Securing Novell® GroupWise® with Citrix NetScaler AAA-TM

When confronted with the task to implement single sign on for Novell GroupWise, the web based email frontend of Novell’s groupware solution, it turned out that many before me had tried to implement form based authentication to that web application with various products already. Whichever product as gateway were used, all attempts seem to have failed unless heavy customizations were involved.

As with other enterprise applications as well, protection features prevent intermediate systems from authenticating to the login form via form fill, hence the user, after logging in at the AAA-TM logon page is presented with the logon screen of Groupwise and has to authenticate a second time.

The logon form displayed in the picture (pardon the German captions, please) contains the information you would usually extract and send to the backend using an AAA-TM form fill policy after the user successfully authenticated.

Novell GroupWise logon form

The logon form contains the following information:

The problem here is the “User.context” value, which isn’t static and therefore can’t be passed by AAA module to GroupWise authentication. Hence it’s a requirement for secure logon, the process fails and the user is prompted with Novell logon form and has to authenticate a second time.

There is no simple solution to that problem, however digging into the excellent documentation provided by Novell, an alternative approach brings the solution. With just one line of configuration change on the GroupWise system it can be set to accept HTTP authentication (HTTP 401/basic) when accessed by configured gateways. While this logic is intended for Novell Access Manager/LAG it can be used with other gateway systems like NetScaler as well. The details are outlined in the Novell article 7010088 (href http://www.novell.com/support/kb/doc.php?id=7010088). Essentially, on the WebAccess server the parameter “Security.Authenticate.header” in the webacc.cfg configuration file needs to be modified. By default it’s deactivated and needs to be activated by removing the hash sign. The following snippet shows by example how to change it. The IP (or hostname) to set here is the source IP for the incoming connection to GroupWise. In a NetScaler environment that’s usually a MIP or SNIP IP address.

#——————————————————————————
# Identifies what remote computers will be trusted for recieiving the
# authentication header. Multiple addresses can be on the line, separated
# by commas (can be any mixure of IP addresses or Domain names).
#——————————————————————————
#Security.Authenticate.header=
Security.Authenticate.header=1.2.3.4

On the NetScaler the configuration for AAA is very straightforward now. No form based authentication policy is necessary, the AAA-TM module, when challenged for HTTP authentication, will send the Base64 encoded credentials automatically to the backend system.

add tm trafficAction tmAct_sso_NGW -appTimeout 180 -SSO ON -persistentCookie OFF -InitiateLogout OFF
add tm trafficPolicy tmPol_sso_NGW true tmAct_sso_NGW
bind lb vserver vSrv_NGW -policyName tmPol_sso_NGW -priority 100 -gotoPriorityExpression END -type REQUEST

Below an extract from the HTTP communication between the NetScaler and the Groupwise systems. When presented with the HTTP 401 by the WebAccess system of Novell Groupwise, the NetScaler will resend the request with the user credentials in the HTTP Authorization header.

GET /gw/webacc HTTP/1.1
Host: groupwise.example.com

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm=”NovellWebApplication”

GET /gw/webacc HTTP/1.1
Host: groupwise.example.com
Authorization: Basic ZnJlZGRlbW86ZnJlZDAz

With that configuration in place, users will have single sign on access to Novell GroupWise via NetScaler AAA.

Topics

Products