Forum Discussion

Josh_Becigneul_'s avatar
Josh_Becigneul_
Icon for Nimbostratus rankNimbostratus
Apr 18, 2016

Office 2016 + APM protected Sharepoint

Hi All,

 

I am in the process of testing out the use of on-premise Sharepoint 2013, protected by APM, and Office 2016. Particularly on OSX or without the use of Internet Explorer on Windows, as many of my users prefer Chrome or Firefox. I've used the persistent cookies feature in the past, but it seems as though there is a big lack of support for OSX.

 

My question is, is there any way to make the end-user experience better? Many users would like to use locally installed copies of Office when working in Sharepoint, and so far the only way I've found to deal with this is to use something like a user-agent match to trigger the ACCESS::disable function, which I dislike.

 

Looking at the Client for MS Exchange agent seems promising, as it appears to be able to correctly detect the need for clientless mode, and challenge for credentials. Right now users who attempt to open docs on OSX will generally receive the F5's login page as the content of their document. I'm not so concerned with needing single sign-on (would be nice to have), but would prefer that users are properly challenged when using an Office client.

 

I'm going to continue testing alternative methods, but would appreciate any insights anyone may have.

 

Thanks! Josh

 

APM
application delivery
sharepoint 2013

1 Reply

Sort By
  • Stanislas_Piro2's avatar
    Stanislas_Piro2
    Icon for Cumulonimbus rankCumulonimbus
    Apr 19, 2016

    Hi,

    This irule will help you...

    when RULE_INIT {
   set static::FormBaseURL "/sp-ofba-form"
   set static::FormReturnURL "/sp-ofba-completed"
   set static::HeadAuthReq "X-FORMS_BASED_AUTH_REQUIRED" 
   set static::HeadAuthRet "X-FORMS_BASED_AUTH_RETURN_URL"
   set static::HeadAuthSize "X-FORMS_BASED_AUTH_DIALOG_SIZE"
   set static::HeadAuthSizeVal "800x600"
   set static::ckname "MRHSession_SP"
   set static::Basic_Realm_Text "SharePoint Authentication"
}

when HTTP_REQUEST {
   set apmsessionid [HTTP::cookie value MRHSession]
   set persist_cookie [HTTP::cookie value $static::ckname]
   set clientless_mode 0
   set form_mode 0
    Identify User-Agents type
   if {[HTTP::header exists "X-FORMS_BASED_AUTH_ACCEPTED"] && (([HTTP::header "X-FORMS_BASED_AUTH_ACCEPTED"] equals "t") || ([HTTP::header "X-FORMS_BASED_AUTH_ACCEPTED"] equals "f"))} {
      set clientless_mode 0; set form_mode 1
   } else {
      switch -glob [string tolower [HTTP::header "User-Agent"]] {
         "*microsoft data access internet publishing provider*" -
         "*office protocol discovery*" -
         "*microsoft-webdav-miniredir*" -
         "*microsoft office/16*" -
         "*microsoft office word 2014*" -
         "*non-browser*" -
         "msoffice 12*" { set form_mode 1 }
         "*mozilla/4.0 (compatible; ms frontpage*" {
            if { [ string range [getfield [string tolower [HTTP::header "User-Agent"]] "MS FrontPage " 2] 0 1]  > 12 } {
               set form_mode 1
            } else {
               set clientless_mode 1
            }
         }
         "*mozilla*" -
         "*opera*" { set clientless_mode 0 }
         default { set clientless_mode 1
         }
      }
   }
   if { $clientless_mode || $form_mode } {
      if { [HTTP::cookie exists "MRHSession"] } {set apmstatus [ACCESS::session exists -state_allow $apmsessionid]} else {set apmstatus 0}
      if { !($apmstatus) && [HTTP::cookie exists $static::ckname] } {set apmpersiststatus [ACCESS::session exists -state_allow $persist_cookie]} else {set apmpersiststatus 0}
      if { ($apmpersiststatus) && !($apmstatus) } {
          Add MRHSession cookie for non browser user-agent first request and persistent cookie present
         if { [catch {HTTP::cookie insert name "MRHSession" value $persist_cookie} ] } {log local0. "[IP::client_addr]:[TCP::client_port] : TCL error on HTTP cookie insert MRHSession : URL : [HTTP::host][HTTP::path] - Headers : [HTTP::request]"} else {return}
      }
   } else { return }      
   if { $clientless_mode && !($apmstatus)} {
      HTTP::header insert "clientless-mode" 1
      if { !([HTTP::header Authorization] == "") } {
         HTTP::header insert "password" [HTTP::password]
         HTTP::header insert "username" [HTTP::username]
      }
   } elseif {$form_mode && !($apmstatus) && !([HTTP::path] equals $static::FormBaseURL)}{
      HTTP::respond 403 -version "1.1" noserver \
         $static::HeadAuthReq "https://[HTTP::host]$static::FormBaseURL" \
         $static::HeadAuthRet "https://[HTTP::host]$static::FormReturnURL" \
         $static::HeadAuthSize $static::HeadAuthSizeVal \
         "Connection" "Close"
      return
   }
}

when HTTP_RESPONSE {
    Insert persistent cookie for html content type and private session
   if { [HTTP::header "Content-Type" ] contains "text/html" } {
      HTTP::cookie remove $static::ckname
      HTTP::cookie insert name $static::ckname value $apmsessionid path "/"
      HTTP::cookie expires $static::ckname 120 relative
      HTTP::cookie secure $static::ckname enable
   }
    Insert session cookie if session was recovered from persistent cookie
   if { ([info exists "apmpersiststatus"]) && ($apmpersiststatus) } {
         HTTP::cookie insert name MRHSession value $persist_cookie path "/"
         HTTP::cookie secure MRHSession enable
   }
}

when ACCESS_SESSION_STARTED {
   if {([info exists "clientless_mode"])} {
      ACCESS::session data set session.clientless $clientless_mode
   }
}

when ACCESS_POLICY_COMPLETED {
   if { ([info exists "clientless_mode"]) && ($clientless_mode) && ([ACCESS::policy result] equals "deny") } {
      ACCESS::respond 401 noserver WWW-Authenticate "Basic realm=$static::Basic_Realm_Text" Connection close
      ACCESS::session remove
   } 
}

when ACCESS_ACL_ALLOWED {
   switch -glob [string tolower [HTTP::path]] {
      "/sp-ofba-form" {
         ACCESS::respond 302 noserver Location "https://[HTTP::host]$static::FormReturnURL"
      }
      "/sp-ofba-completed" {
         ACCESS::respond 200 content {
            
               Authenticated
               Good Work, you are Authenticated
            
         } noserver
      }
      "*/signout.aspx" {
          Disconnect session and redirect to APM logout Page
         ACCESS::respond 302 noserver Location "/vdesk/hangup.php3"
         return
      }
      "/_layouts/accessdenied.aspx" {
          Disconnect session and redirect to APM Logon Page
         if {[string tolower [URI::query [HTTP::uri] loginasanotheruser]] equals "true" } {
            ACCESS::session remove
            ACCESS::respond 302 noserver Location "/"
            return
         }
      }
      default {
          No Actions
      }
   }
}