Access Policy Already Being Evaluated - Exchange OWA Service
Hi,
We recently set up APM for our OWA service to the internet. Pretty simple, checks AD group, and SSO to Exchange. Works flawlessly except we are seeing abnormal behavior regarding timeout and keeping sessions active.
Many times due to inactive browsing, closing the tab, etc., users will navigate to the main page again. They receive an "access policy already being evaluated" message. Even closing the web browser at times doesn't seem to resolve the issue.
What we found does resolve it:
- Desktops: launch private browsing windows
- iPhones: delete background processes or private windows
Neither of these solutions is ideal. How do I force these "limbo" sessions to expire and allow users to re-authenticate properly?
- Stanislas_Piro2 (Cumulonimbus)
Hi,
This page displays when:
- the APM session expired
- the browser requests a background without displaying the new session authentication page
- the user refreshes the page...
One solution is to replace the text with JavaScript redirecting to the logout URL (or a URL managed by an iRule removing the pending session and redirecting to the main page).
To replace the text with JavaScript:
- edit customization / Advanced / Localization (Text in V11.6)
- browse Access Profiles / "Your Access Profile" / Common / Logout / General / Access Not Found Page reject message
- replace the text by:
The user will be redirected to the page displaying the session is ended...
- Nfordhk_66801 (Nimbostratus)
We have not, but that iRule looks promising! I'll try it out!
- mikeshimkus_111 (Historic F5 Account)
Nfordhk, have you implemented the iRule from pages 66-67 of the Exchange iApp deployment guide: Clients receiving error message when using BIG-IP APM with OWA 2013 and IE10 or Google Chrome
- Lucas_Thompson_ (Historic F5 Account)
This error occurs when the following sequence happens:
1. User connects to APM vip.
2. APM vip creates session and hands cookie to user in HTTP 302 redirect to "/my.policy". Now the session is started, but has not reached the "allow" or "deny" of the policy, so it is in the "in_progress" state.
3. User connects to the APM vip at a URL besides "/my.policy" with the cookie from step 2.
4. APM sees this "in_progress" session and responds with that error page.
Normally this shouldn't happen, because the user should honor the redirect provided in step 2 and then go visit /my.policy to grab the logon page or whatever other items that the policy has. We do find some cases where the user opens multiple tabs or other behavior that always causes it to happen. For these cases, workaround irules can be used to detect it. Unfortunately the "in progress" error page is NOT included in normal customization (F5 RFE ID 377165), and we cannot handle multiple session creation from a single shared cookie (F5 RFE ID 439965).
This irule can be used to handle the situation for most cases. Note that customization will be required if you want other end-user behavior besides the logout page.
```tcl
# If end user accesses APM, creates a session, then does not complete the access policy
# before accessing other URLs besides "/my.policy", APM will produce a
# "session evaluation in progress" error.
#
# to reproduce this behavior:
#   visit APM URL, eg: https://apm.siterequest.com
#   see logon page
#   visit APM URL again, eg: https://apm.siterequest.com/foo
#   now error page is displayed
#
# to use the irule, simply attach it to the APM virtual server
when HTTP_REQUEST {
    if { [HTTP::cookie exists "MRHSession"] && ([ACCESS::session exists -state_inprogress] || [ACCESS::session data get "session.policy.result"] == "not_started" ) && ! [string equal "[HTTP::uri]" "/my.policy"] } {
        log -noname accesscontrol.local1.err "$static::ACCESS_LOG_PREFIX [IP::remote_addr] access [HTTP::uri] with in_progress session, redirecting to logout URI"
        HTTP::close
        # here you can do whatever you want, easiest option is to simply 302 user
        # to logout URI to delete apm cookie and start over
        HTTP::respond 302 Location "/my.logout.php3"
    }
}
```
- Misty_Spillers (Nimbostratus)
Hi Lucas, so far I have had the best luck with your iRule on this issue, but for me it doesn't matter if you have tabs open or not. Without your iRule I always get "Access Policy Already Being Evaluated".
However, with your iRule, sometimes browsers (doesn't seem to matter which) get caught in a loop.
So the first time you go to OWA everything is fine, you can login/logout with no issues. Then close your browser, go back the next day and you can see the browser try to go to /OWA and then it sends you to the F5 logout page. Click start session, again it tries to go to /OWA and gets redirected to the logout page. This goes on and on and only some weird mix of keep trying and clearing cache seems to break the cycle. Anyone know why? APM is version BIG-IP 12.1.2 Build 2.0.276 Hotfix HF2 iApp is
- Lucas_Thompson_ (Historic F5 Account)
Have you performed any packet captures or traffic analysis to determine the steps your device is taking to get to the result? The "already in progress" error only happens if the session is in that state and something besides "my.policy" is accessed. It could be even that your client device is making requests in the background.
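Added example, not part of any post in this thread: a Python script that follows up on the traffic-analysis suggestion by scanning for the log line written by the iRule above and flagging clients that hit it repeatedly within a short window, which is the logout loop reported above. The syslog header, the `apm_inprogress:` text standing in for `$static::ACCESS_LOG_PREFIX`, the threshold values and the function name are assumptions; only the message tail comes from the iRule.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines. The syslog header (timestamp, host, tmm) and the
# "apm_inprogress:" prefix standing in for $static::ACCESS_LOG_PREFIX are
# assumptions; only the message tail is taken from the iRule's log statement.
SAMPLE_LOG = """\
Mar  3 09:15:01 bigip1 err tmm[12345]: apm_inprogress: 192.0.2.10 access /owa/ with in_progress session, redirecting to logout URI
Mar  3 09:15:04 bigip1 err tmm[12345]: apm_inprogress: 192.0.2.10 access /owa/ with in_progress session, redirecting to logout URI
Mar  3 09:15:09 bigip1 err tmm[12345]: apm_inprogress: 192.0.2.10 access /owa/ with in_progress session, redirecting to logout URI
Mar  3 09:20:00 bigip1 err tmm[12345]: apm_inprogress: 198.51.100.7 access /favicon.ico with in_progress session, redirecting to logout URI
Mar  3 11:02:30 bigip1 err tmm[12345]: apm_inprogress: 192.0.2.10 access /owa/ev.owa2 with in_progress session, redirecting to logout URI
"""

# Timestamp at the start of the line, then the client IP and URI logged by the iRule.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?"
    r"(?P<ip>\S+) access (?P<uri>\S+) with in_progress session"
)

def find_redirect_loops(log_text, threshold=3, window=timedelta(seconds=60), year=2024):
    """Return {client_ip: [uris]} for clients with >= threshold hits inside one window.

    A single hit is the iRule doing its job; several hits in a short span mean the
    client keeps presenting an in_progress session and is stuck in the redirect loop.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        # Syslog timestamps carry no year, so an assumed one is supplied.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        hits[m["ip"]].append((ts, m["uri"]))

    loops = {}
    for ip, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                # Report which URIs the looping client was requesting.
                loops[ip] = sorted({uri for _, uri in events[start:end + 1]})
                break
    return loops

if __name__ == "__main__":
    print(find_redirect_loops(SAMPLE_LOG))
```

The URIs reported per client show whether the looping request is the user's own navigation (such as `/owa/`) or a background request made by the client.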
- Nfordhk_66801 (Nimbostratus)
Thanks for helping, but I'm not sure the behavior is occurring as you describe. I will access the vip, go idle, I can come back to it at another time, refresh my page and get the error. Attempting to access the root URL vip produces the error. I can also access the vip, complete my tasks and exit the tab, then attempt to access the vip at another time from the root URL and see the error. The error usually only occurs after a significant gap.
- Nfordhk_66801 (Nimbostratus)
It is Outlook Web Access, we did utilize iApps for this deployment.
- JamesSevedge_23 (Historic F5 Account)
Hello, by OWA service are you referring to Outlook Web App or Office Web App? Or neither? If it is one of the first two, could you confirm which one, as well as whether you configured F5 using the iApps available for both of those applications?