29. Browser sent to CAS with Service ID; CAS returns ticket and cookie.
http://www.mywebsite.com/?ticket=ST-12-g9uDQJB0gtoOJfiycsdz
https://inside.lasalle.edu/cas/login?Service=www.mywebsite.com
30. Browser sent to CAS-enabled Web Service with ticket.
http://www.mywebsite.com/?ticket=ST-12-g9uDQJB0gtoOJfiycsdz
Web Service validates the ticket (External CAS Enabled Web Service):
https://inside.lasalle.edu/cas/validate?service=http://www.mywebsite.com&ticket=ST-12-g9uDQJB0gtoOJfiycsdz
31. CAS replies "yes, username". User is now authenticated into the External CAS Enabled Web Service.
41. The client is redirected by the URL to the Windows Live ID Login Service with a valid SLT. The Windows Live ID Login Service issues a ticket for the requested mail service.
42. The client browser is redirected again to the Windows Live Mail Service (https://exchangelabs.com/owa/?wa=wsignin1.0). The Windows Live Mail Service redirects the student to their mailbox.
Editor's Notes
Good morning everyone. My name is Melissa Miller and I work at La Salle University as the Manager of Web Applications. I am here today to talk about our method of providing Single Sign On to the Microsoft Exchange Labs email system.
In the Fall of 2007, our IT department started to evaluate options for student email. Do we stay with Lotus Notes, migrate to a local Exchange server, or outsource? Students want larger mailboxes, larger attachments, an easy-to-use interface and a reliable system.
Read slide
So what about Faculty and Staff email? Well, there was no desire to leave them on the Lotus Notes system due to the overall dissatisfaction with the software. We decided to build a local Exchange server environment and migrate them to this new server. This migration process is still underway as we speak, moving people by department or building, keeping the action contained to ensure they get the best support possible in the process. What’s nice about this solution is that we already owned the Exchange server and Outlook client licenses, so the cost really came down to hardware. We were also able to upgrade the hardware for our spam appliance and reduce licensing costs since the number of local mailboxes dropped from 15000 to 1700. As far as integrating with the Luminis Portal, SCT provides a MOWA connector that you just need to set up and activate in your environment.
Heart of presentation.
Okay now I would like to take a minute or two to run down the terminology list from the LiveAtEdu setup guide. (summarize definitions)
So when the user clicks on the Email Icon, this is the link they get. You can see the service ID being passed into CAS. CasRedirect.aspx was put together for the sole purpose of handling the authentication of the user to the IIS server. Once authenticated, the browser is sent directly to Redirect.aspx
Here is a portion of our CASRedirect code. What we are looking at here is the code that sends the LiveID to Redirect.aspx, which was part of the code package for SSO. When authentication to CAS happens, the string returned is the word ‘yes’ followed by a comma, followed by the username. So for me it would be yes,millermm. So the first part of the if statement is checking for the word ‘yes’ in the reply. If this is true, then we extract the username from stringReply by trimming off the first 4 characters. wlUserID is built by calling the GetWindowsLiveID function and passing in the username and scenario. The scenario is within the web.config file. At the bottom, if windowsLiveUserID is not null then the ID is passed to Redirect.aspx.
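As an added illustration of the CAS leg described above (not the presentation's CASRedirect.aspx code), here is a strict handling of the /validate exchange: the ticket is bound to the exact service URL it was issued for, and only a reply whose first token is exactly "yes" counts as success. The CAS base URL and username policy are assumptions.

```python
# Added example, not code from the presentation. Demonstrates the CAS 1.0
# /validate round trip from the notes: build the validate URL, then parse the
# reply strictly. CAS_BASE and USERNAME_RE are constructed assumptions.
import re
from urllib.parse import urlencode

CAS_BASE = "https://cas.example.edu/cas"            # constructed, not La Salle's server
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")    # assumed local username policy


def build_validate_url(service: str, ticket: str) -> str:
    """URL to ask CAS whether `ticket` was issued for exactly `service`.

    `service` must be the same URL the browser was sent to CAS with; CAS
    rejects the ticket otherwise, and that binding is what stops a ticket
    captured for one service from being replayed against another."""
    if not ticket.startswith("ST-"):
        raise ValueError("not a CAS service ticket")
    return f"{CAS_BASE}/validate?" + urlencode({"service": service, "ticket": ticket})


def parse_validate_reply(reply: str):
    """Return the username from a CAS 1.0 reply, or None if validation failed.

    The notes describe the reply as 'yes' followed by a comma and the username
    (e.g. 'yes,millermm'); the CAS 1.0 protocol separates them with a newline,
    so both separators are accepted. Anything whose first token is not exactly
    'yes' fails closed: a reply that merely *contains* 'yes' is not a success."""
    lines = reply.replace(",", "\n", 1).split("\n")
    if lines[0].strip() != "yes" or len(lines) < 2:
        return None
    user = lines[1].strip()
    # Reject usernames outside the expected character set before they are
    # handed on to GetWindowsLiveID / Redirect.aspx.
    return user if USERNAME_RE.fullmatch(user) else None
```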
Okay so now we have been authenticated through CAS to the IIS Server. What now? This is the segment of the Solution that is provided to you by Microsoft (minus CASRedirect.aspx)
Let's start with Redirect.aspx. Once Redirect.aspx gets the LiveID it processes it and passes it to the Windows Live™ ID SOAP (Simple Object Access Protocol) Service by requesting an SLT (short-lived token) using the getSLT function API (provided with this SDK) via SSL. The SLT is received by the IIS server from the Windows Live ID SOAP Service via SSL and converted to a URL such as the one shown (see link). You can see that the token issued is specifically for the mail service. The URL is redirected to the Luminis portal server, which is then sent to the client browser.
The client's browser is then redirected to the Windows Live ID Login Service with a valid SLT. I have highlighted the token in the example above from a session that was captured via a Firefox add-on called liveheaders. The Windows Live ID Login Service issues a ticket for the requested service (Mail). The client browser is redirected to the Windows Live Mail Service. The Windows Live Mail Service redirects the student to their mailbox.
Ok, so what else was involved in this thing? Well, there was the IIS server installation and setup, web.config customizations, and days upon days of certificate and site troubleshooting. I’ll talk a bit about the server installation.
One of the first things you need to do is obtain and import the provided security certificate into the LocalComputer\Personal store. This procedure is illustrated in the SDK Appendix - Security Certificate Installation. You would have obtained that cert from Microsoft. Then, copy your SDK files into the created web-site root directory (such as C:\inetpub\wwwroot\SSOPortal or EmailSSO, whatever you decide). Create and configure a web-site for your SSO Portal on IIS. This portal will be the middleman between your Luminis Server and the Windows Live authentication servers. These procedures are illustrated in the SDK Appendix - Portal Web Site Configuration (IIS).
Next you will configure the IIS Windows Authentication for the ‘Public’ sub-directory to allow anonymous access. If you refer to the instructions for the previous step, the SDK Appendix instructed you to uncheck the “Enable Anonymous Access” check-box on the root web-site. This is correct; however, the reverse instructions should be used to check the “Enable Anonymous Access” check-box on the ‘Public’ sub-directory. Modify the access control list (ACL) for the previously installed certificate. Since the “code behind” of ASP.NET will be executed under the IUSER_ServerName context, you will need to ensure that the IUSER_ServerName user account has appropriate security permissions to read the installed certificate from certificate storage, and you must also have network service. The PfxNSAcl.exe utility included in this SDK will adjust the access control list (ACL) accordingly. You then export the certificate for use with the solution and make modifications to web.config to fit your solution. I don’t want to get into too much detail on the specifics of the IIS server setup since they are well documented by Microsoft, and I know that since I used release 3.5 they have released a version 4 which I believe has changed slightly. I would download what they provide and get the IIS portion working before worrying about getting the CAS hooked up. They provide you with test pages that test your connection to Microsoft's various authentication servers and will inform you if there is a problem.
Some things I have learned along the way: allow plenty of time to deal with support issues. Microsoft is working on their support model and as of this writing this is still in progress. In particular, the Windows Ed Desk was a major sticking point in trying to resolve certificate issues. Make sure you are clear from the beginning on your domains and whether you will have sub-domains or separate domains, because that changes EVERYTHING as far as they are concerned. If you can land yourself one or two senior tech support people they will be your best friends and help escalate the process in a way that you can't.