Posted in : ADFS, NetScaler, Office 365 By Simon Gottschlag

3 years ago

I wrote a blog post about smart links to Office 365, but there’s also a way to make sure users with their mailboxes in Office 365 automatically are redirected to their Outlook Web Access there (with SSO). They key lies in using a 307 redirect instead of 301 or 302, where the post is sent to ADFS – and the username and password field (luckily) are the same in Exchange (tried it with 2013). I haven’t tried this with Windows Integrated Authentication internally, but should work just fine – but maybe needs some tweaking.
First off, as always, create the pattern sets and expressions (if not already created for your Exchange load balancing):

add policy patset PATSET_HOSTHEADER_E2013
bind policy patset PATSET_HOSTHEADER_E2013 mail.example.com -index 1
bind policy patset PATSET_HOSTHEADER_E2013 autodiscover.example.com -index 2
add policy expression EXP_ADV_HOSTHEADER_E2013 "HTTP.REQ.HEADER(\"Host\").SET_TEXT_MODE(IGNORECASE).CONTAINS_ANY(\"PATSET_HOSTHEADER_E2013\")"

Next step, create the rewrite to actually redirect the user from Exchange to ADFS:

add rewrite action RWA-RES-INT_E2013_O365USER_REDIRECT replace_http_res q{"HTTP/1.1 307 Temporary Redirect\r\n" + "Location: " + "https://adfs.example.com/adfs/ls\?" + "wa=wsignin1.0&lc=1033&wtrealm=urn:federation:MicrosoftOnline" + "&wctx=wa%3Dwsignin1.0%26rpsnv%3D4%26ct%3D1435822861%26rver%3D6.4.6456.0%26" + "wp%3DMCMBI%26lc%3D1033%26bk%3D1435822861%26id%3D260563" + "LoginOptions%3D1" + "%26wreply%3Dhttps:%252F%252Foutlook.office365.com" + "%252Fowa%252F%253Frealm%253Dexample.com%26whr%3Dexample.com%26CBCXT%3Dout%26" + "\r\n" + "Connection: close\r\n" + "Cache-Control: no-cache\r\n" + "Pragma: no-cache\r\n" + "\r\n"}
add rewrite action RWA-RES-EXT_E2013_O365USER_REDIRECT replace_http_res q{"HTTP/1.1 307 Temporary Redirect\r\n" + "Location: " + "https://adfs.example.com/adfs/ls\?" + "wa=wsignin1.0&lc=1033&wtrealm=urn:federation:MicrosoftOnline" + "&wctx=wa%3Dwsignin1.0%26rpsnv%3D4%26ct%3D1435822861%26rver%3D6.4.6456.0%26" + "wp%3DMCMBI%26lc%3D1033%26bk%3D1435822861%26id%3D260563" + "LoginOptions%3D3" + "%26wreply%3Dhttps:%252F%252Foutlook.office365.com" + "%252Fowa%252F%253Frealm%253Dexample.com%26whr%3Dexample.com%26CBCXT%3Dout%26" + "\r\n" + "Connection: close\r\n" + "Cache-Control: no-cache\r\n" + "Pragma: no-cache\r\n" + "\r\n"}

Remember to replace example.com (it’s in a few different places) as well as the ADFS FQDN.
Now, create the rewrite policies and policy labels- and don’t forget to replace OFFICE365TENANT with your tenant name:

add rewrite policy RWP-RES-INT_E2013_O365USER_REDIRECT-NOOP "EXP_ADV_HOSTHEADER_E2013 && HTTP.REQ.URL.PATH.EQ(\"/owa/auth.owa\")" NOREWRITE
add rewrite policy RWP-RES-INT_E2013_O365USER_REDIRECT q{HTTP.RES.BODY(999999).SET_TEXT_MODE(IGNORECASE).CONTAINS("Use the following link to open this mailbox with the best performance:<br/><a href=\"http://outlook.com/owa/OFFICE365TENANT.onmicrosoft.com\">http://outlook.com/owa/OFFICE365TENANT.onmicrosoft.com</a>")} RWA-RES-INT_E2013_O365USER_REDIRECT
add rewrite policy RWP-RES-EXT_E2013_O365USER_REDIRECT-NOOP "EXP_ADV_HOSTHEADER_E2013 && HTTP.REQ.URL.PATH.EQ(\"/owa/auth.owa\")" NOREWRITE
add rewrite policy RWP-RES-EXT_E2013_O365USER_REDIRECT q{HTTP.RES.BODY(999999).SET_TEXT_MODE(IGNORECASE).CONTAINS("Use the following link to open this mailbox with the best performance:<br/><a href=\"http://outlook.com/owa/OFFICE365TENANT.onmicrosoft.com\">http://outlook.com/owa/OFFICE365TENANT.onmicrosoft.com</a>")} RWA-RES-EXT_E2013_O365USER_REDIRECT
add rewrite policylabel RWPL-RES-INT_E2013_O365USER_REDIRECT http_res
bind rewrite policylabel RWPL-RES-INT_E2013_O365USER_REDIRECT RWP-RES-INT_E2013_O365USER_REDIRECT 100 END
add rewrite policylabel RWPL-RES-EXT_E2013_O365USER_REDIRECT http_res
bind rewrite policylabel RWPL-RES-EXT_E2013_O365USER_REDIRECT RWP-RES-EXT_E2013_O365USER_REDIRECT 100 END

And as a last step, bind them to the vservers – in my case the load balancing vservers:

bind lb vserver LB-INT_E2013_SSL -policyName RWP-RES-INT_E2013_O365USER_REDIRECT-NOOP -priority 100 -gotoPriorityExpression END -type RESPONSE -invoke policylabel RWPL-RES-INT_E2013_O365USER_REDIRECT
bind lb vserver LB-EXT_E2013_SSL -policyName RWP-RES-EXT_E2013_O365USER_REDIRECT-NOOP -priority 100 -gotoPriorityExpression END -type RESPONSE -invoke policylabel RWPL-RES-EXT_E2013_O365USER_REDIRECT

Leave a comment if you have any questions or if it doesn’t work – or if you have any better ways of doing this! I’ve tried it with Exchange 2013 and ADFS on 2012 R2.

Tags :

Add comment

Your comment will be revised by the site if needed.