Follow

I am unable to access the Options menu in OWA after configuring SSO

Issue

After configuring OWA with AuthAnvil Single Sign On, users cannot access the Options menu to change their password or set automatic replies. Instead, it redirects the user to an OWA login.

 

Cause

In Outlook Web, there are 2 portals. The /OWA portal is the primary mail portal where most of your tasks are done. The Options menu (Change Password, Set Automatic Replies, Create an Inbox Rule) is a separate portal called the Exchange Control Panel (ECP). If you are able to log into OWA using AuthAnvil SSO but you cannot access the Options, there is a configuration issue with the ECP web.config file.

 

Resolution

Update ECP (Requires SSO v4.1 or higher)

The Exchange Control Panel (ECP) is the section of Outlook Web that manages user details such as changing a password, setting an Inbox rule, or configuring automatic replies. This panel requires an additional configuration change which is almost identical to the /owa/web.config in Step 5, but this configuration file has a different use so do not copy the owa/web.config into the ecp/web.config folder.

    1. Run notepad elevated (Run as Administrator) and open C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\ecp\Web.config
    2. At the top of the file, after <configuration> add the following lines:

      <!-- SSO -->
      <configSections>
      <section name="microsoft.identityModel" type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
      </configSections>
      <!-- /SSO -->

    3. Find the <modules> tag and update it to reflect <modules runAllManagedModulesForAllRequests="true">
    4. Inside the <modules> section, after the <remove name="ServiceModel" /> line and immediately before <add name="PerformanceConsoleModule" />, add the following lines:

      <!-- SSO -->
      <add name="WSFederationAuthenticationModule" type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" />

      <add name="SessionAuthenticationModule" type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" />
      <!-- /SSO -->

    5. Get the certificate “Thumbprint” from the AuthAnvil SSO signing certificate in the Outlook Web application. Download the certificate from the Outlook Web application in AuthAnvil Single Sign On. Open the certificate, click on the Details tab, scroll to the bottom and look for the Thumbprint item. Copy out this value, removing all spaces and changing all letters to UPPERCASE. A simple way to do this is to open a Powershell window and execute the following command:
      "<paste thumbprint here>".ToUpper().Replace(" ", "")

      If the result has a ? in front of it, remove it. You will need this uppercase Thumbprint value for the next step.
    6. Add the following lines right after </runtime> (near the end of the file). Note that the values in red must be entered to match your OWA and AuthAnvil SSO server configuration:

      <!-- SSO -->
      <microsoft.identityModel>
      <service>
      <audienceUris>
      <add value="https://<OWA FQDN>/owa/" />
      </audienceUris>
      <securityTokenHandlers>
      <add type="Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
      <samlSecurityTokenRequirement mapToWindows="true" useWindowsTokenService="true" />
      </add>
      </securityTokenHandlers>
      <federatedAuthentication>
      <wsFederation passiveRedirectEnabled="true" issuer="https://<SSO FQDN>/sso/federation/passive/wsfed" realm="https://<OWA FQDN>/owa/" reply="https://<OWA FQDN>/ecp/" requireHttps="true" />
      <cookieHandler requireSsl="true" />
      </federatedAuthentication>
      <applicationService>
      </applicationService>
      <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
      <trustedIssuers>
      <add thumbprint="A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6ABCD" name="uri:authanvil:sso:site1" />
      </trustedIssuers>
      </issuerNameRegistry>
      <certificateValidation certificateValidationMode="None" />
      </service>
      </microsoft.identityModel>
      <!-- /SSO -->

      (NOTE: “uri:authanvil:sso:site1″ represents the Token Issuer Name in the AuthAnvil Manager -> Single Sign On -> Server Settings)

    7. Save the file.

 


Updating the AuthAnvil Database to allow for access to /ecp/

  1. Open SQL Management Studio and connect into the AuthAnvil SQL instance
  2. Expand Databases > Anvil > Tables
  3. Right-click on SSO_ServiceProviderProperty and select “Edit Top 200 Rows” or “Open Table”
  4. There should be two “Outlook Web App” entries. Look for the one that has data in the “ProtocolConfiguration” column.
  5. In the “ProtocolConfiguration” column there should be some text similar to this:

    {
    "Properties":
    [
    {"Key":"WSFedProtocolVersion","Value":"WS 1.3"},
    {"Key":"SignatureAlgorithm","Value":"http:\/\/www.w3.org\/2001\/04\/xmldsig-more#rsa-sha256"},
    {"Key":"DigestAlgorithm","Value":"http:\/\/www.w3.org\/2001\/04\/xmlenc#sha256"}
    ]
    }

    (It will look a little bit different all on one line)

  6. First, copy it out into Notepad so you have a backup of the text. Next, we will add one more {Key,Value} pair into these Properties. Copy this with the comma:

    {"Key":"ReplyToOption","Value":"SameDomain"},

    Add that code immediately after:

    {"Properties":[

    and immediately before:

    {"Key":"WSFedProtocolVersion","Value":"WS 1.3"},

    The end result looks something like this when it's all crammed on one line:

    {"Properties":[{"Key":"ReplyToOption","Value":"SameDomain"},{"Key":"WSFedProtocolVersion","Value":"WS 1.3"},{"Key":"SignatureAlgorithm","Value":"http:\/\/www.w3.org\/2001\/04\/xmldsig-more#rsa-sha256"},{"Key":"DigestAlgorithm","Value":"http:\/\/www.w3.org\/2001\/04\/xmlenc#sha256"}]}

  7. Hit “Enter” to save the configuration, then let’s test it. You might want to run an IISreset on AuthAnvil and restart your browser, but it should just work once you refresh the page.


Update Exchange

  1. Open the Exchange Management Console.
  2. Under Server Configuration -> Client Access, open the owa configuration under the “Outlook Web App” tab.
  3. In the Authentication tab and make sure “Use forms-based authentication” is not checked. Select “Use one or more standard authentication methods:” and leave the checkboxes blank.
  4. Open up Internet Information Services (IIS) Manager.
  5. Expand the site where OWA is installed and click on the “owa” application.
  6. Double-click the Authentication icon and verify that Anonymous Authentication is set to Enabled


Verifying Functionality

Once the configuration is complete, you should test that everything is working as expected. Log into the SSO portal with a user that is authorized to access OWA and attempt to click on the “Outlook Web” application. You should automatically be redirected to your OWA inbox.

You can test the ECP menu by going into OWA and clicking Options > See All Options. If the Options portal loads with no errors or other authentication, both the OWA and ECP configurations are successful.

 

Affects

AuthAnvil SSO configuration with Outlook Web Access 2010

 

Questions?

If you have any questions or need some help, we would be happy to assist. Open a case at help.scorpionsoft.com or send an email to support@scorpionsoft.com.

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request

Comments

Powered by Zendesk