Luminis Iv To Exchange Labs
Notes
  • Good morning everyone. My name is Melissa Miller and I work at La Salle University as the Manager of Web Applications. I am here today to talk about our method of providing Single Sign On to the Microsoft Exchange Labs email system.
  • In the Fall of 2007, our IT department started to evaluate options for student email. Do we stay with Lotus Notes, migrate to a local Exchange server, or outsource? Students want larger mailboxes, larger attachments, an easy to use interface and a reliable system.
  • Read slide
  • So what about Faculty and Staff email? Well, there was no desire to leave them on the Lotus Notes system due to the overall dissatisfaction with the software. We decided to build a local Exchange server environment and migrate them to this new server. This migration process is still underway as we speak, moving people by department or building, keeping the action contained to ensure they get the best support possible in the process. What’s nice about this solution is that we already owned the Exchange server and Outlook client licenses, so the cost really came down to hardware. We were also able to upgrade the hardware for our spam appliance and reduce licensing costs since the number of local mailboxes dropped from 15000 to 1700. As far as integrating with the Luminis Portal, SCT provides a MOWA connector that you just need to set up and activate in your environment.
  • Heart of presentation.
  • Okay now I would like to take a minute or two to run down the terminology list from the LiveAtEdu setup guide. (summarize definitions)
  • So when the user clicks on the Email icon, this is the link they get. You can see the service ID being passed into CAS. CasRedirect.aspx was put together for the sole purpose of handling the authentication of the user to the IIS server. Once authenticated, the browser is sent directly to Redirect.aspx.
  • Here is a portion of our CASRedirect code. What we are looking at here is the code that sends the LiveID to Redirect.aspx, which was part of the code package for SSO. When authentication to CAS happens, the string returned is the word ‘yes’ followed by a comma, followed by the username. So for me it would be yes,millermm. So the first part of the if statement is checking for the word ‘yes’ in the reply. If this is true, then we extract the username from stringReply by trimming off the first 4 characters. wlUserID is built by calling the GetWindowsLiveID function and passing in the username and scenario. The scenario is within the web.config file. At the bottom, if windowsLiveUserID is not null then the ID is passed to Redirect.aspx.
  • Okay, so now we have been authenticated through CAS to the IIS Server. What now? This is the segment of the solution that is provided to you by Microsoft (minus CASRedirect.aspx).
  • Let’s start with Redirect.aspx. Once Redirect.aspx gets the LiveID it processes it and passes it to the Windows Live™ ID SOAP (Simple Object Access Protocol) Service by requesting an SLT (short-lived token) using the getSLT function API (provided with this SDK) via SSL. The SLT is received by the IIS server from the Windows Live ID SOAP Service via SSL and converted to a URL such as the one on the slide. You can see that the token issued is specifically for the mail service. The URL is returned to the Luminis portal server, which then sends it to the client browser.
  • The client’s browser is then redirected to the Windows Live ID Login Service with a valid SLT. I have highlighted the token in the example above from a session that was captured via a Firefox add-on called Live HTTP Headers. The Windows Live ID Login Service issues a ticket for the requested service (Mail). The client browser is redirected to the Windows Live Mail Service. The Windows Live Mail Service redirects the student to their mailbox.
  • Ok so what else was involved in this thing? Well there was the IIS Server installation and setup, Web.config customizations, and days upon days of certificate and site troubleshooting. I’ll talk a bit about the Server installation.
  • One of the first things you need to do is obtain and import the provided security certificate into the Local Computer\Personal store. This procedure is illustrated in the SDK Appendix - Security Certificate Installation. You would have obtained that cert from Microsoft. Then, copy your SDK files into the created web-site root directory (such as C:\inetpub\wwwroot\SSOPortal or EmailSSO, whatever you decide). Create and configure a web-site for your SSO Portal on IIS. This portal will be the middleman between your Luminis Server and the Windows Live Authentication servers. These procedures are illustrated in the SDK Appendix - Portal Web Site Configuration (IIS).
  • Next you will configure the IIS Windows Authentication for the ‘Public’ sub-directory to allow anonymous access. If you refer to the instructions for the previous step, the SDK Appendix instructed you to uncheck the “Enable Anonymous Access” check-box on the root web-site. This is correct; however, the reverse instructions should be used to check the “Enable Anonymous Access” check-box on the ‘Public’ sub-directory. Modify the access control list (ACL) for the previously installed certificate. Since the “code behind” of ASP.NET will be executed under the IUSR_ServerName context, you will need to ensure that the IUSR_ServerName user account has appropriate security permissions to read the installed certificate from certificate storage, and the Network Service account needs the same read access. The PfxNSAcl.exe utility included in this SDK will adjust the access control list (ACL) accordingly. You then export the certificate for use with the solution and make modifications to web.config to fit your solution. I don’t want to get into too much detail on the specifics of the IIS server setup since they are well documented by Microsoft, and I know that since I used release 3.5 they have released a version 4 which I believe has changed slightly. I would download what they provide and get the IIS portion working before worrying about getting the CAS hooked up. They provide you with test pages that test your connection to Microsoft’s various authentication servers and will inform you if there is a problem.
  • Some things I have learned along the way: allow plenty of time to deal with support issues. Microsoft is working on their support model and as of this writing this is still in progress. In particular the Windows Ed Desk was a major sticking point in trying to resolve certificate issues. Make sure you are clear from the beginning on your domains and whether you will have sub-domains or separate domains, because that changes EVERYTHING as far as they are concerned. If you can land yourself one or two senior tech support people they will be your best friends and help escalate the process in a way that you can’t.
  • Transcript

    • 1. Melissa Miller La Salle University Philadelphia, PA [email_address]
    • 2.
      • Please turn off all cell phones/pagers
      • If you must leave the session early, please do so as discreetly as possible
      • Please avoid side conversations during the session
      • Questions will be answered after the presentation
      • Thank you for your cooperation
    • 3.
      • La Salle is a Catholic University founded by the Christian Brothers in Philadelphia in 1863.
      • Three campuses: North East Philadelphia, Bucks County and Montgomery County
      • Recent expansion projects
        • The acquisition of Germantown Hospital for the School of Nursing and Health Sciences
        • The expansion of Roland Holroyd Science Center to include environmentally friendly laboratories, classrooms, and lounges
    • 4.
      • The University student body of 7,500 students includes
        • 3,400 full-time undergraduates
        • 1,400 part-time undergraduates
        • 2,700 graduate and doctoral students.
      • Enrollment has grown 16 percent in the past 10 years.
      • Students come from 44 states and 27 foreign countries
      • Two-thirds of undergraduates live on campus
    • 5.
      • Current System – Lotus Notes 7.5
      • We need to Upgrade
        • Servers running out of space
        • Performance problems
        • User dissatisfaction with product
      • Do We…
        • Upgrade to Domino 8 and migrate to a larger server?
        • Switch to Microsoft Exchange 2007 on a larger server?
        • Outsource?
    • 6.
      • Domino 8
        • User Interface improvements
        • Feature enhancements
      • Microsoft Exchange
        • Features and Interface desired over Lotus
        • Save money on licenses- Already own SW
        • More hardware needs – greater initial costs
      • Outsource?....
    • 7.
      • Outsourcing Email
        • Between Microsoft and Google
        • Feature comparisons
        • Support comparisons
        • Asking the community
      • Other Schools seemed to like their decision to outsource, whether Google, Microsoft, or both.
    • 8.
      • Exchange Labs was best fit.
      • Environment more like local hosting.
      • Could host Faculty and Staff email if we choose
      • Next release promises more features and shared address book with local Exchange Server.
    • 9.
      • Larger Mailboxes – 10 gig
      • Large Attachments - 20 meg
      • Remote File Storage - Sky Drive – 5 gig
      • Spam Filtering and Virus Scanning
      • Less Maintenance by IT staff
      • Free!
    • 10.
      • What’s Skydrive?
      • Students wanted “Digital Locker”
      • Skydrive gives public, private, and shared storage of files
        • Upload homework
        • Share projects with team
        • Make resume public
      • Uses same authentication as Email – Live ID
      • Free! Marketed with LiveAtEdu Solution
    • 11.
      • Microsoft Model is to get customers for life
      • If students get comfortable with products in school, they will stay with Microsoft products as Employees in the work force.
      • Alumni get email for life
      • Once Alumni, Microsoft displays “Family Safe” Ads to recoup some funding.
      • Learn more at www.liveatedu.com
    • 12.
      • Initially considered Faculty and Staff on Exchange Labs
      • Microsoft allows Faculty and Staff email to be hosted at Exchange Labs for a fee
      • After serious consideration, decided to keep Faculty and staff email locally
    • 13.
      • Decided to build a Microsoft Exchange environment.
      • Phased Migration to Local Exchange Servers
      • Reduced costs – We already owned licenses
      • Reduction in Spam Appliance licenses from 15000 to 1700.
      • MOWA connector included with Luminis IV for Single Sign-On
    • 14.  
    • 15.
      • How we got started
        • Sign up at www.liveatedu.com
      • Register a test domain
        • Simply fill out and submit a web form
      • Sign volunteers up to test it
        • Once domain is approved, users can be added
    • 16.
      • Start process of integration
        • Contact [email_address] for information
        • Request access to Microsoft Connect
        • Request Certificate for SSO
        • Download Liveatedu SSO download package
    • 17.  
    • 18.
      • Single Sign On
        • Solution that allows users to login to a portal or web service, and be granted access to other services without secondary credentials.
      • Windows Live ID
        • A Windows Live ID is a unique ID issued to a user by Windows Live Services for authentication and authorization. It is in the format of an email address.
    • 19.
      • SOAP (Simple Object Access Protocol)
        • Protocol for exchanging XML-based messages over a network, using HTTP. Here, SOAP is used to retrieve a token from the Windows Live ID SOAP Services.
      • SLT (Short Lived Token)
        • A Short Lived Token (SLT) is a string that is issued by the Windows Live ID SOAP Service that can be used by the Web Portal in lieu of credentials (username and password) in order to authenticate a user to the Windows Live ID service.
      • Certificate (Digital Certificate)
        • A certificate is a digital document that is used to encrypt and decrypt data and verify the identity of an entity.
    • 20.
      • IIS (Internet Information Services)
        • Software services that support Web site creation, configuration, and management, along with other Internet functions
      • The web.config File
        • The web.config XML file must be customized for your environment. The web.config XML file defines the configuration of your SSO application.
    • 21. Based on Scenario 2a from the SDK Guide
    • 22.  
    • 23.
      • Central Authentication Service
      • CAS is an authentication system originally created by Yale University
      • Provides a trusted way for an application to authenticate a user without a password
    • 24.
      • CAS involves three components- a client web browser, the web application requesting authentication, and the CAS server .
      • Client visits an application, the application redirects it to CAS.
      • CAS validates the client's authenticity
    • 25.
      • If the authentication succeeds, CAS returns the client to the application, passing along a security ticket
      • Application validates ticket by contacting CAS over a secure connection.
      • CAS passes information about whether the client has been successfully authenticated
    • 26.  
    • 27.
      • “Yale CAS 2.0 is integrated by default with Luminis IV, and will issue tickets recognized by CAS-enabled clients.”
      • http://www.yale.edu/tp/cas/
      • Can be locked down to only trust specified services or applications
      • Usernames or Immutable ID’s can be used
      • See Appendix B in Luminis IV install guide for more details and Parallel deployment settings
    • 28.
      • User logs into Luminis Portal
      • User is presented with link: https://inside.lasalle.edu/cas/login?Service=www.mywebsite.com
    • 29.
      • Browser sent to CAS with Service ID: https://inside.lasalle.edu/cas/login?Service=www.mywebsite.com
      • CAS returns ticket and cookie: http://www.mywebsite.com/?ticket=ST-12-g9uDQJB0gtoOJfiycsdz
    • 30.
      • Browser sent to CAS-enabled web service with ticket: http://www.mywebsite.com/?ticket=ST-12-g9uDQJB0gtoOJfiycsdz
      • Web service validates ticket: https://inside.lasalle.edu/cas/validate?service=http://www.mywebsite.com&ticket=ST-12-g9uDQJB0gtoOJfiycsdz
      • External CAS-enabled web service
    • 31.
      • CAS replies: Yes, username
      • User is now authenticated into the external CAS-enabled web service
    • 32.
      • Log into portal
      • Enter link to fake CAS enabled website
        • Why? To see the ticket returned
        • https://inside.lasalle.edu/cas/login?service=http%3A%2F%2Fwww.google.com
      • We get a page not found error with the ticket
      • Validate ticket
        • https://inside.lasalle.edu/cas/validate?service=http%3A%2F%2Fwww.google.com&ticket=<ticket>
      • Yes, millermm – We are validated!
    • 33.  
    • 34. Alternative to GCF/CPIP: no password is exchanged with the external system
    • 35.
      • Icon in portal points students to https://inside.lasalle.edu/cas/login?service=http://myintranet.lasalle.edu:8007/public/CasRedirect.aspx
      • CASRedirect.aspx is our code page added to the Public folder of the LiveAtEdu SSO solution to process the users portal authentication to CAS
    • 36.
      • Once the user is validated against CAS, the Live ID is passed to Redirect.aspx, which begins validation to Windows Live Services.
      • http://myintranet.lasalle.edu:8007/public/Redirect.aspx?Debug=false&ID=023139ce-9ec9-441c-9b4d-68727590299f
    • 37.
        // CASRedirect.aspx: CAS 1.0 /validate answers "yes" followed by the username, or "no"
        if (stringReply.Trim().StartsWith("yes"))
        {
            // drop the leading "yes" plus separator, leaving the portal username
            string rawUsername = (stringReply.Remove(0, 4));
            Page.Session["portalUser"] = rawUsername.Trim();
            // map the portal username to a Windows Live ID; the scenario comes from web.config
            string wlUserID = Name.GetWindowsLiveID((string)Page.Session["portalUser"], (int)Page.Session["scenario"]);
            Page.Session["windowsLiveUserID"] = wlUserID;
            string windowsLiveUserID = (string)(Page.Session["windowsLiveUserID"]);
            if (!String.IsNullOrEmpty(windowsLiveUserID))
            {
                // store the Live ID and hand Redirect.aspx only the opaque SSO ID
                string ssoId = SQL.InsertSSOID(windowsLiveUserID);
                string result = "Redirect.aspx?Debug=false&ID=" + ssoId;
                Response.Redirect(result);
            }
        }
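The CAS leg on slides 28 to 32 and the CASRedirect.aspx decision on slide 37, re-expressed as an added Python example that is not the presentation's code and not part of Microsoft's SDK. It builds the /login and /validate URLs, parses the CAS 1.0 reply the same way the C# does (‘yes’ prefix, drop four characters, trim), resolves the portal username to a Live ID through a constructed in-memory table that stands in for Name.GetWindowsLiveID, and parks the Live ID under a random one-time ID in a dict that stands in for SQL.InsertSSOID. CAS_BASE, SERVICE, the usernames and the Live IDs are assumed values; nothing here touches the network.

```python
# Added example, not the presentation's or the SDK's code.
# Assumed stand-ins: CAS_BASE, SERVICE, LIVE_ID_BY_USER (for Name.GetWindowsLiveID)
# and SSO_STORE (for SQL.InsertSSOID).
import uuid
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

CAS_BASE = "https://cas.example.edu/cas"                          # assumption
SERVICE = "http://sso.example.edu:8007/public/CasRedirect.aspx"  # assumption


def login_url(service: str = SERVICE) -> str:
    """Slides 28/35: the link behind the portal's email icon. CAS sends the
    browser back to `service` with ?ticket=ST-... appended."""
    return f"{CAS_BASE}/login?{urlencode({'service': service})}"


def ticket_from_service_url(url: str) -> Optional[str]:
    """Slides 29/32: pull the ST-... ticket CAS appended to the service URL."""
    values = parse_qs(urlsplit(url).query).get("ticket", [])
    return values[0] if values else None


def validate_url(ticket: str, service: str = SERVICE) -> str:
    """Slide 30: the server-to-server call that checks the ticket. `service`
    must match the value sent to /login exactly, or CAS answers 'no'."""
    return f"{CAS_BASE}/validate?{urlencode({'service': service, 'ticket': ticket})}"


def parse_validate_reply(reply: str) -> Optional[str]:
    """Slides 31/37: CAS 1.0 /validate returns 'yes' plus the username (the
    notes show it as 'yes,millermm'), or 'no'. Mirrors the C#: test for the
    'yes' prefix, drop the first four characters, trim."""
    if not reply.strip().startswith("yes"):
        return None
    username = reply.lstrip()[4:].strip()
    return username or None


LIVE_ID_BY_USER = {"millermm": "millermm@student.example.edu"}  # constructed
SSO_STORE: dict = {}  # one-time ID -> Live ID, stand-in for the SSO table


def get_windows_live_id(username: str, scenario: int) -> Optional[str]:
    """Stand-in for Name.GetWindowsLiveID; only scenario 1 (the web.config
    value on slide 46) is modelled here."""
    if scenario != 1:
        return None
    return LIVE_ID_BY_USER.get(username)


def insert_sso_id(live_id: str) -> str:
    """Stand-in for SQL.InsertSSOID: park the Live ID under an unguessable
    one-time key so the redirect URL carries an opaque ID, not the Live ID."""
    sso_id = str(uuid.uuid4())
    SSO_STORE[sso_id] = live_id
    return sso_id


def cas_redirect(reply: str, scenario: int = 1) -> Optional[str]:
    """Slide 37's decision: the Redirect.aspx target, or None when the reply
    was not 'yes' or no Live ID could be resolved for the user."""
    username = parse_validate_reply(reply)
    if username is None:
        return None
    live_id = get_windows_live_id(username, scenario)
    if not live_id:
        return None
    return f"Redirect.aspx?Debug=false&ID={insert_sso_id(live_id)}"


if __name__ == "__main__":
    print(login_url())
    ticket = ticket_from_service_url(
        "http://www.mywebsite.com/?ticket=ST-12-g9uDQJB0gtoOJfiycsdz")
    print(validate_url(ticket))
    print(cas_redirect("yes\nmillermm\n"))   # Redirect.aspx?Debug=false&ID=<uuid>
    print(cas_redirect("no\n\n"))            # None
```

The two points worth keeping from the flow: the ticket is only ever trusted after the server-side /validate call (the browser merely carries it), and the ID that reaches Redirect.aspx is an opaque lookup key rather than the Live ID itself.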
    • 38. Authenticated. Now What? Microsoft's Solution (Big Picture)
    • 39.
      • Redirect.aspx processes UserID & cert, passes it to the Windows Live™ ID SOAP service and requests an SLT.
      • The token is received by the IIS server from the Windows Live ID SOAP Service via SSL and converted to a URL such as…
    • 40.
        • https://login.live.com/ppsecure/post.srf?wa=wsignin1.0&rpsnv=10&ct=1225214652&rver=5.5.4177.0&wp=MBI_SSL&wreply=https:%2F%2Fexchangelabs.com%2Fowa%2F&lc=1033&id=76067&slt=B1bdkBJAXLsx95n66v1IMgGg1CWvjp1pkOPY7pyDi6iqH7yAsxxoMgLH56Wpp8qDDHJc3h3aViunia1pCGwsjIL7rhWvcOfxIxOPU7IS!*deebSPQw$$
    • 41. The client is redirected by the URL to the Windows Live ID Login Service with a valid SLT. The Windows Live ID Login Service issues a ticket for the requested mail service.
    • 42. The client browser is redirected again to the Windows Live Mail Service (https://exchangelabs.com/owa/?wa=wsignin1.0), which redirects the student to their mailbox.
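A toy model of the SLT leg on slides 39 to 42, added here as an example; it is not Microsoft's SDK and not the presentation's code. The real SLT is minted by the Windows Live ID SOAP service; the stand-in issuer below gives the token the properties that let it stand "in lieu of credentials" (opaque and unguessable, bound to one user and one service, expiring, single use), which are assumptions about what a short-lived token should guarantee rather than documented behaviour. The login URL builder uses the parameter names visible on slide 40 with constructed values, and the redaction helper shows how to log that redirect without logging the token.

```python
# Added example: a toy model of the SLT leg, not Microsoft's SDK and not the
# presentation's code. TTL, single use and service binding are assumptions.
import secrets
import time
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

SLT_TTL_SECONDS = 60  # assumption; the page does not state the real lifetime


class SltIssuer:
    """Stand-in for the Windows Live ID SOAP service's getSLT / redeem pair."""

    def __init__(self, ttl: int = SLT_TTL_SECONDS,
                 clock: Callable[[], float] = time.time) -> None:
        self.ttl = ttl
        self.clock = clock
        self._live: Dict[str, Tuple[str, str, float]] = {}

    def get_slt(self, live_id: str, service_id: str = "ExchangeLabs") -> str:
        """Mint an opaque, unguessable token bound to one user and one service."""
        token = secrets.token_urlsafe(32)
        self._live[token] = (live_id, service_id, self.clock() + self.ttl)
        return token

    def redeem(self, token: str, service_id: str) -> Optional[str]:
        """Return the Live ID once; a replayed, expired or wrong-service token fails."""
        record = self._live.pop(token, None)     # pop: the token is single use
        if record is None:
            return None
        live_id, bound_service, expires_at = record
        if service_id != bound_service or self.clock() > expires_at:
            return None
        return live_id


def live_login_url(slt: str, wreply: str = "https://exchangelabs.com/owa/",
                   site_id: str = "76067", ct: Optional[int] = None) -> str:
    """Slide 40's redirect, rebuilt with urlencode so wreply and the token are
    escaped correctly. Parameter names are the ones visible on the slide;
    the values are constructed."""
    params = {
        "wa": "wsignin1.0", "rpsnv": "10",
        "ct": str(ct if ct is not None else int(time.time())),
        "rver": "5.5.4177.0", "wp": "MBI_SSL", "wreply": wreply,
        "lc": "1033", "id": site_id, "slt": slt,
    }
    return "https://login.live.com/ppsecure/post.srf?" + urlencode(params)


def redact_slt(url: str) -> str:
    """Before a redirect URL goes to a log, blank the token: a logged SLT is a
    logged credential for as long as it is valid."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    if "slt" in query:
        query["slt"] = ["<redacted>"]
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))


if __name__ == "__main__":
    issuer = SltIssuer()
    token = issuer.get_slt("student@student.example.edu")   # constructed Live ID
    url = live_login_url(token)
    print(redact_slt(url))
    print(issuer.redeem(token, "ExchangeLabs"))   # the Live ID
    print(issuer.redeem(token, "ExchangeLabs"))   # None: already used
```

The same three checks (expiry, single use, service binding) are what a reviewer would look for in any portal-issued token that a browser carries across a redirect, because the browser, proxies and web-server logs all see it in the clear at the URL level even when the transport is TLS.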
    • 43.
      • IIS Server Installation / Site Configuration
      • Web.config customizations
      • Days of site/certificate troubleshooting
    • 44.
      • Import security certificate
      • Copy SDK files into created web-site root directory
      • Create and configure a web-site for your SSO Portal on IIS.
    • 45.
      • Configure the IIS Windows Authentication for the ‘Public’ sub-directory to allow anonymous access.
      • Export Certificate into known directory
      • Modify access control list (ACL) for the previously installed certificate using the utility PfxNSAcl.exe
    • 46.
      • Modify web.config
        <configuration>
          <appSettings>
            <add key="domain" value="student.lasalle.edu"/>
            <add key="siteID" value="975342"/>
            <add key="certThumb" value="45 aa c2 a2 eb… …"/>
            <!-- Service ID (ie ExchangeLabs, mail)-->
            <add key="serviceID" value="ExchangeLabs"/>
            <add key="scenario" value="1"/>
          </appSettings>
        </configuration>
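A pre-flight check for the web.config keys shown on slide 46, added as an example; it is not part of the SDK or the presentation. It parses the appSettings section, confirms every key the slide lists is present and non-empty, normalises certThumb from the space-separated form the Windows certificate dialog shows into 40 hex digits, and rejects anything that is not a SHA-1 thumbprint after normalisation (the hidden left-to-right mark that the certificate dialog copies along with the thumbprint is a classic cause of "certificate not found" during the troubleshooting days the talk mentions). The sample web.config, including its thumbprint, is constructed.

```python
# Added example, not the SDK's code. The sample web.config below is constructed.
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

REQUIRED_KEYS = ("domain", "siteID", "certThumb", "serviceID", "scenario")

SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="domain" value="student.example.edu"/>
    <add key="siteID" value="975342"/>
    <add key="certThumb" value="45 aa c2 a2 eb 00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee"/>
    <!-- Service ID (ie ExchangeLabs, mail)-->
    <add key="serviceID" value="ExchangeLabs"/>
    <add key="scenario" value="1"/>
  </appSettings>
</configuration>
"""


def load_app_settings(xml_text: str) -> Dict[str, str]:
    """Return the <appSettings> <add key value> pairs as a dict."""
    root = ET.fromstring(xml_text)
    section = root.find("appSettings")
    if section is None:
        return {}
    return {a.get("key"): a.get("value", "")
            for a in section.findall("add") if a.get("key")}


def normalise_thumbprint(raw: str) -> str:
    """Strip spaces, colons and the invisible bidi marks (U+200E/U+200F) that
    the Windows certificate dialog copies with the thumbprint; lower-case hex."""
    return re.sub(r"[\s:\u200e\u200f]", "", raw).lower()


def check_app_settings(settings: Dict[str, str]) -> List[str]:
    """List every problem found; an empty list means the settings look usable."""
    problems: List[str] = []
    for key in REQUIRED_KEYS:
        if not settings.get(key, "").strip():
            problems.append(f"missing or empty appSettings key: {key}")
    thumb = normalise_thumbprint(settings.get("certThumb", ""))
    if not re.fullmatch(r"[0-9a-f]{40}", thumb):
        problems.append("certThumb is not a 40-hex-digit SHA-1 thumbprint after normalisation")
    for key in ("siteID", "scenario"):
        if not settings.get(key, "").isdigit():
            problems.append(f"{key} must be numeric (the code casts scenario to int)")
    if "." not in settings.get("domain", ""):
        problems.append("domain does not look like a DNS name")
    return problems


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_WEB_CONFIG
    found = check_app_settings(load_app_settings(text))
    print("\n".join(found) if found else "web.config appSettings look consistent")
```

Run it against the real file (python check_webconfig.py web.config) before exercising the SDK's test pages; a clean result here rules out the configuration side before certificate ACLs and IIS settings are investigated.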
    • 47.
      • SSO to SkyDrive
      • SSO to local Exchange using ISA
    • 48.
      • Test vs Prod
      • Communication of site differences
      • Find a good contact
      • Be persistent
