Marie
Sep 26, 2019

err websso

I'm having issues working with APM for SharePoint.

I'm running BIG-IP v12.1.3.

SSO is using NTLMv2.

I'm getting error logs for internal users only; external users are using SSO with no problem.

The VPE branch for internal users has the following blocks: userStart > IP Subnet Match (check if it is the Proxy IP) > Allow.

The other branch sends a logon page and then performs SSO, which is working well.

Also, in the browsing sessions I have sessions created for internal users, with username N/A and the proxy IP address.

And I don't know if this is normal, but I'm receiving every log twice.

See below: the logs collected for a single session from creation to deletion. 1.1.1.1 is the Proxy IP used by internal clients, and 9.9.9.9 is the SharePoint VIP.

notice tmm1[28968]: 01490506:5: /my-partition/apm_sharepoint:my-partition:ef98fbe0: Received User-Agent header: Mozilla%2f5.0%20(Windows%20NT%2010.0%3b%20Win64%3b%20x64)%20AppleWebKit%2f537.36%20(KHTML%2c%20like%20Gecko)%20Chrome%2f76.0.3809.132%20Safari%2f537.36.
notice tmm1[28968]: 01490506:5: /my-partition/apm_sharepoint:my-partition:ef98fbe0: Received User-Agent header: Mozilla%2f5.0%20(Windows%20NT%2010.0%3b%20Win64%3b%20x64)%20AppleWebKit%2f537.36%20(KHTML%2c%20like%20Gecko)%20Chrome%2f76.0.3809.132%20Safari%2f537.36.
notice tmm1[28968]: 01490500:5: /my-partition/apm_sharepoint:my-partition:ef98fbe0: New session from client IP 1.1.1.1 (ST=Luxembourg/CC=LU/C=EU) at VIP 9.9.9.9 Listener /my-partition/vs_https_apm_sharepoint (Reputation=Unknown)
notice tmm1[28968]: 01490500:5: /my-partition/apm_sharepoint:my-partition:ef98fbe0: New session from client IP 1.1.1.1 (ST=Luxembourg/CC=LU/C=EU) at VIP 9.9.9.9 Listener /my-partition/vs_https_apm_sharepoint (Reputation=Unknown)
notice apmd[1210]: 01490005:5: /my-partition/apm_sharepoint:my-partition:ef98fbe0: Following rule 'My Proxy' from item 'IP Subnet Match' to ending 'Allow'
notice apmd[1210]: 01490005:5: /my-partition/apm_sharepoint:my-partition:ef98fbe0: Following rule 'My Proxy' from item 'IP Subnet Match' to ending 'Allow'
notice apmd[1210]: 01490102:5: /my-partition/apm_sharepoint:my-partition:ef98fbe0: Access policy result: LTM+APM_Mode
notice apmd[1210]: 01490102:5: /my-partition/apm_sharepoint:my-partition:ef98fbe0: Access policy result: LTM+APM_Mode
notice apmd[1210]: 01490248:5: /my-partition/apm_sharepoint:my-partition:ef98fbe0: Received client info - Hostname:  Type: Mozilla Version: 5 Platform: Win10 CPU: x64 UI Mode: Full Javascript Support: 1 ActiveX Support: 0 Plugin Support: 1
notice apmd[1210]: 01490248:5: /my-partition/apm_sharepoint:my-partition:ef98fbe0: Received client info - Hostname:  Type: Mozilla Version: 5 Platform: Win10 CPU: x64 UI Mode: Full Javascript Support: 1 ActiveX Support: 0 Plugin Support: 1
err websso.3[29525]: 014d0026:3: /my-partition/apm_sharepoint:my-partition:ef98fbe0: Could not find SSO username, check SSO credential mapping agent setting
err websso.3[29525]: 014d0026:3: /my-partition/apm_sharepoint:my-partition:ef98fbe0: Could not find SSO username, check SSO credential mapping agent setting
err websso.3[29525]: 014d0027:3: /my-partition/apm_sharepoint:my-partition:ef98fbe0: Could not find SSO password, check SSO credential mapping agent setting
err websso.3[29525]: 014d0027:3: /my-partition/apm_sharepoint:my-partition:ef98fbe0: Could not find SSO password, check SSO credential mapping agent setting
err websso.3[29525]: 014d0028:3: /my-partition/apm_sharepoint:my-partition:ef98fbe0: Master Decyrpt failed for ckDecrypt: Ciphertext does not begin with master key prefix
err websso.3[29525]: 014d0028:3: /my-partition/apm_sharepoint:my-partition:ef98fbe0: Master Decyrpt failed for ckDecrypt: Ciphertext does not begin with master key prefix
err websso.3[29525]: 014d0043:3: /my-partition/apm_sharepoint:my-partition:ef98fbe0: SSO username is empty - SSO is disabled
err websso.3[29525]: 014d0043:3: /my-partition/apm_sharepoint:my-partition:ef98fbe0: SSO username is empty - SSO is disabled
err websso.3[29525]: 014d0026:3: /my-partition/apm_sharepoint:my-partition:ef98fbe0: Could not find SSO username, check SSO credential mapping agent setting
err websso.3[29525]: 014d0026:3: /my-partition/apm_sharepoint:my-partition:ef98fbe0: Could not find SSO username, check SSO credential mapping agent setting
err websso.3[29525]: 014d0027:3: /my-partition/apm_sharepoint:my-partition:ef98fbe0: Could not find SSO password, check SSO credential mapping agent setting
err websso.3[29525]: 014d0027:3: /my-partition/apm_sharepoint:my-partition:ef98fbe0: Could not find SSO password, check SSO credential mapping agent setting
err websso.3[29525]: 014d0028:3: /my-partition/apm_sharepoint:my-partition:ef98fbe0: Master Decyrpt failed for ckDecrypt: Ciphertext does not begin with master key prefix
err websso.3[29525]: 014d0028:3: /my-partition/apm_sharepoint:my-partition:ef98fbe0: Master Decyrpt failed for ckDecrypt: Ciphertext does not begin with master key prefix
err websso.3[29525]: 014d0043:3: /my-partition/apm_sharepoint:my-partition:ef98fbe0: SSO username is empty - SSO is disabled
err websso.3[29525]: 014d0043:3: /my-partition/apm_sharepoint:my-partition:ef98fbe0: SSO username is empty - SSO is disabled
.....
....
notice tmm1[28968]: 01490502:5: /my-partition/apm_sharepoint:my-partition:ef98fbe0: Session deleted due to user inactivity.
notice tmm1[28968]: 01490502:5: /my-partition/apm_sharepoint:my-partition:ef98fbe0: Session deleted due to user inactivity.
notice tmm1[28968]: 01490521:5: /my-partition/apm_sharepoint:my-partition:ef98fbe0: Session statistics - bytes in: 34689, bytes out: 2092840
notice tmm1[28968]: 01490521:5: /my-partition/apm_sharepoint:my-partition:ef98fbe0: Session statistics - bytes in: 34689, bytes out: 2092840

Why do those err websso messages keep appearing when the SSO block isn't even called in the VPE?

4 Replies

  • Hello Marie, if I am understanding you correctly, the internal users do not have to authenticate via APM? That is probably the reason for those errors, as that means APM does not have their credentials (username and password), so when the SSO object attempts to fire, the session variables for username and password are empty, hence the error messages.

  • Marie

    Hello Dave,

    Yes, that's what I thought, but it is still strange to me that SSO is triggered even if there is no SSO call in this VPE branch.

    Also, do you know why I'm hitting each log twice? It's systematic.

    • Dave_W

      Hello, do you have an SSO configuration set in the Access Policy? The double logs are probably because you have two log profiles, with both set for this Access Policy.

    • Dave_W

      Went back and read your post some more. So 1) the SSO credential mapping is for the whole VPE, not just per branch; 2) since it sounds like you are just allowing internal users right through, APM has no username/password, hence the errors.
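
As an added example (not part of the thread, and not F5 tooling): a Python script that parses log lines in the format quoted above, collapses the back-to-back duplicates, and lists sessions that reached the 'Allow' ending while websso reported missing SSO credentials. The sample input is constructed from a subset of the thread's lines; the function names `summarize` and `sso_without_credentials` are hypothetical.

```python
import re
from collections import Counter

LINE = re.compile(
    r"^(?P<sev>\w+) (?P<proc>[\w.]+)\[\d+\]: (?P<code>[0-9a-f]{8}):\d: "
    r"(?P<profile>/[^:\s]+):(?P<part>[^:\s]+):(?P<sid>[0-9a-f]{8}): (?P<msg>.*)$")
RULE = re.compile(r"Following rule '([^']*)' from item '([^']*)' to ending '([^']*)'")
CLIENT = re.compile(r"New session from client IP (\S+)")
NO_CREDS = {"014d0026", "014d0027", "014d0043"}  # websso message IDs quoted in the thread
# Constructed sample: a subset of the thread's log lines, each written twice.
P = "/my-partition/apm_sharepoint:my-partition:ef98fbe0: "
WEBSSO = [
    "err websso.3[29525]: 014d0026:3: " + P + "Could not find SSO username, check SSO credential mapping agent setting",
    "err websso.3[29525]: 014d0027:3: " + P + "Could not find SSO password, check SSO credential mapping agent setting",
    "err websso.3[29525]: 014d0043:3: " + P + "SSO username is empty - SSO is disabled",
]
EVENTS = [
    "notice tmm1[28968]: 01490500:5: " + P + "New session from client IP 1.1.1.1 (ST=Luxembourg/CC=LU/C=EU) at VIP 9.9.9.9 Listener /my-partition/vs_https_apm_sharepoint (Reputation=Unknown)",
    "notice apmd[1210]: 01490005:5: " + P + "Following rule 'My Proxy' from item 'IP Subnet Match' to ending 'Allow'",
] + WEBSSO * 2 + [
    "notice tmm1[28968]: 01490502:5: " + P + "Session deleted due to user inactivity.",
]
SAMPLE = "\n".join(line for event in EVENTS for line in (event, event))

def summarize(log_text):
    """Collapse back-to-back duplicate lines, then group events per session ID."""
    sessions, prev = {}, None
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        s = sessions.setdefault(m["sid"], {"client_ip": None, "path": None, "sso_errors": Counter(), "duplicates": 0})
        if line == prev:  # same line twice in a row: count it, do not re-process
            s["duplicates"] += 1
            prev = None
            continue
        prev = line
        if c := CLIENT.search(m["msg"]):
            s["client_ip"] = c.group(1)
        if r := RULE.search(m["msg"]):
            s["path"] = r.groups()  # (rule, item, ending)
        if m["proc"].startswith("websso") and m["code"] in NO_CREDS:
            s["sso_errors"][m["code"]] += 1
    return sessions

def sso_without_credentials(sessions):
    # Session IDs that ended in 'Allow' while websso found no SSO username.
    return sorted(sid for sid, s in sessions.items()
                  if s["path"] and s["path"][2] == "Allow" and s["sso_errors"]["014d0026"])

if __name__ == "__main__":
    print(sso_without_credentials(summarize(SAMPLE)))
```

Only identical consecutive lines are collapsed, so the websso error group that legitimately repeats later in the same session is still counted each time it occurs.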