60.4 Setting Up Impersonation for Outlook Web Application (OWA)
In a distributed Exchange/OWA single sign-on environment, each server needs Access Manager to impersonate the current user. When you enable Impersonation, you need to include additional HTTP headers in the "Response" tab of the Authorization Policy of your impersonation application domain.
The following solution has been tested in both standalone and distributed OWA environments.
Install Access Manager 11g, as described in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.
Install an 11g WebGate on all OWA client servers, as described in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.
On the WebGate registration page, disable IP checking for the WebGate on the back-end server that uses the AccessGate, because the request reaches it from the front-end server rather than from the user's browser, so the client IP address would not match.
60.4.2 Creating a Trusted User Account for Outlook Web Application
The special user should not be used for anything other than impersonation. Oracle recommends that you choose a very complex password, because your trusted user is being given very powerful permissions.
Also, be sure to check the box marked Password Never Expires. Since the impersonation module should be the only entity that ever sees the trusted user account, it would be very difficult for an outside agency to discover that the password has expired.
To create a Trusted User Account for Outlook Web Application:
On the Windows 2008 machine, select Start; Programs; Administrative Tools; Active Directory Users and Computers.
In the Active Directory Users and Computers window, right-click Users on the tree in the left pane, then select New; User.
In the First name field of the pane entitled New Object - User, enter an easy-to-remember name such as OWAImpersonator.
Copy this same string to the User logon name field, then click Next.
In succeeding panels, you will be asked to choose a password and then retype it to confirm.
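The account-creation steps above, as an added PowerShell example that is not part of the Oracle documentation: it creates the trusted user with the RSAT ActiveDirectory module and then checks the properties the text calls for (enabled, Password Never Expires, no group memberships beyond the primary group). The OU path and UPN suffix are assumptions; the account name OWAImpersonator is the one the text suggests.

```powershell
# Added example: create the OWA impersonation trusted user from PowerShell
# instead of the Active Directory Users and Computers GUI, then verify it.
# Run on a domain-joined admin host with the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$Name      = 'OWAImpersonator'                      # name suggested in the text
$OuPath    = 'OU=ServiceAccounts,DC=example,DC=com' # assumption: your OU
$UpnSuffix = 'example.com'                          # assumption: your UPN suffix

# Generate a long random password rather than typing one. It is displayed once
# so it can be entered on the WebGate registration page during the bind step.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$Plain  = [Convert]::ToBase64String($bytes)
$Secure = ConvertTo-SecureString $Plain -AsPlainText -Force

New-ADUser -Name $Name -SamAccountName $Name `
    -UserPrincipalName "$Name@$UpnSuffix" `
    -Path $OuPath -AccountPassword $Secure `
    -Enabled $true -PasswordNeverExpires $true -ChangePasswordAtLogon $false `
    -Description 'Access Manager trusted user for OWA impersonation only'

Write-Host "Password for $Name (record it now for the WebGate bind): $Plain"

function Test-OwaImpersonatorAccount {
    # Returns an empty array when the account matches what the text requires,
    # otherwise one string per finding.
    param([string]$SamAccountName = 'OWAImpersonator')
    $u = Get-ADUser -Identity $SamAccountName `
            -Properties PasswordNeverExpires, MemberOf, Enabled
    $problems = @()
    if (-not $u.Enabled)              { $problems += 'account is disabled' }
    if (-not $u.PasswordNeverExpires) { $problems += 'Password Never Expires is not set' }
    # The account exists only for impersonation, so it should hold no group
    # memberships beyond its primary group (Domain Users, not listed in MemberOf).
    if ($u.MemberOf.Count -gt 0) {
        $problems += "unexpected group membership: $($u.MemberOf -join ', ')"
    }
    return ,$problems
}

$findings = Test-OwaImpersonatorAccount -SamAccountName $Name
if ($findings.Count -eq 0) { Write-Host "$Name is configured as required" }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

Re-run Test-OwaImpersonatorAccount periodically; a new group membership on this account is a sign that it is being used for something other than impersonation.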
60.4.4 Binding the Trusted Outlook Web Application User to Your WebGate
You need to bind the trusted user to the WebGate by supplying the authentication credentials for the trusted user.
When the bind has been created for the WebGate and the trusted user, WebGate is ready to provide impersonation on demand. The demand is created by a Response set in the Authorization Policy of application domain created for impersonation.
The following procedure presumes that you have registered an 11g WebGate (ImpersonateAgent) with Access Manager. The values in the following procedure are provided as an example only. Your environment will be different.
In the Oracle Access Management Console, click Application Security at the top of the window.
In the Launch Pad tab, click Agents.
Find the desired 11g WebGate registration to modify for this integration. For example: ImpersonateAgent.
To find all enabled agents, select All in the State field, click the Search button, then click the desired WebGate name in the results list.
Open the Webgate registration page and enter the SharePoint username and password for the trusted user account, which you created earlier.
Click Apply to commit the changes.
A bind has been created for the Webgate and the trusted user. The Webgate is now ready to provide impersonation on demand. The demand is created by an Authorization Success Action in the application domain created for impersonation.
60.4.5 Adding an Impersonation Action to an Application Domain for Outlook Web Application
You must create or configure an application domain to protect your OWA resources (/owa and /ecp only).
Ensure that IISImpersonationModule.dll is applied only to the "owa" and "ecp" applications in IIS 7.x, and removed from the site level. The Authorization policy must set several HTTP header variables (Header type Responses in the Authorization policy).
This procedure presumes that you have an existing application domain for the 11g WebGate (ImpersonateAgent) you registered with Access Manager.