Forum Discussion

Danny_Tix_27276's avatar
Danny_Tix_27276
Icon for Nimbostratus rankNimbostratus
Apr 19, 2017

SSO breaking OWA font icons

I am investigating an issue where font-based icons are not rendering in OWA 2013 when accessed in Internet Explorer through APM using SSO.

IE11:

Everywhere else:

We originally configured load balancing for CAS / OWA through LTM using the iApp without APM, and later added a portal access link to OWA on a separate APM webtop portal. This link goes through the APM session in order to use form-based SSO, and was configured manually & completely separately from the iApp-based VIP hosting CAS / OWA.

The page renders as expected in any browser when accessed directly without APM, or through APM when SSO is disabled (or fails). The page also renders normally when accessed with SSO in any browser except IE11.

We have performed a wide range of tests on the app and SSO profile with limited success. Under certain circumstances, IE11 will render the icons; but only when requests are routed through an external proxy (i.e. Fiddler) and even then only under specific SSO settings. We have verified that the fonts are being received intact, and can even get the icons to render if we install them locally and modify the page (through the IE developer console) to load the local copy. We have also applied the client-initiated SSO profile that is created by the exchange 2013 iApp template with the same results.

I am now out of ideas and open to any potential explanations or solutions the community has to share. Thank you in advance.

apm resource portal-access /Common/OWA {
    acl-order 8
    application-uri https://owa.domain.com/owa/auth/logon.aspx\?replaceCurrent=1
    customization-group /Common/OWA_resource_web_app_customization
    items {
        item {
            host owa.domain.com
            order 1
            paths /*
            port 443
            scheme https
            sso /Common/exchange_2013_sso
            subnet 0.0.0.0/0
        }
    }
    path-match-case false
    publish-on-webtop true
    scheme-patching true
}

apm sso form-based /Common/exchange_2013_sso {
    form-action /owa/auth.owa
    form-field "destination https://owa.domain.com/owa/
flags 4
forcedownlevel  0
isUtf8 1
trusted 0"
    form-password password
    form-username username
    start-uri /owa/auth/logon.aspx\?replaceCurrent=1
    success-match-value path
    username-source session.qualifiedlogin
}
application delivery
BIG-IP Access Policy Manager (APM)
internet explorer
LTM
owa 2013
No RepliesBe the first to reply