Collaboration Technology Support Center - Microsoft - Collaboration Brief, October 2004

Integration of Outlook Web Access (OWA) into SAP Enterprise Portal

André Fischer, Project Manager CTSC, SAP AG
Michael Sambeth, NetWeaver Practice Unit Enterprise Portal, SAP Deutschland AG & Co. KG

Summary
Integrating Microsoft Exchange using Outlook Web Access allows portal users to access their Microsoft Outlook e-mail, task, contact and calendar information. The Web interface of Microsoft Outlook Web Access (OWA) for Exchange 2003 can be customized so that only single folders are made available. SAP delivers the Application Integrator iView template, which can be used to quickly integrate the inbox, calendar, task and contacts folders into SAP Enterprise Portal. Beside the front-end integration, a new SAP Logon Ticket / Kerberos Ticket bridging mechanism allows SAP Enterprise Portal to provide SSO to Microsoft Outlook Web Access also in extranet scenarios.

Applies to
SAP Enterprise Portal 6.0 SP2 Patch 4 or higher
Microsoft Outlook Web Access for Exchange 2003

Keywords
Outlook Web Access, SSO22KerbMap Module

Level of difficulty
Technical consultants, developers

Contact
For feedback or questions you can contact the Collaboration Technology Support Center at ctsc@sap.com. Please check the .NET interoperability area in the SAP Developer Network, http://www.sdn.sap.com/sdn/developerareas/dotnet.sdn, for any updates or further information.
Copyright 2004 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. MaxDB is a trademark of MySQL AB, Sweden. SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice.
These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
Contents

Summary
Applies to
Keywords
Level of difficulty
Contents
Outlook WebAccess
Integrating single OWA components
    Exchange Alias
    Localization
Configuration of Outlook Web Access iViews
Single Sign-on
Conclusion
References
Outlook WebAccess

Microsoft Exchange Server supports the deployment of Exchange in a manner that distributes server tasks among front-end and back-end servers. A front-end server accepts requests from clients, performs the authentication and distributes the requests to the appropriate back-end server for processing.

Figure 1 Microsoft Exchange Front-End and Back-End Server Architecture (diagram elements: firewall, Exchange front-end servers, global catalog server, Exchange back-end servers, extranet client, intranet client)

The front-end server can be accessed using the URL http://<server_hostname>:<port>/exchange.
Figure 2 Outlook Web Access 2003

Outlook Web Access now more closely matches the Outlook 2003 user interface (see Figure 2 Outlook Web Access 2003). Outlook Web Access 2003 allows users to select from different pre-defined color schemes for their Outlook Web Access experience. The administrator can, however, define which of the color schemes is used as the default. The default color scheme can be assigned using the Outlook Web Access Web Administration tool provided by Microsoft, which offers a preview so that one can see what the scheme will look like. If installed, it allows the administration of Outlook Web Access using the URL https://servername/owaadmin.
Integrating single OWA components

If single OWA components such as the calendar are to be integrated as single iViews into SAP Enterprise Portal, one faces two problems:

1. The URL that is used to access a single OWA component like the calendar must contain the name of the Exchange Alias. The Exchange Alias is stored in the attribute mailNickname in Active Directory.

2. The URL used to access a single OWA component like the calendar is also localized and will usually depend on the default language used by the client in its browser settings when the client logs on to Outlook WebAccess for the first time. The URL for an English localization would be

   http://<server_hostname>:<port>/exchange/myexchangealias/Calendar/?cmd=contents

   while for a German localization the URL would be

   http://<server_hostname>:<port>/exchange/myexchangealias/Kalender/?cmd=contents

Exchange Alias

In a default portal configuration the sAMAccountName is used as the portal user ID. In many customer installations the sAMAccountName contains the same value as the attribute mailNickname. In this case the portal user ID can be used to retrieve the Exchange Alias. However, it is not mandatory to use the sAMAccountName as the mailNickname. Moreover, it is possible to use any user attribute as the portal user ID. This is very likely in multi-domain scenarios: since the sAMAccountName is unique only at domain level, an attribute such as the userPrincipalName, which is unique in the complete forest, has to be used as the portal user ID.

The UME can be configured to provide access to any number of arbitrary LDAP user attributes. This is accomplished by editing the dataSourceConfiguration.xml file associated with the LDAP server. If the portal is configured to retrieve the attribute mailNickname into a new portal user attribute called myexchangealias, this value can be inserted dynamically into the URL called by an iView based on the SAP Application Integrator component, using the syntax <User.myexchangealias>.
The data source configuration file has to be changed as follows (excerpt):

    <responsibleFor>
        <principals>
            <principal type="user">
                <nameSpaces>
                    <nameSpace name="com.sap.security.core.usermanagement">
                        <attributes>
                            <attribute name="myexchangealias"/>
                        </attributes>
                    </nameSpace>
                </nameSpaces>
            </principal>
        </principals>
    </responsibleFor>
    <attributeMapping>
        <principals>
            <principal type="user">
                <nameSpaces>
                    <nameSpace name="com.sap.security.core.usermanagement">
                        <attributes>
                            <attribute name="myexchangealias">
                                <physicalAttribute name="mailNickname"/>
                            </attribute>
                        </attributes>
                    </nameSpace>
                </nameSpaces>
            </principal>
        </principals>
    </attributeMapping>

Figure 3 UME data source configuration file

Localization

When a user is created in Active Directory, the mailbox in Exchange 2000/2003 is not created until the user first logs on to the mailbox. The folders are created when the user accesses Outlook Web Access for the first time, and their names depend on the default language configured in Internet Explorer at that time. An example of the portalized Outlook WebAccess calendar component (with German localization) is shown in the following figure.

Figure 4 OWA iView (German localization)

In the example above a German localization is used. Since the URL used by an iView has to contain the folder name, this results in different URLs if several localizations of Outlook WebAccess are used.
If the folder names were already set and you want to change them, a procedure is described in the document Dealing with Localization of Outlook Folders that is listed in the references.

Configuration of Outlook Web Access iViews

iViews that are created from the generic template of the SAP Application Integrator component can be used to quickly integrate the inbox, calendar, task and contacts folders on the Microsoft Exchange Server. You can integrate such an iView into an SAP Enterprise Portal framework page. Proceed as follows to configure an OWA iView for displaying the calendar folder of an NT user whose folder structure has an English localization:

1. Select New From Portal Archive and then iView. (Do not select New.)
2. Select the SAP Enterprise Portal application com.sap.portal.appintegrator.sap and choose Next.
3. On the next screen, choose Generic and Next.
4. In the iView Wizard, enter the iView Name and ID for the new namespace, and choose Next.
5. Select Open for editing when wizard completes, and choose Finish.
6. In the Property Editor, for Property Category choose Show All.
7. Scroll down and set the iView property URL template as URL to your target application. Configure the link as follows:
   a. If the portal user ID is the same as the Exchange Alias:
      http://<server_hostname>:<port>/exchange/<user.userid>/calendar/?cmd=contents
   b. If the portal user ID is NOT the same as the Exchange Alias, the value has to be retrieved by the UME as described in the section above:
      http://<server_hostname>:<port>/exchange/<user.myexchangealias>/calendar/?cmd=contents
8. Replace <server_hostname> and <port> with the Outlook Web Access server name and port.
9. Save the iView.
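The two problems named under Integrating single OWA components (the Exchange Alias in the path and the localized folder name) both end up in the URL template of step 7. The following Python script is an added example, not SAP's Application Integrator code: it expands <User.attr> placeholders (the placeholder syntax is taken from this brief) from a user attribute dictionary and refuses any attribute value that could not be a single path segment, so that a stray value from the directory cannot change the path. The validation rule, the per-localization folder table and the host names are this example's own assumptions; it goes slightly beyond the brief by handling several localizations from one table.

```python
"""Expand an Application Integrator style URL template such as
http://<server_hostname>:<port>/exchange/<User.myexchangealias>/Calendar/?cmd=contents
from a user attribute dictionary (added illustration, not SAP code)."""
import re
from urllib.parse import quote

# Placeholders look like <User.myexchangealias>; the lookup is case-insensitive
# because the brief writes both <User.myexchangealias> and <user.userid>.
PLACEHOLDER = re.compile(r"<User\.([A-Za-z0-9_]+)>", re.IGNORECASE)

# Calendar folder names per OWA localization (assumed table; the brief names
# only the English and the German folder).
CALENDAR_FOLDER = {"en": "Calendar", "de": "Kalender"}

# An Exchange alias becomes exactly one path segment. Anything that could change
# the path structure (slashes, dot-only segments, an empty value) or that is
# not a plain alias character is refused rather than silently encoded.
ALIAS_OK = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


class TemplateError(ValueError):
    pass


def safe_segment(name, value):
    """Validate a user attribute before it is used as a URL path segment."""
    if not isinstance(value, str) or not ALIAS_OK.match(value) or set(value) <= {"."}:
        raise TemplateError("attribute %s has unusable value %r" % (name, value))
    return quote(value, safe="")


def expand_template(template, user_attrs):
    """Replace every <User.attr> placeholder with the validated attribute value."""
    attrs = {k.lower(): v for k, v in user_attrs.items()}

    def repl(match):
        name = match.group(1).lower()
        if name not in attrs:
            raise TemplateError("user attribute %s is not provided by the UME" % name)
        return safe_segment(name, attrs[name])

    return PLACEHOLDER.sub(repl, template)


def owa_folder_url(host, port, alias_attr, user_attrs, locale="en"):
    """Build the calendar iView URL for a user whose OWA folders use `locale`."""
    if locale not in CALENDAR_FOLDER:
        raise TemplateError("no folder name known for localization %r" % locale)
    template = "http://%s:%d/exchange/<User.%s>/%s/?cmd=contents" % (
        host, port, alias_attr, CALENDAR_FOLDER[locale])
    return expand_template(template, user_attrs)


if __name__ == "__main__":
    # Constructed sample user: the portal user ID is the UPN, the alias comes
    # from the mailNickname mapping described above.
    user = {"userid": "jdoe@corp.example", "myexchangealias": "jdoe"}
    print(owa_folder_url("owa.corp.example", 80, "myexchangealias", user, "de"))
```

Note that a UPN such as jdoe@corp.example is rejected by the alias rule, which is exactly the multi-domain case the brief describes: when the portal user ID is not the alias, the template must reference the mapped attribute rather than the user ID.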
Single Sign-on

Outlook Web Access supports Windows integrated authentication as the main SSO method. However, this can only be used in intranet scenarios, since Kerberos does not work well across the Internet due to client-side firewall configuration and because Windows integrated authentication requires that client and server reside in trusted domains.

To overcome this limitation Microsoft has enhanced its implementation of the Kerberos protocol. Using constrained delegation, a service may request a (constrained) Kerberos ticket on behalf of a user for specified services only. Using protocol transition, the client may be authenticated using methods other than Kerberos. Based on this technology SAP has developed an ISAPI filter called the SSO22KerbMap Module.

Figure 5 SAP Logon Ticket Kerberos Ticket Bridging (diagram "Outlook Web Access using SSO22KerbMap Module"; elements: Exchange front-end server with pass-through authentication, SSO22KerbMap Module checking the SAP Logon Ticket (1), Active Directory checking whether the server is trusted for delegation (2), impersonation with a Kerberos ticket towards the Exchange back-end server(s) (3))

The ISAPI filter allows authentication using SAP Logon Tickets (protocol transition). Based on this authentication the filter can acquire a Kerberos ticket on behalf of the user who is authenticated by the SAP Logon Ticket (constrained delegation). The ISAPI filter must be installed on each Exchange back-end server; thus configuration changes have to be applied to all back-end server(s). This is because Windows integrated authentication cannot be used for Exchange front-end servers. A detailed description of the SSO22KerbMap Module can be found in the Collaboration Brief Using SAP Logon Tickets for Single Sign on to Microsoft based web applications.
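The two steps of the bridging described above, protocol transition followed by constrained delegation, can be modelled in a few lines. The following Python script is an added example, not the SSO22KerbMap Module's code and not a Kerberos implementation: the SAP Logon Ticket is replaced by an HMAC-signed "user|expiry" string, the KDC by a function that consults an allowed-SPN table, and all names and keys are constructed. What it shows is the property that makes the scheme acceptable in an extranet: even with a valid ticket, the bridging service can only obtain service tickets for the services it has been explicitly trusted to delegate to.

```python
"""Model of SAP Logon Ticket / Kerberos bridging: protocol transition (accept a
non-Kerberos credential) followed by constrained delegation (service ticket only
for listed SPNs). Added example with constructed keys and names."""
import hashlib
import hmac
import time

# Stand-in for the SAP Logon Ticket signature. The real ticket is signed with the
# portal's private key; an HMAC keeps this example self-contained.
PORTAL_KEY = b"constructed-portal-secret"

# Constrained delegation list of the bridging service account: the only SPNs it
# may request tickets for on behalf of a user (constructed values).
ALLOWED_DELEGATION = {
    "HTTP/exchange-be1.corp.example",
    "HTTP/exchange-be2.corp.example",
}


def issue_logon_ticket(user, ttl=3600, now=None):
    """What the portal does: sign user name and expiry time."""
    now = int(time.time()) if now is None else now
    body = "%s|%d" % (user, now + ttl)
    sig = hmac.new(PORTAL_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "|" + sig


def verify_logon_ticket(ticket, now=None):
    """Protocol transition step: return the user name if the ticket is valid, else None."""
    now = int(time.time()) if now is None else now
    try:
        user, expiry, sig = ticket.split("|")
    except ValueError:
        return None
    body = "%s|%s" % (user, expiry)
    expected = hmac.new(PORTAL_KEY, body.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison of the signature, then the expiry check.
    if not hmac.compare_digest(sig, expected):
        return None
    if not expiry.isdigit() or int(expiry) <= now:
        return None
    return user


def request_service_ticket(user, target_spn):
    """Constrained delegation step: the KDC stand-in honours only listed SPNs."""
    if target_spn not in ALLOWED_DELEGATION:
        raise PermissionError("delegation to %s is not permitted" % target_spn)
    return {"client": user, "service": target_spn}


def bridge(ticket, target_spn, now=None):
    """Full flow: SAP Logon Ticket in, (model) Kerberos service ticket out."""
    user = verify_logon_ticket(ticket, now)
    if user is None:
        raise PermissionError("invalid or expired SAP Logon Ticket")
    return request_service_ticket(user, target_spn)


if __name__ == "__main__":
    t = issue_logon_ticket("jdoe")
    print(bridge(t, "HTTP/exchange-be1.corp.example"))
```

The allowed-SPN table corresponds to the "trusted for delegation" check the figure shows against Active Directory; in a deployment that list lives on the service account object, not in the filter.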
Spelling checker

By default, the spelling checker is available to OWA users as soon as you install Exchange 2003 on the server. If the spelling checker is used, the virtual directory /Exchweb is accessed by users via the URL http://<server_hostname>:<port>/exchweb in addition to the virtual directory /Exchange. If SSO using Windows integrated authentication is to be used, one has to make sure that the security settings of the virtual directory /Exchweb are configured for Windows integrated authentication in the same way as those of the virtual directory /Exchange. If, as in the following example, the virtual directory /Exchweb is not configured for Windows integrated authentication, one gets the following error message. This has to be considered especially if the SSO22KerbMap Module is used.

Figure 6 Spelling checker in Outlook Web Access 2003: Authentication error
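A quick way to confirm the point above is to send an anonymous request to both virtual directories and compare the authentication challenges they return; a mismatch means the spelling checker will authenticate differently (or not at all) from the mailbox itself. The following Python script is an added example and not from this brief or from Microsoft: it records the HTTP status and the schemes offered in WWW-Authenticate headers for /exchange and /exchweb and reports any difference. The host name and the path list are constructed; run it against your own front-end server.

```python
"""Compare the anonymous authentication challenge of the /Exchange and /Exchweb
virtual directories on an OWA server (added example, constructed host names)."""
import urllib.error
import urllib.request

VDIRS = ("/exchange/", "/exchweb/")


def challenge_schemes(www_authenticate_values):
    """Return the set of authentication schemes offered in WWW-Authenticate headers.
    A 401 may carry several headers (Negotiate, NTLM, Basic realm=...) and one
    header may list several schemes separated by commas."""
    schemes = set()
    for value in www_authenticate_values:
        for part in value.split(","):
            token = part.strip().split(" ", 1)[0]
            # Skip continuation parameters such as nonce="..." inside a Digest header.
            if token and "=" not in token:
                schemes.add(token)
    return schemes


def probe(base_url, path, timeout=10):
    """Request a virtual directory anonymously; return (status, schemes)."""
    req = urllib.request.Request(base_url + path, headers={"User-Agent": "vdir-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, set()          # served without a challenge
    except urllib.error.HTTPError as err:
        return err.code, challenge_schemes(err.headers.get_all("WWW-Authenticate") or [])


def compare_vdirs(results):
    """results maps path -> (status, schemes); the first entry is the reference.
    Returns a list of human-readable findings, empty when everything matches."""
    findings = []
    ref_path, (ref_status, ref_schemes) = next(iter(results.items()))
    for path, (status, schemes) in results.items():
        if status != 401:
            findings.append("%s answered %d instead of challenging (401)" % (path, status))
        if schemes != ref_schemes:
            findings.append("%s offers %s but %s offers %s"
                            % (path, sorted(schemes), ref_path, sorted(ref_schemes)))
    return findings


if __name__ == "__main__":
    import sys
    base = sys.argv[1] if len(sys.argv) > 1 else "http://owa.corp.example"
    res = {p: probe(base, p) for p in VDIRS}
    for line in compare_vdirs(res) or ["both virtual directories challenge identically"]:
        print(line)
```

For an SSO22KerbMap Module deployment the same comparison applies to the back-end servers, where the filter is installed, since a /Exchweb directory left on a different authentication setting there produces the error shown in Figure 6.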
Conclusion

Outlook Web Access can be seamlessly integrated into SAP Enterprise Portal. No additional software has to be installed on the front ends to enable this integration. For the visual integration into the portal UI the Application Integrator iView template can be used. The new SSO capabilities that are available with the SAP SSO22KerbMap Module allow SSO from SAP Enterprise Portal to Microsoft Outlook Web Access now also in extranet scenarios.

References

Integrating MS Exchange Using Outlook Web Access
http://help.sap.com/saphelp_nw04/helpdata/en/bd/48043196af764b969338271234936a/frameset.htm

Step-by-Step Guide: SSO22KerbMap ISAPI Module

Collaboration Brief Using SAP Logon Tickets for Single Sign on to Microsoft based web applications

How to Change the Outlook Web Access Logon Page
http://support.microsoft.com/?kbid=321832

Customizing Microsoft Outlook Web Access
http://www.microsoft.com/downloads/details.aspx?familyid=6532e454-073e-4974-A800-1490A7CB358F&displaylang=en

Exchange Server 2003 Technical Documentation Library - What's New in Exchange Server 2003
http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/default.mspx

Exchange 2003: Outlook Web Access Web Administration
http://www.microsoft.com/downloads/details.aspx?familyid=4bbe7065-a04e-43ca-8220-859212411E10

Dealing with Localization of Outlook Folders
http://www.msexchange.org/tutorials/localization_outlook_folders.html

Overview of the spelling checker in Outlook Web Access for Exchange Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;825430