SharePoint 2013 Project Server with Project Application connection issue

Are you using APM, or strictly LTM for this deployment?

If you use the HOSTS file, does this bypass the firewall policies as well?

What exactly is the issue, Client Integration? What you are probably seeing, is that while Internet Explorer is open, its maintaining a authenticated cookie to the site. When it is closed, the cookie does not exist, and the ports and protocols used by the client are unable to access 443.

Have you attempted to get a wire capture of the traffic? What is the difference in traffic when using the HOST file versus going through the F5?

Thank you for your response.

I have an update to this, and then I'll answer your questions. I thought we had solved the problem. The fix that worked for almost a week. In the SSL Client Profile of the virtual server that did not work, the following three settings have to be changed. If one remains as it was, the Project client still breaks. Under the Client Authentication section: Client Certificate: Originally was set to require, change to ignore Trusted Certificate Authorities: Originally set to a custom certificate authority bundle, changed to none. Advertised Certificate Authorities: Originally set to a custom certificate authority bundle, changed to none.

This fixed everyone for 6 days and then all of a sudden some people have problems again this morning (but not everyone and I can't reproduce the problem for myself).

To answer your questions. We want to use APM, but I removed the APM profile off that virtual server. We still have the problem without APM involved.

Using HOSTS, we can bypass the problem. But most people do not have access to the subnet that the back end servers are on, so this only works for the SA and development team.

We did use Wireshark, but since it's all encrypted, there is very little we can learn. Nothing unexpected outside of the encrypted part. I also attempted tcpdump from the F5 to capture the decrypted traffic but I never got it right.

In order to see the unencrypted traffic, try this: https://devcentral.f5.com/articles/running-wireshark-captures-from-f5-big-ip

With APM, click the check box for persistent cookie, this is commonly the resolution to allow Client Applications to share an existing Browser cookie, the browser will still need to be open for this to work.

Are your users using NTLM, Kerberos, or ClientCertificate authentication to access the environment? Is everyone a member of the same AD, and receive the same Group Policies? Are you allowing users to use their own systems?

This would be a great time to utilize the end point inspections of APM to filter what systems are allowed to access the applications, and/or how they access. It will also give you a little bit more detail in the errors to see which users are having the issues, and why (when they fail the access policy).

The problem still exists even with APM profile off. So I don't think the problem is in APM. The APM was configured for smart card Kerberos authentication. The Project Server environment requires smart card authentication, even without the F5 being involved.

Everyone is part of the same AD forest, not the same domain though. And not the same group policies.

Scott,

Lets take this one offline, since now I know its a Federal based scenario.