Skip to main content

Novell GroupWise Webmail Integration Guide


Use this guide to enable forms based authentication to Novell GroupWise Webmail via AAA module passing (configured for SAML).

Typical forms based authentication to the web application fails because the User.context value is not static and therefore cannot be passed by an AAA module to GroupWise authentication, forcing the user to authenticate a second time after authenticating through SecureAuth IdP.

However, with one line of configuration change on the GroupWise system, the application can be set to accept HTTP authentication (HTTP 401/basic) when accessed by configured gateways.

For this integration, the parameter, Security.Authenticate.header in the webacc.cfg configuration file on the GroupWise WebAccess server requires modification. By default, it is deactivated and must be activated by removing the hash sign. The following snippet shows by example how to change it. The IP (or hostname) to set here is the source IP for the incoming connection to GroupWise. In a NetScaler environment, that is usually a MIP or SNIP IP address.

# Identifies what remote computers will be trusted for receiving the
# authentication header. Multiple addresses can be on the line, separated
# by commas (can be any mixture of IP addresses or Domain names).

The Citrix NetScaler configuration for AAA is very straightforward, without requiring forms based authentication policies. The AAA-TM module, when challenged for HTTP authentication, sends the Base64 encoded credentials automatically to the backend system.


1. Have Novell GroupWise Webmail and access to the webacc.cfg file

2. Integrate AAA Gateway (e.g. Citrix NetScaler) with SecureAuth IdP (SAML)

Refer to Citrix NetScaler AGEE Integration Guide

Configuration Steps

Novell GroupWise WebAccess Procedure

1. On the WebAccess server, open the webacc.cfg file in a text editor

Linux: /var/opt/novell/groupwise/webaccess

Windows: c:\Novell\GroupWise\webaccess

2. Search for #Security.Authenticate.header=172.x.x.130,172.x.x.131,172.x.x.132,172.x.x.133

3. Remove the pound sign (#) and add IP Addresses


  • 172.x.x.130 = vip of WebMail

  • 172.x.x.131 = ip address of NetScaler

  • 172.x.x.132 = MIP on NetScaler

  • 172.x.x.133 = SNIP on NetScaler

4. Save the webacc.cfg file

5. Restart Tomcat to immediately enable the change, or wait 10 min for the refresh routine to put changes into place (no service disruption)