APM websso credential lost

Hello,

We have several SharePoint 2013 sites deployed behind an F5 with APM using AD with NTLMv2 websso.

There is an issue when a user tries to access something that they are not "allowed" to, or tries to create a folder in a directory that they have no permission to, then the websso stops working. It behaves like the attempt to access the protected area deletes the websso entry for that user.

This causes the user to receive a popup and all of their existing session is "trashed" as their session no longer has sso active.

I have noticed that when the user "loses" their websso credentials, this session variable is set:

session.sso.token.last.username.sso.state 1 1

We've tried using NTLMv1 and have the same problem. The user must manually log out of the APM session and login again to restore the websso.

Does anyone know if there is a way of "protecting" the websso such that the user could be denied access but the websso is not deleted/lost on subsequent requests ?

thanks.


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi mrobbins, that's interesting. I'm trying to replicate it in my lab but can't seem to do it.

I have a list that's only shared with one user. I log into APM/SharePoint as a different user and try to access the list, after which I get the "Sorry, this site hasn't been shared with you message". My session is still valid, however. Is this similar to what triggers your issue?

Have you tried turning up the APM SSO logs to debug and watching /var/log/apm? I'd be interested to see those logs.

thanks

Mike


Hi,

Thanks for trying, the other situation it happens in is when a user changes their AD password on another device whilst the session is still active but obviously you want it to deny access on that.

Not sure if it is a fix, but I added this to the last iRule on the VS and it seems to have helped. It isn't tested by any stretch of the imagination .. 8-)

when HTTP_REQUEST {
    # APM sets <username source variable>.sso.state to 1 once WebSSO has been
    # disabled for the session; clear it and tell the client the request was denied.
    if { [ACCESS::session data get "session.sso.token.last.username.sso.state"] equals "1" } {
        log local0. "Session \"[ACCESS::session sid]\", WebSSO is LOST."

        ACCESS::session data set "session.sso.token.last.username.sso.state" 0

        clientside { HTTP::respond 403 content "The page cannot be displayed. Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator." noserver Pragma "no-cache" Cache-Control "no-cache, must-revalidate" Content-Type "text/html" }
    }
}

Cheers for any comments/help.

Comments on this Answer
Comment made 28-Mar-2014 by mikeshimkus
Since I can't repro the problem, I can't test your rule. It does seem like a bug, though, so you might consider opening a case with F5 support. If you let me know the case number, I can track it. BTW, did you use the latest iApp template to deploy SharePoint, or was it done manually?

Hi,

I'm having the exact same problem, but the iRule-fix doesn't seem to be helping. I put this in the HTTP_REQUEST event, but it never seems to trigger.

The log shows this: Jun 4 10:49:59 slot1/viprion debug websso.2[11137]: 014d0001:7: sso_disable: 1, _needAuth: 0

From then on, stuff starts getting weird: sometimes SSO still works, sometimes it doesn't.

Did anybody encounter this thing as well? Any fixes?

Kind regards,

Thomas


Aha! Eureka! small update:

The iRule does work, but the *.sso.state=1 part is appended on whatever variable you put in the username source field of the SSO profile. For me, this field was changed because we need to construct the username from different parameters; below my custom field in the policy, I can now find that sso.state=1. When I change that specific one to 0, it works just fine.

So thank you, mrobbins!

Kind regards,

Thomas

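Putting mrobbins' workaround and Thomas' finding together, here is an added example iRule (not code from the thread or from F5) that derives the state variable from the username source configured in the SSO profile instead of hard-coding it. The value of sso_user_var is an assumption: it is set to the default username source, session.sso.token.last.username, which yields the variable name mrobbins posted; if your SSO profile points at a custom variable, as Thomas' does, change it to that name and the ".sso.state" suffix is appended to it. The ACCESS::session exists guard keeps the rule from evaluating session data on requests that do not belong to an APM session.

```tcl
# Added example, not part of the original thread.
# Re-arms WebSSO for an APM session whose SSO state was disabled after a
# backend authorization failure, and returns a 403 for the request that
# tripped it.
when HTTP_REQUEST {
    # ASSUMPTION: the variable named in the SSO profile's "username source"
    # field. APM appends ".sso.state" to this name, so it must match the profile.
    set sso_user_var "session.sso.token.last.username"
    set sso_state_var "${sso_user_var}.sso.state"

    # Only inspect session data for requests that carry a valid APM session.
    if { [ACCESS::session exists] } {
        set sso_state [ACCESS::session data get $sso_state_var]

        if { $sso_state equals "1" } {
            log local0. "APM session [ACCESS::session sid]: ${sso_state_var}=1, WebSSO disabled; re-arming"

            # Clear the flag so the next request attempts WebSSO again.
            ACCESS::session data set $sso_state_var 0

            # Deny the request that hit the protected resource without a
            # server round trip; no-cache headers stop the browser reusing it.
            HTTP::respond 403 content "<html><body><h1>403 Forbidden</h1><p>The server denied the requested URL. Contact the server administrator.</p></body></html>" noserver "Pragma" "no-cache" "Cache-Control" "no-cache, must-revalidate" "Content-Type" "text/html"
        }
    }
}
```

Two things to keep in mind when deploying this. First, the reset only re-arms SSO with the credentials already cached in the session; in the second case mrobbins describes (the user changed their AD password elsewhere), the cached credentials are now wrong, so the backend will reject them again, APM will set the state back to 1, and the rule will keep logging and returning 403 until the user logs out and back in, which is the behaviour you want for stale credentials. Second, confirm the variable name before relying on the rule: turn up APM SSO logging and watch /var/log/apm for the "sso_disable: 1" line Thomas quoted, then check which ".sso.state" variable appears in the session variable list.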