Environment
Novell iChain 2.3
Novell Access Manager 3.0
Microsoft Outlook Web Access (OWA) 2003 Web server
Authentication enabled
Users successfully authenticate
Single sign on to OWA successful
Everything works with Firefox
Situation
OWA quickview window displays login page with Internet Explorer
Cannot view OWA email contents going through iChain or Access Manager with IE
OWA users prompted to authenticate when selecting an email in IE from user's Inbox
Authentication page presented when right clicking an email and selecting OPEN with IE
Resolution
There are two known methods of resolving this problem.
- Set the BrowseNewProcess registry setting to NO. This setting is located in "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess". With the default (YES), IE does not share cookies between IE sessions. If that value is changed, you will most likely not be asked to reauthenticate when accessing the Web resource from a new browser session, assuming that the idle session timeout has not expired.
- Create an additional Protected Resource that does not require authentication for the "/exchweb/*" path. In iChain this is done on the ISO by creating an additional Protected Resource of type Public. In Access Manager this is done by creating a new Protected Resource with no specified authentication Contract.
Note: As an alternative, it is possible to create a Public Protected Resource for the path "/exchweb/6.5.7226.0/controls/blank.htm". However, as the second portion of the path relates to the version of OWA, this PR path would likely need to change each time an update is applied to the server.
Additional Information
The reason we need to set this is that the OWA application sends back a page with frames. Looking at the following content, which is part of the response to the following GET request (GET /Exchange/mif/Indbakke/TEST%202.EML?cmd=preview HTTP/1.1):
The security attribute (security="restricted") indicates that the user's security settings should be applied to the source file of the frame ("/exchweb/6.5.7226.0/controls/blank.htm"). When this was done, in this particular environment, the result was that the actual GET request for this frame did not include the iChain authentication cookie, even though the user has already authenticated to iChain for this domain and path, as shown:
GET /exchweb/6.5.7226.0/controls/blank.htm HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Referer: https://webmail.novell.com/Exchange/mif/ncashell/TEST%202.EML?cmd=preview
Accept-Language: da
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: webmail.novell.com
Connection: Keep-Alive
NovINet: v1.2
This request carries no IPCZQX01 (iChain authentication) cookie, although the previous request in this session had one, because the iFrame tag above caused it to behave as an independent session and not inherit the attributes of the other sessions on the box. Setting the above registry attribute would allow us to inherit the session info from open IE browsers.
GET /exchweb/6.5.7226.0/controls/style30.css HTTP/1.1
Accept: */*
Referer: https://webmail.novell.com/Exchange/mif/ncashell/TEST%202.EML?cmd=preview
Accept-Language: da
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: webmail.novell.com
Connection: Keep-Alive
Cookie: IPCZQX01ae4daf26=000000007e481900d31f9931
NovINet: v1.2
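A diagnostic sketch for the comparison above, added here as an example and not part of the original TID or any Novell tool: it scans a text capture of browser requests and lists the paths that arrived without the iChain authentication cookie. The sample capture is constructed from the two requests quoted above with most headers trimmed, and the function names are hypothetical.

```python
SESSION_COOKIE_PREFIX = "IPCZQX01"  # cookie name prefix from the article's capture

# Constructed sample: the article's two requests with most headers trimmed.
SAMPLE_CAPTURE = """\
GET /exchweb/6.5.7226.0/controls/blank.htm HTTP/1.1
Host: webmail.novell.com
NovINet: v1.2

GET /exchweb/6.5.7226.0/controls/style30.css HTTP/1.1
Host: webmail.novell.com
Cookie: IPCZQX01ae4daf26=000000007e481900d31f9931
NovINet: v1.2
"""

def parse_requests(capture):
    """Return (method, path, headers) per request; blank lines separate requests."""
    requests = []
    for block in capture.replace("\r\n", "\n").split("\n\n"):
        lines = [l for l in block.split("\n") if l.strip()]
        if not lines:
            continue
        parts = lines[0].split()
        if len(parts) != 3 or not parts[2].startswith("HTTP/"):
            continue  # block does not start with a request line
        headers, last = {}, None
        for line in lines[1:]:
            if line[0] in " \t" and last:  # folded continuation of previous header
                headers[last] += " " + line.strip()
            elif ":" in line:
                name, value = line.split(":", 1)
                last = name.strip().lower()
                headers[last] = value.strip()
        requests.append((parts[0], parts[1], headers))
    return requests

def cookie_names(headers):
    """Names of all cookies sent in the Cookie header (empty list if none)."""
    cookie = headers.get("cookie", "")
    return [c.split("=", 1)[0].strip() for c in cookie.split(";") if c.strip()]

def requests_missing_session(capture, prefix=SESSION_COOKIE_PREFIX):
    """Paths requested without any cookie whose name starts with the prefix."""
    return [path for _, path, headers in parse_requests(capture)
            if not any(n.startswith(prefix) for n in cookie_names(headers))]

if __name__ == "__main__":
    for path in requests_missing_session(SAMPLE_CAPTURE):
        print("no session cookie:", path)
```

Paths it reports are candidates for the Public Protected Resource described in the Resolution; anything it does not report can stay behind authentication.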
Formerly known as TID# 10099030