RamonLustrati

Commander
2015-06-30
09:34
562 views
OWA 2013 and identity injection
Hello NG
I have the following request. Maybe you can help me to solve it.
I have an Outlook 2013 OWA. Now I want to create an identity injection
for the website. Unfortunately it doesn't work. The workstation is an AD
member and the contract is set to Kerberos.
The identity injection I created is the following:
Do Inject into Authentication Header
User Name: LDAP Attribute : cn Refresh Data Every: Session
Password: Credential Profile : LDAP Credentials; LDAP Password
Multi-Value Separator: ,
DN Format: LDAP (ex, cn=jsmith,ou=Sales,o=Novell)
When I start the page I see only that the username was filled in, but
not the password field.
Have I forgotten to implement something in the identity injection?
Thanks in advance for your help
Ramon
--
RamonLustrati
------------------------------------------------------------------------
RamonLustrati's Profile: https://forums.netiq.com/member.php?userid=798
View this thread: https://forums.netiq.com/showthread.php?t=53787
3 Replies


Knowledge Partner
2015-06-30
10:28
RamonLustrati <RamonLustrati@no-mx.forums.microfocus.com> wrote:
> Hello NG
>
> I have the following request. Maybe you can help me to solve it.
>
> I have an Outlook 2013 OWA. Now I want to create an identity injection
> for the website. Unfortunately it doesn't work. The workstation is an AD
> member and the contract is set to Kerberos.
>
> The identity injection I created is the following:
>
> Do Inject into Authentication Header
> User Name: LDAP Attribute : cn Refresh Data Every: Session
> Password: Credential Profile : LDAP Credentials; LDAP Password
> Multi-Value Separator: ,
> DN Format: LDAP (ex, cn=jsmith,ou=Sales,o=Novell)
>
> When I start the page I see only that the username was filled in, but
> not the password field.
>
> Have I forgotten to implement something in the identity injection?
>
> Thanks in advance for your help
Does your NAM proxy user have rights to retrieve the universal password for the
user from your eDirectory user store?
Note this will never work if AD is your user store, as user passwords are
one-way encrypted in AD.
--
If you find this post helpful and are logged into the web interface, show
your appreciation and click on the star below...
Alex McHugh - Knowledge Partner - Stavanger, Norway
RamonLustrati

Commander
2015-06-30
10:45
alexmchugh;258530 Wrote:
> RamonLustrati <RamonLustrati@no-mx.forums.microfocus.com> wrote:
> > Hello NG
> >
> > I have the following request. Maybe you can help me to solve it.
> >
> > I have an Outlook 2013 OWA. Now I want to create an identity injection
> > for the website. Unfortunately it doesn't work. The workstation is an AD
> > member and the contract is set to Kerberos.
> >
> > The identity injection I created is the following:
> >
> > Do Inject into Authentication Header
> > User Name: LDAP Attribute : cn Refresh Data Every: Session
> > Password: Credential Profile : LDAP Credentials; LDAP Password
> > Multi-Value Separator: ,
> > DN Format: LDAP (ex, cn=jsmith,ou=Sales,o=Novell)
> >
> > When I start the page I see only that the username was filled in, but
> > not the password field.
> >
> > Have I forgotten to implement something in the identity injection?
> >
> > Thanks in advance for your help
>
> Does your NAM proxy user have rights to retrieve the universal password for
> the user from your eDirectory user store?
>
> Note this will never work if AD is your user store, as user passwords
> are one-way encrypted in AD.
>
> --
> If you find this post helpful and are logged into the web interface,
> show your appreciation and click on the star below...
Hi Alex
My user store is an AD store. So what can I do so that credentials are
passed to webmail?


Knowledge Partner
2015-06-30
11:05
RamonLustrati wrote:
>
> alexmchugh;258530 Wrote:
> > Does your NAM proxy user have rights to retrieve the universal password for
> > the user from your eDirectory user store?
> >
> > Note this will never work if AD is your user store, as user passwords
> > are one-way encrypted in AD.
>
> My user store is an AD store. So what can I do so that credentials are
> passed to webmail?
Well, you are authenticating the user via Kerberos (so no password is supplied with authentication).
With FormFill, NAM first needs to get the user's password from somewhere. It can't get the user's password from AD (non-retrievable, at least by default).
You could try setting up SAML or WS-Federation to OWA.
Or you could maybe try Kerberos Constrained Delegation (if your NAM version is fully patched 3.2 or higher) to inject a Kerberos ticket (a different ticket, not the same as the one your user authed against NAM with).
Alex McHugh - Knowledge Partner - Stavanger, Norway
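
Added example, not part of the thread and not NAM code: a check to run on a header captured at the back end, showing which parts of the injected `Authorization` header are populated without printing the secret. It assumes "Inject into Authentication Header" produces an HTTP Basic header; the function name and all sample headers are constructed for illustration.

```python
import base64
import binascii


def describe_authorization(header_value):
    """Summarise an Authorization header value without revealing the password."""
    scheme, _, blob = header_value.strip().partition(" ")
    scheme = scheme.lower()
    blob = blob.strip()
    if scheme == "negotiate":
        # SPNEGO/Kerberos token: no password travels in the header at all.
        return {"scheme": "negotiate", "token_present": bool(blob)}
    if scheme != "basic":
        return {"scheme": scheme, "error": "unsupported scheme"}
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return {"scheme": "basic", "error": "malformed credentials"}
    if ":" not in decoded:
        return {"scheme": "basic", "error": "missing ':' separator"}
    # RFC 7617: split on the first colon only, passwords may contain ':'.
    user, _, password = decoded.partition(":")
    return {"scheme": "basic", "user": user, "password_present": bool(password)}


# Constructed samples. The first mirrors the symptom in the thread: the user
# name (cn) is injected but the password part is empty, because a Kerberos
# login never hands a password to the gateway.
SAMPLE_NO_PASSWORD = "Basic " + base64.b64encode(b"jsmith:").decode()
SAMPLE_WITH_PASSWORD = "Basic " + base64.b64encode(b"jsmith:constructed:pw").decode()
SAMPLE_NEGOTIATE = "Negotiate YIIConstructedToken=="
SAMPLE_BROKEN = "Basic not*base64"

if __name__ == "__main__":
    for sample in (SAMPLE_NO_PASSWORD, SAMPLE_WITH_PASSWORD,
                   SAMPLE_NEGOTIATE, SAMPLE_BROKEN):
        print(describe_authorization(sample))
```
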