Office Online Server with SharePoint 2016
I am in the process of deploying Office Online Server (OOS) with SharePoint 2016. Had a ticket open with support where it was suggested that I look at https://www.f5.com/pdf/deployment-guides/microsoft-office-web-apps-dg.pdf as an option. I cannot install this iApp on my system as I am running 14.1.0.2 and it seems that AAM is no longer an option. Being that OOS alongside SharePoint should be a pretty standard deployment, is there some documentation that describes how to properly deploy the two solutions together with LTM?701Views0likes1CommentiRule for migrating to Sharepoint Online
Hello, I'm very new to the F5 platform and creating iRules. I did try searching the forums, and there is a lot of good information (thank you contributors), but can't find a solution to exactly what I need to do. We are migrating off an on-premise Sharepoint to Sharepoint Online/365. I would like to have an iRule that states: If you are going to myportal.company.com then redirect to sharepointonline.company.com but if there is anything after the URI then redirect to sharepointonline.company.com/sites/<URI> For example: myportal.company.com = sharepointonline.company.com myportal.company.com/hr = sharepointonline.company.com/sites/hr myportal.company.com/aa = sharepointonline.company.com/sites/aa I was hoping not to have to list out every URI, but I didn't know if I could use a wildcard. Any help or pointers would be appreciatedSolved518Views0likes3CommentsAPM + SharePoint 2013
We're trying to deploy SP2013 externally through an APM portal (with rewriting), which so far has been pretty decent. However, I've noticed that one thing SharePoint does is return content with URLs that are have some Unicode encoding (e.g. http:\u002f\u002fwww.example.com\u002fsomepath ), so the rewrite profile does not catch those and rewrite them appropriately. I'm sure I can "fix" this with a stream profile, but wanted to see if anyone else had dealt with this and whether there's ever been a RFE or something submitted regarding this issue. Thanks, Michael405Views0likes6CommentsSharepoint 2013 Login redirect iRule problems
Hi, I'm having a problem with a Irule applied to a VS loadbalancing a sharepoint site. when HTTP_REQUEST { switch [HTTP::host] { sh.domain.com { if { [active_members SHAREPOINT_2013_HTTPS_pool] < 1 } { HTTP::respond 200 content {some content} } if { ( [string tolower [HTTP::uri]] contains "login.aspx" ) and ( [IP::addr [IP::client_addr] equals 10.0.0.0/8]) } { HTTP::redirect "https://sh.domain.com/_windows/default.aspx?ReturnUrl=/" } pool SHAREPOINT_2013_HTTPS_pool } sh.domain2.com { if { [active_members SHAREPOINT_2013_HTTPS_pool] < 1 } { HTTP::respond 200 content {some content} } if { ( [string tolower [HTTP::uri]] contains "login.aspx" ) and ( [IP::addr [IP::client_addr] equals 10.0.0.0/8] ) } { HTTP::redirect "https://sh.domain2.com/_windows/default.aspx?ReturnUrl=/" } pool SHAREPOINT_2013_HTTPS_pool } } } What happens: Internal users: User wants to access URL: https://sh.domain.com/testguy Without the irule, internal clients connects to the sharepoint site from a ip in the 10.0.0.0/8 subnet, and are automaticly redirected to a sharepoint login page. The user then has to click a link to log inn. Clicking this link does nothing but redirect to https://sh.domain.com/_windows/default/.aspx?ReturnUrl=/testguy With the iRule, internal clients buypass the login screen correctly, but they are riderected to the home page of sharepoint (another redirect that happens when you request https://sh.domain2.com/_windows/default.aspx?ReturnUrl=/) Trying to access the original URL : https://sh.domain.com/testguy again within the same browser now works correctly because the user is never redirected to login page, and therefor just sent straight to the pool. External users: Is currently working as expected. They are sent to login page, and have to click the login button and present credentials, and then redirected to the correct page. How can I have my internal users buypass the login page, and automaticly redirected to the requested URI? Is there a way to append the original URI to https://sh.domain2.com/_windows/default.aspx?ReturnUrl=/[HTTP::uri] without causing a redirection loop? I have tried the above statement, but it creates a loop because the HTTP:uri is now the login page. Appreciate all input!582Views0likes1CommentSharePoint - Bypass APM for Office and PowerBI
After implementing APM on SharePoint, users are unable to edit documents directly in Office or PowerBI. Workaround is to bypass APM when the User Agent string matches "microsoft office" for all Mirosoft Office applications and also bypass APM when the User Agent string matches "microsoft.data.mashup" for the PowerBI desktop client using the below iRule. Included bypass for the url "/_vti_pvt/service.cnf" to allow PowerBI to connect to SharePoint Lists. priority 1 when HTTP_REQUEST { set is_disabled 0 switch -glob [string tolower [HTTP::header "User-Agent"]] { "*microsoft.data.mashup*" { set is_disabled 1 set path [HTTP::path] ACCESS::disable HTTP::path _disable-$path pool /Common/sp2013_pool } "*microsoft office*" { set is_disabled 1 set path [HTTP::path] ACCESS::disable HTTP::path _disable-$path pool /Common/sp2013_ext_pool } } switch -glob [string tolower [HTTP::path]] { "/_vti_pvt/service.cnf" { set is_disabled 1 set path [HTTP::path] ACCESS::disable HTTP::path _disable-$path pool /Common/sp2013_pool } } } when HTTP_REQUEST_RELEASE { if { [info exists is_disabled] && $is_disabled == 0 } { return } if { [info exists path] } { HTTP::path $path unset is_disabled unset path } }363Views0likes1CommentSharePoint Redirect To New Path Using Public Name
Hello, I'm trying to use the following code to redirect public traffic over a secure link (https://) to a SharePoint 2013 server that's listening on port "33230" at "/sites/BI/". I did this before with a SharePoint 2010 server listening on port "80" at "/" without a problem, but this time I'm just getting text from the site in one long column instead of text on top of graphics with the proper formatting (Browsers don't make a difference and I have the same problem with-in the company unless I access the server with the server name in the URL with-in our company and then it looks fine). Firewall has port 80 and 443 open to accept incoming connections to the Virtual IP. Here's the iRule: "dashboards.domain.com" { switch [TCP::local_port] { 80 { HTTP::redirect "https://[HTTP::host]/sites/BI/" } 443 { if { [HTTP::uri] != "/sites/BI/" } { HTTP::redirect "https://[HTTP::host]/sites/BI/" } pool SharePoint_Dashboards_pool } } } I have the following SharePoint Alternate Access Mappings setup in this order: http://SERVER[Default]http://SERVER http://SERVER:33230[Default]http://SERVER:33230 https://dashboards.domain.com:33230[Internet]https://dashboards.domain.com:33230 http://dashboards.domain.com:33230[Internet]https://dashboards.domain.com:33230 Thanks, Brian693Views0likes7CommentsAPM Sharepoint authentication v2
Problem this snippet solves: This new version of irule supports NTLM auth (mandatory for Onedrive Apps) APM is a great authentication service but it does it only with forms. The default behavior is to redirect user to /my.policy to process VPE. this redirect is only supported for GET method. Sharepoint provide 3 different access types: browsing web site with a browser Editing documents with Office connect to One Drive on premise from PC and mobiles browser folder with webdav client (or editing documents with libreoffice through webdav protocol) This irule display best authentication method for each of these access types: browsers authenticate with default authentication method (form based authentication) Microsoft office authenticate with Form based authentication (with support of MS-OFBA protocol) Libreoffice and webdav clients authenticate with 401 basic authentication (NTLM and Basic) Form based authentication (browser and Microsoft office) is compatible (validated for one customer) with SAML authentication NTLM auth for Onedrive mobile applications Editing documents is managed with a persistent cookie expiring after 5 minutes. to be shared between IE and Office, it requires : cookie is persistent (expiration date instead of deleted at the end of session) web site defined as "trusted sites" in IE. How to use this snippet: install this irule and enable it on the VS. In the first HTTP_REQUEST event, configure authentication mode list by setting the AUTHENTICATION_MODE variable Set authentication mode list supported. possible values are : form :default Form based authentication msofba : Microsoft Office Form Based Authentication for Office and Onedrive apps persist : Add persistent cookie to recover closed session. this function is only supported by form and msofba authentications. --> persist word must be set after authentication mode : ex : {form persist} or {msofba persist} basic : Basic Authentication ntlm : NTLM Authentication negotiate : Kerberos / SPNEGO authentication : Not supported yet by this irule --> basic, ntm and negotiate can be set together. ex: {negotiate ntlm basic} {ntlm basic} deny : send a 403 response code to deny the request disable : disable APM authentication Code : when RULE_INIT { #If NTLM Auth is defined below, define the ECA_METADATA_ARG with your NTLM profile and enable eca profile in virtual server configuration with tmsh command # modify ltm virtual [virtual name] profile add {eca} set static::ECA_METADATA_ARG "select_ntlm:/Common/NTLM-Auth" set static::session_restore_aes_key "AES 256 affeaffeaffeaffeaffeaffeaffeaffeaffeaffeaffeaffeaffeaffeaffeaffe" ;# AES Key to protect and validate recovery data # Define required APM variables stored in the restore cookie to create new session with same security level. set static::session_restore_variables { session.ui.lang session.logon.last.username session.logon.last.logonname session.logon.last.krbdomain session.logon.last.domain session.krbsso.last.domain session.krbsso.last.username session.assigned.acls session.logon.last.domain session.sso.token.last.username session.user.sessiontype } # Cookie expire in 2 hours for the test... set static::session_restore_timeout 172800 ;### 7200 / 172800 } when CLIENT_ACCEPTED { set last_ua_agent "init" # Set addtional HTTP headers in HTTP authentication responses set ADDITIONAL_AUTH_HEADERS "MicrosoftSharePointTeamServices 15.0.0.4763" } when HTTP_REQUEST { #################################### Authentication method selection ##################################################### # Set authentication mode list supported. possible values are # form :default Form based authentication # msofba : Microsoft Office Form Based Authentication for Office and Onedrive apps # persist : Add persistent cookie to recover closed session. this function is only supported by form and msofba authentications. # --> persist word must be set after authentication mode : ex : {form persist} or {msofba persist} # basic : Basic Authentication # ntlm : NTLM Authentication # negotiate : Kerberos / SPNEGO authentication : Not supported yet by this irule # --> basic, ntm and negotiate can be set together. ex: {negotiate ntlm basic} {ntlm basic} # deny : send a 403 response code to deny the request # disable : disable APM authentication # Disable Authentication for Internal networks #if { [IP::addr [IP::client_addr]/25 equals 1.1.1.0] or [IP::addr [IP::client_addr]/25 equals 2.2.2.0] } { # set AUTHENTICATION_MODE {disable} # ASM::disable # return #} #log local0. [HTTP::header "User-Agent"] if { $last_ua_agent equals [set last_ua_agent [HTTP::header value "User-Agent"]] } { # Do nothing, keep previous request authschema value } elseif {[HTTP::header exists "X-FORMS_BASED_AUTH_ACCEPTED"] && (([HTTP::header "X-FORMS_BASED_AUTH_ACCEPTED"] equals "t") || ([HTTP::header "X-FORMS_BASED_AUTH_ACCEPTED"] equals "f"))} { set AUTHENTICATION_MODE {msofba} } else { switch -glob -- [string tolower [HTTP::header "User-Agent"]] { "*microsoft office *ios*" - "*onedriveiosapp*" - "onedrive/*darwin*" { # NTLM is the only one supported for onedrive mobile set AUTHENTICATION_MODE {ntlm basic} #set AUTHENTICATION_MODE {deny} } "*microsoft office onedrive*" - "*microsoft onedrive*" - "*microsoft office skydrive*" - "*microsoft office syncproc*" - "*microsoft office upload center*" - "*office protocol discovery*" - "*microsoft office*" - "*microsoft data access internet publishing provider*" - "*non-browser*" - "msoffice 12*" - "*microsoft-webdav-miniredir*" - "*ms frontpage 1[23456789]*" { # Implicit MSOFBA support detected. set AUTHENTICATION_MODE {msofba} #set AUTHENTICATION_MODE {ntlm basic} } "*ms frontpage*" { # Legacy client detected set AUTHENTICATION_MODE {ntlm basic} #set AUTHENTICATION_MODE {deny} } "*mozilla*" - "*opera*" { # Regular web browser detected. set AUTHENTICATION_MODE {form} } default { set AUTHENTICATION_MODE {ntlm basic} #set AUTHENTICATION_MODE {msofba} } } #log local0. "[IP::remote_addr] : [string tolower [HTTP::header "User-Agent"]] : $AUTHENTICATION_MODE : [HTTP::cookie value MRHSession] : [HTTP::cookie value MRHSession_R]" } #################################### end of Authentication method selection ############################################## } priority 900 when RULE_INIT { set static::AUTH_POLICY_FAILED "policy_failed" set static::AUTH_POLICY_SUCCEED "policy_succeed" set static::AUTH_POLICY_DONE_WAIT_SEC 5 set static::AUTH_FIRST_BIG_POST_CONTENT_LEN 640000 set static::AUTH_POLICY_RESULT_POLL_INTERVAL 100 set static::AUTH_POLICY_RESULT_POLL_MAXRETRYCYCLE 100 set static::AUTH_ACCESS_USERKEY_TBLNAME "auth_access_userkey" set static::AUTH_ACCESS_LOG_PREFIX "01490000:7:" set static::AUTH_ACCESS_DEL_COOKIE_HDR_VAL "MRHSession=deleted; \ expires=Thu, 01-Jan-1970 00:00:01 GMT;\ path=/" } when CLIENT_ACCEPTED { set clientless_mode 0 set inject_session_cookie "" set inject_recover_cookie 0 if { ! [ info exists ADDITIONAL_AUTH_HEADERS ] } { set ADDITIONAL_AUTH_HEADERS "" } } when HTTP_REQUEST { set inject_session_cookie "" if { ! [ info exists f_ntlm_auth_succeed ] } { set f_ntlm_auth_succeed 0 } if { ! [ info exists sid_cache ] } { set sid_cache "" } if { ! [ info exists PROFILE_POLICY_TIMEOUT ] } { set PROFILE_POLICY_TIMEOUT [PROFILE::access access_policy_timeout] } if { ! [ info exists PROFILE_MAX_SESS_TIMEOUT ] } { set PROFILE_MAX_SESS_TIMEOUT [PROFILE::access max_session_timeout] } if { ! [ info exists src_ip ] } { set src_ip [IP::remote_addr] } if { ! [ info exists PROFILE_RESTRICT_SINGLE_IP ] } { set PROFILE_RESTRICT_SINGLE_IP [PROFILE::access restrict_to_single_client_ip] } set persisted_session_timeout [PROFILE::access inactivity_timeout] set http_method [HTTP::method] set http_uri [HTTP::uri] set http_content_len [HTTP::header Content-Length] set MRHSession_cookie [HTTP::cookie value MRHSession] if { ! [ info exists AUTHENTICATION_MODE ] } { set AUTHENTICATION_MODE {form} } switch -- [lindex $AUTHENTICATION_MODE 0] { "disable" { #################################### APM Disable ######################################################################### # disable APM and leave irule if mode is set to disable ACCESS::disable return } "form" { #################################### Form based authentication ########################################################### # Leave irule if authentication mode is set to default form base authentication if {[lindex $AUTHENTICATION_MODE 1] equals "persist"} { set inject_recover_cookie 1} else {set inject_recover_cookie 0} set apm_sessionid [HTTP::cookie value "MRHSession"] if {![HTTP::cookie exists MRHSession] || !($inject_recover_cookie && [HTTP::cookie exists MRHSession_R])} {return} } "deny" { #################################### Deny Request ######################################################################## # Respond with 403 response code and "Access Denied" content if mode is set to deny HTTP::respond 403 -version "1.1" \ content {Access Denied.} \ noserver \ "Content-Type" "text/html" \ "Set-Cookie" "MRHSession=deleted;path=/;secure" \ "Set-Cookie" "LastMRH_Session=deleted;path=/;secure" \ "Set-Cookie" "MRHSession=deleted; expires=Thu, 01 Jan 1970 00:00:00 GMT;path=/;secure" \ "Set-Cookie" "LastMRH_Session=deleted; expires=Thu, 01 Jan 1970 00:00:00 GMT;path=/;secure" return } default { #################################### All other authentication methods ##################################################### # provision response Headers for specific authentication set httpheaders "$ADDITIONAL_AUTH_HEADERS Set-Cookie \"MRHSession=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/\" Connection close" set httpcontent "ForbidenAuthentication\\ Required" set httpcode 401 foreach authvalue $AUTHENTICATION_MODE { switch $authvalue { basic { append httpheaders " WWW-Authenticate \"Basic realm=\\\"[HTTP::host]\\\"\"" } ntlm { append httpheaders " WWW-Authenticate NTLM" } negotiate { # Authentication method negociate not managed by this irule yet append httpheaders " WWW-Authenticate Negotiate" } msofba { #log local0. [HTTP::cookie value MRHSession_SP] if {[lindex $AUTHENTICATION_MODE 1] equals "persist" && [HTTP::cookie exists MRHSession_R]} { set persisted_session_timeout 300 } elseif {[HTTP::path] ne "/vdesk/ms-ofba-form"} { append httpheaders " \"Content-Type\"\ \"text/html\"" append httpheaders " X-FORMS_BASED_AUTH_REQUIRED"\ "https://[getfield [HTTP::host] ":" 1]/vdesk/ms-ofba-form?mode=[lindex $AUTHENTICATION_MODE 1]" append httpheaders " X-FORMS_BASED_AUTH_RETURN_URL"\ "https://[getfield [HTTP::host] ":" 1]/vdesk/ms-ofba-completed" append httpheaders " X-FORMS_BASED_AUTH_DIALOG_SIZE"\ "800x600" set httpcontent "ForbidenAccess\\ Denied.\\ Make\\ sure\\ that\\ your\\ client\\ is\\ correctly\\ configured.\\ See\\ https://support.microsoft.com/en-us/kb/932118\\ for\\ further\\ information." set httpcode 403 } } } } } } #################################### NTLM already authenticated connection ############################################### if {$f_ntlm_auth_succeed} { # enable ECA profile for already NTLM authenticated connections and ignore this irule event ECA::enable ECA::select $static::ECA_METADATA_ARG return } #################################### Valid session request : MHRSession Cookie ########################################### if { ( [set apm_sessionid [HTTP::cookie value "MRHSession"]] ne "" ) and ( [ACCESS::session exists -state_allow $apm_sessionid] ) } then { # Allow the successfully pre authenticated request to pass return #################################### Valid session request : MHRSession_R Cookie ######################################## ### This cokie is inserted to allow a user to log with recorded data stored on a encrypted cookie } elseif {([lindex $AUTHENTICATION_MODE 0] ne "form") and ( [set apm_sessionid [HTTP::cookie value "MRHSession_SP"]] ne "" ) and ( [ACCESS::session exists -state_allow $apm_sessionid] ) } then { #################################### Valid session request : MHRSession_SP Cookie ######################################## # Check if persistent APM session cookie is present and valid # Restore APM session cookie value HTTP::cookie insert name "MRHSession" value $apm_sessionid set inject_session_cookie $apm_sessionid # Allow the successfully pre authenticated request to pass return } elseif { [lindex $AUTHENTICATION_MODE 1] equals "persist" && [HTTP::cookie exists MRHSession_R] and ( [set session_restore_data [AES::decrypt $static::session_restore_aes_key [b64decode [HTTP::cookie value MRHSession_R]]]] ne "" )} { array set restore_data $session_restore_data if {$restore_data(timeout) > [clock seconds] } { set user_key "persist.[PROFILE::access name].$restore_data(session.logon.last.username)" if {[set apm_sessionid [table lookup -subtable APMSessionRestore $user_key]] != "" && ( [ACCESS::session exists -state_allow $apm_sessionid] ) } { #log local0. "session recover by table" } elseif { ([ llength [set cookie_list [ ACCESS::user getsid $user_key ] ] ] != 0) and [set apm_sessionid [ ACCESS::user getkey [ lindex $cookie_list 0 ] ] ] ne ""} { #log local0. "session recover by cookie list" } else { #log local0. "new session" if { [HTTP::header value "Accept-Language"] eq "" } then { # A "Accept-language" header is not present. Injecting language code = none HTTP::header insert "Accept-Language" "none" } set apm_sessionid [ACCESS::session create -timeout $persisted_session_timeout] ACCESS::session data set -sid $apm_sessionid "session.policy.result" "allow" foreach session_variable [lsearch -all -inline -not -exact [array names restore_data] timeout] { ACCESS::session data set -sid $apm_sessionid $session_variable $restore_data($session_variable) #log local0.debug "Adding $session_variable = $restore_data($session_variable)" } ACCESS::session data set -sid $apm_sessionid ".session.assigned.uuid" "tmm.uuid.$user_key" ACCESS::session data set -sid $apm_sessionid "session.user.uuid" $user_key } HTTP::cookie insert name "MRHSession" value $apm_sessionid set inject_session_cookie $apm_sessionid table set -subtable "APMSessionRestore" $user_key $apm_sessionid $persisted_session_timeout indef unset restore_data user_key return } } #################################### Request with valid Authorization Header ############################################ ### convert authentication header to be managed by APM if { [ llength [set auth_data [split [HTTP::header Authorization] " "]] ] == 2 } { if {[lsearch -exact $AUTHENTICATION_MODE [set authvalue [string tolower [ lindex $auth_data 0]]]] ne -1} { switch $authvalue { "ntlm" { ECA::enable ECA::select $static::ECA_METADATA_ARG } "basic" { set clientless(insert_mode) 1 set clientless(src_ip) [IP::remote_addr] set clientless(username) [ string tolower [HTTP::username] ] set clientless(password) [HTTP::password] if { $PROFILE_RESTRICT_SINGLE_IP == 0 } { binary scan [md5 "$clientless(password)"] H* clientless(hash) } else { binary scan [md5 "$clientless(password)$clientless(src_ip)"] H* clientless(hash) } set user_key "$clientless(username).$clientless(hash)" set clientless(cookie_list) [ ACCESS::user getsid $user_key ] if { [ llength $clientless(cookie_list) ] != 0 } { set clientless(cookie) [ ACCESS::user getkey [ lindex $clientless(cookie_list) 0 ] ] if { $clientless(cookie) != "" } { HTTP::cookie insert name MRHSession value $clientless(cookie) set clientless(insert_mode) 0 } } if { $clientless(insert_mode) } { HTTP::header insert "clientless-mode" 1 HTTP::header insert "username" $clientless(username) HTTP::header insert "password" $clientless(password) set clientless_mode 1 } unset clientless } "negotiate" { #log local0. [getfield [HTTP::header Authorization] " " 2] #set clientless(insert_mode) 1 #set clientless(authparam) [getfield [HTTP::header Authorization] " " 2] #log local0. $clientless(authparam) #log local0. [string length $clientless(authparam)] #set clientless(decode) [b64decode $clientless(authparam)] ##log local0. [sha256 "$clientless(decode)"] #binary scan [sha256 "$clientless(decode)"] H* clientless(hash) #log local0. $clientless(hash) #set user_key "$clientless(hash)" #set clientless(cookie_list) [ ACCESS::user getsid $user_key ] # if { [ llength $clientless(cookie_list) ] != 0 } { # set clientless(cookie) [ ACCESS::user getkey [ lindex $clientless(cookie_list) 0 ] ] # if { $clientless(cookie) != "" } { # HTTP::cookie insert name MRHSession value $clientless(cookie) # set clientless(insert_mode) 0 # } # } #if { $clientless(insert_mode) } { # HTTP::header insert "clientless-mode" 1 # set clientless_mode 1 # } # unset clientless } default { #other authentication methodes are not managed by this irule yet } } } #################################### Redirect unmanaged requests with supported authentication method ################## } else { eval HTTP::respond $httpcode -version 1.1 content $httpcontent noserver $httpheaders return } } when HTTP_RESPONSE { # Insert persistent cookie for html content type and private session if { [HTTP::header "Content-Type" ] contains "text/html" && [info exists "apm_sessionid"]} { HTTP::cookie remove MRHSession_SP HTTP::cookie insert name MRHSession_SP value $apm_sessionid path "/" HTTP::cookie expires MRHSession_SP 300 relative HTTP::cookie secure MRHSession_SP enable } # Insert session cookie if session was recovered from persistent cookie if { ([info exists "inject_session_cookie"]) && ($inject_session_cookie ne "") } { HTTP::cookie insert name MRHSession value $inject_session_cookie path "/" HTTP::cookie secure MRHSession enable #log local0. "injected $inject_session_cookie" } if { $inject_recover_cookie } then { # Insert APM recover session cookie into HTTP response. set session_restore_data "[clock seconds] [ACCESS::session data get "session.logon.last.username"]" foreach session_variable $static::session_restore_variables { if { [set session_variable_value [ACCESS::session data get $session_variable]] ne "" } then { lappend session_restore_data "$session_variable=$session_variable_value" } } HTTP::header insert "Set-Cookie" "MRHSession_R=[b64encode [AES::encrypt $static::session_restore_aes_key $session_restore_data]];Path=/;Secure;HttpOnly" set inject_recover_cookie 0 } if {[HTTP::header exists "Transfer-Encoding"]} { HTTP::payload rechunk } } when ACCESS_SESSION_STARTED { if {[set landinguri [ACCESS::session data get session.server.landinguri]] equals "/vdesk/ms-ofba-form?mode=persist" } { ACCESS::session data set session.server.landinguri "/vdesk/AddPersistentCookie?url=[b64encode "/vdesk/ms-ofba-completed"]" } elseif {([info exists "inject_recover_cookie"])} { ACCESS::session data set session.server.landinguri "/vdesk/AddPersistentCookie?url=[b64encode [ACCESS::session data get session.server.landinguri]]" ACCESS::session data set session.inactivity_timeout 300 } if {([info exists "clientless_mode"])} { ACCESS::session data set session.clientless $clientless_mode if {$clientless_mode} { ACCESS::session data set session.inactivity_timeout 300 if {[HTTP::header Authorization] starts_with "Negotiate"}{ ACCESS::session data set session.logon.last.authtype "Negotiate" ACCESS::session data set session.logon.last.authparam [getfield [HTTP::header Authorization] " " 2] } } } if { [ info exists user_key ] } { ACCESS::session data set "session.user.uuid" $user_key } } when ACCESS_POLICY_COMPLETED { if { ! [ info exists user_key ] } { return } set user_key_value "" set f_delete_session 0 set policy_result [ACCESS::policy result] set sid [ ACCESS::session sid ] switch $policy_result { "allow" { set user_key_value $sid set sid_cache $user_key_value log -noname accesscontrol.local1.debug "$static::AUTH_ACCESS_LOG_PREFIX Result: Allow: $user_key" log -noname accesscontrol.local1.debug "$static::AUTH_ACCESS_LOG_PREFIX sid = $sid" } "deny" { eval ACCESS::respond 401 -version 1.1 content {ForbidenAuthentication\ Required} noserver $httpheaders set f_delete_session 1 } default { ACCESS::respond 503 content $static::actsync_503_http_body Connection Close log -noname accesscontrol.local1.debug "$static::AUTH_ACCESS_LOG_PREFIX Got unsupported policy result for $user_key ($sid)" set f_delete_session 1 } } if { $f_ntlm_auth_succeed == 1 } { if { $user_key_value != "" } { log -noname accesscontrol.local1.debug "$static::AUTH_ACCESS_LOG_PREFIX Setting $user_key => $static::AUTH_POLICY_SUCCEED" table set -subtable $static::AUTH_ACCESS_USERKEY_TBLNAME $user_key $static::AUTH_POLICY_SUCCEED } else { log -noname accesscontrol.local1.debug "$static::AUTH_ACCESS_LOG_PREFIX Setting $user_key => $static::AUTH_POLICY_FAILED $static::AUTH_POLICY_DONE_WAIT_SEC $static::AUTH_POLICY_DONE_WAIT_SEC in table $static::AUTH_ACCESS_USERKEY_TBLNAME" table set -subtable $static::AUTH_ACCESS_USERKEY_TBLNAME $user_key $static::AUTH_POLICY_FAILED $static::AUTH_POLICY_DONE_WAIT_SEC $static::AUTH_POLICY_DONE_WAIT_SEC } } if { $f_delete_session == 1 } { ACCESS::session remove set f_delete_session 0 log -noname accesscontrol.local1.debug "$static::AUTH_ACCESS_LOG_PREFIX Removing the session for $user_key." } } when ACCESS_ACL_ALLOWED { switch -glob -- [string tolower [HTTP::path]] { "/vdesk/addpersistentcookie" { set cookie_expire_absolute [expr {[clock seconds] + $static::session_restore_timeout}] set cookie_expire_date [clock format $cookie_expire_absolute -format "%a, %d-%b-%Y %H:%M:%S GMT" -gmt true] set session_restore_data "timeout $cookie_expire_absolute" foreach session_variable $static::session_restore_variables { if { [set session_variable_value [ACCESS::session data get $session_variable]] ne "" } then { lappend session_restore_data $session_variable $session_variable_value } } set cookie [format "MRHSession_R=%s; path=/; expires=%s;Secure; HttpOnly" [b64encode [AES::encrypt $static::session_restore_aes_key $session_restore_data]] $cookie_expire_date] ACCESS::respond 302 noserver Location [b64decode [URI::query [HTTP::uri] url]] "Set-Cookie" $cookie } "/vdesk/ms-ofba-form" { ACCESS::respond 302 noserver Location "/vdesk/ms-ofba-completed" } "/vdesk/ms-ofba-completed" { ACCESS::respond 200 content { Authenticated Good Work, you are Authenticated } noserver } "*/signout.aspx" { # Disconnect session and redirect to APM logout Page ACCESS::respond 302 noserver Location "/vdesk/hangup.php3" "Set-Cookie" "MRHSession_R=deleted;expires=Thu, 01 Jan 1970 00:00:00 GMT;path=/;secure" event disable TCP::close return } "/_layouts/accessdenied.aspx" { # Disconnect session and redirect to APM Logon Page if {[string tolower [URI::query [HTTP::uri] loginasanotheruser]] equals "true" } { ACCESS::session remove ACCESS::respond 302 noserver Location "/" "Set-Cookie" "MRHSession_R=deleted;expires=Thu, 01 Jan 1970 00:00:00 GMT;path=/;secure" event disable TCP::close return } } default { # No Actions } } } when ECA_REQUEST_ALLOWED { set f_ntlm_auth_succeed 1 if { $MRHSession_cookie == "" } { # Retrieve from SID cache set MRHSession_cookie $sid_cache HTTP::cookie insert name MRHSession value $sid_cache } if { $MRHSession_cookie != "" } { # Destroy session ID cache. This client should not need session ID cache if { ($sid_cache != "") && ($sid_cache != $MRHSession_cookie) } { set sid_cache "" } if { [ ACCESS::session exists -state_allow $MRHSession_cookie ] } { log -noname accesscontrol.local1.debug "$static::AUTH_ACCESS_LOG_PREFIX HTTP *VALID* MRHSession cookie: $MRHSession_cookie" # Default profile access setting is false if { $PROFILE_RESTRICT_SINGLE_IP == 0 } { log -noname accesscontrol.local1.debug "$static::AUTH_ACCESS_LOG_PREFIX Release the request" return } elseif { [ IP::addr $src_ip equals [ ACCESS::session data get -sid $MRHSession_cookie "session.user.clientip" ] ] } { log -noname accesscontrol.local1.debug "$static::AUTH_ACCESS_LOG_PREFIX source IP matched. Release the request" return } else { log -noname accesscontrol.local1.debug "$static::AUTH_ACCESS_LOG_PREFIX source IP does not matched" } } else { log -noname accesscontrol.local1.debug "$static::AUTH_ACCESS_LOG_PREFIX HTTP *INVALID* MRHSession cookie: $MRHSession_cookie" } } set MRHSession "" set sid_cache "" HTTP::cookie remove MRHSession # Build user_key set user_key {} append user_key [string tolower [ECA::username]] "@" [ string tolower [ECA::domainname] ] if { $PROFILE_RESTRICT_SINGLE_IP == 0 } { append user_key ":" $src_ip } append user_key ":" [ECA::client_machine_name] set apm_cookie_list [ ACCESS::user getsid $user_key ] if { [ llength $apm_cookie_list ] != 0 } { set MRHSession_cookie [ ACCESS::user getkey [ lindex $apm_cookie_list 0 ] ] if { $MRHSession_cookie != "" } { set sid_cache $MRHSession_cookie HTTP::cookie insert name MRHSession value $MRHSession_cookie log -noname accesscontrol.local1.debug "$static::AUTH_ACCESS_LOG_PREFIX APM Cookie found: $sid_cache" return } } unset apm_cookie_list set try 1 set start_policy_str $src_ip append start_policy_str [TCP::client_port] while { $try <= $static::AUTH_POLICY_RESULT_POLL_MAXRETRYCYCLE } { log -noname accesscontrol.local1.debug "$static::AUTH_ACCESS_LOG_PREFIX NO APM Cookie found" log -noname accesscontrol.local1.debug "$static::AUTH_ACCESS_LOG_PREFIX Trying #$try for $http_method $http_uri $http_content_len" if { $http_content_len > $static::AUTH_FIRST_BIG_POST_CONTENT_LEN } { # Wait at below } else { log -noname accesscontrol.local1.debug "$static::AUTH_ACCESS_LOG_PREFIX EXEC: table set -notouch -subtable $static::AUTH_ACCESS_USERKEY_TBLNAME -excl $user_key $start_policy_str $PROFILE_POLICY_TIMEOUT $PROFILE_MAX_SESS_TIMEOUT" set policy_status [table set -notouch -subtable $static::AUTH_ACCESS_USERKEY_TBLNAME -excl $user_key $start_policy_str $PROFILE_POLICY_TIMEOUT $PROFILE_MAX_SESS_TIMEOUT] log -noname accesscontrol.local1.debug "$static::AUTH_ACCESS_LOG_PREFIX DONE: table set -notouch -subtable $static::AUTH_ACCESS_USERKEY_TBLNAME -excl $user_key $start_policy_str $PROFILE_POLICY_TIMEOUT $PROFILE_MAX_SESS_TIMEOUT" if { $policy_status == $start_policy_str } { # ACCESS Policy has not started. Start one HTTP::header insert "clientless-mode" 1 set clientless_mode 1 break } elseif { $policy_status == $static::AUTH_POLICY_SUCCEED } { log -noname accesscontrol.local1.debug "$static::AUTH_ACCESS_LOG_PREFIX table is out-of-sync retry" table delete -subtable $static::AUTH_ACCESS_USERKEY_TBLNAME $user_key continue } elseif { $policy_status == $static::AUTH_POLICY_FAILED } { ACCESS::disable TCP::close return } # Wait at below } log -noname accesscontrol.local1.debug "$static::AUTH_ACCESS_LOG_PREFIX Waiting $static::AUTH_POLICY_RESULT_POLL_INTERVAL ms for $http_method $http_uri" # Touch the entry table table lookup -subtable $static::AUTH_ACCESS_USERKEY_TBLNAME $user_key after $static::AUTH_POLICY_RESULT_POLL_INTERVAL set apm_cookie_list [ ACCESS::user getsid $user_key ] if { [ llength $apm_cookie_list ] != 0 } { set MRHSession_cookie [ ACCESS::user getkey [ lindex $apm_cookie_list 0 ] ] if { $MRHSession_cookie != "" } { set sid_cache $MRHSession_cookie HTTP::cookie insert name MRHSession value $MRHSession_cookie log -noname accesscontrol.local1.debug "$static::AUTH_ACCESS_LOG_PREFIX APM Cookie found: $sid_cache" return } } incr try } if { $try > $static::AUTH_POLICY_RESULT_POLL_MAXRETRYCYCLE } { log -noname accesscontrol.local1.debug "$static::AUTH_ACCESS_LOG_PREFIX Policy did not finish in [ expr { $static::AUTH_POLICY_RESULT_POLL_MAXRETRYCYCLE * $static::AUTH_POLICY_RESULT_POLL_INTERVAL } ] ms. Close connection for $http_method $http_uri" table delete -subtable $static::AUTH_ACCESS_USERKEY_TBLNAME $user_key ACCESS::disable TCP::close return } log -noname accesscontrol.local1.debug "$static::AUTH_ACCESS_LOG_PREFIX Releasing request $http_method $http_uri" unset try unset start_policy_str } when ECA_REQUEST_DENIED { log local0. "User [ECA::username]@[ECA::domainname], Client Machine [ECA::client_machine_name], Auth Status [ECA::status]" set f_ntlm_auth_succeed 0 } Tested this on version: 11.52.2KViews0likes11CommentsAPM Sharepoint
We are attempting to migrate a Sharepoint Site that has 2 virtual servers from a Netscaler to F5. There are 3 separate user authentication domains. When I test directly to the Sharepoint site, I can successfully log in w/o domain notation. Is it possible to setup a F5 Logon Page that does not authenticate the user but only collects the username and password and passes to it the Sharepoint server?345Views0likes1CommentMigrating Sharepoint on-premise systems from Cisco ACE to BIG-IP LTM
I am migrating services from our old Cisco ACE to BIG-IP LTM, using the iApp f5.microsoft_sharepoint_2010_2013.v1.2.2. We have several sites (hub, network, projects, search, user and workspace)for 3 environments (test, pre-production, production).The ACE isn't configured for service checking for the Sharepoint sites, no probes are configured. So far migration has been reasonable and several services that worked on the ACE work on the LTM.All sites are built with the BIG-IP passing through SSL traffic, certificates are nt loaded onto LTM. I'm seeing all of the "search" instances marked offline due to a failed HTTPS monitor.The monitor consists of the iApp default send string: GET / HTTP/1.1\r\nHost: searchtest.domain.com\r\nConnection: Close\r\n\r\n for searchtest GET / HTTP/1.1\r\nHost: searchpreprod.domain.com\r\nConnection: Close\r\n\r\n for searchpreprod GET / HTTP/1.1\r\nHost: search.domain.com\r\nConnection: Close\r\n\r\n for searchprod The same defaults for projectstest, projectspreprod and projects work without errors. Where do I go next to resolve the monitor errors, please? Many thanks! Kev499Views0likes1CommentSharePoint Server Farm F5 LoadBalancer with SSL
Hi All, First off i should let you know that i am not managing the F5, I am posting here to maybe find out if error is caused from f5 config, if so steer the customer to fix their f5 config with regards to specific sharepoint settings. I have a 2x2 MinRole HA SharePoint Server Farm. 2 App servers, 2 WFE servers. I have had the customer set up F5 LoadBalancer with SSL being handled with F5. I have setup my alternate access mapping as follows. public url is the dns set up for f5. and in internal urls i have added http/s version of app server, and the two web servers. https://i.hizliresim.com/CiSVLD.png As for problems I have faced, I found out when i want to pick a date from calendar the widget is not loaded from server. It throws a x-frame set to deny error. https://i.hizliresim.com/ezYNAZ.png One other problem i found out is that workflows dont work and throw an ssl connection can not be established error. https://i.hizliresim.com/Djt61R.png How should the customer set up f5 load balancing with ssl handled in f5? Thanks in advance.974Views0likes1Comment