Forum Discussion

Stefan_Klotz_85's avatar
Stefan_Klotz_85
Icon for Cirrus rankCirrus
Jun 30, 2015

OWA2013 some requests breaking APM session

Hi again,

 

it was hard to find useful words for the topic so let me explain my issue or lets say two issues:

 

  1. When doing the logout from OWA, I'm issuing a redirect to the APM hangup URL when the logout URI is identified in the HTTP_REQUEST-event. This works fine and the APM session is also correctly deleted. But I identified that there is another automatic request issued (in the background) after this hangup-redirect towards the URI /owa/ev.owa2 (I guess this is related to the Enterprise Vault integration). But this request starts a new ASM session and when I click the link for a new session on the APM logout page, I'm always ending up with the error message:

     

    The resource you are looking for is temporarily unavailable.

     

    The cause may be an incomplete access policy evaluation. Please continue to finish your access policy in the previous browser window, and close this current window immediately.

     

  2. Sometimes when I start a complete new session (even with a fresh browser window), I'm also ending up with the above mentioned error message. I found out that there are two different URIs also issued somehow in the background. At that time I'm also seeing for a short moment OWA trying to login and I'm wondering how the APM can be "bypassed" (is this some kind of caching misbehavior?). These two requests are also creating additional APM sessions and breaking the normal logon behavior:

     

  • /owa/sessiondata.ashx
  • /owa/userspecificresourceinjector.ashx

Not sure if both issues have the same or at least similar root causes. I already tried to catch these three URIs within the ACCESS_SESSION_STARTED-event and delete the access session again. APM redirects then to the URI /owa/?bO=1 with the above mentioned error message and I tried to catch this again within the HTTP_REQUEST-event and redirect it back to /owa/ and deleting the MRHSession and LastMRH_Session cookie. But without success.

 

Has anybody an idea how to fix that or can point me in the right direction?

 

Thank you!

 

Ciao Stefan :)

 

APM
application delivery
deployment
devops
iRules
LTM
security

9 Replies

Sort By
  • kunjan's avatar
    kunjan
    Icon for Nimbostratus rankNimbostratus
    Jul 01, 2015

    Have you tried making use of "Logout URI Timeout" which removes the session after a hold out period?

     

  • Stefan_Klotz's avatar
    Stefan_Klotz
    Icon for Cumulonimbus rankCumulonimbus
    Jul 01, 2015

    Hi Kunjan,

     

    no I haven't specified a Logout URI at all. I'm just handling this via iRule. But even with the Logout URI specified (tested it before) it causes the same issue.

     

    Ciao Stefan :)

     

  • Stanislas_Piro2's avatar
    Stanislas_Piro2
    Icon for Cumulonimbus rankCumulonimbus
    Jul 01, 2015

    I had the same behavior with IE and OWA 2013 and not with firefox

     

    It appears that when the user request the default URL, IE request these URLs before the expected URL.. IE may have cache that this URL is a OWA 2013 and try to download these files before authentication form.

     

    These request generate new session with wrong landinguri.

     

    When the user request is sent by the browser, APM reply with the error page as it expect only logon URLS until session completed..

     

    The only way was to drop these URLs in an irule...

     

  • Stefan_Klotz's avatar
    Stefan_Klotz
    Icon for Cumulonimbus rankCumulonimbus
    Jul 01, 2015

    Hi Stanislas,

     

    can you please share the part of your iRule for this? I tried already something similar yesterday, but as you see without success.

     

    Thank you!

     

    Ciao Stefan :)

     

  • Stefan_Klotz's avatar
    Stefan_Klotz
    Icon for Cumulonimbus rankCumulonimbus
    Jul 01, 2015

    Ok, then just as high level explanation?

    Because I tried already something like this:

    when HTTP_REQUEST {
    if { [HTTP::uri] eq "/abc" } {
        drop
    }
}

    But then still the APM Session is created. And even if this would work, any future "official" requests to this URI should not be dropped (ok, that might be verified via ACCESS::policy result).

    Ciao Stefan 🙂

  • Stanislas_Piro2's avatar
    Stanislas_Piro2
    Icon for Cumulonimbus rankCumulonimbus
    Jul 01, 2015

    try something like that:

    when HTTP_REQUEST {
switch -glob [string tolower [HTTP::path]] {
    "/owa/sessiondata.ashx" -
    "/owa/userspecificresourceinjector.ashx" {
    if { !([ACCESS::session exists -state_allow [HTTP::cookie value MRHSession]])}
        { drop }
    }
}
  • Stefan_Klotz's avatar
    Stefan_Klotz
    Icon for Cumulonimbus rankCumulonimbus
    Jul 02, 2015

    Ok, it seems to be two different issues.

     

    The additional request towards "/owa/ev.owa2" after the logout can be catched and solved with the iRule from Stanislas:

     

    when HTTP_REQUEST {
    switch -glob [string tolower [HTTP::path]] {
        "/owa/ev.owa2*" {
            if { !([ACCESS::session exists [HTTP::cookie value MRHSession]]) } {
                drop
            }
        }
    }
}

    But the other issue with the initial request towards "/owa/sessiondata.ashx" seems to be some caching issue. With an incognito-tab in Chrome for example everything is fine. I also added this code to the iRule:

     

    when HTTP_RESPONSE {
    HTTP::header replace Pragma no-cache
    HTTP::header replace Cache-Control no-cache
    HTTP::header replace Expires -1
}

    And it seems to help a little bit, but didn't work all the time and across different browser.

     

    What I already mentioned before, I'm totally wondering why I get the "Outlook Web App" Loading screen displayed when this "/owa/sessiondata.ashx" URL is requested. I mean why is this bypassing the APM?

     

    Can I workaround this with another iRule code or is this something which can be adjusted in the application?

     

    Thank you!

     

    Ciao Stefan 🙂