
OWA 2013 and identity injection


Hello NG

I have the following request. Maybe you can help me to solve it.

I have an Outlook 2013 OWA. Now I want to create an identity injection
for the website. Unfortunately it doesn't work. The workstation is an AD
member and the contract is set to Kerberos.

The identity injection I created is the following:

Do Inject into Authentication Header
User Name: LDAP Attribute : cn Refresh Data Every: Session
Password: Credential Profile : LDAP Credentials; LDAP Password
Multi-Value Separator: ,
DN Format: LDAP (ex, cn=jsmith,ou=Sales,o=Novell)

When I start the page I see only that the username was filled in, but
not the password field.

Have I forgotten to implement something in the identity injection?

Thanks in advance for your help
Ramon


Does your NAM proxy user have rights to retrieve the universal password for the
user from your eDirectory user store?

Note this will never work if AD is your user store, as user passwords are
one-way encrypted in AD.


--
Alex McHugh - Knowledge Partner - Stavanger, Norway
Hi Alex

My user store is an AD store. So what can I do so that credentials are
passed to webmail?



RamonLustrati wrote:

> alexmchugh;258530 Wrote:
> > Does your NAM proxy user have rights to retrieve the universal password
> > for the user from your eDirectory user store?
> >
> > Note this will never work if AD is your user store, as user passwords
> > are one-way encrypted in AD.
>
> My user store is an AD store. So what can I do so that credentials are
> passed to webmail?


Well, you are authenticating the user via Kerberos (so no password is supplied with authentication).
With FormFill, NAM first needs to get the user's password from somewhere. It can't get the user's password from AD (non-retrievable, at least by default).

You could try setting up SAML or WS-Federation to OWA.
Or you could maybe try Kerberos Constrained Delegation (if your NAM version is fully patched 3.2 or higher) to inject a Kerberos ticket (a different ticket, not the same as the one your user authed against NAM with).
Alex McHugh - Knowledge Partner - Stavanger, Norway
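A way to confirm the symptom discussed in this thread, added here as an example and not part of any poster's message or of NAM itself: it inspects an Authorization header value as captured at the back-end web server and reports whether a password was actually injected, without ever returning the password. It assumes the injected header arrives as HTTP Basic; the function names, the user `jsmith` and the sample values are constructed for illustration.

```python
import base64
import binascii


def make_basic(user, password):
    """Build a Basic Authorization value (only used to construct samples)."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def inspect_authorization(value):
    """Return (scheme, username, password_present) for an Authorization
    header value captured at the back-end web server. The password itself
    is never returned, so the result is safe to log."""
    scheme, _, blob = value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme != "basic":
        # e.g. Negotiate: a ticket is sent, there is no password to inspect
        return (scheme, None, None)
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("malformed Basic credentials") from exc
    # Split on the first colon only: passwords may contain colons
    user, sep, password = decoded.partition(":")
    return ("basic", user, bool(sep and password))


def diagnose(value):
    """Map the inspection result to the situations discussed in the thread."""
    scheme, user, has_password = inspect_authorization(value)
    if scheme != "basic":
        return f"{scheme}: no user name/password pair in this header"
    if not has_password:
        return f"basic: user '{user}' injected with an EMPTY password"
    return f"basic: user '{user}' injected with a password"


if __name__ == "__main__":
    # Constructed samples, not captured traffic
    samples = [
        make_basic("jsmith", ""),          # user name only, as the poster saw
        make_basic("jsmith", "pa:ss"),     # password available to the proxy
        "Negotiate YIIConstructedToken",   # Kerberos ticket passed instead
    ]
    for s in samples:
        print(diagnose(s))
```
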