Forum Discussion

Jason_46956's avatar
Icon for Nimbostratus rankNimbostratus
Dec 15, 2011

Placing APM in front of SharePoint 2010




Having some difficulties in getting APM to work with Sharepoint 2010. This is on a F5 running latest 11.1 version.



The APM bit to collect username and password and authenticating to our AD server works fine. The problem is that Sharepoint is insisting on asking for its own Form based authentication credentials as well - we want to use SSO.



I have tried basic, ntlm's and form based SSO - none of them seem to want to work.



I am no expert in Sharepoint, but I have been assured that using the Forms based authentication is required as Basic authentication wont work with an external LDAP provider.



The Form that Sharepoint presents has silly field names like:









When plug these into the SSO and try to connect I can see from a network snoop that Sharepoint is just sending back the logon form again - no reason why it is rejecting it.



I suspect that it requires some extra hidden fields or cookies to work - but how do I work out what?



As a debugging tool I am trying commands like this from the F5 console:


curl --trace - -d 'ctl00$PlaceHolderMain$signInControl$login=Sign%20In' -d 'ctl00$PlaceHolderMain$signInControl$UserName=wilsonjp' -d 'ctl00$PlaceHolderMain$signInControl$password=BOGUS' http://spointextweb/_forms/default.aspx



Anybody have any ideas? We have SSO working with Apache, Tomcat, Weblogic, etc - this is the first Sharepoint deployment.



Thanks for any assistance!





8 Replies

  • mikeshimkus_111's avatar
    Historic F5 Account
    hi Jason, our guidance for using SharePoint with an SSO in APM requires setting the SharePoint servers to NTLM authentication. I don't believe we have anything yet for using a forms-based SSO, but I will double-check. Is it possible to change the authentication mode on your SharePoint farm?
  • Thanks for the advice.



    After much effort I have managed to get the business o rebuuld heir SharePoint and configured it to use NTLM based authentication - this is now working well with SSO.



    The next problem comes when they wish to use the 'feature' of allowing users to download, for example, a Microsoft Word document and edit he document. Internet Explorer offloads the downloading to Word, which when it hits the APM module fails as it doesn't seem to understand cookies and web logon forms.



    I am trying to find some information on how Microsoft handles passing authentication credentials between IE and Word - does anybody have any idea?



  • Jason,



    Assuming you are still running v11.1, just check Persistent cookie option under SSO/Auth tab of the Access Policy, and you should be good to go.
  • Michael,



    Thanks for that - did the trick. Customer is now happy (always a good sign!).





  • InnO's avatar
    Icon for Nimbostratus rankNimbostratus



    I was able to make any form of SSO work well with Sharepoint 2010 and 2013 : NTLM, Kerberos, and Form-Based with 11.4.x. For this last one, you have to use the Form-Based Client Initiated. Be careful though, using this feature can make a TMM core occur. Opened a support ticket with F5, they were able to identify a bug, and recently provided us an engineering hotfix which correct that (among 300+ other bugs).


  • Would you share your Form Based SSO config details? Unless it's that same as in F5 Guide for APM




  • InnO's avatar
    Icon for Nimbostratus rankNimbostratus

    I had to use a Form-Based Client Initiated SSO with the config described in the 11.4 manual. Originally designed for SP2010, this works fine with SP2013 as the form is the same. I was not able to use the standard APM Form-Based SSO though.


  • Here is a write-up with similar characteristics. Write up by Joe