Securing Novell® GroupWise® with Citrix NetScaler AAA-TM

3:35 PM

When faced with the task of implementing authentication for Novell GroupWise WebAccess, the web-based email front end of Novell's groupware solution, it turns out that many others before me have already tried to implement form-based authentication for the web application with different products. Whatever product was used as the gateway, all attempts seem to have failed unless heavy customizations were involved.

As with other enterprise applications, protection features in the login form prevent intermediate authentication systems from logging in through form filling. The result is that the user, after logging in at the AAA-TM login page, is presented with the GroupWise login screen and must authenticate again.

The login form shown in the picture (pardon the German labels, please) contains the information you would normally extract and send to the backend using an AAA-TM form-fill policy after the user has successfully authenticated.

Novell GroupWise logon form

The login form contains the following information:

<input name="User.context" value="a5c32d270d13b40c05a7b23800bf226e99ace3" >
<input name="User.id" id="username" tabindex="1" type="text" value="" autocomplete="off" autocorrect="off" autocapitalize="off" class="text" maxlength=64 />
<input name="user.password" id="password" tabindex="2" type="password" autocomplete="off" autocorrect="off" autocapitalize="off" maxlength=32 class="text" />
<input type="submit" class="submitButton" name="loginButton" />

The problem here is the "User.context" value, which is not static and therefore cannot be supplied by the AAA module for GroupWise authentication. Because the value is required for a successful logon, the process fails and the user is prompted with the Novell logon page and has to authenticate a second time.

There is no simple solution to this problem, but after digging into the excellent documentation provided by Novell, an alternative approach provides the solution. With a single-line configuration change on the GroupWise system, it can be configured to accept HTTP authentication (HTTP 401 / Basic) when accessed by the configured gateways. Although this logic is intended for Novell Access Manager / LAG, it can be used with other gateway systems such as NetScaler. Details are described in Novell article 7010088 (http://www.novell.com/support/kb/doc.php?id=7010088). Essentially, on the WebAccess server the "Security.Authenticate.header" parameter in the webacc.cfg configuration file must be modified. By default it is disabled and must be activated by removing the pound sign. The following excerpt shows by example how to change it. The IP address (or host name) to set here is the source IP of the incoming connection to GroupWise. In a NetScaler environment that is usually a MIP or SNIP address.

#--------------------------
# Identifies which remote machines will be trusted for receiving
# header authentication. Multiple addresses can be on the line, separated
# by comma (can be a mixture of IP addresses or domain names).
#--------------------------
#Security.Authenticate.header=
Security.Authenticate.header=1.2.3.4

On the NetScaler, the AAA configuration is now very simple. No form-based authentication policy is required: when challenged for HTTP authentication, AAA-TM automatically sends the Base64-encoded credentials to the backend system.

add tm trafficAction tmAct_sso_NGW -appTimeout 180 -SSO ON -persistentCookie OFF -InitiateLogout OFF
add tm trafficPolicy tmPol_sso_NGW true tmAct_sso_NGW
bind lb vserver vSrv_NGW -policyName tmPol_sso_NGW -priority 100 -gotoPriorityExpression END -type REQUEST

The following is an excerpt of the HTTP communication between the NetScaler and GroupWise systems. When presented with the HTTP 401 by the Novell GroupWise WebAccess system, the NetScaler resends the request with the user credentials in the HTTP Authorization header.

GET /gw/webacc HTTP/1.1
Host: groupwise.example.com

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="NovellWebApplication"

GET /gw/webacc HTTP/1.1
Host: groupwise.example.com
Authorization: Basic ZnJlZGRlbW86ZnJlZDAz

With this configuration in place, users have single sign-on access to Novell GroupWise through NetScaler AAA.
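
A check for this setup, added here as an example (not code from the original post, Novell or Citrix): it reads webacc.cfg text and compares the Security.Authenticate.header trust list with the NetScaler source IPs you expect, and it decodes the Authorization header from the exchange above to show that the credentials cross the backend leg in recoverable form. The function names, the sample configuration and the extra entries 10.0.0.9 and gw-proxy.example.com are constructed for illustration.

```python
import base64
import ipaddress

KEY = "Security.Authenticate.header"
# Constructed sample: 1.2.3.4 is the post's example; the other entries are made up.
SAMPLE_CFG = """\
#Security.Authenticate.header=
Security.Authenticate.header=1.2.3.4, 10.0.0.9, gw-proxy.example.com
"""

def trusted_sources(cfg_text):
    """Entries of the active (uncommented) setting, or None if it is disabled."""
    entries = None
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented-out lines do not enable header authentication
        name, sep, value = line.partition("=")
        if sep and name.strip() == KEY:
            entries = [v.strip() for v in value.split(",") if v.strip()]
    return entries

def audit(cfg_text, gateway_ips):
    """Compare the trust list with the expected gateway source IPs (SNIP/MIP)."""
    entries = trusted_sources(cfg_text)
    if entries is None:
        return ["header authentication is disabled (line commented out)"]
    expected = {ipaddress.ip_address(ip) for ip in gateway_ips}
    findings, seen = [], set()
    for entry in entries:
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            findings.append(f"{entry}: host name entry, review manually")
            continue
        seen.add(addr)
        if addr not in expected:
            findings.append(f"{entry}: trusted but not a known gateway source IP")
    for addr in sorted(expected - seen, key=str):
        findings.append(f"{addr}: gateway source IP missing from trust list")
    return findings

def decode_basic(header_value):
    """Split 'Basic <base64>' into (user, password); Base64 is not encryption."""
    scheme, _, blob = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(blob).decode().partition(":")
    return user, password
```

An empty result from `audit` means the trust list contains exactly the expected gateway addresses; anything else is a line to review before relying on header authentication.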
