
APM Sharepoint authentication v2

Problem this snippet solves:

This new version of the iRule supports NTLM authentication (mandatory for OneDrive apps).

APM is a great authentication service, but it authenticates only with forms.

The default behavior is to redirect the user to /my.policy to process the VPE. This redirect is only supported for the GET method.

SharePoint provides 3 different access types:

  • Browsing the web site with a browser
  • Editing documents with Office
  • Connecting to OneDrive on premise from PCs and mobiles
  • Browsing folders with a WebDAV client (or editing documents with LibreOffice through the WebDAV protocol)

This iRule presents the best authentication method for each of these access types:

  • Browsers authenticate with the default authentication method (form-based authentication)
  • Microsoft Office authenticates with form-based authentication (with support for the MS-OFBA protocol)
  • LibreOffice and WebDAV clients authenticate with 401 basic authentication (NTLM and Basic)
  • Form-based authentication (browser and Microsoft Office) is compatible (validated for one customer) with SAML authentication
  • NTLM authentication for OneDrive mobile applications

Document editing is managed with a persistent cookie that expires after 5 minutes. For the cookie to be shared between IE and Office, it requires:

  • the cookie to be persistent (an expiration date instead of being deleted at the end of the session)
  • the web site to be defined in "Trusted sites" in IE.

How to use this snippet:

Install this iRule and enable it on the VS.

In the first HTTP_REQUEST event, configure the authentication mode list by setting the AUTHENTICATION_MODE variable.

Set the list of supported authentication modes. Possible values are:

  • form : default form-based authentication
  • msofba : Microsoft Office Form Based Authentication for Office and OneDrive apps
  • persist : add a persistent cookie to recover a closed session. This function is only supported by the form and msofba authentication modes.
    • --> the word persist must be set after the authentication mode, e.g. {form persist} or {msofba persist}
  • basic : Basic authentication
  • ntlm : NTLM authentication
  • negotiate : Kerberos / SPNEGO authentication; not supported yet by this iRule
    • --> basic, ntlm and negotiate can be set together, e.g. {negotiate ntlm basic} or {ntlm basic}
  • deny : send a 403 response code to deny the request
  • disable : disable APM authentication
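
The ordering and support rules in the list above can be checked before a mode list is deployed. The following is an added example, not part of the published iRule: `check_auth_mode` is a hypothetical helper, the sample lists are constructed, and "after" is read here as "immediately after". It is plain Tcl for `tclsh` and does not reproduce how the iRule itself parses AUTHENTICATION_MODE.

```tcl
# Added example: lint an AUTHENTICATION_MODE list against the rules stated
# on this page. Written for plain tclsh, using only Tcl 8.4 constructs.
proc check_auth_mode {modes} {
    # Mode words documented on this page.
    set known {form msofba persist basic ntlm negotiate deny disable}
    set problems {}
    set prev ""

    if {[llength $modes] == 0} {
        lappend problems "empty mode list"
    }
    foreach m $modes {
        if {[lsearch -exact $known $m] < 0} {
            # Catches typos such as "ntm", which would otherwise be ignored
            # or mishandled at request time.
            lappend problems "unknown mode '$m'"
        } elseif {$m eq "persist" && $prev ne "form" && $prev ne "msofba"} {
            # Assumption: persist must come directly after form or msofba.
            lappend problems "'persist' must follow form or msofba"
        } elseif {$m eq "negotiate"} {
            lappend problems "'negotiate' is not supported yet by this iRule"
        }
        set prev $m
    }
    return $problems
}

# Constructed sample lists: three valid, three with a problem.
set samples {
    {form persist}
    {msofba persist}
    {ntlm basic}
    {persist form}
    {negotiate ntlm basic}
    {ntm basic}
}
foreach candidate $samples {
    set p [check_auth_mode $candidate]
    if {[llength $p] == 0} {
        puts "OK     {$candidate}"
    } else {
        puts "REJECT {$candidate}: [join $p {; }]"
    }
}
```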

Tested on Version:

Comments on this Snippet

Comment made 3 weeks ago by IT TAB F5 1

Hello Stanislas,

We have tried this V2 code with default settings, but we received a script error on web_host.js on Windows devices when opening an Office document in Office 2016. On Mac OS the Office client hangs when we tried to edit a document. If we change the default authentication for MSOffice clients to Basic we receive an error that the document cannot be opened. Note: We are using APM Domain Mode with Multiple Authentication Domains. If we switch to APM Single Domain mode, then Basic authentication works.

How can we get MSOFBA or Basic working on Windows and Mac OS with APM Domain Mode with Multiple Authentication Domains?

Thanks for your support

Kind regards