60.4 Setting Up Impersonation for Outlook Web Application (OWA)

In a distributed Exchange/OWA single sign-on environment, each server needs Access Manager to impersonate the current user. When you enable Impersonation, you need to include additional HTTP headers in the "Response" tab of the Authorization Policy of your impersonation application domain.

The following solution has been tested in both standalone and distributed OWA environments.

  1. Install Access Manager 11g, as described in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.
  2. Install a 11g WebGate on all OWA client servers, as described in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.
  3. On the WebGate registration page of each WebGate on a back-end server, disable IP validation (IP Checking). The request reaches a back-end WebGate from the front-end server, not from the user's browser, so the client address in the request never matches the address recorded in the user's session and validation would reject every request.
  4. Ensure that OWA is not using Integrated Windows Authentication, as described in "Prerequisites to Setting Impersonation for Outlook Web Application".
  5. Create a trusted user account for only impersonation in the Active Directory, as described in "Creating a Trusted User Account for Outlook Web Application".
  6. Give the trusted user the special right to act as part of the operating system, as described in "Assigning Rights to the Outlook Web Application Trusted User".
  7. Bind the trusted user to the WebGate by supplying the authentication credentials for the trusted user, as described in "Binding the Trusted Outlook Web Application User to Your WebGate".
  8. Add a header variable named impersonate to the Authorization Policy Response tab (in the impersonation application domain), as described in "Adding an Impersonation Action to an Application Domain for Outlook Web Application".
  9. Configure IIS by adding IISImpersonationModule.dll to your IIS configuration, as described in "Adding an Impersonation dll to IIS".
  10. Test Impersonation, as described in "Testing Impersonation for Outlook Web Application".

60.4.1 Prerequisites to Setting Impersonation for Outlook Web Application

Before you proceed with impersonation setup for Outlook Web Application, ensure that OWA is not using Integrated Windows (or any other) Authentication.

If it is, use the following steps to disable Windows Authentication (and every other IIS authentication method) for OWA.

  1. Open Exchange Management console.
  2. Go to Server Configuration and click Client Access.
  3. Select Outlook Web Access and click Properties.
  4. In the Properties dialog box, click the Authentication tab.
  5. Clear (unselect) all the authentication methods.
  6. Click Apply, and click OK.
  7. Restart the IIS server.
  8. Proceed with "Creating a Trusted User Account for Outlook Web Application."

60.4.2 Creating a Trusted User Account for Outlook Web Application

The special user should not be used for anything other than impersonation. Oracle recommends that you choose a very complex password, because your trusted user is being given very powerful permissions.

Also, be sure to check the box marked Password Never Expires. The impersonation module should be the only entity that ever logs on with the trusted user account, so nobody would notice an expired password until impersonation silently stopped working.

To create a Trusted User Account for Outlook Web Application:

  1. On the Windows 2008 machine, select Start, Programs, Administrative Tools, Active Directory Users and Computers.
  2. In the Active Directory Users and Computers window, right-click Users on the tree in the left pane, then select New; User.
  3. In the First name field of the pane entitled New Object - User, enter an easy-to-remember name such as OWAImpersonator.
  4. Copy this same string to the User logon name field, then click Next.
  5. In the succeeding panels, choose a password, retype it to confirm, and select Password Never Expires.
  6. Proceed to "Assigning Rights to the Outlook Web Application Trusted User".

60.4.3 Assigning Rights to the Outlook Web Application Trusted User

You need to give the trusted user the right to act as part of the operating system.

To assign rights to the Outlook Web Application trusted user:

  1. Select Control Panel, Administrative Tools, and click either Domain Controller Security Policy (if the computer is a domain controller) or Local Security Policy.
  2. On the tree in the left pane, click the plus icon (+) next to Local Policies.
  3. Click User Rights Assignment on the tree in the left pane.
  4. Double-click "Act as part of the operating system" in the right pane.
  5. Click Add User or Group.
  6. In the Add User or Group panel, type the User logon name of the trusted user (OWAImpersonator in our example) in the User and group names text entry box, then click OK to register the change.
  7. Proceed to "Binding the Trusted Outlook Web Application User to Your WebGate."
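The two preceding procedures (creating the trusted account and granting it "Act as part of the operating system") can be scripted. The following PowerShell is an added example, not code from the original page or from Oracle: it assumes the ActiveDirectory module is installed, that the account name follows the page's OWAImpersonator example, and that it runs on a member server whose local security policy is not overridden by a GPO (on a domain controller, grant the right in the Domain Controller Security Policy instead, because secedit only edits local policy).

```powershell
# Added example (not from the original page): create the trusted impersonation
# account and grant it "Act as part of the operating system" (SeTcbPrivilege).
# Assumptions: ActiveDirectory module present; account name OWAImpersonator;
# member server whose local policy is not overridden by a GPO.
Import-Module ActiveDirectory

$SamAccountName = 'OWAImpersonator'

# A long random password: no human ever types it, it is only bound to the WebGate.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$PlainPassword  = [Convert]::ToBase64String($bytes)
$SecurePassword = ConvertTo-SecureString $PlainPassword -AsPlainText -Force

New-ADUser -Name $SamAccountName `
           -SamAccountName $SamAccountName `
           -UserPrincipalName "$SamAccountName@$((Get-ADDomain).DNSRoot)" `
           -AccountPassword $SecurePassword `
           -PasswordNeverExpires $true `
           -CannotChangePassword $true `
           -Enabled $true

# Needed once, for binding the trusted user to the WebGate; copy it into the
# WebGate registration page and then clear it from the console history.
Write-Host "WebGate bind password for ${SamAccountName}: $PlainPassword"

# --- Grant SeTcbPrivilege with secedit ----------------------------------------
$sid  = (Get-ADUser $SamAccountName).SID.Value
$work = Join-Path $env:TEMP 'owa-impersonation'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$inf  = Join-Path $work 'user-rights.inf'
$db   = Join-Path $work 'user-rights.sdb'

# Export the current user-rights assignments (UTF-16 .inf, [Privilege Rights] section).
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

$lines = [string[]](Get-Content $inf)
$idx = -1
for ($i = 0; $i -lt $lines.Length; $i++) {
    if ($lines[$i] -match '^SeTcbPrivilege\s*=') { $idx = $i; break }
}
if ($idx -ge 0) {
    # Keep existing holders and append the new SID (SIDs are written with a leading '*').
    $holders = @($lines[$idx].Split('=')[1].Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    if ($holders -notcontains "*$sid") { $holders += "*$sid" }
    $lines[$idx] = 'SeTcbPrivilege = ' + ($holders -join ',')
} else {
    # Nobody holds the right yet: create the line directly under the section header.
    $list = New-Object System.Collections.Generic.List[string]
    $list.AddRange($lines)
    $list.Insert($list.IndexOf('[Privilege Rights]') + 1, "SeTcbPrivilege = *$sid")
    $lines = $list.ToArray()
}
Set-Content -Path $inf -Value $lines -Encoding Unicode

# Apply the edited template to local policy, then re-export to verify.
secedit /configure /db $db /cfg $inf /areas USER_RIGHTS | Out-Null
$check = Join-Path $work 'verify.inf'
secedit /export /cfg $check /areas USER_RIGHTS | Out-Null
$pattern = '^SeTcbPrivilege\s*=.*\*' + [regex]::Escape($sid)
if (Select-String -Path $check -Pattern $pattern -Quiet) {
    Write-Host "SeTcbPrivilege granted to $SamAccountName"
} else {
    Write-Warning "SeTcbPrivilege not present after configure; check whether a GPO overrides local policy"
}
```

The account gets only this one right: it is not added to any group, and the re-export at the end is the check that the right actually took effect, which matters because a domain GPO silently wins over anything secedit writes locally.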

60.4.4 Binding the Trusted Outlook Web Application User to Your WebGate

You need to bind the trusted user to the WebGate by supplying the authentication credentials for the trusted user.

When the bind has been created for the WebGate and the trusted user, WebGate is ready to provide impersonation on demand. The demand is created by a Response set in the Authorization Policy of application domain created for impersonation.

The following procedure presumes that you have registered an 11g WebGate (ImpersonateAgent) with Access Manager. The values in the following procedure are provided as an example only. Your environment will be different.

  1. In the Oracle Access Management Console, click Application Security at the top of the window.
  2. In the Launch Pad tab, click Agents.
  3. Find the desired 11g WebGate registration to modify for this integration. For example: ImpersonateAgent.
    • To list all registered WebGates: set State to All, click Search, then click the desired WebGate name in the results list.

  4. On the WebGate registration page, enter the user name and password of the trusted user account that you created earlier.
  5. Click Apply to commit the changes.

    A bind has been created for the WebGate and the trusted user. The WebGate is now ready to provide impersonation on demand. The demand is created by a Response in the Authorization Policy of the application domain created for impersonation.

60.4.5 Adding an Impersonation Action to an Application Domain for Outlook Web Application

You must create or configure an application domain to protect your OWA resources (/owa and /ecp only).

Ensure that IISImpersonationModule.dll is enabled only on the "owa" and "ecp" applications in IIS 7.x and is removed from the site level: the module acts on the IMPERSONATE header, so it must run only for requests that the WebGate has already authorized. The Authorization Policy must set several HTTP header variables (Responses of type Header in the Authorization Policy).

This procedure presumes that you have an existing application domain for the 11g WebGate (ImpersonateAgent) you registered with Access Manager.

See Also:

The chapter on managing policies to protect resources and enable SSO in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.

  1. In the Oracle Access Management Console, click Application Security at the top of the window.
  2. Click Application Domains in the Access Manager section.
  3. Search for and open the OWA2010 Application Domain (the relevant application domain for impersonation).

    Navigate as follows:

    • Authorization Policies
      • Protected Resource Policy
        • Responses
  4. Click the Add button, then Add Response.

    Complete the form as follows:

    • From the Type list, choose Header.

    • In the Name field, type a unique name for this response. For example, IMPERSONATE.

    • In the Value field, type a value for this response. For example, $user.userid.

  5. Click Add, then click Apply to submit the changes.
  6. Go to the next section, "Adding an Impersonation DLL to IIS."

This Response is used for the second Webgate request (for authorization).

60.4.6 Adding an Impersonation dll to IIS

You are ready to configure IIS by adding the IISImpersonationModule.dll to your IIS configuration.

You also need to set Enable Anonymous Access because this is required for impersonation of a user.

  1. Select Start, Administrative Tools, Internet Information Services (IIS) Manager.
  2. In the left pane of IIS 7.x, click the hostname.
  3. In the middle pane, under the IIS header, double click on Modules.
  4. In the right pane, click Configure Native Modules and click Register.
  5. In the window, provide a module Name (for example, Oracle Impersonation Module).
  6. In the Path field, type the full path to IISImpersonationModule.dll.

    By default, the path is:

    Webgate_install_dir\webgate\iis\lib\IISImpersonationModule.dll
    

    Where Webgate_install_dir is the directory of your WebGate installation.

    Note:

    If any spaces exist in the path (for example, C:\Program Files\Oracle\...) surround the entire string with double quotes (" ").

  7. Click OK to register the module.
  8. Check the name of the newly created module and click OK. Registering the module makes it available server-wide; enable it only on the owa and ecp applications and make sure it is not enabled at the site level, as noted in "Adding an Impersonation Action to an Application Domain for Outlook Web Application".

60.4.7 Configuring IIS Security

Be sure to configure IIS Security before you continue. Figure 60-4 shows an example.

Figure 60-4 Impersonation Authentication

  1. Select Start, Administrative Tools, Internet Information Services (IIS) Manager.
  2. Click the plus icon (+) to the left of the local computer icon on the tree in the left pane.
  3. Click Web Sites on the tree in the left pane.
  4. In the center pane, double-click Authentication under IIS.
  5. Ensure that Anonymous Authentication is enabled and Windows Authentication is disabled.
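The module registration in "Adding an Impersonation dll to IIS" and the authentication settings above can be applied and verified together from PowerShell. This is an added example, not code from the original page or from Oracle; it assumes IIS 7.x with the WebAdministration module, that OWA and ECP are applications under "Default Web Site", and that $WebgateInstallDir points at your WebGate installation directory (the path shown is an assumption).

```powershell
# Added example (not from the original page): register IISImpersonationModule.dll,
# enable it only on the owa and ecp applications, keep it off at the server and
# site level, and set Anonymous on / Windows off for those applications.
# Assumptions: WebAdministration module (IIS 7.x), site "Default Web Site",
# $WebgateInstallDir is your WebGate installation directory.
Import-Module WebAdministration

$WebgateInstallDir = 'C:\Oracle\Middleware\Oracle_OAMWebGate1'   # assumption
$ModuleName = 'OracleImpersonationModule'
$Image      = Join-Path $WebgateInstallDir 'webgate\iis\lib\IISImpersonationModule.dll'
$Site       = 'Default Web Site'
$Apps       = @('owa', 'ecp')

if (-not (Test-Path $Image)) { throw "Module not found: $Image" }

# 1. Register the native module at the server level (Configure Native Modules > Register).
if (-not (Get-WebGlobalModule -Name $ModuleName)) {
    New-WebGlobalModule -Name $ModuleName -Image $Image
}

# 2. It must not run for every request on the server or the site, only where the
#    WebGate protects the resource; otherwise the IMPERSONATE header is acted on
#    for requests that never passed the WebGate.
Disable-WebGlobalModule -Name $ModuleName -ErrorAction SilentlyContinue
Disable-WebGlobalModule -Name $ModuleName -PSPath "IIS:\Sites\$Site" -ErrorAction SilentlyContinue

foreach ($app in $Apps) {
    Enable-WebGlobalModule -Name $ModuleName -PSPath "IIS:\Sites\$Site\$app"

    # 3. Impersonation needs Anonymous enabled and Windows authentication disabled.
    #    Writing with -Location works even when the section is locked in applicationHost.config.
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location "$Site/$app" `
        -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
        -Name 'enabled' -Value $true
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location "$Site/$app" `
        -Filter 'system.webServer/security/authentication/windowsAuthentication' `
        -Name 'enabled' -Value $false
}

iisreset | Out-Null

# 4. Verify: the module should be in each application's effective module list
#    but not in the site's, and the authentication settings should match.
$paths = @("IIS:\Sites\$Site") + ($Apps | ForEach-Object { "IIS:\Sites\$Site\$_" })
foreach ($p in $paths) {
    $present = Get-WebConfiguration -PSPath $p -Filter 'system.webServer/modules/add' |
               Where-Object { $_.name -eq $ModuleName }
    $anon = (Get-WebConfigurationProperty -PSPath $p `
              -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name enabled).Value
    $win  = (Get-WebConfigurationProperty -PSPath $p `
              -Filter 'system.webServer/security/authentication/windowsAuthentication' -Name enabled).Value
    "{0,-40} module: {1,-5} anonymous: {2,-5} windows: {3}" -f $p, [bool]$present, $anon, $win
}
```

The expected verification output is module False for the site and True for owa and ecp, with anonymous True and windows False on both applications. A True for the site line means the module is still enabled above the application level and must be disabled there.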

60.4.8 Testing Impersonation for Outlook Web Application

The following options are provided to test the Impersonation configuration for OWA.

60.4.8.1 Testing Impersonation Using the Event Viewer

You can test impersonation through the Event Viewer.

To test:

  1. Select Start Menu; Event Viewer.
  2. In the left pane, right-click Security, then click Properties.
  3. Click the Filter tab on the Security property sheet.
  4. Verify that all Event Types are checked, and the Event Source and Category lists are set to All, then click OK to dismiss the property sheet.
  5. Your Event Viewer is now configured to display information about the headerVar associated with a resource request.
  6. Create a new IIS virtual server (virtual site).
  7. Place a target Web page anywhere in the tree on the virtual site.
  8. From your browser, enter the URL of the Web page.

    If impersonation is working correctly, the Event Viewer will report the success of the access attempt.
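Rather than reading the Security log by hand, you can pull the logon events that a test request produced. The following PowerShell is an added example, not part of the original page: it assumes the trusted account is OWAImpersonator, the test user is jdoe (both assumptions), that the request was made within the last five minutes, and that logon auditing is enabled on the OWA server so that the standard Windows Security events 4624 (logon success) and 4625 (logon failure) are written.

```powershell
# Added example (not from the original page): list Security-log logon events for
# the trusted account and the test user since the test request was made.
# Assumptions: account names below; logon auditing enabled; events 4624/4625.
$Since       = (Get-Date).AddMinutes(-5)
$TrustedUser = 'OWAImpersonator'   # assumption
$TestUser    = 'jdoe'              # assumption

$events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4625
    StartTime = $Since
}

$events |
  ForEach-Object {
    # Pull the named EventData fields out of the event XML.
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time       = $_.TimeCreated
        Id         = $_.Id
        TargetUser = $d['TargetUserName']
        LogonType  = $d['LogonType']
        Process    = $d['ProcessName']
        Status     = $d['Status']
    }
  } |
  Where-Object { @($TrustedUser, $TestUser) -contains $_.TargetUser } |
  Sort-Object Time |
  Format-Table -AutoSize
```

A 4624 for the test user whose Process is the IIS worker process (w3wp.exe) is the success the page refers to; a 4625 for the test user, or no event at all, points at the bind to the WebGate or the "Act as part of the operating system" right rather than at the Access Manager policy.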

60.4.8.2 Testing Impersonation using a Web Page

You can test impersonation using a dynamic test page that can return and display information about the request.

To test:

  1. Create an .asp page or Perl script that displays the server variables AUTH_USER and IMPERSONATE.

    It can resemble this sample page:

    <TABLE border=1>
    <TR>
    <TD>Variable</TD>
    <TD>&nbsp;&nbsp;</TD>
    <TD>Value</TD></TR>
    <%' Loop over every server variable; AUTH_USER and IMPERSONATE are among them %>
    <%for each servervar in request.servervariables%>
    <TR>
    <TD><%=servervar%></TD>
    <TD>&nbsp;&nbsp;</TD>
    <TD><%=request.servervariables(servervar)%>&nbsp;</TD>
    </TR>
    <%next%>
    </TABLE>
    
  2. Create an IIS virtual site, or use the one you created for the previous task.
  3. Place the .asp page or Perl script (such as the sample in the preceding listing) anywhere in the tree of the new virtual site.
  4. Point your browser at the page, which should appear, with both AUTH_USER and IMPERSONATE set to the name of the user making the request.

60.4.8.3 Conducting Negative Testing for Impersonation

You can conduct negative testing for impersonation by unbinding the trusted user from the WebGate.

To conduct negative testing:
  1. In the Oracle Access Management Console, click Application Security at the top of the window.
  2. In the Launch Pad tab, click Agents.
  3. Search for the desired WebGate and open it for editing.
  4. In the WebGate registration page, remove the credentials for the trusted user.
  5. Click Apply to save the change.
  6. Restart the IIS server and, in a browser window, go to a protected page (one that was previously accessible through impersonation).
  7. Confirm that the test page no longer shows AUTH_USER and IMPERSONATE set to the user (you receive an error message page instead). The trusted user's credentials must be bound to the WebGate for these values to be populated.
  8. Restore the trusted user to the WebGate registration page.