Forum Discussion
Did you ever sort this one out? We switched from ADFS to the Big-IP for SSO and some of our Skype for Business users are seeing this same behavior.
- Ryan_T_152455, Nov 27, 2017, Nimbostratus
I worked with support a while and they acknowledged that there is an issue with the ECA module in certain cases which is related to POST operations, which would come from SP-Initiated SAML. The support guy referred me to another case where they added a 100ms delay in the iRule HTTP_REQUEST section when the browser string indicates Chrome.
My experience is that IE is the only browser failing. I added a delay for all POST operations and my situation improves some but is not fixed. When I say improves, I mean it goes from always failing to intermittently failing. I'm still seeking a full solution.
- Shane_Hickey_19, Nov 27, 2017, Nimbostratus
Thanks for the quick reply. We made a few changes to accommodate Chrome as well, but not the one you mention. We actually have a VIP sitting in front of the VIP with our ECA iRule. That first VIP has an iRule that does user-agent detection. If it detects "chrome" in the user-agent string it forces the login page instead of trying to do ECA. But, that was to solve an issue with SP-redirects in Chrome just hanging forever.
These JavaScript errors (which are identical in line and character number to yours) seem to have cropped up after we made some changes in our Skype for Business configuration. I'm still digging into exactly what those changes are. If I get a solution that is more than just a workaround, I will reply here.
- Ryan_T_152455, Nov 27, 2017, Nimbostratus
I also tried disabling clustered multi-processing (https://support.f5.com/csp/article/K14358) in order for the delay to be more effective. It's hard to say whether that helped or not, but I left that setting in place regardless.
The browser will end up doing 3 POST requests to the F5 during CHAP authentication. On the F5 side, the first two seem to execute just fine; the third one never comes if the defect is realized. From the browser's perspective, the 2nd POST doesn't get a reply from the F5. It's hard to troubleshoot because when I run it through Fiddler, it works just fine, possibly because of a change to the timing. This problem is also tricky to troubleshoot because the ECA module appears to be a black box on the F5 side that I can't see inside.