I had a similar problem. Here is a write-up I did for my fix:
Problem: When running SharePoint 2013 behind an F5 Virtual Server utilizing APM and basic Active Directory authentication, when an MS Office thick client (Word, Excel) makes its first request to the VIP to open a document, it has no cookie information. The APM module functions as normal and redirects the un-authenticated request to F5Networks-SSO-Req?xxxx, which sets a cookie, and forwards to the my.policy page for forms login. Unfortunately, these redirects are accepted by the Excel client, for instance, and it actually attempts to request the my.policy page. Of course, Excel has no idea how to open that page and barfs, indicating it cannot connect to the page.
Requirements:
* Do not bypass APM authentication.
* Do not use disable::http and essentially pass the request directly to the end server acting as a dumb proxy (which in this instance would force NTLM authentication, which is a problem).
* No SharePoint server NTLM authentication. We have over 100 Windows domains connecting to this VIP, so challenging the user with NTLM would force their workstation to authenticate with its domain, which isn’t going to work as this would require us to manage SharePoint permissions for every user in every domain.
Solution: Create an iRule that will check the user-agent for any MS Office thick client, and if found, check if the MRHSession cookie exists. If it does not exist, respond with a 403 auth status code, and send two HTTP headers with the names "X-Forms_Based_Auth_Required" and "X-Forms_Based_Auth_Return_Url". The values in this instance will be https://[HTTP::host]/reauthpage?ReturnUrl=/_layouts/15/error.aspx and https://[HTTP::host]/_layouts/15/error.aspx, respectively. Reauthpage is a non-existent page that would otherwise never be called. The auth-required header will indicate to Excel to call a forms login page, and the return_Url header will also cause Excel to close the “re-auth APM login” window once complete. When Excel receives these headers, the behavior appears to open some type of “mini-browser” session to make the forms login call. Strangely, these calls have a different user-agent than my installed version of Internet Explorer. The mini-browser calls the fake page, and APM redirects to its own forms login page and the user can then log in. Once the cookie is set in this mini-browser, Excel picks it up and will use it to make all subsequent calls, until the application is closed, thus passing APM authentication. The behavior is that the Excel mini-browser calls the fake page, login occurs, and then APM directs the mini-browser back to the original page (in this case, “reauthpage?returnurl=/_layouts/15/error.aspx”). This request, since it has an MRHSession cookie, passes APM and is sent to the SharePoint farm. To fix this, I created an additional “if statement”: if the reauthpage page was called, and an MRHSession cookie existed, then respond with a 302 redirect to the actual return URL of /_layouts/15/error.aspx.
APM configuration: An additional configuration that also helped was to ensure cookies were set to persistent. This assisted with an additional problem we had using WebDAV calls to “open in explorer.” Until this was set, WebDAV calls would never pick up the authenticated cookie. Additionally, we were using “multi domain” in APM, so it was not enough to have the root persistent setting set; you had to set it in each “authentication domain”.
when HTTP_REQUEST {
    # Post-login bounce: the Office mini-browser comes back to the fake
    # /reauthpage with an APM session cookie. Answer with a single 302 to the
    # real return URL so the request never reaches the SharePoint farm.
    # (The original called HTTP::respond and HTTP::redirect back to back,
    # which sends two responses; one 302 with a Location header does both jobs.)
    if { [HTTP::uri] contains "/reauthpage" } {
        if { [HTTP::cookie exists "MRHSession"] } {
            HTTP::respond 302 -version "1.1" \
                content "Authentication successful. Please close this window to access your document." \
                "Location" "https://[HTTP::host]/_layouts/15/error.aspx" \
                "Connection" "close"
            return
        }
    }
    # Office thick clients: without an APM session, hand off via the
    # MS-OFBA 403 plus forms-auth headers instead of letting APM's redirect
    # chain confuse the client.
    switch -glob [string tolower [HTTP::header "User-Agent"]] {
        "*word*" -
        "*excel*" -
        "*office upload*" -
        "*office existence discovery*" -
        "*office protocol discovery*" -
        "*soap toolkit*" -
        "*ms-office*" -
        "*microsoft office onenote*" -
        "*webdav-miniredir*" -
        "*frontpage*" -
        "*msfrontpage*" -
        "*shareplus*" {
            if { not [HTTP::cookie exists "MRHSession"] } {
                set head1 "X-Forms_Based_Auth_Required"
                set val1 "https://[HTTP::host]/reauthpage?ReturnUrl=/_layouts/15/error.aspx"
                set head2 "X-Forms_Based_Auth_Return_Url"
                set val2 "https://[HTTP::host]/_layouts/15/error.aspx"
                HTTP::respond 403 -version "1.1" $head1 $val1 $head2 $val2
            }
        }
        default {
            # Some Office traffic carries a browser-like user-agent but hits
            # owssvr.dll; give it the same OFBA hand-off when unauthenticated.
            switch -glob [string tolower [HTTP::uri]] {
                "*owssvr.dll*" {
                    if { not [HTTP::cookie exists "MRHSession"] } {
                        set head1 "X-Forms_Based_Auth_Required"
                        set val1 "https://[HTTP::host]/reauthpage?ReturnUrl=/_layouts/15/error.aspx"
                        set head2 "X-Forms_Based_Auth_Return_Url"
                        set val2 "https://[HTTP::host]/_layouts/15/error.aspx"
                        HTTP::respond 403 -version "1.1" $head1 $val1 $head2 $val2
                    }
                }
            }
        }
    }
}
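To check that the decision logic above never lets an unauthenticated request past APM, here is a small Python model of the same rules walked through the three request stages the write-up describes (Excel's first request, the mini-browser's post-login bounce, Excel's cookie-bearing retry). This is an added example, not the poster's iRule or any F5 code; the host name, document path and user-agent strings are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Constructed model of the iRule's decisions: "ofba" = 403 + MS-OFBA headers,
# "redirect" = 302 back to the real return URL, "fallthrough" = let APM handle it.
OFFICE_AGENTS = ("word", "excel", "office upload", "office existence discovery",
                 "office protocol discovery", "soap toolkit", "ms-office",
                 "microsoft office onenote", "webdav-miniredir", "frontpage",
                 "msfrontpage", "shareplus")
RETURN_URL = "/_layouts/15/error.aspx"


@dataclass
class Request:
    host: str
    uri: str
    user_agent: str
    cookies: Dict[str, str] = field(default_factory=dict)


def decide(req: Request) -> Tuple[str, object]:
    authed = "MRHSession" in req.cookies
    # Post-login bounce: the mini-browser lands on the fake page with a session.
    if "/reauthpage" in req.uri and authed:
        return ("redirect", f"https://{req.host}{RETURN_URL}")
    ua = req.user_agent.lower()
    is_office = any(a in ua for a in OFFICE_AGENTS) or "owssvr.dll" in req.uri.lower()
    if is_office and not authed:
        return ("ofba", {
            "X-Forms_Based_Auth_Required": f"https://{req.host}/reauthpage?ReturnUrl={RETURN_URL}",
            "X-Forms_Based_Auth_Return_Url": f"https://{req.host}{RETURN_URL}",
        })
    # Everything else (including unauthenticated /reauthpage hits) goes to APM as usual.
    return ("fallthrough", None)


def simulate_office_open(host: str = "sp.example.test", doc: str = "/sites/team/doc.xlsx"):
    """Return the decision at each of the three stages of an Excel document open."""
    ua = "Microsoft Office Excel 2013"          # constructed thick-client user-agent
    steps = [decide(Request(host, doc, ua))[0]]  # 1: no cookie -> 403 + OFBA headers
    steps.append(decide(Request(host, f"/reauthpage?ReturnUrl={RETURN_URL}",
                                "Mozilla/5.0 (mini-browser)",      # constructed UA
                                {"MRHSession": "x"}))[0])           # 2: bounce -> 302
    steps.append(decide(Request(host, doc, ua, {"MRHSession": "x"}))[0])  # 3: pass to APM
    return steps
```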