Another solution to CASify OWA.
CAS and OWA at ENSAM (France)
Goal
My problem was to be able to use CAS with my network architecture, in which there was an OWA server. There were two solutions, but neither was good for me: I did not want to store all users' passwords in a local database, and I did not want to use the cas2owa ISAPI filter, which is for me a working hack, but a hack.
My idea is simple: when a user connects to OWA, he gets a cookie which lets him connect again to OWA without authenticating again (it would be boring to authenticate for each page he wants to see). So, if I want to get this cookie, I need the user's login and password. I don't want to store the user's login and password anywhere. So, the only way to get the OWA cookie is to use the user's login and password when I have them, when the user is authenticating against the CAS server. I can't change OWA, but I can change CAS. So I did.
CAS works like this:
1. The user connects to the login page.
2. The user enters a login and password.
3. CAS checks the login and password.
4. If OK, CAS returns the CAS cookie containing the Granting Ticket.
My changes are:
1. The user connects to the login page.
2. The user enters a login and password.
3. CAS checks the login and password.
4. If OK, CAS uses the login and password to authenticate against the OWA service and retrieve the OWA cookie.
5. If OK, CAS returns the CAS cookie containing the Granting Ticket, and the OWA cookie.
So I opened Eclipse and started to read the CAS code.
Prerequisite
OWA must be running with Forms-Based Authentication, so that when users connect to OWA, they first get a page with an authentication form.
The URLs to access OWA must look like: https://owa.domain.com/exchange/? to access mailboxes and https://owa.domain.com/exchweb/.../? to access the Forms Authentication page.
Change in CAS 3.2
You can get the patch in Attachments: the filename is cas-3.2.1-owa.patch
I used Cygwin to create the patch (diff), and to apply the patch (patch).
Apply the patch against CAS 3.2.1 and compile using Maven.
Architecture
The system architecture must be strict in order to make the system work. The goal is that both the CAS server and the OWA server have the same hostname. To do so, I use Apache and mod_proxy. If you are using a Windows system, download the Apache + SSL package.
You can install Apache and Tomcat on the same server; it is not a problem. I configured Tomcat to listen on port 444 in SSL mode.
Let's have two servers: cas.domain.com and owa.domain.com. In the DNS system I had a CNAME entry: www.domain.com pointing to cas.domain.com.
In Apache, I configured an SSL Virtual Host and activated mod_proxy, mod_proxy_http, mod_proxy_connect and mod_rewrite.
In the SSL Virtual Host definition, add the following directives:
<VirtualHost *:443>
[...]
SSLProxyEngine on
ProxyPreserveHost on
ServerSignature Off
AllowCONNECT 443
RewriteEngine on
RewriteCond %{QUERY_STRING} logoff
RewriteRule ^/exchange/.+/ https:
RewriteRule ^/exchweb/bin/auth/owalogon.asp https:
ProxyRequests off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass /exchweb https:
ProxyPassReverse /exchweb https:
ProxyPass /exchange https:
ProxyPassReverse /exchange https:
ProxyPass /cas https:
ProxyPassReverse /cas https:
SetEnv force-proxy-request-1.0 1
SetEnv proxy-nokeepalive 1
</VirtualHost>
What does it mean?
The first rewrite rule redirects the user to the CAS logout page when he clicks on the Logout button in the OWA interface. CAS will destroy the OWA cookies.
The second rewrite rule redirects the user to the CAS login page when the user tries to connect to OWA without having been authenticated.
Now the ProxyPass directives:
When users connect to https://www.domain.com/exchweb, the page is retrieved from https://owa.domain.com. The same goes for /exchange and /cas.
With Apache mod_proxy, the OWA and CAS servers use the same URL. With mod_rewrite, we redirect the OWA login and logout functions to CAS without having to change the OWA source code.
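The single-hostname requirement above can be checked against browser cookie scoping. This added example (not part of the original page or of the patch) models RFC 6265 domain and path matching to show which hosts would receive the OWA cookie that CAS hands back at login. It assumes cookie scoping is the reason for the shared hostname; the cookie name owa_session and the host other.domain.com are hypothetical.

```python
from urllib.parse import urlsplit

def domain_match(host, cookie_domain, host_only):
    """RFC 6265 section 5.1.3: does the request host match the cookie's domain?"""
    host, cookie_domain = host.lower(), cookie_domain.lower().lstrip(".")
    if host_only:                      # no Domain attribute: exact host only
        return host == cookie_domain
    return host == cookie_domain or host.endswith("." + cookie_domain)

def path_match(request_path, cookie_path):
    """RFC 6265 section 5.1.4: does the request path fall under the cookie path?"""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def browser_sends(cookie, url):
    """True if a browser would attach `cookie` to a request for `url`."""
    parts = urlsplit(url)
    if cookie["secure"] and parts.scheme != "https":
        return False
    return (domain_match(parts.hostname, cookie["domain"], cookie["host_only"])
            and path_match(parts.path or "/", cookie["path"]))

def owa_cookie(set_by_host, domain_attr=None):
    """Constructed OWA session cookie as stored after the CAS login response."""
    return {"name": "owa_session",             # hypothetical cookie name
            "domain": domain_attr or set_by_host,
            "host_only": domain_attr is None,  # no Domain attribute => host-only
            "path": "/", "secure": True}

# Constructed scenarios using the page's host names.
PROXIED = owa_cookie("www.domain.com")              # CAS and OWA behind one host
DIRECT = owa_cookie("cas.domain.com")               # CAS reached on its own name
WIDE = owa_cookie("cas.domain.com", "domain.com")   # workaround: Domain=domain.com

if __name__ == "__main__":
    for label, c in (("proxied", PROXIED), ("direct", DIRECT), ("wide", WIDE)):
        for url in ("https://www.domain.com/exchange/",
                    "https://owa.domain.com/exchange/",
                    "https://other.domain.com/"):
            print(f"{label:8} {url:36} sent={browser_sends(c, url)}")
```

The WIDE case shows the cost of skipping the proxy: a Domain=domain.com cookie reaches every host under domain.com, while the proxied host-only cookie stays on www.domain.com.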