Solved: ASA WebVPN with SSO on Exchange OWA 2010

jmprats · ‎02-18-2011

Hi I was using WebVPN (clientless) with SSO on Exchange OWA 2003 and it was working fine with those SSO POST parameters:

URL: https://<mailserver>/exchweb/bin/auth/owaauth.dll

destination https://<mailserver>/exchange/
flags 0

username DOMAIN\CSCO_WEBVPN_USERNAME

password CSCO_WEBVPN_PASSWORD

SubmitCreds Log+On

forcedownlevel 0

trusted 0

Now, I'm trying to do the same with OWA 2010 and it doesn't work. I always receive an error about user credentials

For Exchange 2010, I use those parameters:

URL: https://<mailserver>/owa/auth.owa

destination https://<mailserver>/owa/
flags 0

username DOMAIN\CSCO_WEBVPN_USERNAME

password CSCO_WEBVPN_PASSWORD

SubmitCreds Log+On

forcedownlevel 0

trusted 0

Does anyone know how to fix?
Has anyone got it working?

Any help?

Thanks

alig.norbert · ‎03-04-2011

In this setup, I had to change it to HTTP (customer related). It works over HTTPS as well.

Get this tool http://www.fiddler2.com/fiddler2/.

URL: http://internal-mail-server-ip/owa/auth/owaauth.dll

post-parameter:

destination: http://internal-mail-server-ip/owa/

flags: 0

forcedownlevel: 0

trusted: 0

username: CSCO_WEBVPN_USERNAME

password: CSCO_WEBVPN_PASSWORD

isUtf8: 1

<![CDATA[webmail_sso]]>
post
yes
</span><a class="jive-link-external-small" href="http://internal-mail-server-ip/owa/auth/owaauth.dll">http://internal-mail-server-ip/owa/auth/owaauth.dll</a><span>
Single Sign On

no

http://internal-mail-server-ip/owa/
destination

0
flags

0
forcedownlevel

0
trusted

CSCO_WEBVPN_USERNAME
username

CSCO_WEBVPN_PASSWORD
password

1
isUtf8

Greets,

Norbert

Hope this help....please rate if helpful

View solution in original post

alig.norbert · ‎02-28-2011

Hi,

Have you tried "http capture"?

Here is my "Workaround" bookmark. I'll post the final bookmark (when I'm back in the office).....

http:///owa

destination: http:///owa/

flags: 0

forcedownloadlevel: 0

trusted: 0

username: CSCO_WEBVPN_USERNAME

password: CSCO_WEBVPN_PASSWORD

isUft8: 1

BUT, the weird think is, when I hit the bookmark, the OWA (2010) login screen appears.

After klicking (once) on the "sign in" button on the OWA login page, go back to the WebVPN portal and click a second time on the bookmark the

access to the mailbox account is granted.

The same with the post-plugin.

Greets,

Norbert

jmprats · ‎03-04-2011

it doesn't work for me. Incorrect credentials

http capture? how can i do that? does it works with https?

thanks

alig.norbert · ‎03-04-2011

In this setup, I had to change it to HTTP (customer related). It works over HTTPS as well.

Get this tool http://www.fiddler2.com/fiddler2/.

URL: http://internal-mail-server-ip/owa/auth/owaauth.dll

post-parameter:

destination: http://internal-mail-server-ip/owa/

flags: 0

forcedownlevel: 0

trusted: 0

username: CSCO_WEBVPN_USERNAME

password: CSCO_WEBVPN_PASSWORD

isUtf8: 1

<![CDATA[webmail_sso]]>
post
yes
</span><a class="jive-link-external-small" href="http://internal-mail-server-ip/owa/auth/owaauth.dll">http://internal-mail-server-ip/owa/auth/owaauth.dll</a><span>
Single Sign On

no

http://internal-mail-server-ip/owa/
destination

0
flags

0
forcedownlevel

0
trusted

CSCO_WEBVPN_USERNAME
username

CSCO_WEBVPN_PASSWORD
password

1
isUtf8

Greets,

Norbert

Hope this help....please rate if helpful

jmprats · ‎03-07-2011

Great!

This parameters works for me, too (and with https)

Thank you very much

netbin2009 · ‎10-28-2011

Hi!

Where can i set these parameter setting suggested? I´m using ASA5510 Version 8.4(1) and the post options i have in drop-down list is:

CSCO_WEBVPN_USERNAME

CSCO_WEBVPN_PASSWORD

Is this done via cli? If so how should i enter config mode for a specific bookmark and entry?

Regards,

Fredrik

alig.norbert · ‎10-28-2011

Hi there,

See

http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/ssl_vpn_deployment_guide/deploy.html#wp1002989

under chapter "Configuring Post Parameters for SSO with Outlook Web Access".

Edit Bookmark, Advanced Options...

HTH,

Norbert