Forum Discussion

dradiant_306130 (Nimbostratus)
Jan 13, 2017

OWA 2013 SSO - Client initiated form Logout

Hi!

I currently have SSO working to log into OWA 2013 via a client-initiated form. I am having an issue with the logout functionality though. Currently, when a user presses logout from OWA it loops back into itself and never logs the user out (closing the browser is required to log out).

I've used the "Deploying F5 with Microsoft Exchange 2013..." guide to set up the login part. This guide describes the following iRule to terminate inactive APM sessions (which also seems to include a logout feature).

when RULE_INIT {
    # Cookies OWA sets; expiring them on logoff makes the browser drop its Exchange session state.
    set static::cookie_sessionid [format "sessionid=null; path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT;"]
    set static::cookie_cadata [format "cadata=null; path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT;"]
    set static::cookie_usercontext [format "UserContext=null; path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT;"]
}
when ACCESS_SESSION_STARTED {
    # An APM session started by a request carrying ua=0 is dropped immediately.
    if { [string tolower [HTTP::uri]] contains "ua=0" } {
        ACCESS::session remove
    }
}
when ACCESS_ACL_ALLOWED {
    # If an earlier response flagged this APM session for logout, remove it now.
    set apm_mrhsession [HTTP::cookie value "MRHSession"]
    if { [table lookup $apm_mrhsession] == "EXCHANGE_LOGOUT" } {
        ACCESS::session remove
        table delete $apm_mrhsession
    }
}
when HTTP_REQUEST {
    set isset 0
    if { [string tolower [HTTP::uri]] starts_with "/owa" } {
        if { [string tolower [HTTP::uri]] contains "logoff" } {
            # Explicit logoff: end the APM session, send the browser to the APM hangup page
            # and expire the OWA cookies in the same response.
            ACCESS::session remove
            HTTP::respond 302 Location "https://[HTTP::host]/vdesk/hangup.php3" "Set-Cookie" $static::cookie_sessionid "Set-Cookie" $static::cookie_cadata "Set-Cookie" $static::cookie_usercontext
        } elseif { [string tolower [HTTP::uri]] contains "ua=0" } {
            # Remember the MRHSession of a ua=0 request so the response can be inspected.
            set mrhsession [HTTP::cookie value "MRHSession"]
            set isset 1
        }
    }
}
when HTTP_RESPONSE {
    # OWA answers an expired session with status 440; flag the APM session captured in
    # HTTP_REQUEST so the next allowed request removes it.
    if { $isset == 1 && $mrhsession != "" && [HTTP::status] == 440 } {
        table set $mrhsession "EXCHANGE_LOGOUT"
    }
}

Currently when a user logs out I see it hit:

Which then loops directly back into:

What am I missing here? Any tips would be great!

Thanks

7 Replies

  • Thanks Leonardo,

     

    I have downloaded and applied iApp "; to this configuration. However, the logout functionality still does not work (I don't even see an iRule that references logout when this iApp is installed).

     

    The logout feature still loops the user back to a logged in state.

     

    The browser-close behaviour has changed with this iApp, though (compared to my manual setup). Now when I open a new browser and access the webmail site it prompts that an evaluation is already in progress.

     

    Since I am now using a supported iApp is this something F5 support would be willing to look at?

     

  • Maybe; you don't lose anything by trying. :P

     

    Anyway, if you want to do more troubleshooting: I created an iApp using the same version, and the logout is done in the APM policy configuration. The URI used is "/owa/auth/logoff.aspx".

    Try to access the Exchange server directly and log the HTTP requests with something like Fiddler. Then you can see which page is the correct logout page and apply it to your configuration.

     

  • For future users, this is how I solved the issue:

    Add the logout URL (in the APM policy) of: /owa/logoff.owa

    iRule to log off:

        when RULE_INIT {
            # Cookies OWA sets; expiring them on logoff makes the browser drop its Exchange session state.
            set static::cookie_sessionid [format "sessionid=null; path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT;"]
            set static::cookie_cadata [format "cadata=null; path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT;"]
            set static::cookie_usercontext [format "UserContext=null; path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT;"]
        }
        when ACCESS_SESSION_STARTED {
            # An APM session started by a request carrying ua=0 is dropped immediately.
            if { [string tolower [HTTP::uri]] contains "ua=0" } {
                ACCESS::session remove
            }
        }
        when ACCESS_ACL_ALLOWED {
            # If an earlier response flagged this APM session for logout, remove it now.
            set apm_mrhsession [HTTP::cookie value "MRHSession"]
            if { [table lookup $apm_mrhsession] == "EXCHANGE_LOGOUT" } {
                ACCESS::session remove
                table delete $apm_mrhsession
            }
        }
        when HTTP_REQUEST {
            set isset 0
            if { [string tolower [HTTP::uri]] starts_with "/owa" } {
                if { [string tolower [HTTP::uri]] contains "logoff" } {
                    # Explicit logoff: end the APM session, redirect to the APM hangup page
                    # and expire the OWA cookies in the same response.
                    ACCESS::session remove
                    HTTP::respond 302 Location "https://[HTTP::host]/vdesk/hangup.php3" "Set-Cookie" $static::cookie_sessionid "Set-Cookie" $static::cookie_cadata "Set-Cookie" $static::cookie_usercontext
                } elseif { [string tolower [HTTP::uri]] contains "ua=0" } {
                    # Remember the MRHSession of a ua=0 request so the response can be inspected.
                    set mrhsession [HTTP::cookie value "MRHSession"]
                    set isset 1
                }
            }
        }
        when HTTP_RESPONSE {
            # OWA answers an expired session with status 440; flag the APM session captured in
            # HTTP_REQUEST so the next allowed request removes it.
            if { $isset == 1 && $mrhsession != "" && [HTTP::status] == 440 } {
                table set $mrhsession "EXCHANGE_LOGOUT"
            }
        }

    We also ran into an issue with being prompted that the Access Policy was already being evaluated (whenever we opened a new browser to connect). This is referenced in the iApp guide as a known issue. Use the following iRule to ensure logoff is done correctly:

        when HTTP_REQUEST {
            if { [HTTP::cookie exists "IsClientAppCacheEnabled"] } {
                HTTP::cookie "IsClientAppCacheEnabled" False
            }
        }
    
  • Hello All,

    The issue here is that the condition in the portion of the current iRule shown below does not match.

        when HTTP_REQUEST {
            set isset 0
            if { [string tolower [HTTP::uri]] starts_with "/owa" } {
                if { [string tolower [HTTP::uri]] contains "logoff" } {
                    ACCESS::session remove
                    HTTP::respond 302 Location "https://[HTTP::host]/vdesk/hangup.php3" "Set-Cookie" $static::cookie_sessionid "Set-Cookie" $static::cookie_cadata "Set-Cookie" $static::cookie_usercontext
                    .....

    With Portal Access the URL gets rewritten to something like:

    https:///f5-w-474736e612e6174736175746f2e6e6574$$/owa/

    so the condition below no longer matches.

        [string tolower [HTTP::uri]] starts_with "/owa"

    Therefore the solution I came up with was to modify that portion as per below:

        if { [string tolower [HTTP::uri]] matches_regex {/f5-w-.*\$\$/owa.*/} } {

    So far no issues for me and the logout works as expected. Hopefully it helps.

    Regards,

    Simon

    • Stanislas_Piro2 (Cumulonimbus)

      Hi,

      a better solution is to evaluate ACCESS_ACL_ALLOWED instead of HTTP_REQUEST.

          when ACCESS_ACL_ALLOWED {
              set isset 0
              if { [string tolower [HTTP::uri]] starts_with "/owa" } {
                  if { [string tolower [HTTP::uri]] contains "logoff" } {
                      # Do not remove the session within the iRule but redirect to /vdesk/hangup.php3
                      # (removed) ACCESS::session remove
                      # Redirect to a relative URI and use ACCESS::respond (HTTP::respond is not supported in ACCESS_ACL_ALLOWED)
                      # (removed) HTTP::respond 302 Location "https://[HTTP::host]/vdesk/hangup.php3"
                      ACCESS::respond 302 Location "/vdesk/hangup.php3" "Set-Cookie" $static::cookie_sessionid "Set-Cookie" $static::cookie_cadata "Set-Cookie" $static::cookie_usercontext
                      .....
      

      ACCESS_ACL_ALLOWED is evaluated after rewrite.

      If you want to use HTTP_REQUEST, scan is better than regex:

          if { [scan [string tolower [HTTP::uri]] {/f5-w-%[^$]$$/%[^/]} encresource baseuri] == 2 && $baseuri starts_with "owa" } {
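As an added example, not code from this thread or from F5, the Python below models the three logoff-URI conditions the posts above compare (the deployment guide's `starts_with "/owa"`, Simon's `matches_regex`, and Stanislas's `scan`) and runs them over constructed direct and Portal Access-rewritten URIs. BIG-IP's `HTTP::uri`, `matches_regex` and `scan` are emulated in plain Python; the `f5-w-` token value, the `rewritten()` helper and the `is_owa_logoff()` function are assumptions made for this example, not anything the thread or BIG-IP defines.

```python
import re

# Constructed placeholder for the opaque hex token Portal Access places between
# "f5-w-" and "$$" (hypothetical value; its contents are irrelevant to path matching).
ENC = "6d6f636b"


def rewritten(path: str) -> str:
    """Imitate a Portal Access rewrite of an origin path: /owa/x -> /f5-w-<ENC>$$/owa/x.
    Hypothetical helper for building test input; not how BIG-IP itself encodes URIs."""
    return f"/f5-w-{ENC}$${path}"


def check_starts_with(uri: str) -> bool:
    """Deployment-guide condition: [string tolower [HTTP::uri]] starts_with "/owa"."""
    return uri.lower().startswith("/owa")


SIMON_RE = re.compile(r"/f5-w-.*\$\$/owa.*/")


def check_regex(uri: str) -> bool:
    """Simon's matches_regex condition; an unanchored search, as Tcl regexp is."""
    return SIMON_RE.search(uri.lower()) is not None


SCAN_RE = re.compile(r"^/f5-w-([^$]+)\$\$/([^/]+)")


def scan_f5w(uri: str):
    """Emulate [scan $uri {/f5-w-%[^$]$$/%[^/]} encresource baseuri].
    Returns (encresource, baseuri), or None when both fields cannot be parsed
    (the Tcl scan would then return fewer than 2)."""
    m = SCAN_RE.match(uri.lower())
    return (m.group(1), m.group(2)) if m else None


def check_scan(uri: str) -> bool:
    """Stanislas's HTTP_REQUEST condition: scan yields two fields and baseuri starts with "owa"."""
    parsed = scan_f5w(uri)
    return parsed is not None and parsed[1].startswith("owa")


def origin_path(uri: str) -> str:
    """Lower-case the URI, drop the query string and strip a Portal Access prefix
    when present, so one check can serve direct and rewritten requests."""
    path = uri.lower().split("?", 1)[0]
    m = re.match(r"^/f5-w-[^$]+\$\$(/.*)$", path)
    return m.group(1) if m else path


def is_owa_logoff(uri: str) -> bool:
    """Logoff detection (added here, not from the thread) that covers /owa/logoff.owa
    and /owa/auth/logoff.aspx, before or after rewriting."""
    path = origin_path(uri)
    return path.startswith("/owa/") and "logoff" in path


def compare(uri: str) -> dict:
    """Run every condition from the thread plus is_owa_logoff on one URI."""
    return {
        "starts_with": check_starts_with(uri),
        "regex": check_regex(uri),
        "scan": check_scan(uri),
        "is_logoff": is_owa_logoff(uri),
    }


# Constructed sample URIs, not captured traffic.
SAMPLES = [
    "/owa/logoff.owa",                    # OWA 2013 logoff, direct
    "/owa/auth/logoff.aspx",              # logoff page the iApp policy uses, direct
    "/OWA/Logoff.owa?ua=0",               # mixed case plus a query string
    rewritten("/owa/logoff.owa"),         # same logoff through Portal Access
    rewritten("/owa/auth/logoff.aspx"),
    rewritten("/owa"),                    # no slash after "owa": the regex misses it
    rewritten("/ecp/"),                   # not OWA at all
    "/owa/",                              # OWA, but not a logoff
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample:45} {compare(sample)}")
```

The case to check before trusting any of these conditions is the rewritten one: a logoff request the condition does not recognise never reaches `ACCESS::session remove` (or the redirect to /vdesk/hangup.php3), so the APM session stays valid and OWA drops the user straight back into the mailbox, which is the loop the original post describes. Simon's regex additionally requires a slash after `owa`, so a bare `/f5-w-...$$/owa` is not matched; the scan form and `origin_path()` handle that input as well.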