Sun Java System Access Manager Policy Agent 2.2 Guide for Microsoft Internet Information Services 6.0

Appendix A Microsoft Office SharePoint or Outlook Web Access: Deploying Agent for Microsoft IIS 6.0

This appendix provides information that enables you to deploy Agent for Microsoft IIS 6.0 in a manner that provides protection and single sign-on (SSO) to Microsoft Office SharePoint or Outlook Web Access.

Tasks that are specific to Microsoft Office SharePoint or Outlook Web Access are presented in this appendix. The aspects of the installation and configuration of this agent that do not vary when Microsoft Office SharePoint or Outlook Web Access are involved are covered in the appropriate sections, such as Chapter 3, Installing Policy Agent 2.2 for Microsoft IIS 6.0. Therefore, use this appendix in conjunction with other sections of this guide. Cross references throughout this guide direct you to and from this appendix as necessary.


Microsoft Office SharePoint and Outlook Web Access: Installing Agent for Microsoft IIS 6.0

You can use Agent for Microsoft IIS 6.0 to provide users with authenticated access to resources beyond web sites. Specifically, you can use this agent to protect Microsoft Office SharePoint or Outlook Web Access. However, protecting these particular resources requires additional configuration: you must configure Access Manager as described in the instructions that follow.

Microsoft Office SharePoint and Outlook Web Access: Preparing to Install the Agent

This section focuses on pre-installation steps required for Microsoft Office SharePoint and Outlook Web Access. First, you need to perform the pre-installation steps that apply generally to Agent for Microsoft IIS 6.0, then you need to perform the pre-installation steps specific to Microsoft SharePoint and Outlook Web Access.

To Prepare to Install the Agent

Implement the general pre-installation steps regarding Agent for Microsoft IIS 6.0 as covered in Preparing To Install Agent for Microsoft IIS 6.0 before completing the task that follows.

Procedure: Microsoft SharePoint and Outlook Web Access: To Prepare for Installation

The steps described in this task are required after you perform the pre-installation steps for the basic installation on Microsoft IIS 6.0 as described in Preparing To Install Agent for Microsoft IIS 6.0.

These additional pre-installation steps are necessary to deploy a post-authentication module on Access Manager. In order to achieve SSO with Microsoft SharePoint or Outlook Web Access using Agent for Microsoft IIS 6.0, Access Manager must send the password to the agent. This requires a post-authentication module to be deployed on Access Manager. The post-authentication module encrypts users' passwords and sends them to Agent for Microsoft IIS 6.0.

Perform the steps in this task on the Access Manager host.

Before You Begin

Caution –

If you are installing Agent for Microsoft IIS 6.0 to protect Outlook Web Access, prior to installing the agent, ensure that the user repositories in Access Manager and Microsoft Exchange Server are synchronized. For this scenario, Microsoft Exchange Server and the Access Manager LDAP v3 plug-in can point to the same Active Directory.


The following information about Access Manager is helpful for this task:

AccessManager-base represents the Access Manager base installation directory. On Solaris systems, the default base installation directory is /opt/SUNWam.

The following is the default location of the AMConfig.properties file:

/etc/opt/SUNWam/config

  1. Set the JAVA_HOME variable to the location used to install Access Manager.

  2. (Conditional) If the files DESGenKey.java and ReplayPasswd.java are not bundled with the Access Manager binaries (see the explanation within this step for details) obtain and compile them. Otherwise, skip to the next step.

    The DESGenKey.java file is a key generator while the ReplayPasswd.java file is a plug-in.

    The availability of DESGenKey.class and ReplayPasswd.class varies according to the Access Manager version. The following list indicates which versions of Access Manager have these classes bundled with them and which versions do not.

    Bundled with
    • Access Manager 7.0 series from Patch 5 forward

    • Access Manager 7.1 series from Patch 1 forward

    Not bundled with
    • Any version of the Access Manager 7.0 series prior to patch 5

    • Access Manager 7.1

    You can obtain the files DESGenKey.java and ReplayPasswd.java by contacting Sun technical support.

    1. Download the files DESGenKey.java and ReplayPasswd.java to the following directory:

      AccessManager-base/lib
    2. Change to the following directory:

      AccessManager-base/lib
    3. Compile ReplayPasswd.java and DESGenKey.java as follows:

      # javac -classpath AccessManager-base/lib/am_services.jar:AccessManager-base/lib/am_sdk.jar:AccessManager-base/lib/servlet.jar ReplayPasswd.java DESGenKey.java
  3. Execute DESGenKey.class as follows:

    Access Manager 7.0 series from Patch 5 forward and Access Manager 7.1 series from Patch 1 forward

    # java com.sun.identity.common.DESGenKey

    Any version of the Access Manager 7.0 series prior to patch 5 and Access Manager 7.1

    # java DESGenKey

    Executing DESGenKey.class returns a string as output.

  4. Add the string produced in the previous step to a newly created text file as described in the substeps that follow.

    1. Copy the string produced in the previous step.

    2. Create a file, which for this example is named des_key.txt, in a directory of your choosing.

      The des_key.txt name is used in this guide as an example. Name the file differently if you wish.

    3. Save the copied string in the des_key.txt file.

  5. Configure the com.sun.am.replaypasswd.key property in the AMConfig.properties configuration file as described in the substeps that follow.

    1. Open the AMConfig.properties configuration file.

    2. Add the following property to the file:

      com.sun.am.replaypasswd.key
    3. Copy the string from the des_key.txt file.

    4. Add the copied string as the value of the com.sun.am.replaypasswd.key property.

      For example, if the string in the des_key.txt file is wuqUJyr=5Gc=, then the new property would be set as follows:

      com.sun.am.replaypasswd.key = wuqUJyr=5Gc=
  6. Configure a property specific to Microsoft Office SharePoint or Outlook Web Access in the AMConfig.properties file as described in the substeps that follow.

    1. Add the respective property and corresponding value to the file as indicated:

      • Microsoft Office SharePoint:

        Add the following property and value if you are installing the agent for Microsoft Office SharePoint:

        com.sun.am.sharepoint_login_attr_name = SharePoint-login-value
        

        where SharePoint-login-value is a place holder that you must replace with an LDAP attribute login name that is created in both Access Manager and Microsoft Office SharePoint Server.

        For example, if the actual value of SharePoint-login-value is login, the following would be the setting for this property:

        com.sun.am.sharepoint_login_attr_name = login
      • Outlook Web Access

        Add the following property and value if you are installing the agent for Outlook Web Access.

        com.sun.am.iis_owa_enabled = true
    2. Save and close the AMConfig.properties file.

  7. Restart Access Manager.

  8. Deploy the post-authentication plug-in, ReplayPasswd, as described in the substeps that follow.

    This step requires the use of Access Manager Console.

    1. Log in to Access Manager as amadmin.

    2. With the Access Control tab selected, click the name of the realm you wish to configure.

    3. Click the Authentication tab.

    4. Click Advanced Properties.

      The Advanced Properties button is in the General section.

    5. Scroll down to the Authentication Post Processing Classes field.

    6. In the Authentication Post Processing Classes field, enter the appropriate text depending upon the Access Manager version:

      For Access Manager 7.0 series from Patch 5 forward and Access Manager 7.1 series from Patch 1 forward

      Enter the following: com.sun.identity.authentication.spi.ReplayPasswd

      For any version of the Access Manager 7.0 series prior to patch 5 and Access Manager 7.1

      Enter the following: ReplayPasswd

    7. Scroll up to click Save.

    8. Click Log Out to log out of the Access Manager Console.

  9. Verify the deployment of the post-authentication plug-in, ReplayPasswd, as described in the substeps that follow.

    1. Stop Access Manager.

    2. Access the AMConfig.properties configuration file.

    3. Note the value of the following property before changing it to message, as indicated:

      com.iplanet.services.debug.level = message

      You must change this value back to its original value at the completion of this step.

    4. Save and close the file.

    5. Start Access Manager.

    6. Log in to Access Manager Console.

      Again use amadmin.

    7. Click Log Out to immediately log out of the Access Manager Console.

    8. Change directories to the Access Manager debug log files.

      The default location of the debug log files is /var/opt/SUNWam/debug.

    9. Verify the existence of a file named ReplayPasswd.

      The existence of this file indicates the successful deployment of the post-authentication plug-in.

    10. Reset the debug value to its original value.

    11. Restart Access Manager.

  10. (Conditional) If you are installing this agent to protect Outlook Web Access, edit the idle session timeout page as described in the substeps that follow.


    Note –

    This step is implemented for deployments where the agent establishes SSO with Outlook Web Access. It does not apply to Microsoft Office SharePoint. Outlook Web Access runs in multiple frames. If this step is not implemented and a session timeout occurs, the session timeout page fills the entire browser window instead of just a single frame. Implementing this step directs the session timeout page, when issued, to fill only a single frame.


    1. Make a backup copy of the idle session timeout page.

      The idle session timeout page is typically the session_timeout.jsp file. You must locate the file in the Access Manager host. Be aware that the name and location of this file can vary. For example, for Access Manager 7.0, this file is located in the following directory:

      /opt/SUNWwbsvr/https-FQDN/is-webapps/services/config/auth/default

      where FQDN is a place holder that will actually be the fully qualified domain name of the Access Manager instance you are configuring.

    2. Open the idle session timeout page.

    3. Add the script that follows between the tags <head> and </head>:

      <script type="text/javascript">
      function redirect() {
      location.replace(location.href);
      }
      </script>
    4. Search and replace a snippet of code as indicated by the following example:

      Find and delete the following snippet of code:

      <auth:href name="LoginURL" fireDisplayEvents='true'><jato:text name="txtGotoLoginAfterFail" /></auth:href>

      Enter the following snippet of code:

      <a href="#" onClick="redirect(); return false;"><jato:text name="txtGotoLoginAfterFail" /></a>

  11. Restart Access Manager.

Microsoft Office SharePoint and Outlook Web Access: Installing the Agent

Once you have completed the preceding pre-installation steps, perform the actual installation as described in Installing Agent for Microsoft IIS 6.0.

Microsoft Office SharePoint and Outlook Web Access: Configuring the Agent

You should come to this section after you have created an agent configuration file as described in Creating Configuration Files: Agent for Microsoft IIS 6.0.

Perform the task that follows if you are installing Agent for Microsoft IIS 6.0 to protect Microsoft Office SharePoint or Outlook Web Access.

Procedure: Microsoft Office SharePoint and Outlook Web Access: To Configure the Agent


Caution –

The script used in this task is IIS6AuthAdmin.vbs. This script installs the ISAPI filter (amiis6auth.dll). Do not confuse this script with the script to configure the agent for a web site. Therefore, ensure that you follow the steps in this task to execute the IIS6AuthAdmin.vbs script and not any other similarly named script.


  1. Verify that settings are correct in the defaultConfig file.

    If settings are incorrect, edit as required.

    For this task, the defaultConfig file is a place holder that you must replace with the name of the agent configuration file created in To Create Configuration Files: Agent for Microsoft IIS 6.0.

  2. Change to the following directory:

    PolicyAgent-base\iis6\bin
  3. Issue the following command (be aware that the command is case sensitive):

    cscript.exe IIS6AuthAdmin.vbs -config defaultConfig
    
    IIS6AuthAdmin.vbs

    is a VB script that uses the output of the IIS6CreateConfig.vbs script. The output was saved to a configuration file, which for this example is represented by defaultConfig.

    -config

    is the option that allows the output to be used to configure Agent for Microsoft IIS 6.0 to protect Microsoft Office SharePoint or Outlook Web Access.

  4. Accept the default when presented with the following prompt:

    Enter the Agent Resource File Name [IIS6Resource.en]:

    The preceding prompt appears in the following context:

    Microsoft (R) Windows Script Host Version 5.6
    Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
    
    Copyright c 2004 Sun Microsystems, Inc. All rights reserved
    Use is subject to license terms
    
    Enter the Agent Resource File Name [IIS6Resource.en]:

    After you accept the default, a message such as the following should appear:

    Creating the Agent Config Directory
    Creating the AMAgent.properties File
    Updating the Windows Product Registry
    Completed Configuring the IIS 6.0 Agent

Troubleshooting

If you experience difficulty after issuing the IIS6AuthAdmin.vbs script, see the related troubleshooting symptom, Troubleshooting Symptom 4.

Next Steps

After you complete this task, implement the task presented in the section that follows (Microsoft Office SharePoint and Outlook Web Access: Editing the Agent Properties File).


Microsoft Office SharePoint and Outlook Web Access: Editing the Agent Properties File

This section applies to both Microsoft Office SharePoint and Outlook Web Access. For the task presented in this section, you must edit the web agent AMAgent.properties configuration file.

After you have completed the task, a variety of other configurations are required for Outlook Web Access only, some of which also involve editing the web agent AMAgent.properties configuration file. Those tasks are presented in Outlook Web Access: Configuring Agent for Microsoft IIS 6.0.

The instructions provided in this section are similar to the instructions for adding the property, com.sun.am.replaypasswd.key to the AMConfig.properties configuration file as described in Microsoft SharePoint and Outlook Web Access: To Prepare for Installation.

The same property and respective value added to the AMConfig.properties configuration file must now be added to the web agent AMAgent.properties configuration file.

Procedure: Microsoft SharePoint or Outlook Web Access: To Edit the Agent Properties File

This task describes how to configure the com.sun.am.replaypasswd.key property in the web agent AMAgent.properties configuration file.

For information about the location of the web agent AMAgent.properties configuration file, see Locating the Web Agent AMAgent.properties Configuration File.

  1. Open the web agent AMAgent.properties configuration file.

  2. Add the following property to the file:

    com.sun.am.replaypasswd.key
  3. Copy the string from the des_key.txt file.

    For more information on the des_key.txt file, see Microsoft SharePoint and Outlook Web Access: To Prepare for Installation.

  4. Add the copied string as the value of the com.sun.am.replaypasswd.key property.

    For example, if the string in the des_key.txt file is wuqUJyr=5Gc=, then the new property would be set as follows:

    com.sun.am.replaypasswd.key = wuqUJyr=5Gc=
  5. (Conditional) If you are configuring the agent for Microsoft SharePoint, save and close the web agent AMAgent.properties configuration file.

    For Outlook Web Access, further configuration is required. Therefore, you can save the AMAgent.properties configuration file, but you might want to keep it open. Skip to Outlook Web Access: Configuring Agent for Microsoft IIS 6.0.

  6. (Conditional) If you are configuring the agent for Microsoft SharePoint, restart the Microsoft IIS 6.0 Server.

    A method for restarting this server is to enter iisreset in a command window.

Next Steps

At this point, the next task to be implemented depends on whether you are deploying this agent to protect Microsoft Office SharePoint or Outlook Web Access.

If you are installing this agent to protect Microsoft Office SharePoint, continue to the next section, Microsoft Office SharePoint: Configuring Agent for Microsoft IIS 6.0, to complete an additional configuration task specific to Microsoft Office SharePoint.

If you are installing this agent to protect Outlook Web Access, skip to Outlook Web Access: Configuring Agent for Microsoft IIS 6.0, to complete additional configuration tasks specific to Outlook Web Access.

Microsoft Office SharePoint: Configuring Agent for Microsoft IIS 6.0

If you are installing Agent for Microsoft IIS 6.0 to protect Microsoft Office SharePoint, another task is required. To protect Microsoft Office SharePoint with this agent you must ensure that the authentication method for the Microsoft IIS 6.0 Server is set to Basic authentication as described in the task that follows.

Procedure: Microsoft Office SharePoint: To Enable the Authentication Method to Basic

  1. Log in to the Microsoft IIS 6.0 Server as an administrator.

  2. In the Microsoft Windows Start menu, choose run.

  3. Type the following: inetmgr

  4. Click OK.

  5. Expand the local computer.

  6. Expand the Web Sites folder.

  7. Right-click Default Web Site.

    An options list appears.

  8. In the options list, click Properties.

    The Default Web Site Properties dialog box appears.

  9. Select the Directory Security tab.

  10. Click Edit in the Authentication and access control section.

  11. Select Basic authentication in the Authenticated access section.

  12. Click OK.

  13. Click OK again to close the Web site properties.

Next Steps

Now you can verify the installation of the agent as described in Microsoft Office SharePoint and Outlook Web Access: Verifying a Successful Agent Installation.

Outlook Web Access: Configuring Agent for Microsoft IIS 6.0

If you are installing Agent for Microsoft IIS 6.0 to provide SSO to Outlook Web Access, additional configuration is required that is not required for Microsoft Office SharePoint. This section provides those configuration instructions in a series of tasks.

Procedure: Outlook Web Access: To Edit the Agent Properties File

Before You Begin

Open the web agent AMAgent.properties configuration file if it is not already open.

  1. In the web agent AMAgent.properties configuration file, locate the properties listed in this step and set the values accordingly.

    The settings that follow are provided as examples, where agentHost is a place holder that you must replace with the name of the host machine where the agent is installed and domain-name is a place holder that you must replace with the name of the domain, such as example.com. Add values that match your site's requirements.


    com.sun.am.notification.enable = false
    com.sun.am.sso.polling.period = 1
    com.sun.am.policy.agents.config.fqdn.map = agentHost|agentHost.domain-name,agentHost.domain-name|agentHost.domain-name
    
  2. Add the following property with its value set to true as indicated:


    com.sun.am.policy.agents.config.iis.owa_enabled = true
    
  3. Add the following property with its value set to the URL of a local session timeout page as indicated:


    com.sun.am.policy.agents.config.iis.owa_enabled_session_timeout_url = https://agentHost.domain-name:444/timeout.asp

    The timeout.asp page is an example timeout page name, which is used in this guide in reference to the timeout page used with Agent for Microsoft IIS 6.0 when protecting Outlook Web Access. However, timeout.asp is only an example. You might choose to use a different page name.

  4. Save and close the web agent AMAgent.properties configuration file.
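The two properties files edited in this appendix have to agree with each other, and a value that is wrapped onto a second line without a trailing backslash is silently truncated when the file is read. The following check is an added example, not part of the agent or of Access Manager: it parses copies of AMConfig.properties and AMAgent.properties (simplified parsing, `=` or `:` separators only) and reports a replay key that is missing or differs, a debug level left at message, leftover placeholders, and wrapped values, without printing the key. The sample files and the host owa01.example.com are constructed.

```python
import re

REPLAY_KEY = "com.sun.am.replaypasswd.key"
DEBUG_LEVEL = "com.iplanet.services.debug.level"
OWA_AM = "com.sun.am.iis_owa_enabled"
OWA_AGENT = "com.sun.am.policy.agents.config.iis.owa_enabled"
TIMEOUT_URL = OWA_AGENT + "_session_timeout_url"
SHAREPOINT_ATTR = "com.sun.am.sharepoint_login_attr_name"
# Placeholders used in this guide; a deployed file must not contain them.
PLACEHOLDERS = ("agentHost", "AMhost", "domain-name", "SharePoint-login-value")


def parse_properties(text):
    """Return (props, orphans). orphans holds (line number, text) of logical
    lines with no '=' or ':' separator, which is what a value wrapped without
    a trailing backslash leaves behind."""
    props, orphans = {}, []
    buf, start = "", 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf:
            if not line or line[0] in "#!":
                continue
            start = lineno
        # An odd number of trailing backslashes continues the logical line.
        if (len(line) - len(line.rstrip("\\"))) % 2 == 1:
            buf += line[:-1]
            continue
        logical, buf = buf + line, ""
        m = re.match(r"([^=:]*?)\s*[=:]\s*(.*)$", logical)
        if m and m.group(1):
            props[m.group(1)] = m.group(2)
        else:
            orphans.append((start, logical))
    if buf:
        orphans.append((start, buf))
    return props, orphans


def audit(am_text, agent_text, target):
    """Check one deployment; target is 'owa' or 'sharepoint'. Returns a list
    of findings and never echoes the key value itself."""
    am, am_orphans = parse_properties(am_text)
    agent, agent_orphans = parse_properties(agent_text)
    findings = []
    for name, props, orphans in (("AMConfig.properties", am, am_orphans),
                                 ("AMAgent.properties", agent, agent_orphans)):
        for lineno, _ in orphans:
            findings.append(f"{name}:{lineno}: no key/value separator (wrapped value?)")
        for key, value in props.items():
            if any(p in value for p in PLACEHOLDERS):
                findings.append(f"{name}: {key} still contains a placeholder")
        if not props.get(REPLAY_KEY):
            findings.append(f"{name}: {REPLAY_KEY} is missing or empty")
    if am.get(REPLAY_KEY) and agent.get(REPLAY_KEY) and am[REPLAY_KEY] != agent[REPLAY_KEY]:
        findings.append(f"{REPLAY_KEY} differs between the two files")
    if am.get(DEBUG_LEVEL) == "message":
        findings.append(f"AMConfig.properties: {DEBUG_LEVEL} is still 'message'")
    if target == "sharepoint" and not am.get(SHAREPOINT_ATTR):
        findings.append(f"AMConfig.properties: {SHAREPOINT_ATTR} is not set")
    if target == "owa":
        if am.get(OWA_AM) != "true":
            findings.append(f"AMConfig.properties: {OWA_AM} is not true")
        if agent.get(OWA_AGENT) != "true":
            findings.append(f"AMAgent.properties: {OWA_AGENT} is not true")
        if not agent.get(TIMEOUT_URL, "").startswith("https://"):
            findings.append(f"AMAgent.properties: {TIMEOUT_URL} is empty or not https")
    return findings


# Constructed sample files. The key is the example string printed in this
# guide; the debug level "error" stands in for the site's original value.
AM_OK = """\
com.iplanet.services.debug.level = error
com.sun.am.replaypasswd.key = wuqUJyr=5Gc=
com.sun.am.iis_owa_enabled = true
"""
AGENT_OK = """\
com.sun.am.replaypasswd.key = wuqUJyr=5Gc=
com.sun.am.policy.agents.config.fqdn.map = owa01|owa01.example.com,owa01.example.com|owa01.example.com
com.sun.am.policy.agents.config.iis.owa_enabled = true
com.sun.am.policy.agents.config.iis.owa_enabled_session_timeout_url = https://owa01.example.com:444/timeout.asp
"""
AM_BAD = AM_OK.replace("= error", "= message")
AGENT_BAD = """\
com.sun.am.replaypasswd.key = wuqUJyr=5Gc
com.sun.am.policy.agents.config.fqdn.map = owa01|
owa01.example.com,owa01.example.com|
owa01.example.com
com.sun.am.policy.agents.config.iis.owa_enabled = true
com.sun.am.policy.agents.config.iis.owa_enabled_session_timeout_url =
https://owa01.example.com:444/timeout.asp
"""

if __name__ == "__main__":
    print("\n".join(audit(AM_BAD, AGENT_BAD, "owa")))
```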

Procedure: Outlook Web Access: To Create a Local Idle Session Timeout Page

This task consists of steps that vary in specificity. These steps are to be performed on the Microsoft IIS 6.0 Server.

  1. Create a new virtual server (a different web site) in the Microsoft IIS 6.0 Server administration console.

  2. For the new virtual server, create a corresponding application pool with a new document folder.

    An example name for this folder is C:\Inetpub\test.

    While the preceding example folder name is used throughout this task, it is only an example. You might choose to use a different name.

  3. Install SSL on the newly created web site.


    Tip –
    • Ensure that this web site is accessible from a browser.

    • Configure the port number.

      An example port number for this port is 444. However, 444 is only an example. You might choose to use a different port number.

    • Ensure that the Outlook Web Access server runs on a different port (therefore, for the example used in this task, not port 444).


  4. Ensure that the web site is enabled to run scripts and executable files as described in the substeps that follow:

    1. Log in to the Microsoft IIS 6.0 Server as an administrator.

    2. In the Microsoft Windows Start menu, choose run.

    3. Type the following: inetmgr.

    4. Click OK.

    5. Expand the local computer.

    6. Expand the Web Sites folder.

    7. Right-click Default Web Site.

      An options list appears.

    8. In the options list, click Properties.

      The Default Web Site Properties dialog box appears.

    9. Select the Home Directory tab.

    10. Under the Application settings section, in the Execute permissions drop down list, select Scripts and Executables.

  5. Create a .asp page, such as timeout.asp, in the folder C:\Inetpub\test.

    As explained previously, timeout.asp is only an example. However, ensure that you use the same name for this page as used in Outlook Web Access: To Edit the Agent Properties File.

  6. Add the markup information provided in this step to the timeout.asp file, editing the place holders as appropriate.

    In the markup information that follows, AMhost is a place holder that you must replace with the name of the host machine on which Access Manager is running. AMhost.domain-name is the fully qualified domain name of the machine.


    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE html
    PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <%
    ' Take the original OWA URL from owagoto: the value of url= inside an
    ' owalogon.asp link, without the trailing &reason parameter.
    redirectvalue = Request.QueryString("owagoto")
    posn = InStr(redirectvalue, "owalogon.asp?url=")
    If (posn > 1) Then
      str2 = Split(redirectvalue, "owalogon.asp?url=")
      str3 = Split(str2(1), "&reason")
      redirectvalue = str3(0)
    End If
    %>
    <meta http-equiv="Refresh" content="0;url=https://AMhost.domain-name:443/amserver/UI/Login?goto=<%=redirectvalue%>">
    </head>
    </html>
  7. Save and close the timeout.asp file.
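The timeout.asp markup writes the owagoto query-string value into the refresh URL as received. The following Python model of the same extraction is an added example, not code from this guide or from the agent: it shows the checks to port into the page, namely accepting only https destinations on an allowlist of Outlook Web Access hosts, percent-encoding the goto value, and HTML-escaping the attribute. The host names, the fallback URL and the function names are assumptions.

```python
from html import escape
from urllib.parse import quote, urlsplit

MARKER = "owalogon.asp?url="


def extract_owa_target(owagoto):
    """Same steps as timeout.asp: if owagoto embeds an owalogon.asp?url= link,
    keep what follows the marker up to "&reason"; otherwise keep it as is."""
    # VBScript InStr is 1-based, so "posn > 1" there is "index > 0" here.
    if owagoto.find(MARKER) > 0:
        owagoto = owagoto.split(MARKER)[1].split("&reason")[0]
    return owagoto


def is_allowed_target(target, allowed_hosts):
    """Accept only absolute https URLs whose host is on the allowlist."""
    # Backslashes, whitespace and control characters are handled differently
    # by browsers and by urlsplit, so refuse them before parsing.
    if any(ch == "\\" or ch.isspace() or ord(ch) < 0x20 for ch in target):
        return False
    try:
        parts = urlsplit(target)
    except ValueError:  # for example a malformed IPv6 literal
        return False
    return parts.scheme == "https" and parts.hostname in allowed_hosts


def login_refresh_tag(owagoto, login_url, allowed_hosts, fallback):
    """Build the <meta> refresh that sends the browser to the login page."""
    target = extract_owa_target(owagoto or "")
    if not is_allowed_target(target, allowed_hosts):
        target = fallback  # never forward a destination that was not vetted
    # Percent-encode the destination as a query value, then HTML-escape the
    # whole URL because it is written inside a double-quoted attribute.
    url = f"{login_url}?goto={quote(target, safe='')}"
    return f'<meta http-equiv="Refresh" content="0;url={escape(url, quote=True)}">'


# Constructed sample values (hypothetical hosts).
LOGIN_URL = "https://am.example.com:443/amserver/UI/Login"
OWA_HOSTS = {"owa01.example.com"}
FALLBACK = "https://owa01.example.com/exchange/"

if __name__ == "__main__":
    sample = ("https://owa01.example.com/exchweb/bin/auth/owalogon.asp"
              "?url=https://owa01.example.com/exchange/&reason=0")
    print(login_refresh_tag(sample, LOGIN_URL, OWA_HOSTS, FALLBACK))
```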

Procedure: Outlook Web Access: To Modify the logoff.asp File to Properly Handle the Logout Process.

  1. Back up the file C:\Program Files\Exchsrvr\exchweb\bin\usa\logoff.asp.

  2. Retrieve the cookie domain name as described in the substeps that follow.

    The cookie domain name you are retrieving in this step is required in the next step for the logoff.asp file.

    1. Log in to Access Manager as amadmin.

    2. Select the Configuration tab.

    3. Scroll as necessary to click Platform under the System Properties section.

    4. In the Current Values list, take note of the name of the appropriate cookie domain.

      The Current Values list is in the Cookie Domains section. The domain name you need to record for later use is the domain where Microsoft IIS 6.0 Server is installed and running.

  3. Replace the contents of the logoff.asp file with the markup information provided in this step.

    In the markup information that follows, AMhost and domain-name are place holders described in the previous task (Outlook Web Access: To Create a Local Idle Session Timeout Page). In this case, cookie-domain is a place holder that you must replace with the cookie domain name retrieved in the previous step. You must replace the place holder agentHost with the host name (or the alias name, if an alias name is used instead of the actual host name) of the machine that hosts the agent.


    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE html
    PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <%
    Response.Cookies("owaAuthCookie").Domain = ".cookie-domain"
    Response.Cookies("owaAuthCookie").Path = "/"
    Response.Cookies("owaAuthCookie")= "amOwaValue"
    Response.Cookies("owaAuthCookie").Expires = "July 1, 1995"
    %>
    <meta http-equiv="Refresh" content="0;url=https://AMhost.domain-name/amserver/UI/Logout?goto=https%3A%2F%2FagentHost.domain-name%3A443%2F">
    </head>
    </html>
  4. Save and close the logoff.asp file.

Next Steps

Now you can verify the installation of the agent as described in Microsoft Office SharePoint and Outlook Web Access: Verifying a Successful Agent Installation.

Microsoft Office SharePoint and Outlook Web Access: Deactivating and Reactivating the Access Manager Policy Filter

If you decide to temporarily stop using Access Manager for SSO from Microsoft Office SharePoint or Outlook Web Access to other applications, you can accomplish this by deactivating the policy filter. Therefore, uninstalling the agent would not be necessary. If you are interested in uninstalling the agent instead, see Chapter 7, Uninstalling Policy Agent 2.2 for Microsoft IIS 6.0.

You can deactivate the policy filter from the Microsoft IIS 6.0 Server. The assumption is that you would reactivate the filter later.

Two tasks follow: one for deactivating the policy filter and one for reactivating it.

Procedure: Microsoft Office SharePoint and Outlook Web Access: To Deactivate the Access Manager Policy Filter

  1. Log in to the Microsoft IIS 6.0 Server as an administrator.

  2. In the Microsoft Windows Start menu, choose run.

  3. Type the following: inetmgr.

  4. Click OK.

  5. Expand the local computer.

  6. Expand the Web Sites folder.

  7. Right-click Default Web Site.

    An options list appears.

  8. In the options list, click Properties.

  9. Click the ISAPI Filters tab.

  10. Click the amiis6auth filter.

  11. Click Remove.


    Caution –

    After removing the filter manually, as described in this task, if you want to reactivate it or if you want to unconfigure the agent by issuing the IIS6AuthAdmin -unconfig command, you must first add the filter back manually (see Microsoft Office SharePoint and Outlook Web Access: To Reactivate the Access Manager Policy Filter) with the same filter name, for example amiis6auth. Otherwise, an error will be issued.


  12. Click OK.

  13. Restart the Microsoft IIS 6.0 Server.

    A method for restarting this server is to enter iisreset in a command window.

Procedure: Microsoft Office SharePoint and Outlook Web Access: To Reactivate the Access Manager Policy Filter


Caution –

The filter name that you must enter in this task is amiis6auth. Be careful to enter the name exactly. If you enter the name incorrectly, any future attempt to use the IIS6AuthAdmin -unconfig command during installation will fail.


  1. Log in to the Microsoft Office SharePoint Server as an administrator.

  2. In the Microsoft Windows Start menu, choose run.

  3. Type the following: inetmgr.

  4. Click OK.

  5. Expand the local computer.

  6. Expand the Web Sites folder.

  7. Right-click Default Web Site.

  8. Click Properties.

  9. Click the ISAPI Filters tab.

  10. Click Add.

  11. In the Filter Name field, enter the following: amiis6auth

  12. In the Executable field, enter PolicyAgent-base\iis6\bin\amiis6auth.dll.

  13. Click OK.

Microsoft Office SharePoint and Outlook Web Access: Unconfiguring the Agent

If you no longer require Agent for Microsoft IIS 6.0 to protect Microsoft Office SharePoint or Outlook Web Access, you can unconfigure the agent. Be aware that to uninstall the agent, you must first unconfigure it.

The task that follows in this section is similar to the task in Agent Unconfiguration for Microsoft IIS 6.0. However, this task is specific to deployments where Agent for Microsoft IIS 6.0 protects Microsoft Office SharePoint or Outlook Web Access. Though the unconfiguration task varies, the uninstallation task does not. The uninstallation task that applies to all deployments of this agent is described in Agent Uninstallation for Microsoft IIS 6.0.

Procedure: Microsoft Office SharePoint and Outlook Web Access: To Unconfigure Agent for Microsoft IIS 6.0

  1. Change to the directory PolicyAgent-base\iis6\bin

  2. Run the following VB script to unconfigure the agent (be aware that the command is case sensitive):

    cscript.exe IIS6AuthAdmin.vbs -unconfig defaultConfig

    IIS6AuthAdmin.vbs

    is a VB script that uses the output of the IIS6CreateConfig.vbs script. The output was saved to a configuration file, which for this example is represented by defaultConfig.

    -unconfig

    is the option that allows the output to be used to unconfigure Agent for Microsoft IIS 6.0 to protect Microsoft Office SharePoint or Outlook Web Access.

    defaultConfig

    represents the agent configuration file created previously as described in To Create Configuration Files: Agent for Microsoft IIS 6.0.

    The script unconfigures the agent and displays the following message:


        Microsoft (R) Windows Script Host Version 5.6
        Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
    
        Copyright c 2004 Sun Microsystems, Inc. All rights reserved
        Use is subject to license terms
    
        Enter the Agent Resource File Name [IIS6Resource.en] :
    
        Removing the Agent Config Directory
        Removing the entries from Windows Product Registry
        Unloading the IIS 6.0 Agent
        Completed Unconfiguring the IIS 6.0 Agent
    
                      

    The unconfiguration does the following:

    • Removes the agent configuration directory

    • Removes the entries from Windows registry.

    • Removes the wild card application mappings in Microsoft IIS 6.0.

  3. Accept the default when presented with the following prompt:

    Enter the Agent Resource File Name [IIS6Resource.en]:

Next Steps

Once you have completed the unconfiguration process, see Agent Uninstallation for Microsoft IIS 6.0 to uninstall the agent.

Microsoft Office SharePoint and Outlook Web Access: Verifying a Successful Agent Installation

This section describes the methods for verifying the installation of Agent for Microsoft IIS 6.0 to protect Microsoft Office SharePoint and Outlook Web Access. Refer to the section that applies to your deployment.

Microsoft Office SharePoint

If the agent is installed correctly, an attempt to access a protected resource results in the presentation of the Access Manager login page. Entering proper credentials at this point successfully authenticates users, and if they have the appropriate SharePoint access rights to the resource, they are granted access. Then, when users attempt to access any other application secured by the same Access Manager server, they are not prompted for authentication. They are granted or denied access to the resource depending on defined policies.

Microsoft Outlook Web Access

If the agent is installed correctly, an attempt to access the Outlook Web Access URL, which is https://agentHost.domain-name/exchange, results in the presentation of the Access Manager login page. Entering proper credentials at this point successfully authenticates users and provides access to the Outlook Web Access inbox. Then, when users attempt to access any other application secured by the same Access Manager server, they are not prompted for authentication. They are granted or denied access to the resource depending on defined policies.

Microsoft Office SharePoint and Outlook Web Access: Tasks Not Specified

Refer to the respective sections of this guide to perform tasks that are not specifically described or referenced in this appendix since such sections apply to all deployments of Agent for Microsoft IIS 6.0, including Microsoft Office SharePoint and Outlook Web Access deployments. For example, see Uninstallation of Agent for Microsoft IIS 6.0 to uninstall Agent for Microsoft IIS 6.0 whether Microsoft Office SharePoint or Outlook Web Access are involved in the deployment or not.