Joseph_Irvine_1
Nimbostratus
Jan 11, 2016

Performance Point Errors with F5 & Kerberos

We use the F5 for certificate-based authentication with KCD to SharePoint 2013. We have just recently set this up and are seeing an issue with opening the PerformancePoint Dashboard Designer. It goes to open Dashboard Designer and then fails out with a hangup.php3. I am not sure why the F5 would be failing at this point. I have the SETSPN for the service account running PerformancePoint. In addition, I have Claims to Windows Token Service enabled. Everything else is working fine with the Kerberos authentication. This is the first failure. Any ideas?

 

Error:

OPERATION PROGRESS STATUS

  • [1/11/2016 10:54:21 AM] : Activation of https://[URL]/_layouts/15/ppsma/1033/designer.application?Operation=OpenWebsite&SiteCollection=https://[URL]/sites/performancepoint&SiteLocation= has started.

ERROR DETAILS

Following errors were detected during this operation.

  • [1/11/2016 10:54:22 AM] System.Deployment.Application.InvalidDeploymentException (ManifestParse)
  • Exception reading manifest from https://[URL]/vdesk/hangup.php3: the manifest may not be valid or the file could not be opened.

Thank you,

Joseph Irvine

3 Replies

  • Lucas_Thompson_
    Historic F5 Account

    It sounds like you're trying to use Microsoft "ClickOnce". This is basically a way for a Windows Client to grab a signed link from a web page to install a Windows thick client App, instead of the normal "save as", "run" operation that you have to do from a web browser. To the end user it looks sort of like a pseudo Web App, but in reality it's just the web browser calling Windows Explorer to download the URL, validate a signature, then install an app. It's not really integrated into the browser at all from a technical standpoint.

     

    If you're getting to hangup, it's probably because the client PC (Explorer process I think) isn't transmitting the APM session cookie (from the browser process) to APM. Try using Persistent Cookies in the Access Profile and IE browser and make sure APM is in Trusted Sites -- probably then Explorer will be able to read the browser's cookie and transmit it when it goes to grab the ClickOnce windows executable installer.

     

    Be sure to google up a bit more on ClickOnce. There are some important security considerations when using this type of system.

     

    Note also that ClickOnce does NOT (it's not technically possible) operate correctly via Portal Access or Application Tunnels.

     

  • I appreciate the response Lucas!

     

    What APM address would I be adding to Trusted Sites in IE? I have the address of our SharePoint portal in the IE Trusted Sites. Would I add the IP for our F5 to Trusted Sites?

     

    Thank you,

     

    Joseph Irvine

     

  • Lucas_Thompson_
    Historic F5 Account

    Security cannot be positively established by an IP-based address using HTTPS (because of how certificates work) -- you should be accessing it by hostname, like https://vpn.example.com. That's what you would add into the "Trusted Sites" security zone. To understand why these settings can be important when running what MS calls "Active Content", among other things, check out this MSDN article about security zones:

     

    https://technet.microsoft.com/en-us/library/dd361896.aspx
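
The two symptoms discussed in this thread can be read straight out of a ClickOnce error log. The script below is an added example, not code from any poster or from F5: it compares the activation URL with the URL the manifest was actually read from and flags the `/vdesk/hangup.php3` case and an IP-literal host. The sample log, the hostname `sharepoint.example.com`, and the finding names are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample modeled on the log in the question; the hostname is a placeholder.
SAMPLE_LOG = (
    "[1/11/2016 10:54:21 AM] : Activation of https://sharepoint.example.com"
    "/_layouts/15/ppsma/1033/designer.application?Operation=OpenWebsite has started.\n"
    "[1/11/2016 10:54:22 AM] System.Deployment.Application."
    "InvalidDeploymentException (ManifestParse)\n"
    "Exception reading manifest from https://sharepoint.example.com"
    "/vdesk/hangup.php3: the manifest may not be valid or the file could not be opened.\n"
)

ACTIVATION_RE = re.compile(r"Activation of (\S+) has started")
MANIFEST_RE = re.compile(r"Exception reading manifest from (\S+?): ")
HANGUP_PATH = "/vdesk/hangup.php3"  # APM path seen in the thread's error


def is_ip_literal(host):
    """True when the host is an IP address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def diagnose(log_text):
    """Return finding codes (names are this example's own) for a ClickOnce error log."""
    activation = ACTIVATION_RE.search(log_text)
    manifest = MANIFEST_RE.search(log_text)
    if not activation or not manifest:
        return []  # no failed manifest read to analyse
    requested = urlsplit(activation.group(1))
    served = urlsplit(manifest.group(1))
    findings = []
    if served.path.lower() == HANGUP_PATH:
        # Manifest fetch ended at APM's hangup page, which the first reply
        # attributes to the request not carrying the APM session cookie.
        findings.append("apm-session-missing")
    elif (served.hostname, served.path) != (requested.hostname, requested.path):
        findings.append("manifest-url-changed")
    if is_ip_literal(requested.hostname or ""):
        # The second reply advises using the hostname, not an IP, in Trusted Sites.
        findings.append("ip-literal-host")
    return findings


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```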