OWA 2013 SSO - Client initiated form Logout
Hi!
I currently have SSO working to log into OWA 2013 via a client-initiated form. I am having an issue with the logout functionality though. Currently when a user presses logout from OWA it loops back into itself and never logs the user out (browser close required to logout).
I've used the "Deploying F5 with Microsoft Exchange 2013..." guide to set up the login part. This guide describes the following iRule to terminate inactive APM sessions (which also seems to include a logout feature).
```tcl
when RULE_INIT {
    # Already-expired cookies, used to clear the OWA cookies on logoff
    set static::cookie_sessionid [format "sessionid=null; path=/; Expires=Thur, 01-Jan-1970 00:00:00 GMT;"]
    set static::cookie_cadata [format "cadata=null; path=/; Expires=Thur, 01-Jan-1970 00:00:00 GMT;"]
    set static::cookie_usercontext [format "UserContext=null; path=/; Expires=Thur, 01-Jan-1970 00:00:00 GMT;"]
}
when ACCESS_SESSION_STARTED {
    # Do not keep a session that was started by a request carrying ua=0
    if { [string tolower [HTTP::uri]] contains "ua=0" } {
        ACCESS::session remove
    }
}
when ACCESS_ACL_ALLOWED {
    # Remove APM sessions that HTTP_RESPONSE flagged as EXCHANGE_LOGOUT
    set apm_mrhsession [HTTP::cookie value "MRHSession"]
    if { [table lookup $apm_mrhsession] == "EXCHANGE_LOGOUT" } {
        ACCESS::session remove
        table delete $apm_mrhsession
    }
}
when HTTP_REQUEST {
    set isset 0
    if {[string tolower [HTTP::uri]] starts_with "/owa" } {
        if {[string tolower [HTTP::uri]] contains "logoff" } {
            # OWA logoff: remove the APM session, expire the OWA cookies, redirect to the APM logout page
            ACCESS::session remove
            HTTP::respond 302 Location "https://[HTTP::host]/vdesk/hangup.php3" "Set-Cookie" $static::cookie_sessionid "Set-Cookie" $static::cookie_cadata "Set-Cookie" $static::cookie_usercontext
        } else {
            if { [string tolower [HTTP::uri]] contains "ua=0" } {
                set mrhsession [HTTP::cookie value "MRHSession"]
                set isset 1
            }
        }
    }
}
when HTTP_RESPONSE {
    # A ua=0 request answered with 440 flags the APM session for removal
    if { $isset == 1 } {
        if { $mrhsession != "" && [HTTP::status] == 440 } {
            table set $apm_mrhsession "EXCHANGE_LOGOUT"
            return
        }
    }
}
```
Currently when a user logs out I see it hit:
Which then loops directly back into:
What am I missing here? Any tips would be great!
Thanks
- Leonardo_SouzaCirrocumulus
Did you use the iApp for that?
https://support.f5.com/csp/article/K13497
If not, try to use it, as it configures all for you. You may also want to deploy via iApp, and then see how the logout is done, then apply to your current configuration.
- dradiant_306130Nimbostratus
Thanks Leonardo,
I have downloaded and applied iapp "; to this configuration. However the logout functionality still does not work (I don't even see an iRule that references logout when this iApp is installed).
The logout feature still loops the user back to a logged in state.
The closing of a browser behaviour has changed though with this iApp (compared to my manual setup). Now when I open a new browser and access the webmail site it prompts that an evaluation is already in progress.
Since I am now using a supported iApp is this something F5 support would be willing to look at?
- Leonardo_SouzaCirrocumulus
Maybe, you don't lose anything in trying. :P
Anyway, if you want to do more troubleshooting: I created an iApp using the same version, and the logout is done in the APM policy configuration. The URI used is "/owa/auth/logoff.aspx".
Try to access the exchange server directly, and log the HTTP requests with something like Fiddler. Then you can see what is the correct page to logout, and you can apply to your configuration.
- dradiant_306130Nimbostratus
For future users, this is how I solved the issue:
Add the logout URL (In the APM policy) of: /owa/logoff.owa
Use the following iRule to ensure logoff is done correctly:
```tcl
when HTTP_REQUEST {
    if { [HTTP::cookie exists "IsClientAppCacheEnabled"] } {
        HTTP::cookie "IsClientAppCacheEnabled" False
    }
}
```
iRule to log off:
```tcl
when RULE_INIT {
    set static::cookie_sessionid [format "sessionid=null; path=/; Expires=Thurs, 01-Jan-1970 00:00:00 GMT;"]
    set static::cookie_cadata [format "cadata=null; path=/; Expires=Thurs, 01-Jan-1970 00:00:00 GMT;"]
    set static::cookie_usercontext [format "UserContext=null; path=/; Expires=Thurs, 01-Jan-1970 00:00:00 GMT;"]
}
when ACCESS_SESSION_STARTED {
    if { [string tolower [HTTP::uri]] contains "ua=0" } {
        ACCESS::session remove
    }
}
when ACCESS_ACL_ALLOWED {
    set apm_mrhsession [HTTP::cookie value "MRHSession"]
    if { [table lookup $apm_mrhsession] == "EXCHANGE_LOGOUT" } {
        ACCESS::session remove
        table delete $apm_mrhsession
    }
}
when HTTP_REQUEST {
    set isset 0
    if {[string tolower [HTTP::uri]] starts_with "/owa" } {
        if {[string tolower [HTTP::uri]] contains "logoff" } {
            ACCESS::session remove
            HTTP::respond 302 Location "https://[HTTP::host]/vdesk/hangup.php3" "Set-Cookie" $static::cookie_sessionid "Set-Cookie" $static::cookie_cadata "Set-Cookie" $static::cookie_usercontext
        } else {
            if { [string tolower [HTTP::uri]] contains "ua=0" } {
                set mrhsession [HTTP::cookie value "MRHSession"]
                set isset 1
            }
        }
    }
}
when HTTP_RESPONSE {
    if { $isset == 1 } {
        if { $mrhsession != "" && [HTTP::status] == 440 } {
            table set $apm_mrhsession "EXCHANGE_LOGOUT"
            return
        }
    }
}
```
We also ran into an issue with being prompted that the Access Policy was already being evaluated (whenever we opened a new browser to connect). This is referenced in the iApp guide as a known issue. Use the following iRule:
```tcl
when HTTP_REQUEST {
    if { [HTTP::cookie exists "IsClientAppCacheEnabled"] } {
        HTTP::cookie "IsClientAppCacheEnabled" False
    }
}
```
- Stanislas_Piro2Cumulonimbus
Hi,
 
Instead of disabling the client App cache with APM, you can use this code to prevent the "Access policy evaluation is already in progress" page and keep the App cache enabled.
 
https://devcentral.f5.com/s/articles/outlook-web-access-client-cache-with-apm-1018
 
- Garsa_163306Nimbostratus
Hello All,
The issue here is that the condition on the portion below of the current irule does not match.
```tcl
when HTTP_REQUEST {
    set isset 0
    if { [string tolower [HTTP::uri]] starts_with "/owa" } {
        if {[string tolower [HTTP::uri]] contains "logoff" } {
            ACCESS::session remove
            HTTP::respond 302 Location "https://[HTTP::host]/vdesk/hangup.php3" "Set-Cookie" $static::cookie_sessionid "Set-Cookie" $static::cookie_cadata "Set-Cookie" $static::cookie_usercontext
            .....
```
With Portal Access the URL gets rewritten to something like:
https:///f5-w-474736e612e6174736175746f2e6e6574$$/owa/
so the condition below no longer matches.
[string tolower [HTTP::uri]] starts_with "/owa" }
Therefore the solution I came up with was to modify that portion as per below:
if {[string tolower [HTTP::uri]] matches_regex {\/f5-w-.*\$\$\/owa.*/} } {
So far no issues for me and the logout works as expected. Hopefully it helps.
Regards,
Simon
- Stanislas_Piro2Cumulonimbus
Hi,
A better solution is to evaluate ACCESS_ACL_ALLOWED instead of HTTP_REQUEST.
```tcl
when ACCESS_ACL_ALLOWED {
    set isset 0
    if { [string tolower [HTTP::uri]] starts_with "/owa" } {
        if {[string tolower [HTTP::uri]] contains "logoff" } {
            # Do not remove the session within irule but redirect to /vdesk/hangup.php3
            # ACCESS::session remove
            # Redirect to relative URI and use ACCESS::respond (HTTP::respond not supported in ACCESS_ACL_ALLOWED)
            # HTTP::respond 302 Location "https://[HTTP::host]/vdesk/hangup.php3"
            ACCESS::respond 302 Location "/vdesk/hangup.php3" "Set-Cookie" $static::cookie_sessionid "Set-Cookie" $static::cookie_cadata "Set-Cookie" $static::cookie_usercontext
            .....
```
ACCESS_ACL_ALLOWED is evaluated after rewrite.
if you want to use HTTP_REQUEST, scan is better than regex
if {[scan [string tolower [HTTP::uri]] {/f5-w-%[^$]$$/%[^/]} encresource baseuri] == 2 && $baseuri starts_with "owa" } {
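
The URI matching discussed in this thread can be checked offline before it goes into an iRule. The following is an added example, not code from any poster or from the F5 guide: plain Tcl for tclsh, in which the helper name `is_owa_logoff`, the exact-match policy on the two logout URLs mentioned in the thread, and the sample URIs are assumptions.

```tcl
# Added example: plain Tcl for tclsh. is_owa_logoff is a hypothetical helper name.
proc is_owa_logoff {uri} {
    # Look at the path only; drop the query string so it cannot influence the match.
    set path $uri
    set q [string first "?" $uri]
    if {$q >= 0} {
        set path [string range $uri 0 [expr {$q - 1}]]
    }
    set path [string tolower $path]

    # Portal Access rewrites the path to /f5-w-<hex>$$/owa/...; strip that prefix.
    if {[scan $path {/f5-w-%[0-9a-f]$$%s} enc rest] == 2} {
        set path $rest
    }

    # Assumption: only the two logout URLs named in the thread count as logoff.
    return [expr {$path eq "/owa/logoff.owa" || $path eq "/owa/auth/logoff.aspx"}]
}

# Constructed sample URIs (the f5-w- value is the one quoted in the thread).
foreach uri {
    /owa/logoff.owa
    /f5-w-474736e612e6174736175746f2e6e6574$$/owa/logoff.owa
    /owa/auth/logoff.aspx
    /OWA/Auth/Logoff.aspx?src=0
    /owa/?ae=Folder&note=logoff
    /owa/
} {
    puts [format "%-62s %d" $uri [is_owa_logoff $uri]]
}

# In an iRule the proc would be invoked with "call", for example:
#   if { [call is_owa_logoff [HTTP::uri]] } { ... }
```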