Forum Discussion
Exchange OWA 2013 SSO
I am trying to deploy OWA 2013 via a portal resource. I have configured the SSO profile for Forms - Client Initiated as per the settings in the manual on AskF5. I have had this work maybe once or twice. Anytime it works, it will only work the first time and will fail if a logoff and re-login are attempted (most of the time it fails the first time as well). It is like it is not detecting the form and therefore not passing the parameters. My form detection is URI and the string is /owa/auth/logon.aspx. Request Prefix and Submit Request Prefix are selected. Any thoughts? Ideas? Thanks.
12 Replies
- Matt_Dierick
Employee
The best way to figure out the issue is to take a tcpdump on the server side on the APM. And take HTTPWatch traces with your laptop on IE.
You should see all parameters needed by OWA13 and check if APM does the job all the time. Sometimes the issue occurs when APM does not catch the login page.
- mikeshimkus_111
Historic F5 Account
Did you configure the SSO manually, or using the iApp from downloads.f5.com? The iApp is the way to go for complicated configs, of which APM is one.
Mike
- schmuck
Nimbostratus
I have tried via the iApp and manually configuring it as well. Neither works as desired. I have also viewed the connection with HTTPWatch and verified that the URI and form parameters look correct. Has anyone had any luck with OWA 2013 SSO?
- mikeshimkus_111
Historic F5 Account
It works consistently for me.
Can you go to System>Logs>Configuration>Options>Access Policy Logging and set Access Policy and SSO logs to debug?
Then, when the issue is happening, ssh into the BIG-IP and tail /var/log/apm.
There should be some indication in those logs about what's causing the failure. If you want to sanitize and post them here, I'll take a look.
- schmuck
Nimbostratus
It is pretty much always working the first time now and then failing every time after. When it fails, there are no logs. These are the logs from a successful connection (even though it says SSOv2 Logon failed):
Oct 18 08:58:12 tmm1 info tmm1: 014d0002:6: 30cb5538: SSOv2 Request "GET /owa/auth/logon.aspx", config /Common/Exchange-2013_sso
Oct 18 08:58:12 tmm1 info tmm1: 014d0002:6: 30cb5538: SSOv2 Request "GET /owa/auth/15.0.620/themes/resources/logon.css", config /Common/Exchange-2013_sso
Oct 18 08:58:12 tmm1 info tmm1: 014d0002:6: 30cb5538: SSOv2 Request "GET /owa/auth/15.0.620/themes/resources/favicon.ico", config /Common/Exchange-2013_sso
Oct 18 08:58:12 tmm0 info tmm0: 014d0002:6: 30cb5538: SSOv2 Request "GET /owa/auth/15.0.620/scripts/premium/flogon.js", config /Common/Exchange-2013_sso
Oct 18 08:58:12 tmm3 info tmm3: 014d0002:6: 30cb5538: SSOv2 Request "GET /owa/auth/15.0.620/scripts/premium/flayout.js", config /Common/Exchange-2013_sso
Oct 18 08:58:13 tmm0 info tmm0: 014d0002:6: 30cb5538: SSOv2 Request "GET /owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fowa.domain.com%2fowa", config /Common/Exchange-2013_sso
Oct 18 08:58:13 tmm0 info tmm0: 014d0002:6: 30cb5538: SSOv2 Request match, config /Common/Exchange-2013_sso form Exchange-2013_form
Oct 18 08:58:13 tmm1 info tmm1: 014d0002:6: 30cb5538: SSOv2 Request "GET /owa/auth/15.0.620/themes/resources/favicon.ico", config /Common/Exchange-2013_sso
Oct 18 08:58:13 tmm0 info tmm0: 014d0002:6: 30cb5538: SSOv2 Form detected, config /Common/Exchange-2013_sso form Exchange-2013_form
Oct 18 08:58:13 tmm0 info tmm0: 014d0002:6: 30cb5538: SSOv2 Request "GET /owa/auth/15.0.620/themes/resources/logon.css", config /Common/Exchange-2013_sso
Oct 18 08:58:13 tmm1 info tmm1: 014d0002:6: 30cb5538: SSOv2 Request "GET /owa/auth/15.0.620/scripts/premium/flogon.js", config /Common/Exchange-2013_sso
Oct 18 08:58:13 tmm3 info tmm3: 014d0002:6: 30cb5538: SSOv2 Request "GET /owa/auth/15.0.620/scripts/premium/flayout.js", config /Common/Exchange-2013_sso
Oct 18 08:58:13 tmm0 info tmm0: 014d0002:6: 30cb5538: SSOv2 Request "GET /owa/auth/15.0.620/themes/resources/olk_logo_white.png", config /Common/Exchange-2013_sso
Oct 18 08:58:13 tmm1 info tmm1: 014d0002:6: 30cb5538: SSOv2 Request "GET /owa/auth/15.0.620/themes/resources/favicon.ico", config /Common/Exchange-2013_sso
Oct 18 08:58:13 tmm3 info tmm3: 014d0002:6: 30cb5538: SSOv2 Request "GET /owa/auth/15.0.620/themes/resources/olk_exchange_text_stacked_white_small.png", config /Common/Exchange-2013_sso
Oct 18 08:58:13 tmm2 info tmm2: 014d0002:6: 30cb5538: SSOv2 Request "GET /owa/auth/15.0.620/themes/resources/olk_logo_white_small.png", config /Common/Exchange-2013_sso
Oct 18 08:58:13 tmm1 info tmm1: 014d0002:6: 30cb5538: SSOv2 Request "GET /owa/auth/15.0.620/themes/resources/Sign_in_arrow.png", config /Common/Exchange-2013_sso
Oct 18 08:58:13 tmm0 info tmm0: 014d0002:6: 30cb5538: SSOv2 Request "GET /owa/auth/15.0.620/themes/resources/bg_gradient_login.png", config /Common/Exchange-2013_sso
Oct 18 08:58:13 tmm1 info tmm1: 014d0002:6: 30cb5538: SSOv2 Request "GET /owa/auth/15.0.620/themes/resources/owa_text_blue.png", config /Common/Exchange-2013_sso
Oct 18 08:58:13 tmm0 info tmm0: 014d0002:6: 30cb5538: SSOv2 Request "GET /owa/auth/15.0.620/themes/resources/olk_exchange_text_blue.png", config /Common/Exchange-2013_sso
Oct 18 08:58:13 tmm3 info tmm3: 014d0002:6: 30cb5538: SSOv2 Request "GET /owa/auth/15.0.620/themes/resources/favicon.ico", config /Common/Exchange-2013_sso
Oct 18 08:58:13 tmm2 info tmm2: 014d0002:6: 30cb5538: SSOv2 Request "POST /owa/auth.owa?f5-sso-form=Exchange-2013_form", config /Common/Exchange-2013_sso
Oct 18 08:58:13 tmm2 info tmm2: 014d0002:6: 30cb5538: SSOv2 Form submitted, config /Common/Exchange-2013_sso form Exchange-2013_form
Oct 18 08:58:13 tmm2 warning tmm2: 014d0002:4: 30cb5538: SSOv2 Logon failed, config /Common/Exchange-2013_sso form Exchange-2013_form
- mikeshimkus_111
Historic F5 Account
It's odd that you don't see any log entries when it fails. Do you see connections for those attempts reflected in the virtual server stats? Are there new APM sessions being created for each attempt?
- mikeshimkus_111
Historic F5 Account
Also, which browser are you using?
- schmuck
Nimbostratus
Firefox, although I see the same symptoms in IE. I see the virtual server stats increasing and the bytes in/out increasing. A new APM session isn't created each time as it is a portal resource within a full webtop.
- mikeshimkus_111
Historic F5 Account
Ah, I've never tested with that configuration. The deployment guidance we give for forms SSO with OWA 2013 assumes that APM will be communicating directly with the CAS servers, not through a portal resource.
I've found similar examples using Basic and NTLM SSOs used in this way, but not forms based. I'll check with the APM experts around here and let you know.
- schmuck
Nimbostratus
Thanks for the help so far. I've now managed to trade down a little in issues. I have SSO working every time now. I am just unable to properly log out from OWA 2013. When the log out link is clicked, it just spins for a while and then logs the user back in. The reason I am here now is the log line above that says "SSOv2 Logon failed".
Since SSO was in fact working, this was just F5 telling me what it saw. The reason F5 thinks this is because the logon detection field in the Forms - Client Initiated is looking for the presence of a cookie = sessionid. OWA 2013 does not appear to provide that cookie.
I performed an HTTPWatch on a connection to OWA 2013 and decided to look for the presence of the cadata cookie. I now receive "SSOv2 Logon succeeded" in my logs and I receive logs for all attempts to hit OWA.
Any thoughts about my new issue? I've used an iRule before to completely log out of an APM session. Is there a way to simply close out a portal resource??
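Added example, not part of the thread: a small Python triage script for the SSOv2 lines in /var/log/apm that names, per APM session, the stage at which form SSO stopped. Session 30cb5538 is modelled on the log posted above; sessions aaaa0001 and aaaa0002, the exact shape of the "Logon succeeded" line, and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Line shape taken from the /var/log/apm excerpt posted in the thread.
LINE = re.compile(r'^\w{3} +\d+ [\d:]{8} \S+ \w+ \S+ [0-9a-f]{8}:\d: '
                  r'(?P<sid>[0-9a-f]{8}): SSOv2 (?P<event>.+)$')
STAGES = ("Request match", "Form detected", "Form submitted", "Logon succeeded", "Logon failed")

def summarize(lines, login_uri="/owa/auth/logon.aspx"):
    """Group SSOv2 events by APM session id."""
    sessions = defaultdict(lambda: {"login_page_hits": 0, "stages": []})
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        state, event = sessions[m["sid"]], m["event"]
        req = re.match(r'Request "(?:GET|POST) ([^"?]+)', event)
        if req:  # plain request line: count hits on the logon page only
            state["login_page_hits"] += req.group(1) == login_uri
            continue
        state["stages"] += [s for s in STAGES if event.startswith(s)]
    return dict(sessions)

def diagnose(state):
    """Name the stage at which form SSO stopped for one session."""
    stages = state["stages"]
    if "Logon succeeded" in stages:
        return "ok"
    if "Form submitted" in stages and "Logon failed" in stages:
        # Credentials were posted; review the SSO form's success detection.
        return "submitted, success detection failed"
    if state["login_page_hits"] and "Request match" not in stages:
        return "logon page requested, form never matched"
    return "incomplete"

P = "info tmm0: 014d0002:6:"
CFG = "config /Common/Exchange-2013_sso"
FORM = f"{CFG} form Exchange-2013_form"
SAMPLE = [  # constructed input; only 30cb5538 follows the thread's log
    f'Oct 18 08:58:13 tmm0 {P} 30cb5538: SSOv2 Request "GET /owa/auth/logon.aspx?replaceCurrent=1", {CFG}',
    f'Oct 18 08:58:13 tmm0 {P} 30cb5538: SSOv2 Request match, {FORM}',
    f'Oct 18 08:58:13 tmm0 {P} 30cb5538: SSOv2 Form detected, {FORM}',
    f'Oct 18 08:58:13 tmm0 {P} 30cb5538: SSOv2 Form submitted, {FORM}',
    f'Oct 18 08:58:13 tmm2 warning tmm2: 014d0002:4: 30cb5538: SSOv2 Logon failed, {FORM}',
    f'Oct 18 09:02:40 tmm0 {P} aaaa0001: SSOv2 Request "GET /owa/auth/logon.aspx", {CFG}',
    f'Oct 18 09:05:11 tmm0 {P} aaaa0002: SSOv2 Form submitted, {FORM}',
    f'Oct 18 09:05:12 tmm0 {P} aaaa0002: SSOv2 Logon succeeded, {FORM}',
]
for sid, state in summarize(SAMPLE).items():
    print(sid, diagnose(state))
```
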