APM SharePoint authentication v2

Problem this snippet solves:

This new version of the iRule supports NTLM authentication (mandatory for the OneDrive apps).

APM is a great authentication service, but by default it authenticates only with forms.

The default behavior is to redirect the user to /my.policy to run the access policy (VPE). This redirect is only supported for the GET method.

SharePoint provides 3 different access types:

  • browsing the web site with a browser
  • editing documents with Office
  • connecting to OneDrive on premise from PCs and mobiles
  • browsing folders with a WebDAV client (or editing documents with LibreOffice through the WebDAV protocol)

This iRule selects the best authentication method for each of these access types:

  • browsers authenticate with the default authentication method (form-based authentication)
  • Microsoft Office authenticates with form-based authentication (with support for the MS-OFBA protocol)
  • LibreOffice and WebDAV clients authenticate with a 401 challenge (NTLM and Basic)
  • form-based authentication (browser and Microsoft Office) is compatible (validated for one customer) with SAML authentication
  • NTLM authentication for the OneDrive mobile applications

Document editing is managed with a persistent cookie that expires after 5 minutes. For the cookie to be shared between IE and Office, it requires:

  • the cookie is persistent (expiration date instead of being deleted at the end of the session)
  • the web site is defined as a "trusted site" in IE.

How to use this snippet:

Install this iRule and enable it on the virtual server (VS).

In the first HTTP_REQUEST event, configure the list of authentication modes by setting the AUTHENTICATION_MODE variable.

Set the list of supported authentication modes. Possible values are:

  • form : default form-based authentication
  • msofba : Microsoft Office Form Based Authentication (MS-OFBA) for Office and OneDrive apps
  • persist : add a persistent cookie to recover a closed session. This function is only supported by the form and msofba authentications.
    • --> the persist word must be set after the authentication mode, e.g. {form persist} or {msofba persist}
  • basic : Basic authentication
  • ntlm : NTLM authentication
  • negotiate : Kerberos / SPNEGO authentication; not supported yet by this iRule
    • --> basic, ntlm and negotiate can be set together, e.g. {negotiate ntlm basic} or {ntlm basic}
  • deny : send a 403 response code to deny the request
  • disable : disable APM authentication
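As an added example (not the snippet's own code), this is what the configuration part of the first HTTP_REQUEST event can look like: the enabled mode list uses only the values documented above, and the internal-client bypass that several comments on this page ask about is driven by address data groups instead of addresses hard-coded in the iRule. The data group names dg_apm_bypass_subnets and dg_sharepoint_hosts are assumptions; how each mode is actually applied to a request stays with the iRule itself.

```tcl
# Added example: configuration block for the first HTTP_REQUEST event.
# Not the snippet's own code. Mode values are the ones documented on the
# page; the data group names are assumptions.
when HTTP_REQUEST {
    # Modes the iRule may use: form + persist for browsers, msofba (+ persist)
    # for Office and OneDrive apps, ntlm then basic for WebDAV / LibreOffice
    # clients that expect a 401 challenge.
    set AUTHENTICATION_MODE {form msofba persist ntlm basic}

    # Bypass APM for trusted internal clients. Keeping the subnets in an
    # address data group (assumed name dg_apm_bypass_subnets) means the iRule
    # never has to be edited when a subnet changes, and the same virtual
    # server keeps serving internal and external users. The "disable" mode
    # lets the iRule do its own ACCESS::disable handling.
    if { [class match [IP::client_addr] equals dg_apm_bypass_subnets] } {
        set AUTHENTICATION_MODE {disable}
    }

    # Refuse requests for host names this VS does not serve with the "deny"
    # mode (403) instead of sending them through the access policy. The port,
    # if present, is stripped before the lookup. The string data group
    # dg_sharepoint_hosts holds the published SharePoint FQDNs (assumed name).
    set vhost [string tolower [lindex [split [HTTP::host] ":"] 0]]
    if { ![class match $vhost equals dg_sharepoint_hosts] } {
        set AUTHENTICATION_MODE {deny}
    }
}
```

Because the bypass decision is taken from the client address rather than from a cookie or header, it cannot be influenced by the client; a data group also keeps the subnet list reviewable without reading the whole iRule.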

Tested on Version:
Comments on this Snippet
Comment made 23-Feb-2018 by IT TAB F5 1

Hello Stanislas,

We have tried this V2 code with default settings, but we received a script error on web_host.js on Windows devices when opening an Office document in Office 2016. On Mac OS the Office client hangs when we tried to edit a document. If we change the default authentication for MS Office clients to Basic we receive an error that the document cannot be opened. Note: We are using APM Domain Mode with Multiple Authentication Domains. If we switch to APM Single Domain mode, then Basic authentication works.

How can we get MSOFBA or Basic working on Windows and Mac OS with APM Domain Mode with Multiple Authentication Domains?

Thanks for your support

Kind regards

Comment made 23-Apr-2018 by kevin.flynn 53

Stanislas, We are having the same issue with a new deployment we are standing up. Were you able to resolve this?

Comment made 05-Jul-2018 by AN 165

I am still having issue with launching office app even using above iRULE. Following APM Policy I have:

START -> IP SUBNET MATCH -> Internal IP -> Don't do anything -> ALLOW; External IP -> Logon Page -> AD Auth -> SSO Credential Mapping -> Variable Assign -> Allow; Fallback -> Deny

Comment made 05-Jul-2018 by Stanislas Piron 10465

Commented lines 44-47 are there to bypass APM for some client IPs!

What issues do you have?

Comment made 05-Jul-2018 by AN 165

Thanks Stanislas Piron for your response. My issue is I don't want to use the APM policy if the client is coming from internal. But if the client is external, then give the F5 login page and do NTLM SSO to the backend servers.

I want to use the same virtual server for both internal and external. I tried disabling APM based on client IP with no success.

```tcl
if { [IP::addr [IP::client_addr] equals] } {
    HTTP::cookie remove "MRHSession"
    HTTP::cookie remove "LastMRH_Session"
}
```

From the link below I found other users have the same issue. https://devcentral.f5.com/questions/irule-to-disable-apm-not-working-as-expected

The issue I am having with your iRule is that I still get the same error when opening any Office documents. If I remove the APM policy it works fine.

Comment made 05-Jul-2018 by Stanislas Piron 10465

Did you look at lines 44-47?

Comment made 05-Jul-2018 by AN 165

@ Stanislas Piron

I have uncommented the following and replaced the IPs with the Office servers' IPs:

```tcl
if { [IP::addr [IP::client_addr]/32 equals] or [IP::addr [IP::client_addr]/32 equals] } {
    set AUTHENTICATION_MODE {disable}
}
```

But no luck..

Comment made 09-Jul-2018 by JoeTheFifth 301

I have two issues after a quick test.

I had to add this to make it work with Office Web Apps (SharePoint 2013):

```tcl
if { [HTTP::header "User-Agent"] equals "MSWAC" } {
    ACCESS::disable
    ECA::disable
    return
}
```

I have the same issue with the iRule I wrote for my setup. And another similar error which I've always seen but never dealt with, as I'm still testing my setup: a JavaScript error when opening Office docs with the Office client, right before the logon page. The error comes from the APM script having issues with the mini IE browser. https://webapp1.com/public/include/js/web_host.js error line 35 => return (window.external && typeof window.external === 'object');

```javascript
DefaultExternalWebHostImpl.prototype.isAvailable = function() {
    return (window.external && typeof window.external === 'object');
}
```

Comment made 20-Sep-2018 by Josh Becigneul 1232

I spent part of the day working with this iRule and it seems that it may be broken in regards to using Office clients on OSX. Adding some debugging shows that they continue to attempt to authenticate after the first success, in rapid succession. The client then crashes and needs to be force closed. I'm trying to see what the difference, if any, is between OSX and Windows.

Comment made 2 days ago by Kai Wilke 6973

Hi Stanislas,

You may want to double-check your lines 211, 212 and 343. They allow an attacker to perform a Tcl injection attack by sending handcrafted Host header values.

Remote Code Execution with TMM crash:

Host: www.[while { 1 } { set x 1 }].de

Disclosure of your AES Recovery Key:

Host: www.[b64encode [subst [b64decode JHN0YXRpYzo6c2Vzc2lvbl9yZXN0b3JlX2Flc19rZXk=]]].de

Cheers, Kai
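As an added example, written for this page rather than taken from the snippet or from Kai's comment, here is the root cause of the problem Kai describes beside a hardened form. The flagged lines 211, 212 and 343 are not reproduced on this page, so the unsafe forms shown in the comments are an assumption about what they do: they pass the Host header through a second round of Tcl substitution (eval, subst, or an unbraced expr). Tcl substitutes the header value once when the command is parsed; the second round parses the resulting string again, so a [...] sequence inside the header value is executed as a command with the iRule's privileges. A plain set or a braced expr substitutes the value exactly once, as data. The variable static::sp_fqdn and the example host name are assumed names.

```tcl
# Added example, not the snippet's own code.
# ASSUMPTION: the flagged lines re-parse the Host header in a form such as
#
#   if { [expr "[HTTP::host] eq \"$static::sp_fqdn\""] } { ... }  ;# unbraced expr
#   eval "set vhost [HTTP::host]"                                ;# eval on request data
#   set vhost [subst [HTTP::host]]                               ;# subst on request data
#
# In each case the header value is substituted a second time, so any
# command substitution it contains runs inside TMM.

when RULE_INIT {
    # Assumed published name of the SharePoint site.
    set static::sp_fqdn "sharepoint.example.com"
}

when HTTP_REQUEST {
    # Take the value as data: one substitution, never re-parsed. Strip an
    # optional port and normalise case before comparing.
    set vhost [string tolower [lindex [split [HTTP::host] ":"] 0]]

    # Allow-list the characters a host name can contain before the value is
    # used anywhere (comparisons, logs, cookies, redirects). Brackets, braces,
    # dollar signs, quotes and whitespace never belong in a Host header, so
    # anything else is rejected up front.
    if { ![regexp {^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$} $vhost] } {
        # Log for detection. $vhost is passed as a variable, so its contents
        # are written to the log, not evaluated; the length is capped.
        log local0.warn "Rejected malformed Host header from [IP::client_addr]: [string range $vhost 0 80]"
        HTTP::respond 400 content "Bad Request" noserver "Connection" "close"
        return
    }

    # Braced expression: both operands are compared as strings with no second
    # round of substitution, which is the fix for the unsafe forms above.
    if { $vhost eq $static::sp_fqdn } {
        # ... normal SharePoint processing continues here ...
    }
}
```

The same rule applies to every request-controlled value the iRule touches (User-Agent, cookies, the URI): keep it in a variable, compare it inside braces, and never hand it to eval, subst, or an unbraced expr. Rejected requests logged at local0.warn give a simple detection signal for the probes Kai describes.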