How to run Form Fill with Microsoft Outlook Web App (OWA) 2010

  • 7006961
  • 30-Sep-2010
  • 26-Apr-2012

Environment

Novell Access Manager 3.1
Microsoft Outlook Webaccess 2010 (OWA)

Situation

  • A protected resource has been configured for users accessing the OWA service from the Internet.
  • Intranet users are accessing the OWA server directly, and the preferred login process has been configured to prompt for user credentials through an HTML login form.
  • For Single Sign On Novell Access Manager needs to run a Form Fill policy

Resolution

Create a Form Fill policy similar to the following one:

Do Form Login Failure
   Form Selection
      CGI  Matching Criteria:  reason=2
      Page Matching Criteria:
   Login Failure Processing
      Redirect to URL:
      (Checked) Clear Shared Secret Values From Policy:
      Policy: <name_of_your_policy>

And Form Fill
   Form Selection
      CGI Matching Criteria:
      Page Matching Criteria: <title>Outlook Web App</title>
      Form Name: logonForm
   Fill Options
      Input Field Name   Input Field Type   Input Field Value
      username           Text               <your_choice>
      password           Password           <your_choice>
   Submit Options
      (Checked) Auto Submit
      (Checked) Enable JavaScript Handling
      Functions to Keep:
         function clkLgn()
         function clkBsc()
         function clkRtry()
         function clkSec()
      Statements to Execute on Submit:
         document.cookie="PBack=0; path=/"

Additional Information

1) The standard login page for OWA references several JavaScript functions used to process the login form, including the generation of a cookie called "PBack", which is required for a successful login. These functions are included in a file called "flogon.js". The event handler for the submit event calls the function "clkLgn();", which should generate the required "PBack" cookie. However, this does not seem to complete successfully and the "PBack" cookie is not set, causing the login to fail.

For this reason the "PBack" cookie is manually set in the policy configuration.


2) A login failure reloads the login page with the CGI parameter "reason=2", which the Form Fill policy can use to match a login failure event. If this is not done, you may notice Form Fill causing loops in the login process.

PLEASE NOTE

The suggested way to have NAM perform SSO to OWA 2010 is not a Form Fill policy. Instead, set the OWA login process to use Basic Authentication (forcing SSL) and configure an Identity Injection policy to provide the user credentials in the basic authentication header.

The reason for this recommendation is that a Form Fill policy configured for a specific version of OWA 2010 is very likely to fail when a new patch or service pack is applied to the system, while injection in the basic authentication header should still work as expected even after system updates.
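
Because a patch can change the login page, the policy criteria above can be checked against a saved copy of the page after each OWA update. The following is an added example, not part of the original article and not Novell code: it approximates the policy's matching (login failure rule first, then title, form name and field names) and does not reproduce NAM's own matching engine. The function names, sample page and URL are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Criteria copied from the Form Fill policy on this page.
TITLE, FORM = "Outlook Web App", "logonForm"
FIELDS = {"username": "text", "password": "password"}

class LoginPage(HTMLParser):
    """Collects the page title and the inputs of each named form."""
    def __init__(self):
        super().__init__()
        self.title, self.forms = "", {}
        self._in_title, self._form = False, None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "form":
            self._form = self.forms.setdefault(a.get("name") or "", {})
        elif tag == "input" and self._form is not None and a.get("name"):
            self._form[a["name"]] = (a.get("type") or "text").lower()
    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
        elif tag == "form":
            self._form = None
    def handle_data(self, data):
        if self._in_title:
            self.title += data

def check_policy(url, html):
    """Return (action, problems) for one saved login-page response."""
    # Login Failure rule first: filling again on reason=2 would loop.
    if "2" in parse_qs(urlsplit(url).query).get("reason", []):
        return "login_failure", []
    page = LoginPage()
    page.feed(html)
    if page.title.strip() != TITLE:
        return "no_match", ["title is %r, expected %r" % (page.title.strip(), TITLE)]
    fields = page.forms.get(FORM)
    if fields is None:
        return "no_match", ["no form named %r" % FORM]
    problems = ["field %r missing or not type %r" % (n, t)
                for n, t in FIELDS.items() if fields.get(n) != t]
    return ("drift" if problems else "fill"), problems

# Constructed sample page and URL, not captured from a real OWA server.
SAMPLE = """<html><head><title>Outlook Web App</title></head><body>
<form name="logonForm" onsubmit="clkLgn()"><input name="username" type="text"/>
<input name="password" type="password"/></form></body></html>"""
```

A result of "drift" or "no_match" on the real login page after an update means the Form Fill policy needs to be reviewed before users hit failed or looping logins.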