Jun 03

OWA 2010 Form Based SSO

I’ve been asked about this a few times recently, so I thought it worth a post.

As of version 10.69.4.nc, the NetScaler Gateway and AAA features support OWA 2010.

When authentication on OWA is form based, additional configuration is required to provide SSO.

Create a formSSOAction; this provides the NetScaler with the following information:
  • The page in which to complete the Form based SSO (/owa/auth.owa)
  • The field names to pass the username and password values to (username and password)
  • The cookie that deals with authentication for OWA (cadata)
  • The method in which to submit form data (post)

add vpn formSSOAction SSOPro_OWA -actionURL "/owa/auth.owa" -userField username -passwdField password -ssoSuccessRule "http.RES.SET_COOKIE.COOKIE(\"cadata\").VALUE(\"cadata\").LENGTH.GT(70)" -responsesize 15000 -submitMethod POST

Create a VPN traffic action that specifies SSO as well as the name of the formSSOAction created above.

add vpn trafficAction TrafAct_OWA HTTP -appTimeout 1 -SSO ON -formSSOAction SSOPro_OWA

Add a VPN traffic policy to specify when this traffic action should be applied.

add vpn trafficPolicy TrafPol_OWA "HTTP.REQ.URL.CONTAINS(\"owa/auth/logon.aspx\")" TrafAct_OWA

Bind this traffic policy globally so that it applies to all NetScaler Gateway vservers (alternatively it could be bound to a single VPN vserver if more than one version of OWA is to be supported from one appliance).

bind vpn global -policyName TrafPol_OWA -priority 100
bind vpn vserver VSERVERNAME -policyName TrafPol_OWA -priority 1000

The PBack cookie value is usually set to zero when the user manually clicks Submit in OWA, so a rewrite action is created to simulate this.

add rewrite action set_pback_cookie insert_after "http.REQ.COOKIE.VALUE(\"OutlookSession\")" "\";PBack=0\"" -bypassSafetyCheck YES

A policy is created to specify when this rewrite action should apply.

add rewrite policy set_pback_cookie "http.REQ.URL.CONTAINS(\"logon.aspx\")" set_pback_cookie

This is then bound globally, as it should not affect other versions of OWA in use.

bind rewrite global set_pback_cookie 100 END -type REQ_DEFAULT
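As an added example (not part of the original post and not Citrix code), the following Python script simulates the three decisions the configuration above makes, the form POST the formSSOAction submits, the cadata-length success rule, the traffic policy URL match and the PBack rewrite, on constructed sample values, so the rule logic can be sanity-checked against a captured OWA exchange before the policies are bound. The 80-character cadata value and the OutlookSession cookie are constructed samples.

```python
import re
from urllib.parse import urlencode

# Constructed sample values (not real OWA traffic) used by the checks below.
SAMPLE_CADATA = "A" * 80   # 80 chars, i.e. longer than the 70 the success rule requires
SAMPLE_SET_COOKIE = ["cadata=" + SAMPLE_CADATA + "; path=/; secure; HttpOnly"]


def build_sso_post(username, password):
    """What the formSSOAction submits: a POST to -actionURL (/owa/auth.owa)
    with the -userField and -passwdField names carrying the credentials."""
    return "/owa/auth.owa", urlencode({"username": username, "password": password})


def cookie_value(header, name):
    """Return the value of cookie `name` from a Cookie/Set-Cookie header, or None."""
    m = re.search(r"(?:^|;\s*)" + re.escape(name) + r"=([^;]*)", header)
    return m.group(1) if m else None


def sso_success(set_cookie_headers, min_len=70):
    """-ssoSuccessRule: http.RES.SET_COOKIE.COOKIE("cadata").VALUE("cadata").LENGTH.GT(70).
    The NetScaler only treats the form login as successful when OWA's response
    sets a cadata cookie whose value is longer than min_len characters."""
    for header in set_cookie_headers:
        value = cookie_value(header, "cadata")
        if value is not None and len(value) > min_len:
            return True
    return False


def traffic_policy_matches(url):
    """Traffic policy rule HTTP.REQ.URL.CONTAINS("owa/auth/logon.aspx")."""
    return "owa/auth/logon.aspx" in url


def rewrite_pback(cookie_header):
    """Rewrite action set_pback_cookie: insert ';PBack=0' immediately after the
    OutlookSession cookie value. Requests without that cookie are left alone,
    which is why the rewrite policy is safe to bind globally."""
    return re.sub(r"(OutlookSession=[^;]*)", r"\1;PBack=0", cookie_header, count=1)


if __name__ == "__main__":
    print(build_sso_post("alice", "p@ss w"))
    print(sso_success(SAMPLE_SET_COOKIE))
    print(traffic_policy_matches("/owa/auth/logon.aspx?url=https%3a%2f%2fmail%2fowa%2f"))
    print(rewrite_pback("OutlookSession=abc123; cadata=xyz"))
```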


  1. Rosario

    I need to pass dynamically the original parameters flags and trusted as users can select on the original logon.aspx page. To do so I have rewritten and merged the original logon.aspx page with the tmindex.html page used on NetScaler. Everything works pretty well. If I put action="https://myServer.myDomain/showRequest.php" into the FORM, I also get the parameters the user chooses. But if I let the call go through NetScaler's /cgi/login, the parameters are overridden with the -nameValuePair "flags=4&trusted=4" you can set in the Form SSO Profiles. Despite choosing EXTRACTION = DYNAMIC, the parameters are simply overridden and not really taken from the FORM.

    Any suggestion? Thanks a lot Rosario

  2. Rosario

    Edit: I found a good way to implement parameter passing based on the client IP or other criteria here:


    But I want our users also to be able to choose the light or full GUI version of OWA

  3. fadi zayoun

    Hello Sir,

    I would appreciate it if someone can help me!
    I am trying to configure LDAP authentication through NetScaler in order to get SSO to OWA 2013,
    noting that I have also created an SSO session policy bound to an AAA server with LDAP authentication.

    After that I have created a rewrite and TM policy as described in this link: http://support.citrix.com/article/CTX134724
    but unfortunately I am not able to get a direct SSO 🙁

    Any idea??
