SharePoint and Office Integration - Part 2?
After doing some investigation from the question "SharePoint and Office Integration using different browsers?":

OK, I have the persisted cookie and session. I know that there's OWA, but it's not full featured (users have some complex Word and Excel files). The ActiveX controls are not the problem. Using Fiddler I can see the request go out and come back; it's the 302 to my.policy.

I have the following iRule to try to send incoming requests from the Office user agent:

    when HTTP_REQUEST {
        log local0. ".......[HTTP::header User-Agent]"
        # Insert the clientless-mode header for the WebDAV mini-redirector user agent
        if { [HTTP::header User-Agent] contains "Microsoft-WebDAV-MiniRedir" } {
            log local0. ".......Header does contain info *****************************"
            HTTP::header insert "clientless-mode" 1
        }
    }

    when ACCESS_SESSION_STARTED {
        log local0. "**** Access Session Started ............"
        log local0. "Checking for cookies .................."
        # Default both custom session variables to 0
        ACCESS::session data set session.custom.usesso 0
        ACCESS::session data set session.custom.useWindowsAuth 0

        set usesso [HTTP::cookie UseSso_ClientServices]
        log local0. ">>>> Cookie value ...($usesso)"
        if { $usesso == 1 } {
            log local0. ">>>> Setting ...($usesso)"
            HTTP::header insert "clientless-mode" 1
            ACCESS::session data set session.custom.usesso $usesso
        }

        # Flag Office and WebDAV user agents for Windows authentication
        set user_agent [ACCESS::session data get "session.user.agent"]
        log local0. ">>> User Agent = $user_agent"
        if { $user_agent contains "MS-WebServices" } {
            HTTP::header insert "clientless-mode" 1
            log local0. "^^^^^^^^^ MS Web Serivce"
            ACCESS::session data set session.custom.useWindowsAuth 1
        }
        if { $user_agent == "Microsoft Office Protocol Discovery" } {
            HTTP::header insert "clientless-mode" 1
            log local0. "^^^^^^^^^ Office Product"
            ACCESS::session data set session.custom.useWindowsAuth 1
        }
        if { $user_agent contains "Microsoft-WebDAV-MiniRedir" } {
            log local0. "^^^^^^^^ WebDav"
            ACCESS::session data set session.custom.useWindowsAuth 1
        }
        log local0. ">>>VAR UseSSO ... ($usesso)"
        log local0. ">>> UseWinAuth variable set ... [ACCESS::session data get session.custom.useWindowsAuth]"
    }

But it's still not working. Do I need to do the clientless-mode in the HTTP_REQUEST?

422 Views, 0 likes, 3 Comments

Simple sharepoint lab problem
Hi out there,

I just started trying to publish SharePoint 2010 through the F5 (11.3 with LTM & APM). I am just playing around now to see how it works. I am starting with a simple LTM proxy, where I hit the first problem, and I can't find the right answer (or just don't understand it). See, when I try to open the site it does a redirect to another URI:

    Oct 14 22:43:42 bigip1 info tmm[7591]: Rule /Common/log_headers : Client 195.81.253.32:1069 -> sp01/sites/titest/ (response) - status: 302
    Oct 14 22:43:42 bigip1 info tmm[7591]: Rule /Common/log_headers : Content-Type: text/html; charset=UTF-8
    Oct 14 22:43:42 bigip1 info tmm[7591]: Rule /Common/log_headers : Location: http://sp01/sites/titest/SitePages/Home.aspx
    Oct 14 22:43:42 bigip1 info tmm[7591]: Rule /Common/log_headers : Server: Microsoft-IIS/7.5

It does a redirect from /sites/titest to /sites/titest/SitePages/Home.aspx, but it doesn't look to me as if this redirect is passed through to the client. How do I get it redirected?

Best regards
/ti

310 Views, 0 likes, 6 Comments

F5 APM and sharepoint 2010 AAM, get loading msg on drop down context menus
Hi,

We are using F5 11.6 APM and LTM with SP2010. We are not using the out-of-the-box iApp for SharePoint but a custom one doing virtually the same. We are hitting one small but painful issue over HTTPS: we get the "loading....." message when you try to use the context menu on document drop downs.

We are making our internal web applications that currently run over HTTP accessible via F5, so they will keep the same URL/name but be accessed over HTTPS when external (which we do over ISA). I don’t want to run everything under HTTPS internally.

Existing setup over ISA: the alternative access mappings we have look as follows:

    Internal URL                    Zone       Public URL
    http://mywebapp.company.com     Default    http://mywebapp.company.com
    https://mywebapp.company.com    Internet   https://mywebapp.company.com

and if someone clicked on an HTTPS link internally, the item would still load / function. I have not extended the web applications in SharePoint as we are not using different authentication mechanisms.

When we put F5 APM in and kept the above AAMs, we started to get the "loading...." message when trying to use the drop down context menus. So in the F5 best practice guides and help articles it says change them to what is below and have two default AAMs:

    Internal URL                    Zone       Public URL
    https://mywebapp.company.com    Default    https://mywebapp.company.com
    http://mywebapp.company.com     Default    https://mywebapp.company.com

As soon as you use the above, the context menu starts working over HTTPS! No more loading message.

However, if I then try to use the site over HTTP (as all our users internally do), you get the same “Loading…” message again when they try and use the drop down context issue. The actual error in Fiddler / Firefox showed (I've removed the URL with someWebapp):

“Mixed Content: The page at 'https:// SomeWebapp /Forms/AllItems.aspx' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint '…some url /Forms/AllItems.aspx'. This request has been blocked; the content must be served over HTTPS.”

The SSL certificate is bound to the web application on 443, normal traffic on port 80.

Q. Do I need to extend the web applications? The F5 SharePoint best practice guides do not state this; they only say add the AAMs.

Q. I assume F5 and SP2010 support running the same URL name under HTTP internally and HTTPS externally, e.g. internally http://mywebapp.company.com and externally https://mywebapp.company.com

Q. Anything else / settings I need to check on LTM (e.g. compression and where), APM, SharePoint (I even took the .js out of the blob cache)? The web applications are Kerberos enabled.

I found one similar question but no answer, just saying check AAM: http://sharepointpromag.com/sharepoint/q-how-do-i-configure-load-balancer-accept-only-ssl-requests-sharepoint-2010-fqdns and this one https://devcentral.f5.com/questions/sharepoint-ssl-offloading-causes-access-denied-error but none talk about extending the web application in SharePoint.

Regards
Brad

283 Views, 0 likes, 1 Comment

sharepoint multiple authentication providers
Hi all,

We have set up Sharepoint with multiple authentication mechanisms: Windows authentication and ADFS authentication. When connecting to Sharepoint, a dropdown list is shown where you can select whether you want to use Windows authentication or ADFS authentication. When choosing Windows authentication, a Kerberos ticket will be obtained and you will be logged on to Sharepoint with the Kerberos ticket. When choosing ADFS authentication, you are redirected to the ADFS login page, a claims-based token will be obtained and you will be logged on to Sharepoint with the ADFS token. This works like a charm when in our internal network.

Now, we want to have the same on the internet. If we just ‘reverse proxy’ the Sharepoint site, this also works just fine: a user is prompted to choose which authentication method he wants to use, and when selecting Windows authentication, the user will receive a popup to log in via NTLM. When choosing ADFS, a token will be obtained.

What we now want is to omit the dropdown list where to choose the authentication method, which would be as follows with the BigIP:

1. BigIP shows a logon page and a user logs on with his e-mail address and password.
2. When the e-mail address is an internal one ((at)ourcompanydomain.com), Windows authentication should be chosen and the BigIP should obtain a Kerberos ticket via Kerberos Constrained Delegation, using the credentials entered in the BigIP logon page.
3. When the e-mail address is not an internal one, ADFS authentication should be chosen and Sharepoint will redirect to the ADFS logon page, which the BigIP will detect via forms detection and will enter the user's credentials entered in the BigIP logon page. The obtained token will be sent to the client and it will be used for authentication in Sharepoint.

When Sharepoint is only set to use Windows authentication, option 2 works just fine with Kerberos Constrained Delegation (logging on with UPN in the BigIP logon page). When Sharepoint is only set to use ADFS authentication, option 3 works just fine with forms detection.

The question now is, can we have Sharepoint show the dropdown list and have F5 decide (based on e-mail address) which option to choose and then follow the required authentication path for the selected authentication method? The flow would be something like this:

- Logon page
- Extract domain from e-mail address (variable assign?)
- If e-mail address from our company domain:
    - Obtain UPN via AD query
    - Preauthenticate users
    - Send request to Sharepoint
    - Sharepoint sends selection form
    - BigIP chooses Windows authentication (forms detection?)
    - Using the UPN a Kerberos ticket is obtained via KCD
    - User is logged on to Sharepoint with Kerberos ticket
- If e-mail address not from our company domain:
    - Send request to Sharepoint
    - Sharepoint sends selection form
    - BigIP chooses ADFS authentication (forms detection?)
    - Sharepoint redirects to ADFS
    - BigIP fills in e-mail address and password in ADFS (via forms detection)
    - A token is obtained from ADFS
    - User is logged on to Sharepoint with ADFS token

Will this work? In the flow above, I guess I would need to choose Kerberos SSO as SSO method in APM, but it would not apply to ADFS users. Can someone point me in the right direction?

247 Views, 0 likes, 0 Comments

Connection to Big-IP for a SharePoint Client App
Hi,

I need to build a third-party client application to crawl a SharePoint for a certain type of files. The company that is asking me this is working with SharePoint 2010 with form authentication and has an F5 Big-IP server in front. I was wondering, is there any way to pass that Big-IP so that I can log on to the SP server? Like any API or HTTP request header that I can use to pass that? I do have registered credentials to connect that work from any browser, but as I use CSOM to connect to SharePoint all I get is an empty response.

Thanks for your help :)

Regards,
Pascal.

206 Views, 0 likes, 1 Comment

Sharepoint Subsites
Hey all,

I'm trying to configure access to an internal sharepoint farm that hosts multiple subsites, but I need to limit access to those external users logging in to one specific subsite. I used the Sharepoint 2010 iApp template and I can get to the default IIS page of the sharepoint server, but I have no idea how to direct the users to that specific subsite. It seems like it should be fairly simple, anyone do this before? I also need to be able to send those users directly to that subsite once they authenticate through APM. Any help appreciated.

-GR

181 Views, 0 likes, 1 Comment

F5 Big IP LTM & SharePoint 2010 Do Not Fragment Bit
I am curious if anyone has run into an issue in which a Windows 7 machine that communicates directly with a SharePoint 2010 web front end does not receive a DF bit from that web server, though when that same Windows 7 client communicates with a virtual server on the Big IP, the SharePoint server responds with a DF bit. This Windows 7 client sits on a perimeter network and establishes a three-way handshake just fine, but when the web server tries to send any type of payload the DF bit gets set and the client never responds. A successful three-way handshake is also made when communicating directly with the SharePoint FE, though when the web server begins to send a payload that is larger than the MTU, the DF bit is removed. The Big IP is running 11.6 HF1.

142 Views, 0 likes, 0 Comments