadb01 debug websso.3[12389]: 014d0001:7: http header *[:custommeta][Z] (len=314)
May 20 12:06:02 loadb01 debug websso.3[12389]: 014d0001:7: http header *[Host][xyz.gvb.nl] (len=14)
May 20 12:06:02 loadb01 debug websso.3[12389]: 014d0001:7: http header *[session-key][*******] (len=32)
May 20 12:06:02 loadb01 debug websso.3[12389]: 014d0001:7: http header *[Cookie][PBack=0; BIGipServerexch_owa_pool_lan=rd2o00000000000000000000ffff0a770065o80; OutlookSession=26cf7096b06645b78d98e98f2ca4a7ac] (len=126)
May 20 12:06:02 loadb01 debug websso.3[12389]: 014d0001:7: http header [Referer][https://webmail.xyz.nl/owa/auth/logon.aspx?url=https://webmail.xyz.nl/owa/&reason=0] (len=83)
May 20 12:06:02 loadb01 debug websso.3[12389]: 014d0001:7: init webssoConfig from data: 0x89985a4, len: 314
May 20 12:06:02 loadb01 debug websso.3[12389]: 014d0001:7: different sso config object received, name: /Common/ntlm_sso, method: 4
May 20 12:06:02 loadb01 debug websso.3[12389]: 014d0001:7: ssoMethod: ntlmv2 usernameSource: session.sso.token.last.username passwordSource: session.sso.token.last.password ntlmdomain: XXXXXX

Could someone point me in the right direction for my OWA SSO configuration?

Thanks,

Kees

 

9 Replies

  • kunjan

    I am trying to setup form based authentication with OWA 2010

    .... different sso config object received, name: /Common/ntlm_sso, method: 4

    It seems like you have attached NTLM SSO instead of form-based SSO. You can verify with:

    tmsh list apm sso form-basedv2

  • The default SSO profile for this policy is NTLM, but I have configured an OWA form-based SSO profile and it is attached to the OWA resource items.

  • kunjan

    May 20 12:06:02 loadb01 debug websso.3[12389]: 014d0001:7: http header *[:uri][/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fxyz.gvb.nl%2fowa%2f] (len=79)

    Here it doesn't match the start URI - /owa/auth/logon.aspx?url=https://webmail.xyz.nl/owa/&reason=0

    See the request before this for how SSO responds.

    Also, does the SSO applied for the portal match the following:

            host webmail.xyz.nl
            order 2
            paths /owa/auth/logon.aspx*
            port https
            scheme https
            sso " "
            subnet 0.0.0.0/0
    

    If possible, provide tmsh list apm sso form-based and tmsh list apm resource portal-access

  • kunjan

    Somehow the formatting above got screwed up.

    May 20 12:06:02 loadb01 debug websso.3[12389]: 014d0001:7: http header *[:uri][/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fxyz.gvb.nl%2fowa%2f] (len=79)

    Here it doesn't match the start URI - /owa/auth/logon.aspx?url=https://webmail.xyz.nl/owa/&reason=0

    See the request before this for how SSO responds.

    Also, does the SSO applied for the portal match the following:

    host webmail.xyz.nl
    order 2
    paths /owa/auth/logon.aspx*
    port https
    scheme https
    sso "SSO Name"
    subnet 0.0.0.0/0
    

    If possible, provide tmsh list apm sso form-based and tmsh list apm resource portal-access

  • tmsh list apm sso form-based
    apm sso form-based owa-sso-test {
        form-action /owa/auth/logon.aspx\?replaceCurrent=1&url=https%3a%2f%2fwebmail.xxx.nl%2fowa%2f
        form-field "destination https://webmail.xxx.nl/owa/
    flags 0
    forcedownlevel  0
    isUtf8 1
    trusted 4"
        form-password password
        form-username username
        start-uri /owa/auth/logon.aspx\?replaceCurrent=1&url=https%3a%2f%2fwebmail.xxx.nl%2fowa%2f
    }
    

    And

    
    config  tmsh list apm resource portal-access webmail-test
    apm resource portal-access webmail-test {
        acl-order 15
        application-uri https://webmail.xxx.nl/owa
        customization-group webmail-test_resource_web_app_customization
        items {
            item {
                home-tab false
                host webmail.xxx.nl
                order 1
                paths /owa/attachment.ashx*
                port https
                scheme https
                sso owa-sso-test
                subnet 0.0.0.0/0
            }
            item1 {
                host webmail.xxx.nl
                order 2
                paths /owa/auth/logon.aspx*
                port https
                scheme https
                sso owa-sso-test
                subnet 0.0.0.0/0
            }
            item2 {
                host webmail.xxx.nl
                order 3
                paths /*
                port https
                scheme https
                sso owa-sso-test
                subnet 0.0.0.0/0
            }
        }
        publish-on-webtop true
        scheme-patching true
    }
    
  • kunjan

    This is working for me; you can try this:

    apm sso form-based owa-sso-test {
        form-action /owa/auth/owaauth.dll
        form-field "destination https://webmail.xxx.nl/owa/
    flags 0
    forcedownlevel  0
    isUtf8 1
    trusted 0"
        form-password password
        form-username username
        start-uri /owa/auth/logon.aspx\?url=https://webmail.xxx.nl/owa/&reason=0
        success-match-type cookie
        success-match-value *OutlookSession*
    }
    
  • kunjan,

    I have found out why it didn't work.

    I was testing this on a test webmail portal access. But on the live webmail portal access an ntlmv2 SSO configuration was applied (different sso config object received, name: /Common/ntlm_sso, method: 4). That's why it didn't match. After removing it and applying the form-based SSO to it, it did.

    Thanks for your help, it pointed me in the right direction (the form-based SSO profile was also wrong; I was redirected from /owa to another URI).
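A small troubleshooting helper, added here as an example (not code from the thread or from F5): it parses the websso debug lines quoted above, compares the logged :uri against a tmsh start-uri value (with the `\?` escaping stripped), and applies the `*OutlookSession*` glob from success-match-value to the Cookie header. The literal-match model of start-uri is an assumption for illustration; the sample log lines are the ones quoted in the thread.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample input: the two websso debug lines from the thread that matter
# for start-uri matching and for the cookie-based success check.
SAMPLE_LOG = """\
May 20 12:06:02 loadb01 debug websso.3[12389]: 014d0001:7: http header *[:uri][/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fxyz.gvb.nl%2fowa%2f] (len=79)
May 20 12:06:02 loadb01 debug websso.3[12389]: 014d0001:7: http header *[Cookie][PBack=0; BIGipServerexch_owa_pool_lan=rd2o00000000000000000000ffff0a770065o80; OutlookSession=26cf7096b06645b78d98e98f2ca4a7ac] (len=126)
"""

# websso prints each request header as "http header *[Name][value] (len=N)";
# the leading '*' is absent on some lines (e.g. Referer), so it is optional here.
HEADER_RE = re.compile(r"http header \*?\[(?P<name>[^\]]+)\]\[(?P<value>.*)\] \(len=\d+\)$")


def parse_websso_headers(log_text):
    """Return {header_name: value} for every 'http header' debug line found."""
    headers = {}
    for line in log_text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            headers[m.group("name")] = m.group("value")
    return headers


def tmsh_unescape(value):
    """tmsh shows '?' in a URI as '\\?'; strip that so it compares with the raw request."""
    return value.replace("\\?", "?")


def start_uri_matches(request_uri, start_uri):
    """Assumption: model the start-uri check as a literal comparison of the full
    request URI (path plus query) against the configured value."""
    return request_uri == tmsh_unescape(start_uri)


def success_cookie_present(cookie_header, success_match_value):
    """Apply the success-match-value glob to each 'name=value' pair in the Cookie header."""
    pairs = [c.strip() for c in cookie_header.split(";") if c.strip()]
    return any(fnmatchcase(pair, success_match_value) for pair in pairs)


if __name__ == "__main__":
    hdrs = parse_websso_headers(SAMPLE_LOG)
    print("start-uri match:", start_uri_matches(
        hdrs[":uri"], "/owa/auth/logon.aspx\\?url=https://xyz.gvb.nl/owa/&reason=0"))
    print("OutlookSession cookie seen:", success_cookie_present(hdrs["Cookie"], "*OutlookSession*"))
```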