Forum Discussion

yeahnhayeah_144
Aug 20, 2014

F5 primary authentication URI - Session Expired issue

The F5 Guide for SharePoint 2013 says:

"F5’s APM and AAM modules also support the deployment of host-named site collections. When deploying the SharePoint iApp, you must enter each site collection FQDN in the "What FQDNs will clients use to access the servers?" question of the template. When accessing the web application via BIG-IP APM, the client will be redirected to the primary authentication URI, which is the first host entered in the FQDNs table. After authentication, BIG-IP APM redirects the client to the original request URI."

This works when logging in. However, I am finding that if my session expires and you then click "new session", it directs you to log in to the primary authentication URI (not the site one was logged into). If you don't have permissions to that primary authentication URI site, you get an access denied message; moreover, if you do have access to the primary authentication URI site, you log in to the primary authentication URI site, which may not be the site you wanted to log in to.

 

Example:

I request apple.contoso.com

F5 redirects me to the primary authentication URI login.contoso.com

I log in

F5 redirects me back to apple.contoso.com

I go for lunch and come back only to find my session has expired and the F5 page displaying

I click "new session" and it goes back to login.contoso.com

I log in but get access denied because I do not have access to the login.contoso.com site (or, if I have permissions to the login.contoso.com site, it logs me into that site and not apple.contoso.com, the site I was originally on).

Does this make sense? Is this by design or have we configured something incorrectly?

Any help appreciated.

 

  • I believe this is by design.

    When you are at the expired page, what domain is used, is it apple.contoso.com or login.contoso.com?

  • The "Session Expired/Timeout" page shows the "login.contoso.com" domain. When I click "Start a new session" it takes me to the F5 login page at "login.contoso.com" and the previous session association (connected to apple.contoso.com) is lost. Kind of annoying, but if that is the design then I cannot do much about that.

    Is it possible to modify the "Session Expired/Timeout" page message so as to explain this behaviour to end users?

    • Andrew_Husking
      Yea it is, depending on what version you are running. On 11.x it's fairly simple: APM customisation should allow you to modify it. In advanced editing, change it from properties to advanced, then go to your policy > logout > logout.inc and tinker with the below code; maybe you can change it to be sent to the original host.

      "); }else{ if ($errorcode == 1) { print('%[error_message]
      '); } else { include_customized_page("errormap", "errormap.inc"); print("
      "); } } ?> %[thank_message]
      '); } ?>


  • You could do some iRule/Stream profile magic.

    If you create an iRule to store what domain is used when you hit /my.policy into your own custom cookie, then have the iRule rewrite the Session Expired page so that it rewrites the domain to be the domain that the user initially hit.

    I've not done something to this extent, but I've done each of the components individually before.

    Regards,
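An added example of the cookie approach suggested above, written for this page and not taken from the thread or from F5: an iRule (Tcl) that remembers which site host the user actually reached and, when the APM expired/logout page is requested on the primary authentication host, sends the client to the same page on the site they came from. Assumptions that the thread does not state: one virtual server with one access profile serves every site-collection FQDN, APM renders its logout/expired page under the path /my.logout.php3, the cookie name OrigHost is made up, and the hostnames are the thread's own examples. Instead of rewriting the page body with a stream profile it redirects the request, and it only honours cookie values that match a fixed list of site hosts, so the cookie cannot be turned into an open redirect.

```tcl
# Added example iRule (not from the thread or from F5).
# Assumptions: same virtual server and access profile for all site FQDNs;
# APM's logout/expired page lives under /my.logout.php3; hostnames are the
# thread's examples; the cookie name "OrigHost" is invented for this example.
when RULE_INIT {
    set static::primary_host "login.contoso.com"
    # Allow-list of site hosts; only these may be used as a redirect target.
    set static::site_hosts [list "apple.contoso.com" "login.contoso.com"]
    set static::orig_cookie "OrigHost"
}

when HTTP_REQUEST {
    # Normalise the Host header: lower-case, drop any :port suffix.
    set host [string tolower [lindex [split [HTTP::host] ":"] 0]]

    # Ignore hosts that are not one of the configured site FQDNs.
    if { [lsearch -exact $static::site_hosts $host] < 0 } {
        return
    }

    if { $host ne $static::primary_host } {
        # Client is on the site it actually wanted; remember it so the
        # server response can carry the cookie (see HTTP_RESPONSE).
        set remember_host $host
        return
    }

    # On the primary auth host: is this the expired/logout page?
    if { [HTTP::path] starts_with "/my.logout.php3" } {
        set orig [string tolower [HTTP::cookie value $static::orig_cookie]]
        # Only redirect to a host from the allow-list, never to an
        # arbitrary value a client may have placed in the cookie.
        if { $orig ne "" && $orig ne $static::primary_host
             && [lsearch -exact $static::site_hosts $orig] >= 0 } {
            # Keep path and query (e.g. errorcode) so the same message shows.
            HTTP::respond 302 noserver Location "https://${orig}[HTTP::uri]"
        }
    }
}

when HTTP_RESPONSE {
    # Set the cookie on the first server response seen on a site host.
    # Domain-scoped so it is also sent to the primary auth host.
    if { [info exists remember_host] } {
        HTTP::cookie insert name $static::orig_cookie value $remember_host \
            path "/" domain ".contoso.com"
        HTTP::cookie secure $static::orig_cookie enable
        HTTP::cookie httponly $static::orig_cookie enable
        unset remember_host
    }
}
```

Attach the iRule to the virtual server that carries the access profile. Because the redirect preserves the path and query string, the expired page still renders with its original error code, just on apple.contoso.com; if the "Start a new session" link on that page is relative, clicking it re-enters the normal flow (redirect to login.contoso.com, authenticate, return to apple.contoso.com) described in the guide text quoted at the top of the thread. Add every site-collection FQDN from the iApp's FQDN table to the allow-list, or the redirect will silently not fire for that site.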