While I was rebuilding my lab, I ran into an issue when building out my demo Exchange OWA front-ended by NetScaler. The error was pretty generic: I would attempt to access the OWA page, was then prompted for authentication by the NetScaler AAA engine running as a part of Unified Gateway, and was then dumped to the following error page:
Http/1.1 Service Unavailable – /cgi/selfauth/xxxxx
This error page is presented by the NetScaler and is nothing new. It usually means that a backend connection has failed, or that no policy matches on a Content Switching vServer and no default vServer is configured. The latter is the case here, as this is a CSW vServer for Exchange.
The Fix
We need to create a SelfAuth CSW policy and bind it to the OWA vServer. Here is the Content Switching policy that handles this error:
The expression is:
HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).STARTSWITH("/cgi/selfauth")
Then we need to bind the policy to the CSW vServer – in this case, you can see the other Exchange policies in place, with the new policy at the bottom:
Once done, the OWA page comes up as expected after authentication. Fixed!
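The same two steps from the NetScaler CLI, as an added example that is not from the original post. The names cs_pol_selfauth, cs_vs_owa and lb_vs_owa and the priority 200 are placeholders, and the target load-balancing vServer is an assumption, since the post does not say which one the policy points at.

```netscaler
# Added example: all object names below are placeholders, not taken from the post.

# 1. Create the Content Switching policy with the expression given above.
add cs policy cs_pol_selfauth -rule "HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/cgi/selfauth\")"

# 2. Bind it to the OWA Content Switching vServer.
#    lb_vs_owa is an assumed target; 200 is an arbitrary priority not used by other bindings.
bind cs vserver cs_vs_owa -policyName cs_pol_selfauth -targetLBVserver lb_vs_owa -priority 200

# 3. Check the binding, then check the policy's hit counter after an AAA login.
show cs vserver cs_vs_owa
show cs policy cs_pol_selfauth
```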
Hi
Thanks for the tip! I just wonder why this happens? Is it a NetScaler bug or OWA’s strange behaviour?
BR Zoran
Zoran,
This is due to the content switch not having a policy for the SelfAuth request.
Hi,
It works fine, but the domain admin gets a second 401 login mask after the AAA login.
All other users get only the AAA login and it works normally.
What could be the problem?
Thanks and best regards
Mark
Mark, this sounds like it may be an issue with an LDAP policy\server? Hard to say.