Forum Discussion
F5 APM OWA o365 SSO Form Based Authentication Issues
Hello there, we'd like to configure our v11.6 F5 box to provide access to an Exchange 2013 / MS o365 web-based email using APM to enforce two-factor authentication (AD + OTP) on an HTTPS Virtual Server. The authentication part is OK and the policy log shows that the ending is "allow". On the other end the authenticated user is redirected to his o365 landing home page, which displays his latest emails. At this point any attempt to click on any item in the page won't produce any result. When looking at the session logs, I noticed that right after the webtop gets assigned and the Websso form-based auth is triggered, APM says "Session deleted due to user logout request.", which of course the user has not done.
What am I missing?
Session Logs:
```
Jul 9 17:47:02 MY-F5 notice apd[5923]: 01490220:5: c1f370de: Pool '/Common/mail.o365.mydomain.com' assigned
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490004:6: c1f370de: Executed agent '/Common/WEBMAIL_act_resource_assign_2_ag', return value 0
Jul 9 17:47:02 MY-F5 notice apd[5923]: 01490005:5: c1f370de: Following rule 'fallback' from item 'TEST_OWA' to ending 'Allow'
Jul 9 17:47:02 MY-F5 notice apd[5923]: 01490102:5: c1f370de: Access policy result: Web_Application
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490004:6: c1f370de: Executed agent '/Common/WEBMAIL_end_allow_ag', return value 0
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.assigned.pool' set to '/Common/mail.o365.mydomain.com'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.assigned.resources.pa' set to '/Common/OWA_TEST'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.assigned.uuid' set to 'tmm.uuid./Common/WEBMAIL.userid'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.assigned.webtop' set to '/Common/WebTop_Test'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.ldap./Common/WEBMAIL_act_ldap_auth_ag.authresult' set to '1'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.ldap./Common/WEBMAIL_act_ldap_auth_ag.errmsg' set to ' '
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.ldap./Common/WEBMAIL_act_ldap_auth_ag.errmsgext' set to ' '
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.ldap./Common/WEBMAIL_act_ldap_auth_ag.totalEntries' set to '0'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.ldap.last.authresult' set to '1'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.ldap.last.errmsg' set to ' '
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.ldap.last.errmsgext' set to ' '
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.ldap.last.totalEntries' set to '0'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.logon.last.password' set to '**********'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.logon.last.username' set to 'userid@mydomain.ad'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.logon.page.errorcode' set to '0'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.policy.result' set to 'allow'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.policy.result.start_uri' set to '/f5-w-68747470733a2f2f7765626d61696c2e6d79646f6d61696e2e636f6d$$/owa/'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.policy.result.webtop.type' set to 'web_application'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.radius./Common/WEBMAIL_act_radius_auth_ag.attr.class' set to '0x661905fe00000137000102000aef19aa00000000000000000000000001d0b703690c67f0000000000000129d'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.radius./Common/WEBMAIL_act_radius_auth_ag.attr.framed-protocol' set to '1'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.radius./Common/WEBMAIL_act_radius_auth_ag.attr.service-type' set to '2'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.radius./Common/WEBMAIL_act_radius_auth_ag.errmsg' set to ' '
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.radius./Common/WEBMAIL_act_radius_auth_ag.result' set to '1'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.radius.last.attr.class' set to '0x661905fe00000137000102000aef19aa00000000000000000000000001d0b703690c67f0000000000000129d'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.radius.last.attr.framed-protocol' set to '1'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.radius.last.attr.service-type' set to '2'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.radius.last.errmsg' set to ' '
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.radius.last.result' set to '1'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.sso.token.last.password' set to '**********'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.sso.token.last.username' set to 'userid@mydomain.ad'
Jul 9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.webtop.customization.group' set to '/Common/WebTop_Test_customization'
Jul 9 17:47:02 MY-F5 info websso.0[12351]: 014d0015:6: c1f370de: Websso form-based authentication for user 'userid@mydomain.ad' using config '/Common/OWA_365'
Jul 9 17:47:06 MY-F5 notice tmm2[11808]: 01490501:5: c1f370de: Session deleted due to user logout request.
Jul 9 17:47:44 MY-F5 notice tmm2[11808]: 01490521:5: c1f370de: Session statistics - bytes in: 161950, bytes out: 1593105
```
And here's the SSO config:
```
apm sso form-based /Common/OWA_365 {
    form-action https://webmail.mydomain.com/owa/auth.owa
    form-field "destination https://webmail.mydomain.com/owa/
flags 4
forcedownlevel 0
passwordText
isUtf8 1
trusted 4"
    form-password password
    form-username username
    start-uri /owa/auth/logon.aspx*
}
apm resource portal-access /Common/OWA_TEST {
    acl-order 2
    customization-group /Common/OWA_TEST_resource_web_app_customization
    flash-patching false
    items {
        item {
            client-caching-type no-cache
            compression-type none
            home-tab false
            host webmail.mydomain.com
            log packet
            order 1
            paths /*
            port 443
            scheme https
            session-timeout false
            session-update false
            sso /Common/OWA_365
            subnet 0.0.0.0/0
        }
    }
    path-match-case false
    scheme-patching true
}
apm resource webtop /Common/WebTop_Test {
    customization-group /Common/WebTop_Test_customization
    portal-access-start-uri https://webmail.mydomain.com/owa/
    webtop-type portal-access
}
```
Thanks in advance for your help
For everyone's information, this is how I solved the problem:
```tcl
when HTTP_REQUEST {
    # For OWA 2013
    if { [HTTP::uri] starts_with "/owa/manifests/appCacheManifestHandler.ashx" } {
        HTTP::respond 200 content {} noserver
    }
}
```
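The tell-tale pattern in the session log above is the `01490501` "Session deleted due to user logout request" arriving four seconds after the `014d0015` websso event for the same session id, when the user never clicked logoff. The following triage script is an added example (not from the original poster or from F5): it parses APM session log lines, correlates the two events by session id, and reports sessions where the deletion follows the websso event within a short window. The sample log lines are constructed to match the shape of the post's log (the second session id and its timestamps are made up), and the year is an assumption because syslog lines carry none.

```python
import re
from datetime import datetime

# Constructed sample in the shape of the APM session log shown in the post.
# Session c1f370de reproduces the post's timing; 0a1b2c3d is a made-up
# session whose logout happens long after SSO and should not be flagged.
SAMPLE_LOG = """\
Jul 9 17:47:02 MY-F5 notice apd[5923]: 01490102:5: c1f370de: Access policy result: Web_Application
Jul 9 17:47:02 MY-F5 info websso.0[12351]: 014d0015:6: c1f370de: Websso form-based authentication for user 'userid@mydomain.ad' using config '/Common/OWA_365'
Jul 9 17:47:06 MY-F5 notice tmm2[11808]: 01490501:5: c1f370de: Session deleted due to user logout request.
Jul 9 17:47:44 MY-F5 notice tmm2[11808]: 01490521:5: c1f370de: Session statistics - bytes in: 161950, bytes out: 1593105
Jul 9 17:50:10 MY-F5 info websso.0[12351]: 014d0015:6: 0a1b2c3d: Websso form-based authentication for user 'other@mydomain.ad' using config '/Common/OWA_365'
Jul 9 18:35:41 MY-F5 notice tmm2[11808]: 01490501:5: 0a1b2c3d: Session deleted due to user logout request.
"""

# Syslog prefix, then "<msgcode>:<level>: <session id>: <text>" as APM writes it.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<sev>\w+) (?P<proc>\S+): "
    r"(?P<code>[0-9a-f]{8}):(?P<level>\d): (?P<sid>[0-9a-f]{8}): (?P<msg>.*)$"
)

WEBSSO_FORM_AUTH = "014d0015"       # Websso form-based authentication for user ...
SESSION_LOGOUT_DELETE = "01490501"  # Session deleted due to user logout request.


def parse_line(line, year=2015):
    """Parse one APM log line into a dict, or return None for lines that
    do not carry a session id. The year is an assumption: syslog omits it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(
        f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
    )
    return {"ts": ts, "code": m["code"], "sid": m["sid"], "msg": m["msg"]}


def find_premature_logouts(log_text, window_seconds=30):
    """Return (session id, seconds) pairs for sessions whose logout-driven
    deletion follows the websso form-based auth event within window_seconds.
    A human clicking logoff that quickly is unlikely, so each hit is a session
    to triage: look at which request hit the box in that interval and compare
    it with the access profile's logout-uri-include list."""
    sso_seen = {}
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["code"] == WEBSSO_FORM_AUTH:
            # Remember the first SSO event per session.
            sso_seen.setdefault(rec["sid"], rec["ts"])
        elif rec["code"] == SESSION_LOGOUT_DELETE and rec["sid"] in sso_seen:
            delta = (rec["ts"] - sso_seen[rec["sid"]]).total_seconds()
            if 0 <= delta <= window_seconds:
                hits.append((rec["sid"], delta))
    return hits


if __name__ == "__main__":
    for sid, delta in find_premature_logouts(SAMPLE_LOG):
        print(f"session {sid}: deleted {delta:.0f}s after websso form-based auth")
```

Run it against an exported APM log instead of `SAMPLE_LOG` to list the affected sessions; on the post's data it reports only `c1f370de` at four seconds. The profile in this thread lists `/owa/auth/logoff.aspx` under `logout-uri-include`, so the next step for each hit is to check which client request landed between the two timestamps and whether APM treated it as a logout.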
- kunjan_118660
How about your access policy, can you share?
- riraccuia
Hi Kunjan, sure, see below
- riraccuia
The Policy:
```
apm policy access-policy /Common/WEBMAIL {
    default-ending /Common/WEBMAIL_end_deny
    items {
        /Common/WEBMAIL_act_empty { }
        /Common/WEBMAIL_act_empty_1 { }
        /Common/WEBMAIL_act_empty_2 { }
        /Common/WEBMAIL_act_empty_3 { }
        /Common/WEBMAIL_act_irule_event { }
        /Common/WEBMAIL_act_ldap_auth { }
        /Common/WEBMAIL_act_ldap_auth_1 { }
        /Common/WEBMAIL_act_ldap_query { }
        /Common/WEBMAIL_act_ldap_query_1 { }
        /Common/WEBMAIL_act_logon_page { }
        /Common/WEBMAIL_act_message_box { }
        /Common/WEBMAIL_act_message_box_1 { }
        /Common/WEBMAIL_act_message_box_2 { }
        /Common/WEBMAIL_act_message_box_3 { }
        /Common/WEBMAIL_act_message_box_4 { }
        /Common/WEBMAIL_act_message_box_5 { }
        /Common/WEBMAIL_act_radius_auth { }
        /Common/WEBMAIL_act_radius_auth_1 { }
        /Common/WEBMAIL_act_resource_assign { }
        /Common/WEBMAIL_act_resource_assign_1 { }
        /Common/WEBMAIL_act_resource_assign_2 { }
        /Common/WEBMAIL_act_resource_assign_3 { }
        /Common/WEBMAIL_act_sso_credential_mapping { }
        /Common/WEBMAIL_act_sso_credential_mapping_1 { }
        /Common/WEBMAIL_act_variable_assign { }
        /Common/WEBMAIL_act_variable_assign_1 { }
        /Common/WEBMAIL_act_variable_assign_2 { }
        /Common/WEBMAIL_end_allow { priority 1 }
        /Common/WEBMAIL_end_deny { priority 2 }
        /Common/WEBMAIL_end_redirect { }
        /Common/WEBMAIL_ent { }
    }
    start-item /Common/WEBMAIL_ent
}
apm profile access /Common/WEBMAIL {
    accept-languages { en ja zh-cn zh-tw }
    access-policy /Common/WEBMAIL
    app-service none
    customization-group /Common/WEBMAIL_logout
    default-language en
    domain-cookie none
    eps-group /Common/WEBMAIL_eps
    errormap-group /Common/WEBMAIL_errormap
    exchange-profile none
    framework-installation-group /Common/WEBMAIL_frameworkinstallation
    general-ui-group /Common/WEBMAIL_general_ui
    generation 64
    generation-action noop
    inactivity-timeout 2700
    logout-uri-include { /owa/auth/logoff.aspx }
    logout-uri-timeout 5
    max-failure-delay 0
    min-failure-delay 0
    modified-since-last-policy-sync true
    secure-cookie true
    sso-name none
    type all
    user-identity-method http
}
```
And here are the relevant ending items of my policy, everything I do before is just AD and OTP/Radius authentication.
```
apm policy policy-item /Common/WEBMAIL_act_empty {
    caption "User Agent"
    color 1
    item-type action
    rules {
        {
            caption "Test Branch"
            expression "expr { [mcget {session.user.agent}] contains \"test-o365\"}"
            next-item /Common/WEBMAIL_act_resource_assign_2
        }
        {
            caption "Mobile Phones"
            expression "expr { [mcget {session.user.agent}] contains \"BlackBerry\" } "
            next-item /Common/WEBMAIL_act_resource_assign_1
        }
        {
            caption fallback
            next-item /Common/WEBMAIL_act_resource_assign
        }
    }
}
apm policy policy-item /Common/WEBMAIL_act_resource_assign_2 {
    agents {
        /Common/WEBMAIL_act_resource_assign_2_ag { type resource-assign }
    }
    caption TEST_OWA
    color 1
    item-type action
    rules {
        {
            caption fallback
            next-item /Common/WEBMAIL_end_allow
        }
    }
}
apm policy agent resource-assign /Common/WEBMAIL_act_resource_assign_2_ag {
    rules {
        {
            pool /Common/mail.o365.mydomain.com
            portal-access-resources { /Common/OWA_TEST }
            webtop /Common/WebTop_Test
        }
    }
}
```