How to Accelerate and Single Sign-On to GroupWise 6.5 WebAccess Server with iChain 2.3
Novell Cool Solutions: Tip
Posted: 8 Apr 2004
Novell Technical Support: 10092298
This TID outlines the configuration steps to accelerate GroupWise WebAccess services through iChain 2.3. It also includes the URLs required to access the services, implementation changes from iChain 2.2 to 2.3, sample formfill scripts, and a list of known issues with workarounds where they exist.
Users access their WebAccess mailbox at a URL similar to http(s)://<DNSNameOfServer>/servlet/webacc.
Accelerator configuration notes:
GroupWise Webaccess uses path names beginning with both /servlet and /com. To use pbmh accelerators with GroupWise WebAccess using default settings, two separate accelerators could be used to handle each path, or the new feature in iChain 2.3 that allows a single accelerator to handle multiple sub-path match strings could be used. For example, in the accelerator's Multi-Homing Options page, radio button Path-based multi-homing would be enabled, Sub-path match string set to /servlet, and option Remove sub-path from URL not enabled. File sys:/etc/proxy/rewriter.cfg would contain the following entry:
[Alias Host Names]
gwise=/com
- where gwise is the name of the accelerator
- where /com is the additional sub-path match string used by WebAccess
Additional SSO notes:
GroupWise WebAccess can now process a username and password in the http Authorization header. The header can be populated with an LDAP formatted name by enabling the accelerator option Forward authentication information to web server or by using OLAC to push the user's common name (ICHAIN_UID/ldap/uid) or other attribute.
To enable GroupWise WebAccess to process the http Authorization header, it must be configured to Trust iChain. The basic steps to add iChain as a Trusted Application are below:
- In ConsoleOne, under the GroupWise domain object, double-click the GroupWise WebAccess object
- On the Application tab, select Security from the drop-down list
- Under the single sign-on field, add the primary IP address of the iChain server
Note that iChain 2.2 and 2.3 differ in the way a Basic Authorization header received from a browser is handled. This change affects the use of a Basic authentication enabled profile for use with SSO to WebAccess:
In iChain 2.2 with an accelerator configured to use an LDAP authentication profile that has options Allow authentication through HTTP authorization header and Use basic/proxy authentication enabled, the Authorization header that is used for iChain authentication was also passed to the web server. This could provide a means of Single Sign On to Webaccess.
In iChain 2.3, the Authorization header used for proxy authentication is NOT passed to the web server. However, if the web application then returns a 401 Unauthorized packet requesting user credentials from the browser, credentials entered by the user in the browser login pop-up dialog will then be passed to the web server. SSO to WebAccess no longer works with this configuration. Use either the Forward authentication information to web server option to send the user's LDAP credentials, or also enable OLAC and configure it with the appropriate parameters to be passed to WebAccess.
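The trust rule described in these SSO notes can be checked against a captured request with a short script. The following is an added example, not Novell or WebAccess code: it models "honor the Authorization header only when the request comes from the trusted iChain address" and reports whether the forwarded name is LDAP formatted or a bare common name. The address 10.0.0.5, the sample credentials and all function names are assumptions constructed for illustration.

```python
import base64
import binascii
import ipaddress
import re

# Assumption: constructed address standing in for the iChain IP entered in
# the WebAccess single sign-on field.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


def basic_header(user, password):
    """Build a constructed sample Basic Authorization header value."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def parse_basic(header):
    """Return (user, password) from a Basic header, or None if unusable."""
    scheme, _, blob = (header or "").strip().partition(" ")
    if scheme.lower() != "basic" or not blob.strip():
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Split on the first colon only: the password may contain colons.
    user, sep, password = decoded.partition(":")
    return (user, password) if sep and user else None


def name_format(user):
    """'ldap_dn' if the name starts with attribute=value, else 'common_name'."""
    return "ldap_dn" if re.match(r"\s*[A-Za-z][\w-]*\s*=", user) else "common_name"


def evaluate(peer_ip, header):
    """Model the trust rule for one request; the password is never returned."""
    creds = parse_basic(header)
    if creds is None:
        return {"decision": "login_form", "reason": "no usable Basic header"}
    if ipaddress.ip_address(peer_ip) not in TRUSTED_PROXIES:
        # Header ignored: only the trusted proxy address may assert identity.
        return {"decision": "login_form", "reason": "peer is not trusted"}
    user, _ = creds
    return {"decision": "sso", "user": user, "format": name_format(user)}


if __name__ == "__main__":
    hdr = basic_header("cn=jdoe,o=novell", "pa:ss")  # constructed sample
    print(evaluate("10.0.0.5", hdr))
    print(evaluate("192.0.2.77", hdr))
```

Because the back end accepts identity from whatever sits at the trusted address, the web server should be reachable only through the iChain accelerator.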
Form Fill script examples:
<urlPolicy>
  <name>Groupwise-Language-Selection</name>
  <url>1300e.gwise.novell.com/*</url>
  <formCriteria>
    <title>Novell Web Services</title>
  </formCriteria>
  <actions>
    <fill>
      <select name="User.lang" type="listbox" value="~">
    </fill>
    <maskedPost/>
  </actions>
</urlPolicy>

<urlPolicy>
  <name>GroupWiseWebAccessLoginFailure</name>
  <url>1300e.gwise.novell.com/servlet/webacc</url>
  <formCriteria>
    <TITLE>Novell WebAccess</TITLE>
    Please login again. You may have typed your name or password incorrectly.
    loginForm
  </formCriteria>
  <actions>
    <deleteRemembered>gwise</deleteRemembered>
    <redirect>1300e.gwise.novell.com/servlet/webacc</redirect>
  </actions>
</urlPolicy>

<urlPolicy>
  <name>gwise</name>
  <url>1300e.gwise.novell.com/servlet/webacc</url>
  <formCriteria>
    <TITLE>Novell WebAccess</TITLE>
    loginForm
  </formCriteria>
  <actions>
    <fill>
      <INPUT NAME="User.id" value="~">
      <INPUT NAME="User.password" value="~">
    </fill>
    <maskedPost/>
  </actions>
</urlPolicy>
Known issues and workarounds:
Users with IE browsers may be unable to Open or Save email attachments if Secure Exchange is enabled and GroupWise WebAccess is configured to NOT allow caching. This is a general issue with IE and is covered in TID10075939. To allow caching so that this problem does not occur, use ConsoleOne and go to properties on the GroupWise WebAccess object (a child of the Domain object, NOT using the GroupWise view). On the Application tab, select Security in the drop-down list. Uncheck the Disable Caching option for each template in use for which caching is to be allowed.
A SecureLogin script for WebAccess through iChain gets recorded without /servlet/webacc in the path. The script can be fixed manually, or a proper script can be distributed by the Administrator. To correct an improperly recorded script, comment out the type $Optional line from the script so that it ignores the destination field.
A .gif file is missing on the GroupWise WebAccess Monitor Help pages through iChain path-based multi-homing.