Forum Discussion

latheef_53585
Dec 29, 2011

F5 & SharePoint 2010

We are facing an issue with our SharePoint 2010; our SharePoint administrator explains it as below:

Environment

o SharePoint 2010
o InfoPath web-enabled form 2010
o Windows Server R2 2008
o F5 as application load balancer (LTM)
o Servers in farms - 2

 

 

Issue

o While accessing any page having an InfoPath web part on HTTPS we are facing this issue, as we are calling the GetUserProfileService web service within the InfoPath form.

  An error occurred while trying to connect to a Web service. An entry has been added to the Windows event log of the server. Log ID:5566, Correlation ID:493330fd-eac7-49a7-ac8f-29ce467e3a90

o Without calling this web service, everything works fine.

 

 

What We Did?

o We imported the HTTPS certificate file in Central Administration > Security > Manage trusts on both servers.
o DisableLoopbackCheck is 1 in the registry for both servers.
o Accessing the web service by putting the URL in a browser works fine. (https:///_vti_bin/userprofileservice.asmx?WSDL)

Behavior

o Sometimes it works and sometimes it gives the same error.
o When we try to access it from within the server, it works fine every time, although all requests from the server are landing from F5 (i.e. no host file is changed).

 

  • Michael_Shimku2
    Historic F5 Account
    Hi latheef, I have a few questions for you:

    Sounds like you are not offloading SSL to the F5, is that correct?

    Do you have alternate access mappings configured correctly for your SharePoint application?

    Is this a one-armed configuration (virtual servers and SharePoint servers on the same subnet)?

    If you disable one SharePoint server at a time, do the client connections still fail intermittently?

    Thanks
  • 1) We are offloading SSL on F5; we are using a wildcard certificate for all of our applications.

    2) Alternate access mappings are configured correctly.

    3) We have different VLANs. Both of our SharePoint servers are physical (IBM HS21 blade), but we have different virtual servers on the same subnet for different purposes.

    4) If I disable one node on F5 then everything works fine without any problem.

    Thanks and Regards

    a.latheef
  • Are you saying that disabling one node in the pool and going through the F5 VIP works fine? If so, sounds like a persistence issue. Are you saying that the SharePoint server is making that call to itself? If so, I would recommend putting in an iRule to test that would detect this call (you already have the URI) and manually set the destination node for the call to be that of the source IP, to make sure the call gets back to the same SP server.
  • Thank you Michael for your help. You are right, I agree that I have to monitor through an iRule to get the problem sorted out. As I'm not an expert on F5, can you give me some more information on how to do it? Where can I find the iRule and other information to perform the task?

    Thanks and Regards

    a.latheef

     

  • Michael_Shimku2
    Historic F5 Account
    We have a deployment guide for FAST search that addresses a similar problem. You can find it here: http://www.f5.com/pdf/deployment-guides/microsoft-fast-search-2010-dg.pdf (on pages 6-7).

    If the connection from your SharePoint servers to the farm is using SNAT, you will need to create a virtual server on the same subnet as the SharePoint servers and use a host entry to point them to the virtual server IP address.

     

     

  • This information was given by Microsoft about the above issue, and they mentioned that the problem is from F5. Any comments?

    From the IIS LOGS we have the good and the wrong entries:

    Good one:

    2012.01.02 6:06:17 xxx.xxx.xx.70 POST /_vti_bin/userprofileservice.asmx - 80 - xxx.xxx.xx.253 InfoPathDA 401 2 5 0
    2012.01.02 6:06:17 xxx.xxx.xx.70 POST /_vti_bin/userprofileservice.asmx - 80 - xxx.xxx.xx.253 InfoPathDA 401 1 2148074254 0
    2012.01.02 6:06:17 xxx.xxx.xx.70 POST /_vti_bin/userprofileservice.asmx - 80 SHARJAH\201453 xxx.xxx.xx.253 InfoPathDA 200 0 0 124

    Wrong one:

    2012.01.02 8:51:20 xxx.xxx.xx.70 POST /_vti_bin/userprofileservice.asmx - 80 - xxx.xxx.xx.253 InfoPathDA 401 2 5 0
    2012.01.02 8:51:20 xxx.xxx.xx.70 POST /_vti_bin/userprofileservice.asmx - 80 - xxx.xxx.xx.253 InfoPathDA 401 1 2148074254 0
    2012.01.02 8:51:20 xxx.xxx.xx.70 POST /_vti_bin/userprofileservice.asmx - 80 - xxx.xxx.xx.253 InfoPathDA 401 1 5 0

    From that it seems that the NTLM handshake is not working.

    From the network trace on both of the servers we saw that the problem is with the authentication.

     

     

    The problem with the NTLM authentication in detail:

    Good authentication example:

    No. Time Source Destination Protocol Length Info
    663 2012-01-05 14:59:50.421606 xxx.xxx.xx.253 xxx.xxx.xx.74 HTTP 736 GET /Style%20Library/Images/index_02.jpg HTTP/1.1 , NTLMSSP_NEGOTIATE
    666 2012-01-05 14:59:50.423059 xxx.xxx.xx.74 xxx.xxx.xx.253 HTTP 593 HTTP/1.1 401 Unauthorized , NTLMSSP_CHALLENGE
    684 2012-01-05 14:59:50.428955 xxx.xxx.xx.253 xxx.xxx.xx.74 HTTP 1344 GET /Style%20Library/Images/index_02.jpg HTTP/1.1 , NTLMSSP_AUTH, User: sharjah\20710632

    And the problematic one:

    No. Time Source Destination Protocol Length Info
    22145 2012-01-05 15:00:16.939837 xxx.xxx.xx.253 xxx.xxx.xx.70 HTTP/XML 567 POST /_vti_bin/userprofileservice.asmx HTTP/1.1
    22149 2012-01-05 15:00:16.946667 xxx.xxx.xx.253 xxx.xxx.xx.70 HTTP 469 POST /_vti_bin/userprofileservice.asmx HTTP/1.1 , NTLMSSP_NEGOTIATE
    22156 2012-01-05 15:00:16.952061 xxx.xxx.xx.253 xxx.xxx.xx.70 HTTP/XML 567 POST /_vti_bin/userprofileservice.asmx HTTP/1.1 , NTLMSSP_AUTH, User: \

    Please NOTE there is no DOMAIN and Username specified in that packet; those are missing! It seems that some active device is removing it? Maybe the F5? We need to investigate that.

     

     

     

    Thanks and Regards

    a.latheef
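
The IIS log comparison above, as a script (an added example, not part of the original post or of any F5 or Microsoft tooling): it groups the quoted entries into authentication attempts and flags those that end in 401.1 instead of an authenticated 200. The field order and the grouping rule are assumptions drawn from the six quoted lines.

```python
from collections import namedtuple

# Field order inferred from the log lines quoted in the post (an assumption;
# the real order is set by the #Fields header of the IIS log file).
Entry = namedtuple("Entry", "date time s_ip method uri query port user c_ip "
                            "agent status substatus win32 time_taken")

# The six entries quoted in the post (addresses already redacted there).
SAMPLE_LOG = r"""
2012.01.02 6:06:17 xxx.xxx.xx.70 POST /_vti_bin/userprofileservice.asmx - 80 - xxx.xxx.xx.253 InfoPathDA 401 2 5 0
2012.01.02 6:06:17 xxx.xxx.xx.70 POST /_vti_bin/userprofileservice.asmx - 80 - xxx.xxx.xx.253 InfoPathDA 401 1 2148074254 0
2012.01.02 6:06:17 xxx.xxx.xx.70 POST /_vti_bin/userprofileservice.asmx - 80 SHARJAH\201453 xxx.xxx.xx.253 InfoPathDA 200 0 0 124
2012.01.02 8:51:20 xxx.xxx.xx.70 POST /_vti_bin/userprofileservice.asmx - 80 - xxx.xxx.xx.253 InfoPathDA 401 2 5 0
2012.01.02 8:51:20 xxx.xxx.xx.70 POST /_vti_bin/userprofileservice.asmx - 80 - xxx.xxx.xx.253 InfoPathDA 401 1 2148074254 0
2012.01.02 8:51:20 xxx.xxx.xx.70 POST /_vti_bin/userprofileservice.asmx - 80 - xxx.xxx.xx.253 InfoPathDA 401 1 5 0
"""

def parse(text):
    """Return an Entry for every line with the expected number of fields."""
    rows = (line.split() for line in text.splitlines())
    return [Entry(*r) for r in rows if len(r) == len(Entry._fields)]

def attempts(entries):
    """Group consecutive entries into authentication attempts."""
    # Simplification: assumes attempts are not interleaved in the log.
    groups = []
    for e in entries:
        key = (e.c_ip, e.s_ip, e.uri)
        anonymous = (e.status, e.substatus) == ("401", "2")
        if anonymous or not groups or groups[-1][0] != key:
            groups.append((key, []))
        groups[-1][1].append(e)
    return [steps for _, steps in groups]

def classify(steps):
    last = steps[-1]
    if last.status == "200" and last.user != "-":
        return "ok"  # handshake finished with an authenticated user
    # 401.1 with Win32 status 5 (access denied): the final NTLM message failed
    if (last.status, last.substatus, last.win32) == ("401", "1", "5"):
        return "ntlm-rejected"
    return "incomplete"

def report(text):
    return [(s[0].time, s[0].s_ip, classify(s)) for s in attempts(parse(text))]

if __name__ == "__main__":
    for row in report(SAMPLE_LOG):
        print(*row)
```

Running it over the logs of each farm member separately shows whether the rejected attempts cluster on one server or on requests that crossed from one server to the other.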

     

  • I'm experiencing the problem. Have you been able to solve this problem with the domain and username not being passed through the F5?

     

  • Michael_Shimku2
    Historic F5 Account
    Have you tried creating the local virtual server and iRule as specified in this guide: http://www.f5.com/pdf/deployment-guides/microsoft-fast-search-2010-dg.pdf

    As Michael mentioned, we need to confirm that connections from the SharePoint servers to the SharePoint site are being directed back to the originating server.