Oleg_68900
Aug 20, 2008

moving M$ SharePoint Portal Server 2003 from BIG-IP v4.x to v9.x

Guys,

I’m having trouble moving M$ SharePoint Portal Server 2003 from BIG-IP v4.x to v9.x.

MSPS uses NTLM authentication and works fine with BIG-IP v4.x.

It never asked for credentials if the site is browsed with IE and configured as trusted.

Once I moved it to BIG-IP v9.x it keeps asking for credentials on every click. :-(

I did follow the guide http://www.f5.com/pdf/deployment-guides/sharepoint-bigip9-dg.pdf

The only way to make it work is to remove the http profile (or its derivative) from the virtual server configuration completely. (HTTP Profile set to none)

But in such a case I cannot take advantage of Compression associated with the http profile.

I did some digging on the internet and didn’t find answers related to BIG-IP v9.x and the NTLM authentication problem... :-(

Will appreciate any help on troubleshooting this issue!

Here are a few more details:

0. I’m a complete newbie in v9.x

1. We have a very simple MSPS configuration with only one server behind BIG-IP

2. The Firefox Firebug plugin shows the request for the main page goes fine and then subsequent requests for CSS and/or images are failing randomly with 401 errors. I’m not an expert in NTLM authentication, but I feel authentication gets used/reused in the wrong way. I don’t use "OneConnect Profile" for the virtual server, and "OneConnect Transformations" is unchecked and "Pipelining" is set to disabled for the http profile derivative too. What else am I missing here?

 

  • F5 Field System Engineer Andrew Braverman said it might be a bug in BIG-IP 9.4.5 Build 1049.10 Final and showed a simple workaround.

    I’m still reading the BIG-IP 9.X documentation, so my understanding may not be 100% correct.

    If you see a mistake in my explanation, feel free to correct me. :-)

    Basically, once an HTTP Profile is assigned to a virtual server, the default OneConnect Profile is assigned to the same virtual server too. It is there, even if you see it set to None in the GUI.

    The (partial?) workaround will be to create a custom OneConnect Profile with Source Mask 255.255.255.255.

    This way a connection from one IP will never be shared/reused to serve requests from another IP.

    Obviously, you might get unexpected results if you have two or more people coming from the same IP (because of NAT) using different credentials.

    Namely, one person's request might be served with another person's credentials.

    I guess it would be quite difficult to troubleshoot... :-(
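
An added illustration of the reply above, not code from the thread or from F5: a simplified Python model of server-side connection reuse keyed by masked source IP, with the NTLM identity bound to the connection rather than to each request. The class names, addresses and users are constructed for the example.

```python
import ipaddress

class BackendConn:
    """Server-side connection. NTLM authenticates the connection, not each request."""
    def __init__(self):
        self.user = None

    def handle(self, handshake_user=None):
        if handshake_user:                      # NTLM handshake completed on this connection
            self.user = handshake_user
        return (200, self.user) if self.user else (401, None)

class ReusePool:
    """Simplified, hypothetical model of connection reuse keyed by masked source IP."""
    def __init__(self, source_mask):
        self.mask = int(ipaddress.IPv4Address(source_mask))
        self.conns = {}

    def forward(self, src_ip, handshake_user=None):
        key = int(ipaddress.IPv4Address(src_ip)) & self.mask
        conn = self.conns.setdefault(key, BackendConn())
        return conn.handle(handshake_user)

# Constructed traffic: (source IP, real user, whether the request carries the NTLM handshake)
REQUESTS = [
    ("192.0.2.10", "alice", True),     # alice authenticates
    ("198.51.100.7", "bob", False),    # bob's first request, no credentials sent yet
    ("192.0.2.10", "carol", False),    # carol shares alice's NAT address, no credentials yet
]

def mixups(source_mask):
    """Return users whose request was answered under someone else's identity."""
    pool, wrong = ReusePool(source_mask), []
    for src_ip, real_user, handshake in REQUESTS:
        status, served_as = pool.forward(src_ip, real_user if handshake else None)
        if status == 200 and served_as != real_user:
            wrong.append(real_user)
    return wrong

if __name__ == "__main__":
    for mask in ("0.0.0.0", "255.255.255.255"):
        print(mask, "->", mixups(mask))
```

With mask 0.0.0.0 both bob and carol are answered as alice; with 255.255.255.255 bob is challenged with a 401 as expected, but carol behind the shared NAT address is still answered as alice.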

     

  • The version 9s are very different to V4 and there are some basic configs to apply before you even start adding VIPs, Pools, iRules etc.

    I recently upgraded a number of them and we had an F5 consultant and another 3rd party baffled for ages because of severe performance and strange issues that we had not seen in the older v4s.

    It sounds like you are going through the same thing. Although it might not be spot on, I'd definitely create or change the TCP and FastL4 profiles:

    Log on to the F5 and select Virtual Servers > Profiles

    TCP Profile

    Select Protocol and TCP

    Now create a new profile called MSSP-tcp based on the parent tcp profile:

    Proxy Maximum Segment = enabled

    Proxy Buffer Low = 131072

    Proxy Buffer High = 131072

    Send Buffer = 65535

    Receive Window = 65535

    Bandwidth Delay = check custom

    Nagle’s Algorithm = check custom

    Click on Finished.

    FASTL4 Profile

    Adding the MSSP-FastL4 profile (used for the ALL rule and preventing sessions timing out) that prevents the need to keep authenticating!

    Make sure you check Idle Timeout=indefinite ENABLED!

    Now configure your SharePoint resources to use the newly created profiles.

    Out of the box F5s do not always work first time in my experience, they are a happy medium... so get the basic (rule for all!!) config in place first, then start adding your resources!

    Good Luck