Forum Discussion

Nfordhk_66801
Mar 25, 2016

Access Policy Already Being Evaluated - Exchange OWA Service

Hi,

 

We recently set up APM for our OWA service to the internet. Pretty simple: it checks an AD group and does SSO to Exchange. Works flawlessly, except we are seeing abnormal behavior regarding timeouts and keeping sessions active.

Many times, due to inactive browsing, closing the tab, etc., users will navigate to the main page again. They receive an "access policy already being evaluated" message. Even closing the web browser at times doesn't seem to resolve the issue.

What we found does resolve it:

Desktops: launch private browsing windows. iPhones: delete background processes or use private windows.

Neither of these solutions is ideal. How do I force these "limbo" sessions to expire and allow users to re-authenticate properly?

 

  • JamesSevedge_23
    Historic F5 Account
    Hello, by OWA service are you referring to Outlook Web App or Office Web App, or neither? If it is one of the first two, could you confirm which one, as well as whether you configured F5 using the iApps available for both of those applications?
  • Lucas_Thompson_
    Historic F5 Account

    This error occurs when the following sequence happens:

    1. User connects to the APM VIP.
    2. The APM VIP creates a session and hands a cookie to the user in an HTTP 302 redirect to "/my.policy". Now the session is started, but has not reached the "allow" or "deny" of the policy, so it is in the "in_progress" state.
    3. User connects to the APM VIP at a URL besides "/my.policy" with the cookie from step 2.
    4. APM sees this "in_progress" session and responds with that error page.

    Normally this shouldn't happen, because the user should honor the redirect provided in step 2 and then visit /my.policy to get the logon page or whatever other items the policy has. We do find some cases where the user opens multiple tabs, or other behavior that always causes it to happen. For these cases, workaround iRules can be used to detect it. Unfortunately the "in progress" error page is NOT included in normal customization (F5 RFE ID 377165), and we cannot handle multiple session creation from a single shared cookie (F5 RFE ID 439965).

    This iRule can be used to handle the situation for most cases. Note that customization will be required if you want other end-user behavior besides the logout page.

    # If end user accesses APM, creates a session, then does not complete
    # the access policy before accessing other URLs besides "/my.policy",
    # APM will produce a "session evaluation in progress" error.
    #
    # To reproduce this behavior:
    #   visit APM URL, eg: https://apm.siterequest.com
    #   see logon page
    #   visit APM URL again, eg: https://apm.siterequest.com/foo
    #   now error page is displayed
    #
    # To use the iRule, simply attach it to the APM virtual server.
    # $static::ACCESS_LOG_PREFIX is assumed to be defined elsewhere (e.g. in RULE_INIT);
    # replace it with a literal prefix if it is not.
    # Only "/my.policy" is exempted from the check below; if the logout URI itself
    # triggers this branch on your version, add it to the exemption as well.

    when HTTP_REQUEST {
      if { [HTTP::cookie exists "MRHSession"] && ([ACCESS::session exists -state_inprogress] || [ACCESS::session data get "session.policy.result"] == "not_started" ) && ! [string equal "[HTTP::uri]" "/my.policy"] } {
        log -noname accesscontrol.local1.err "$static::ACCESS_LOG_PREFIX [IP::remote_addr] access [HTTP::uri] with in_progress session, redirecting to logout URI"
        HTTP::close

        # here you can do whatever you want; the easiest option is to simply 302 the user
        # to the logout URI to delete the APM cookie and start over
        HTTP::respond 302 Location "/my.logout.php3"
      }
    }
    
    • Nfordhk_66801
      Thanks for helping, but I'm not sure the behavior is occurring as you describe. I will access the VIP, go idle, come back to it at another time, refresh my page and get the error. Attempting to access the root URL of the VIP produces the error. I can also access the VIP, complete my tasks and exit the tab, then attempt to access the VIP at another time from the root URL and see the error. The error usually only appears after a significant gap.
    • Lucas_Thompson_
      Historic F5 Account
      Have you performed any packet captures or traffic analysis to determine the steps your device is taking to get to the result? The "already in progress" error only happens if the session is in that state and something besides "my.policy" is accessed. It could even be that your client device is making requests in the background.
    • Misty_Spillers

      Hi Lucas, so far I have had the best luck with your iRule on this issue, but for me it doesn't matter if you have tabs open or not. Without your iRule I always get "Access Policy Already Being Evaluated".

      However, with your iRule, sometimes browsers (it doesn't seem to matter which) get caught in a loop.

      So the first time you go to OWA everything is fine; you can log in/log out with no issues. Then close your browser, go back the next day, and you can see the browser try to go to /OWA and then it sends you to the F5 logout page. Click start session; again it tries to go to /OWA and gets redirected to the logout page. This goes on and on, and only some weird mix of trying again and clearing cache seems to break the cycle. Anyone know why? APM is version BIG-IP 12.1.2 Build 2.0.276 Hotfix HF2, iApp is
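The sequence Lucas describes (session created, 302 to /my.policy, stray request to another URI) and the logout loop Misty reports, as an added Python model that is not part of this thread or of F5's code. APM, the browser and the iRule are all simulated in-process so it runs offline: the cookie and URI names (MRHSession, /my.policy, /my.logout.php3) come from the thread, while the session store, the Browser class and the "double request" client are constructed here. It compares the thread's iRule (302 to logout) with a variant that 302s to /my.policy instead, on the assumption that APM resumes an in-progress session at /my.policy as Lucas's step 2 implies; confirm that against your own version in a lab before relying on it.

```python
from dataclasses import dataclass
from typing import Callable, Optional
import itertools

IN_PROGRESS = "in_progress"
# APM's own URIs. The thread's iRule exempts only /my.policy; the logout URI is
# exempted here too (assumption) so that the 302 to it cannot retrigger the check.
APM_URIS = {"/my.policy", "/my.logout.php3"}


@dataclass
class Response:
    status: int
    location: str = ""
    body: str = ""
    set_cookie: Optional[str] = None   # new MRHSession value; "" deletes it


class Apm:
    """Constructed stand-in for an APM virtual server with an optional iRule."""

    def __init__(self, irule: Optional[Callable] = None):
        self.sessions = {}               # MRHSession value -> policy state
        self.irule = irule               # irule(apm, uri, cookie) -> Response or None
        self._ids = itertools.count(1)

    def request(self, uri: str, cookie: Optional[str]) -> Response:
        if self.irule is not None:       # HTTP_REQUEST iRule runs before APM's handling
            r = self.irule(self, uri, cookie)
            if r is not None:
                return r
        if uri == "/my.logout.php3":     # logout deletes the session and the cookie
            self.sessions.pop(cookie, None)
            return Response(200, body="logout page", set_cookie="")
        state = self.sessions.get(cookie)
        if state is None:                # step 2: new session, cookie, 302 to /my.policy
            sid = f"sess{next(self._ids)}"
            self.sessions[sid] = IN_PROGRESS
            return Response(302, location="/my.policy", set_cookie=sid)
        if state == IN_PROGRESS:
            if uri == "/my.policy":
                return Response(200, body="logon page")
            return Response(200, body="Access policy already being evaluated")  # step 4
        return Response(200, body=f"backend {uri}")


class Browser:
    """Stores the MRHSession cookie and follows 302s like a real client."""

    def __init__(self, apm: Apm):
        self.apm, self.cookie = apm, None

    def get(self, uri: str, follow: bool = True) -> Response:
        r = self._one(uri)
        while follow and r.status == 302:
            r = self._one(r.location)
        return r

    def _one(self, uri: str) -> Response:
        r = self.apm.request(uri, self.cookie)
        if r.set_cookie is not None:
            self.cookie = r.set_cookie or None
        return r


def in_progress_elsewhere(apm, uri, cookie) -> bool:
    """The condition in the thread's iRule: in-progress cookie on a non-policy URI."""
    return apm.sessions.get(cookie) == IN_PROGRESS and uri not in APM_URIS


def irule_logout(apm, uri, cookie):
    """Thread's iRule: 302 to the logout URI, which deletes session and cookie."""
    return Response(302, location="/my.logout.php3") if in_progress_elsewhere(apm, uri, cookie) else None


def irule_resume(apm, uri, cookie):
    """Variant: 302 back to /my.policy so the client resumes the logon instead."""
    return Response(302, location="/my.policy") if in_progress_elsewhere(apm, uri, cookie) else None


def stray_request(irule) -> tuple:
    """Steps 1-4: logon page shown, then a stray GET /foo carrying the same cookie."""
    b = Browser(Apm(irule))
    b.get("/")
    r = b.get("/foo")
    return r.body, b.cookie


def double_request(irule, attempts: int = 3) -> Optional[int]:
    """Constructed client that re-requests /owa with the brand-new cookie before
    following the 302 to /my.policy (a second tab or background fetch would do this).
    Returns the attempt on which the logon page is reached, or None if it never is."""
    b = Browser(Apm(irule))
    for attempt in range(1, attempts + 1):
        b.get("/owa", follow=False)      # session created, cookie stored, 302 not followed
        if b.get("/owa").body == "logon page":
            return attempt
        # otherwise the user sees the logout page, clicks "start session" and tries again
    return None


if __name__ == "__main__":
    print("no iRule:     ", stray_request(None))
    print("logout iRule: ", stray_request(irule_logout), double_request(irule_logout))
    print("resume iRule: ", stray_request(irule_resume), double_request(irule_resume))
```

Run it and the three cases line up with the thread: no iRule gives the error body, the thread's iRule lands the user on the logout page with the cookie gone, and the double-request client never gets past the logout page with that iRule but reaches the logon page on the first try with the /my.policy variant. Whether a real browser behaves like the constructed client is exactly what a packet capture, as Lucas suggests, would settle.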

       

  • mikeshimkus_111
    Historic F5 Account
    Nfordhk, have you implemented the iRule from pages 66-67 of the Exchange iApp deployment guide, "Clients receiving error message when using BIG-IP APM with OWA 2013 and IE10 or Google Chrome"?
  • Hi,

    This page displays when:

    • the APM session expired
    • the browser makes a background request without displaying the new session authentication page
    • the user refreshes the page...

    One solution is to replace the text with JavaScript redirecting to the logout URL (or to a URL managed by an iRule that removes the pending session and redirects to the main page).

    To replace the text with JavaScript:

    • edit Customization / Advanced / Localization (Text in v11.6)
    • browse to Access Profiles / "Your Access Profile" / Common / Logout / General / Access Not Found Page reject message
    • replace the text by:

    The user will be redirected to the page displaying that the session is ended...