Forum Discussion

dp_119903
Mar 26, 2018

APM with cookies - having issues with multiple sites

I am a little lost and hoping someone can shed some light.

I have an environment where we use an external IDP. We recently added a new site, and for some reason it's not working as other sites do.

 

Here's what I have:

  1. VS1 = outlook.test.com
  2. VS2 = sharepoint.test.com
  3. VS3 = password.test.com

All VSs have an Access profile that uses SAML and shoots them out to the IDP for auth and then allows them in. That works fine and has been for years. In the APM profile under SSO/Domain I have cookies set as follows:

  1. VS1 = test.com
  2. VS2 = sharepoint.test.com
  3. VS3 = password.test.com (I've also tried no cookie, and I've tried test.com)

If I access VS3 first it works, as long as I have the cookie set to test.com. If I have it set to password.test.com (the actual FQDN) it times out.

However, with it set to test.com it works - and then when I go to VS1 that works as well. However, AFTER I have gone to VS1, when I go back to VS3 I get a session error; no matter how many times I click "start a new session" it just generates the same error. When I look in the logs it sees the request coming in on the virtual server for VS1, not VS3.

All in all, it seems rather simple. Instead of having test.com for VS1 I should have outlook.test.com - but the problem is I can't change that b/c well...it's mail and that's kind of important and it's been working. I think if I made that change it would work. But what I don't understand is: why does VS2 work when I have it set to sharepoint.test.com, whereas VS3 won't work when it's set to password.test.com?


2 Replies

  • Maybe I can explain it better this way:

    I have this configured for multiple virtual servers and just recently added a new one, and it won't work. I have tons of VSs, but for the sake of understanding this let's just say I have 4. They are:

    • vs1 - outlook.test.com
    • vs2 - sharepoint.test.com
    • vs3 - time.test.com
    • vs4 - newsite.test.com

    Here's how the APM cookies are set:

    • vs1 - test.com
    • vs2 - sharepoint.test.com (persistent)
    • vs3 - test.com
    • vs4 - test.com

    VS1, VS2 and VS3 work just fine. However, VS4 seems to be getting messed up. If I have no sessions and I go to VS4 it works. And then when I go to VS1 it works. But after I've gone to VS1, if I try to go back to VS4 it never works. In the logs it shows that I'm trying to access the virtual server for VS1 instead of VS4. It's as if it sees the existing MRHSession cookie and thinks it should be bound to VS1.

    Thoughts?


  • Hi,

    You are pointing in the right direction.

    When you are working with APM, make sure all access profiles' domain cookies work together.

    With your configuration:

    • If the user first hits VS1, it will authenticate with SAML and receive a cookie for the whole test.com domain; then, when he browses VS2 --> the user is already authenticated, because sharepoint.test.com is inside the test.com domain. It will use the test.com cookie, so he will be accepted according to the VS1 access policy.

    • If the user first hits VS2, it will authenticate with SAML and receive a cookie for the whole sharepoint.test.com domain; then, when he browses VS2 --> he must reauthenticate on VS1 (transparent auth because of SAML).

    So if you want to authenticate users with SAML, never use a domain cookie (except if you want to save access sessions in the license count); leave it blank, which means the cookie is sent for the requested host.

    For the SharePoint VS, it is recommended to use one of the following SharePoint iRules

    These iRules add a persistent cookie with a smaller timeout than the SSO domain does, and check that only non-browser clients can recover an existing session after the browser was closed.
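An added illustration (not from the thread, and not F5 code) of the cookie-scoping rule the reply describes: a small RFC 6265 cookie-jar model that replays the poster's sequence (VS3, then VS1, then VS3 again) once with the Domain Cookie set to test.com on both virtual servers and once with it left blank (host-only). The host names are the thread's; the session ids and the assumption that each VS issues its own MRHSession value on a first visit are constructed for the example.

```python
from typing import Optional


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 5.1.3: host matches domain if equal, or if host ends with '.' + domain."""
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


class CookieJar:
    """Minimal browser cookie store keyed by (name, domain); the path attribute is ignored."""

    def __init__(self) -> None:
        self.cookies: list[dict] = []

    def set_cookie(self, request_host: str, name: str, value: str, domain: Optional[str] = None) -> None:
        """Store a Set-Cookie sent by request_host. domain=None models a blank APM
        'Domain Cookie' setting, i.e. a host-only cookie (RFC 6265 5.3)."""
        host_only = domain is None
        key_domain = request_host.lower() if host_only else domain.lower().lstrip(".")
        if not host_only and not domain_matches(request_host, key_domain):
            return  # browsers reject a Domain attribute that does not cover the setting host
        # Same name + domain replaces the earlier cookie (RFC 6265 5.3 step 11): this is
        # how VS1's session silently overwrites VS3's when both use Domain=test.com.
        self.cookies = [c for c in self.cookies if (c["name"], c["domain"]) != (name, key_domain)]
        self.cookies.append({"name": name, "value": value, "domain": key_domain, "host_only": host_only})

    def values_for(self, host: str, name: str) -> list[str]:
        """Values of cookie `name` the browser attaches to a request for host (RFC 6265 5.4)."""
        host = host.lower()
        return [c["value"] for c in self.cookies if c["name"] == name and
                (c["domain"] == host if c["host_only"] else domain_matches(host, c["domain"]))]


def replay_thread_scenario(vs1_domain: Optional[str], vs3_domain: Optional[str]) -> dict:
    """Replay the thread: VS3 (password.test.com) first, then VS1 (outlook.test.com),
    then back to VS3. Returns the MRHSession values presented at each step.
    Constructed assumption: each VS issues its own session id on its first visit."""
    jar, seen = CookieJar(), {}
    for step, host, domain, sid in [
        ("vs3_first", "password.test.com", vs3_domain, "sess-vs3"),
        ("vs1", "outlook.test.com", vs1_domain, "sess-vs1"),
        ("vs3_again", "password.test.com", vs3_domain, None),
    ]:
        seen[step] = jar.values_for(host, "MRHSession")
        if sid is not None:  # only the first visit to each VS sets a new session cookie
            jar.set_cookie(host, "MRHSession", sid, domain)
    return seen
```

With Domain=test.com on both, the return visit to password.test.com carries VS1's session value, which is exactly what the poster's logs show; with the setting left blank, each host only ever sees its own cookie.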