Forum Discussion

Sep 04, 2015

SSO with different subdomain and APM 10.2.4

We are running an APM on 10.2.4 and an upgrade to version 11 is not an option right now. We configured it for OWA and this is working fine. Now we want to extend the OWA functionality with the Enterprise Vault plugin (archives for emails). The hostname/DNS for the EV-servers is a different sub-domain, but it points to the same VIP address as OWA, e.g.

  • OWA: owa.company.com
  • EV1: ev1.company.com
  • EV2: ev2.company.com

Now when clicking the EV-link within OWA, I'm getting the APM logon page displayed again, or the error message that there is already an active session running, bla bla.

I know in version 11 there is the possibility to specify multi-domain for the APM policy, but that's not available in version 10. So how do I get it working to share the OWA credentials also for the EV-servers? Is it possible to share it across the same VIP, or do we have to create a dedicated one for the EV DNS names?

Thank you!

Ciao Stefan :)

4 Replies

  • I found the Share Access Cookies article and tried to adjust it based on our setup, especially as we only use ONE virtual server, so no redirection is required. We only need to adjust the MRHSession cookie to be valid for all subdomains, meaning ".company.com". Additionally, the EV-servers are using a different SSO method than OWA, so I tried to fix this with the "WEBSSO::select" command for the appropriate request, but this doesn't seem to trigger. Does anyone have an idea how to solve this issue, maybe also with some workarounds? Thank you!

    Ciao Stefan :)

  • Hi,

    owa.company.com, ev1.company.com and ev2.company.com are in different subdomains but in the same domain: company.com (without a dot at the beginning).

    If you change the SSO domain to company.com, every FQDN in company.com will share the MRH session.

    To change the SSO profile based on hostname, you can use:

    # Fires for each HTTP request that the access policy's ACLs allow,
    # i.e. after the user already holds a valid APM session.
    when ACCESS_ACL_ALLOWED {
        # Pick the SSO configuration from the requested host name.
        # Host names are lower-cased first so the match is case-insensitive;
        # hosts not listed here (e.g. OWA) keep the policy's default SSO.
        switch [string tolower [HTTP::host]] {
            "ev1.company.com" { WEBSSO::select Basic }
            "ev2.company.com" { WEBSSO::select Form-ev2 }
        }
    }
    
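The following is an added example, not code from the thread or from F5: it shows in plain Python why the original setup sent Stefan back to the logon page and what changing the SSO domain to company.com actually does to the session cookie. It implements the RFC 6265 domain-match rule and applies it to constructed Set-Cookie lines that reuse the cookie name MRHSession and the placeholder hosts owa/ev1/ev2.company.com from the discussion; the cookie values and the extra hosts are made up. Without a Domain attribute the cookie is host-only and never reaches ev1.company.com; with Domain=company.com it reaches ev1 and ev2, but also every other host under company.com, so the session's trust boundary becomes the whole domain.

```python
# Added example (not from the thread): how the Domain attribute of the APM
# session cookie decides which hosts receive it. Implements the RFC 6265
# domain-match rule and applies it to constructed Set-Cookie lines that use
# the cookie name MRHSession and placeholder host names (owa/ev1/ev2.company.com)
# from the discussion. Cookie values and the additional hosts are made up.
from http.cookies import SimpleCookie


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain matching.

    A host domain-matches a cookie Domain when the two are identical or the
    host ends with "." + domain. A leading dot on the Domain attribute is
    ignored, as browsers do. IPv4-literal hosts never suffix-match.
    """
    host = request_host.lower().rstrip(".")
    dom = cookie_domain.lower().strip(".")
    if host == dom:
        return True
    if host.replace(".", "").isdigit():  # IPv4 literal: no suffix matching
        return False
    return host.endswith("." + dom)


def cookie_scope(set_cookie: str, origin_host: str) -> dict:
    """Parse one Set-Cookie line and report the cookie's effective scope.

    Without a Domain attribute the cookie is host-only: it is returned only
    to the exact host that set it. With Domain=company.com it is sent to
    every host under company.com.
    """
    jar = SimpleCookie()
    jar.load(set_cookie)
    (name, morsel), = jar.items()
    domain_attr = morsel["domain"]  # "" when the attribute is absent
    return {
        "name": name,
        "host_only": not domain_attr,
        "domain": (domain_attr or origin_host).lower().strip("."),
        "secure": bool(morsel["secure"]),
        "httponly": bool(morsel["httponly"]),
    }


def would_send(scope: dict, request_host: str) -> bool:
    """Would a browser attach this cookie to a request for request_host?"""
    host = request_host.lower().rstrip(".")
    if scope["host_only"]:
        return host == scope["domain"]
    return domain_matches(host, scope["domain"])


def hosts_receiving(scope: dict, hosts: list) -> list:
    """Subset of hosts that would receive the cookie (order preserved)."""
    return [h for h in hosts if would_send(scope, h)]


# Constructed headers: the default (host-only) cookie of the original setup,
# and the cookie after "company.com" is entered in the Domain Cookie field.
HOST_ONLY = "MRHSession=0123456789abcdef; Path=/; Secure; HttpOnly"
SHARED = "MRHSession=0123456789abcdef; Domain=company.com; Path=/; Secure; HttpOnly"

HOSTS = [
    "owa.company.com",
    "ev1.company.com",
    "ev2.company.com",
    "intranet.company.com",     # any other host under company.com gets it too
    "company.com.example.net",  # suffix look-alike: must not match
    "evilcompany.com",          # not a subdomain of company.com
]

if __name__ == "__main__":
    for label, header in (("host-only", HOST_ONLY), ("Domain=company.com", SHARED)):
        scope = cookie_scope(header, "owa.company.com")
        print(f"{label}: {scope['name']} sent to {hosts_receiving(scope, HOSTS)}")
```

The look-alike hosts are in the list on purpose: a correct domain match requires the dot boundary, so company.com.example.net and evilcompany.com never receive the cookie, while intranet.company.com does. That last case is the trade-off of the shared-domain cookie: every host served under company.com, not only OWA and EV, can now present the APM session.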
  • Hi Stanislas,

    I entered "company.com" in the Domain Cookie field of the APM policy and this works perfectly fine. The MRHSession and LastMRH_Session cookies are now stored only with company.com.

    But for the EV-plugin I'm still getting a 401. Interestingly, when verifying with the FF "Live HTTP headers" add-on, I see two requests towards the EV DNS name; the first one is answered with a 200 OK, but the second with a 401 (WWW-Authenticate: NTLM). I'm currently checking with the application team, as I'm not sure if this is still a LB issue or somehow related to the application.

    Thank you so far!

    Ciao Stefan :)

  • Hi again,

    We were able to solve the issue in the meantime. The problem was that for processing OWA authentication and SSO, the domain was added as a prefix via variable assignment. But the SSO for NTLM just needs the username, so we enabled the option "Username Conversion" in the NTLM SSO profile.

    So switching the SSO profile the way Stanislas described in his answer was the only real trick required.

    Thank you!

    Ciao Stefan :)