Forum Discussion

latheef_53585
Dec 29, 2011

F5 & SharePoint 2010

We are facing an issue with our SharePoint 2010; our SharePoint administrator explains it as below:





o SharePoint 2010

o InfoPath Web-enabled form 2010

o Windows Server R2 2008

o F5 as application load balancer (LTM)

o Servers in farms - 2





o While accessing any page having an InfoPath web part on HTTPS we are facing this issue, as we are calling the GetUserProfileService web service within the InfoPath form.


 An error occurred while trying to connect to a Web service. An entry has been added to the Windows event log of the server. Log ID:5566, Correlation ID:493330fd-eac7-49a7-ac8f-29ce467e3a90


o Without calling this web service, everything works fine.



- What We Did?


o We imported the HTTPS certificate file in Central Administration > Security > Manage trusts on both servers.

o DisableLoopbackCheck is 1 in the registry for both servers.

o Accessing the web service by putting the URL in the browser works fine. (https:///_vti_bin/userprofileservice.asmx?WSDL)

- Behavior



o Sometimes it works and sometimes it gives same error.


o When we try to access it from within the server it works fine every time, although all requests from the server are landing from F5 (i.e. no host file is changed).


9 Replies

  • Michael_Shimku2 (Historic F5 Account)
    Hi latheef, I have a few questions for you:



    Sounds like you are not offloading SSL to the F5, is that correct?


    Do you have alternate access mappings configured correctly for your SharePoint application?


    Is this a one-armed configuration (virtual servers and SharePoint servers on the same subnet)?


    If you disable one SharePoint server at a time, do the client connections still fail intermittently?



  • 1) We are offloading SSL on F5, we are using a wildcard certificate for all of our applications.


    2) Alternate access mappings configured correctly.


    3) We have different VLANs; both our SharePoint servers are physical (IBM HS21 blade), but we have different virtual servers on the same subnet for different purposes.


    4) If I disable one node on F5 then everything works fine without any problem.



    Thanks and Regards



  • Are you saying that disabling one node in the pool and going through F5 VIP works fine? If so, sounds like a persistence issue. Are you saying that the SharePoint server is making that call to itself? If so, I would recommend putting in an iRule to test that would detect this call (you already have the URI), and manually set the destination node for the call to be that of the source IP, to make sure the call gets back to the same SP server.
  • Thank you Michael for your help. You are right, I agree that I have to monitor through an iRule to get the problem sorted out. As I'm not an expert in F5, can you give me some more information to do it? Where can I find the iRule and other information to perform the task?



    Thanks and Regards





  • Michael_Shimku2 (Historic F5 Account)
    We have a deployment guide for FAST search that addresses a similar problem. You can find it here: (on pages 6-7).



    If the connection from your SharePoint servers to the farm is using SNAT, you will need to create a virtual server on the same subnet as the SharePoint servers and use a host entry to point them to the virtual server IP address.



  • This information was given by Microsoft about the above issue, and they mentioned that the problem is from F5. Any comments?




    From the IIS LOGS we have the good and the wrong entries:



    Good one:


    2012.01.02 6:06:17 POST /_vti_bin/userprofileservice.asmx - 80 - InfoPathDA 401 2 5 0


    2012.01.02 6:06:17 POST /_vti_bin/userprofileservice.asmx - 80 - InfoPathDA 401 1 2148074254 0


    2012.01.02 6:06:17 POST /_vti_bin/userprofileservice.asmx - 80 SHARJAH\201453 InfoPathDA 200 0 0 124



    Wrong one:



    2012.01.02 8:51:20 POST /_vti_bin/userprofileservice.asmx - 80 - InfoPathDA 401 2 5 0


    2012.01.02 8:51:20 POST /_vti_bin/userprofileservice.asmx - 80 - InfoPathDA 401 1 2148074254 0


    2012.01.02 8:51:20 POST /_vti_bin/userprofileservice.asmx - 80 - InfoPathDA 401 1 5 0



    From that it seems that the NTLM handshake is not working.

    From the network trace on both of the servers we saw that the problem is with the authentication.



    The problem with the NTLM authentication in details:



    Good Authentication example:



    No. Time Source Destination Protocol Length Info


    663 2012-01-05 14:59:50.421606 HTTP 736 GET /Style%20Library/Images/index_02.jpg HTTP/1.1 , NTLMSSP_NEGOTIATE


    666 2012-01-05 14:59:50.423059 HTTP 593 HTTP/1.1 401 Unauthorized , NTLMSSP_CHALLENGE


    684 2012-01-05 14:59:50.428955 HTTP 1344 GET /Style%20Library/Images/index_02.jpg HTTP/1.1 , NTLMSSP_AUTH, User: sharjah\20710632



    And the problematic one:



    No. Time Source Destination Protocol Length Info


    22145 2012-01-05 15:00:16.939837 HTTP/XML 567 POST /_vti_bin/userprofileservice.asmx HTTP/1.1


    22149 2012-01-05 15:00:16.946667 HTTP 469 POST /_vti_bin/userprofileservice.asmx HTTP/1.1 , NTLMSSP_NEGOTIATE


    22156 2012-01-05 15:00:16.952061 HTTP/XML 567 POST /_vti_bin/userprofileservice.asmx HTTP/1.1 , NTLMSSP_AUTH, User: \



    Please NOTE there is no DOMAIN and Username specified in that packet; those are missing! It seems that some active device is removing it? Maybe the F5? We need to investigate that.




    Thanks and Regards
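
The good and failing IIS sequences quoted in the post above can be told apart mechanically when scanning the logs of both farm servers. The following is an added example, not part of the original thread: it assumes the field order visible in the quoted lines, groups entries by timestamp and URI (an assumption about how one handshake is logged), and uses hypothetical function and field names.

```python
# Added example: label NTLM handshakes in IIS log lines as completed or failed.
# SAMPLE_LOG holds the entries quoted in the post above; the grouping key
# (date, time, URI) is an assumption about how one handshake appears in the log.
SAMPLE_LOG = r"""
2012.01.02 6:06:17 POST /_vti_bin/userprofileservice.asmx - 80 - InfoPathDA 401 2 5 0
2012.01.02 6:06:17 POST /_vti_bin/userprofileservice.asmx - 80 - InfoPathDA 401 1 2148074254 0
2012.01.02 6:06:17 POST /_vti_bin/userprofileservice.asmx - 80 SHARJAH\201453 InfoPathDA 200 0 0 124
2012.01.02 8:51:20 POST /_vti_bin/userprofileservice.asmx - 80 - InfoPathDA 401 2 5 0
2012.01.02 8:51:20 POST /_vti_bin/userprofileservice.asmx - 80 - InfoPathDA 401 1 2148074254 0
2012.01.02 8:51:20 POST /_vti_bin/userprofileservice.asmx - 80 - InfoPathDA 401 1 5 0
"""

FIELDS = ("date", "time", "method", "uri", "query", "port", "user",
          "agent", "status", "substatus", "win32", "time_taken")
CHALLENGE_WIN32 = 2148074254   # 0x8009030E, logged on the challenge leg
ACCESS_DENIED_WIN32 = 5        # logged on the final leg of the failing case


def parse(line):
    """Split one log line into a dict; return None for blank or odd lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    for key in ("status", "substatus", "win32"):
        rec[key] = int(rec[key])
    return rec


def classify(records):
    """Label one group of entries by how its last leg ended."""
    last = records[-1]
    saw_challenge = any(r["status"] == 401 and r["substatus"] == 1
                        and r["win32"] == CHALLENGE_WIN32 for r in records)
    if last["status"] == 200 and last["user"] != "-":
        return "authenticated"
    if saw_challenge and (last["status"], last["substatus"],
                          last["win32"]) == (401, 1, ACCESS_DENIED_WIN32):
        return "logon_failed"
    return "incomplete"


def summarize(text):
    """Group entries by (date, time, uri) and classify each group."""
    groups = {}
    for line in text.splitlines():
        rec = parse(line)
        if rec:
            groups.setdefault((rec["date"], rec["time"], rec["uri"]), []).append(rec)
    return {key: classify(recs) for key, recs in groups.items()}


if __name__ == "__main__":
    for key, label in summarize(SAMPLE_LOG).items():
        print(*key, label)
```

Running the same summary over each server's log separately shows whether the failed handshakes are concentrated on one farm member or spread across both.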




  • I'm experiencing the problem. Have you been able to solve this problem with the domain and username not being passed through the F5?


  • Michael_Shimku2 (Historic F5 Account)
    Have you tried creating the local virtual server and iRule as specified in this guide:



    As Michael mentioned, we need to confirm that connections from the SharePoint servers to the SharePoint site are being directed back to the originating server.