How to accelerate and single sign on (SSO) to a GroupWise 6.5 WebAccess server with iChain 2.3

(Last modified: 28Sep2004)

This document (10092298) is provided subject to the disclaimer at the end of this document.

goal

How to accelerate and single sign on (SSO) to a GroupWise 6.5 WebAccess server with iChain 2.3

fact

GroupWise 6.5

Web Access services enabled

iChain 2.3

FormFill enabled

Single Sign On to WebAccess server required

fix

The following document outlines the configuration steps to accelerate GroupWise WebAccess services through iChain 2.3 using path-based multi-homing. If path-based multi-homing is NOT required, just set up a standard accelerator for the GroupWise WebAccess server.

The path-based configuration below also includes the URLs required to access the services, implementation changes from iChain 2.2 to 2.3, sample Form Fill scripts, and a list of known issues with workarounds where they exist.

Access URLs:

Users access their WebAccess mailbox through a URL similar to “http(s)://<DNSNameOf Server>/servlet/webacc”.

 

Accelerator configuration notes:

 

GroupWise WebAccess uses path names beginning with both “/servlet” and “/com”. To use path-based multi-homing (PBMH) accelerators with GroupWise WebAccess using default settings, either use two separate accelerators, one per path, or use the new iChain 2.3 feature that allows a single accelerator to handle multiple sub-path match strings. For example, on the accelerator’s “Multi-Homing Options” page, enable the “Path-based multi-homing” radio button, set “Sub-path match string” to “/servlet”, and leave the “Remove sub-path from URL” option disabled. The file sys:/etc/proxy/rewriter.cfg would then contain the following entry:

 

[Alias Host Names]

gwise=/com

 

-where “gwise” is the name of the accelerator

-where /com is the additional sub-path match string used by WebAccess

 

Additional SSO notes:

 

GroupWise WebAccess can now process a username and password in the HTTP Authorization header. The header can be populated with an LDAP formatted name by enabling the accelerator option “Forward authentication information to web server” or by using OLAC to push the user’s common name (ICHAIN_UID/ldap/uid) or other attribute.

 

To enable GroupWise WebAccess to process the HTTP Authorization header, it must be configured to “Trust” iChain. The basic steps to add iChain as a Trusted Application are:

· In ConsoleOne, under the GroupWise domain object, double-click the GroupWise WebAccess object
· On the Application tab, select Security from the drop-down list
· Under the “single sign-on” field, add the primary IP address of the iChain server

 

Note that iChain 2.2 and 2.3 differ in the way a Basic Authorization header received from a browser is handled. This change affects the use of a Basic authentication enabled profile for use with SSO to WebAccess:

 

In iChain 2.2, with an accelerator configured to use an LDAP authentication profile that has the options “Allow authentication through HTTP authorization header” and “Use basic/proxy authentication” enabled, the Authorization header used for iChain authentication was also passed to the web server. This could provide a means of Single Sign On to WebAccess.

 

In iChain 2.3, the Authorization header used for proxy authentication is NOT passed to the web server. However, if the web application then returns a 401 Unauthorized response requesting user credentials from the browser, the credentials entered by the user in the browser login pop-up dialog are then passed to the web server. SSO to WebAccess no longer works with this configuration. Instead, either use the “Forward authentication information to web server” option to send the user’s LDAP credentials, or also enable OLAC and configure it with the appropriate parameters to be passed to WebAccess.

 

Form Fill script examples:

<urlPolicy>
    <name>Groupwise-Language-Selection</name>
    <url>1300e.gwise.novell.com/*</url>
    <formCriteria>
        <title>Novell Web Services</title>
    </formCriteria>
    <actions>
        <fill>
            <select name="User.lang" type="listbox" value="~">
        </fill>
        <maskedPost/>
    </actions>
</urlPolicy>

 

<urlPolicy>
    <name>GroupWiseWebAccessLoginFailure</name>
    <url>1300e.gwise.novell.com/servlet/webacc</url>
    <formCriteria>
        <TITLE>Novell WebAccess</TITLE>
        Please login again. You may have typed your name or password incorrectly.
        loginForm
    </formCriteria>
    <actions>
        <deleteRemembered>gwise</deleteRemembered>
        <redirect>1300e.gwise.novell.com/servlet/webacc</redirect>
    </actions>
</urlPolicy>

 

<urlPolicy>
    <name>gwise</name>
    <url>1300e.gwise.novell.com/servlet/webacc</url>
    <formCriteria>
        <TITLE>Novell WebAccess</TITLE>
        loginForm
    </formCriteria>
    <actions>
        <fill>
            <INPUT NAME="User.id" value="~">
            <INPUT NAME="User.password" value="~">
        </fill>
        <maskedPost/>
    </actions>
</urlPolicy>
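
The two /servlet/webacc policies above share a URL, and the login failure page also satisfies every criterion of the plain login policy, so the order of the two matters. The following is an added example (not part of the original TID and not Novell code) that checks a script for a policy that an earlier one would shadow. It assumes iChain selects the first policy whose URL and form criteria all match, which this page does not state; the function names are hypothetical and the actions blocks are omitted from the sample.

```python
import re

# Constructed sample: the two /servlet/webacc policies from this page, in page order.
SCRIPT = """
<urlPolicy>
<name>GroupWiseWebAccessLoginFailure</name>
<url>1300e.gwise.novell.com/servlet/webacc</url>
<formCriteria>
<TITLE>Novell WebAccess</TITLE>
Please login again. You may have typed your name or password incorrectly.
loginForm
</formCriteria>
</urlPolicy>
<urlPolicy>
<name>gwise</name>
<url>1300e.gwise.novell.com/servlet/webacc</url>
<formCriteria>
<TITLE>Novell WebAccess</TITLE>
loginForm
</formCriteria>
</urlPolicy>
"""

def parse_policies(script):
    """Return [(name, url, criteria)] in script order; regex parse, the format is not strict XML."""
    policies = []
    for block in re.findall(r"<urlPolicy>(.*?)</urlPolicy>", script, re.S | re.I):
        name = re.search(r"<name>(.*?)</name>", block, re.S | re.I).group(1).strip()
        url = re.search(r"<url>(.*?)</url>", block, re.S | re.I).group(1).strip()
        crit = re.search(r"<formCriteria>(.*?)</formCriteria>", block, re.S | re.I)
        lines = crit.group(1).splitlines() if crit else []
        policies.append((name, url, frozenset(l.strip().lower() for l in lines if l.strip())))
    return policies

def shadowed(policies):
    """Pairs (earlier, later) with the same URL where every criterion of `earlier` is also
    in `later`: under the first-match assumption, `later` can never be selected."""
    hits = []
    for i, (n1, u1, c1) in enumerate(policies):
        for n2, u2, c2 in policies[i + 1:]:
            if u1 == u2 and c1 <= c2:
                hits.append((n1, n2))
    return hits

if __name__ == "__main__":
    policies = parse_policies(SCRIPT)
    print("page order:", shadowed(policies))
    print("reversed  :", shadowed(list(reversed(policies))))
```

In page order nothing is shadowed; with the order reversed, the login policy would also match the failure page, so the deleteRemembered action that clears the stored credentials would never run.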

 

Miscellaneous Information:

 

Users with IE browsers may be unable to Open or Save email attachments if Secure Exchange is enabled and GroupWise Webaccess is configured to NOT allow caching. This is a general issue with IE and is covered in TID10075939. To allow caching so that this problem does not occur, use ConsoleOne and go to properties on the GroupWise Webaccess object (a child of the Domain object, NOT using the GroupWise view). On the Application tab, select Security in the drop-down list. Uncheck the Disable Caching option for each template in use for which caching is to be allowed.

 

Known Issues:

 

The SecureLogin script for WebAccess through iChain is recorded without /servlet/webacc in the path. The script can be fixed manually, or a proper script can be distributed by the Administrator. To correct an improperly recorded script, comment out the type $Optional line in the script so that it ignores the destination field.

 

A .gif file is missing on GroupWise WebAccess Monitor Help pages through iChain path-based multi-homing.

disclaimer

The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.

  • Document ID: 10092298
  • Solution ID: NOVL96385
  • Creation Date: 05Apr2004
  • Modified Date: 28Sep2004
    • NetIQiChain
