Learn F5 Technologies, Get Answers & Share Community Solutions Join DevCentral

Filter by:
  • Solution
  • Technology
Clear all filters
Answers

APM/MsOFFICE: ACCESS:disable after decision box

I have a VS with an APM policy. Policy starts with a decision box.

OptionA => Domain users (multiple forests).

OptionsB => External user.

Authentication for option B in interna domains. Authentication for OptionB is a non-Microsoft ldap.

When user chooses optionA I set a cookie and after the access policy allowed event the browser picks the cookie and the ACCESS::disable works fine on subsequent requests. Browser tested: IE/FireFox/Chrome. Now the fun starts when it's an office client request. The request is redirected to the APM policy decision box. User picks optionA. Cookie is set. Access is allowed but the next office client request (excel or word) persist on using the apm session. The request gets a "WWW-Authenticate NTLM" reply form the server but does not reply with the authorization header. I tried ACCESS:session remove but no luck. The goal here is to not used APM at all when a user chooses optionA.

0
Rate this Question
Comments on this Question
Comment made 5 months ago by JoeTheFifth 301

Still fighting with the ACCESS::disable after a decisionbox choice for office clients. I delete the mrhsession cookie but it keeps popping in the requests.

0
Comment made 4 months ago by JoeTheFifth 301

iRule is here: formatting is a bit off for now.

when CLIENT_ACCEPTED {  
set client_id [format %09d [expr int(rand() * 1e9)]] 
log local0. "--------------------------------- CLIENT_ACCEPTED ---------------- $client_id ------------------------------ [ACCESS::session sid]"    
set office 0
set connectiontype 3 }
when HTTP_REQUEST { 
log local0. "--------------------------------- REQUEST ---------------- $client_id ------------------------------ [ACCESS::session sid]"    
set request "http://[HTTP::host][HTTP::uri]"
log local0. "requesteduri: [HTTP::uri]"
foreach aHeader [HTTP::header names] {
    log local0. "Header $aHeader [HTTP::header value $aHeader]"
}
foreach cookie [HTTP::cookie names] {
    log local0. "Cookie $cookie [HTTP::cookie value $cookie]"   }   
switch -glob [string tolower [HTTP::header "User-Agent"]] {
        "*webdav-miniredir*" -
        "*word*" -
        "*excel*" -
        "*office upload*" -
        "*office existence discovery*" -
        "*office protocol discovery*" -
        "*soap toolkit*" -
        "*ms-office*" -
        "*microsoft office onenote*" -    
        "*frontpage*" -
        "*msfrontpage*" -
        "*shareplus*" {
            set office 1
    }
}
if { [string tolower [HTTP::header "User-Agent"]] eq "mswac" or [HTTP::cookie "Trusted"] eq 1} {
    log local0. "We have an office Web Apps Call or a Trusted cookie"
    switch -glob [string tolower [HTTP::uri] ] {
        "*reauthpage*"  {
            log local0. "reauthpage here"
            HTTP::redirect https://[HTTP::host]/_layouts/15/error.aspx                  
        }
    }       
    ACCESS::disable
    log local0. "APM disabled"
}
else {
    if { [HTTP::uri] contains "*reauthpage*" } {
        if { [HTTP::cookie exists "MRHSession"] } {
            HTTP::redirect https://[HTTP::host]/_layouts/15/error.aspx       
        }
    }

    if { $office eq 1 } {
        if {not [HTTP::cookie exists "MRHSession"] } {
            set office 1 
            set head1 "X-Forms_Based_Auth_Required" 
            set val1 "https://[HTTP::host]/reauthpage?ReturnUrl=/_layouts/15/error.aspx"
            set head2 "X-Forms_Based_Auth_Return_Url" 
            set val2 "https://[HTTP::host]/_layouts/15/error.aspx"
            HTTP::respond 403 -version "1.1" $head1 $val1 $head2 $val2}}}}
            when HTTP_RESPONSE {
log local0. "--------------------------------- RESPONSE ---------------- $client_id ------------------------------" 
foreach aHeader [HTTP::header names] {
log local0. "Header $aHeader [HTTP::header value $aHeader]"
}
foreach cookie [HTTP::cookie names] {
    log local0. "Cookie $cookie [HTTP::cookie value $cookie]"
}   
log local0. "Response status: [HTTP::status]"}
when HTTP_RESPONSE_RELEASE {
log local0. "--------------------------------- RESPONSE_RELEASE ---------------- $client_id ------------------------------" 
foreach aHeader [HTTP::header names] {
log local0. "Header $aHeader [HTTP::header value $aHeader]"
}
foreach cookie [HTTP::cookie names] {
    log local0. "Cookie $cookie [HTTP::cookie value $cookie]"
}       
if { $connectiontype eq 0}
{
    log local0. "adding Trust cookie here."     
    HTTP::cookie insert name Trusted value 1 path "/"
    HTTP::cookie expires Trusted 28000 relative
    HTTP::header insert "Set-Cookie" "MRHSession=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; domain=ca-mocca.com;path=/" 
    HTTP::header insert "Set-Cookie" "LastMRH_Session=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; domain=ca-mocca.com;path=/"}} 
    when ACCESS_SESSION_STARTED {
log local0. "--------------------------------- SESSION_STARTED ---------------- $client_id ------------------------------ [ACCESS::session sid]"
if { $office equals 1 } {       
    ACCESS::session data set session.custom.office 1}} 
    when ACCESS_POLICY_COMPLETED {
log local0. "--------------------------------- POLICY_COMPLETED $client_id ---------------------------------------------- [ACCESS::session sid]"
foreach aHeader [HTTP::header names] {
    log local0. "Header $aHeader [HTTP::header value $aHeader]"
}
foreach cookie [HTTP::cookie names] {
    log local0. "Cookie $cookie [HTTP::cookie value $cookie]"
}   
set connectiontype [ACCESS::session data get session.decision_box.last.result]  
log local0. "connectiontype: $connectiontype"   
if {$connectiontype eq 0} {
    ACCESS::respond 302 noserver Location [ACCESS::session data get session.server.landinguri]}} 
0
Comment made 4 months ago by JoeTheFifth 301

Policy flow is here: Image Text

The 401 response sent to the office client is generating a 401 auth popup to which the client is not responding.

So mainly what I do is: First request of browser with no cookie (cookie named truted) => enable APM and present a decision box. If AD is chosen then set the cookie and redirect the request so it the client retries and with the cookie set APM is disabled and sso with current user is done. If you run office now and you used IE in the first request you're ok => office uses the "trusted cookie" and does work with apm disabled. If you use firefox or chrome the sso does not work after apm is enabled to make the choice. I tried forcing office to retry the request but no luck.

0

Answers to this Question