Recently I got a question from a friend of mine regarding delivering OWA via Netscaler UnifiedGateway with a working SSO (Single Sign On). Basically setting up the Web Application using the Netscaler UnifiedGateway wizard will not provide you with SSO. Users will need to authenticate twice.
So how do we solve this issue?

Let’s suppose you have alredy configured your OWA using the Netscaler UnifiedGateway wizard as following:














Well, this is great 🙂
Try to logon to your gateway, hit the Clientless access Tab and launch the app. Unfortunately you will be prompted to logon again…

Now, Let’s make sure SSO works

Step 1:
Logon to your Netscaler using Putty and paste the following commands…
(What you do here is creating an SSO form profile and a traffic policy to pass your credentials to OWA, finally you are binding the traffic policy to your UnifiedGateway)

add vpn formSSOAction OWA_SSO_Form_Action -actionURL "/owa/auth.owa" -userField username -passwdField password -ssoSuccessRule "HTTP.RES.SET_COOKIE.COOKIE(\"cadata\").VALUE(\"cadata\").LENGTH.GT(70)" -responsesize 60000 -submitMethod POST
add vpn trafficAction OWA_SSO_Traffic_Profile HTTP -appTimeout 1 -SSO ON -formSSOAction OWA_SSO_Form_Action -kcdAccount NONE
add vpn trafficPolicy OWA_SSO_Traffic_Policy "REQ.HTTP.URL CONTAINS owa/auth/logon.aspx" OWA_SSO_Traffic_Profile
bind vpn vserver "name of your unifiedgateway vserver" -policy OWA_SSO_Traffic_Policy -priority 10

Step 2:
Head back to your Netscaler Web GUI, Navigate to “Netscaler Gateway – Global Settings” and click on “Configure Domains for Clientless Access
Klick on “Allow Domains” and fill in your domain names as ( or smali.local)…













Step 3:
Make sure your unifiedGateway VIP is on Smart access mode
To do this, navigate to your Access gateway VIP, edit it, Click “more” and uncheck “ICA Only” if it is checked…

Step 4:
If you are using OWA 2013 or 2016 you may need to add the following configuration:

add vpn clientlessAccessProfile skip_profile
add vpn clientlessAccessPolicy skip_rewrite “HTTP.REQ.URL.ENDSWITH(\”mouse.js\”)” skip_profile
bind vpn global -policyName skip_rewrite -priority 100

This skips rewrite in the file where the javascript calls corresponding to maximum stack is getting generated. Skimming through the javascript, it doesn’t seem that the rewritten portion were parts of urls. In some use cases where after adding this skip_rewrite policy the out of office or password change button could stop working since they doesn’t get rewritten by cvpn.