Forum Discussion
Sharepoint 2013 APM Session Expiration
I would like that when a user logs out of the Sharepoint 2013 site the APM/LTM session is cleared. Instead the APM session remains, so when the user goes back to the URL, they are not prompted to authenticate again; they go directly to the site. I have another portal site that doesn't display this behavior; the APM session disappears as soon as the person logs out.
11 Replies
- Matt_Dierick
Employee
Hi Alvin,
I don't know if it is a SHRP13 issue but I have the same behavior here. I'm investigating. Actually, you need to set the Logout URI in your Policy configuration so that this URI can be caught by APM to close the APM session. Did you set it up? What is the BIGIP release?
I encountered this issue yesterday and will investigate this week because APM does not seem to catch the URI.
If someone else can help us, it will be really appreciated :-)
Take care. Matt
- Kevin_Stewart
Employee
I believe that's exactly what you need to do. You can specify multiple logout URIs in the access policy configuration (Logout URI Include). You can alternately do this in an iRule, but I'd try the GUI config first.
- mikeshimkus_111
Historic F5 Account
I've filed a request to get this updated in the next release of the SharePoint iApp. Thanks for bringing it to our attention.
Mike
- Alvin_94738
Nimbostratus
Thanks all. The issue resolved itself. The logout URI I have is /_layouts/15/SignOut.aspx. This setting was in place when I experienced the issue. All I did yesterday was to remove the URI and put it back in. Now the APM sessions are closing when the users log out.
- Eric_Raff_11012
Nimbostratus
The issue seems to be the lack of support for * logic in the Logout URI. For example, if I have /_layouts/15/SignOut.aspx listed, it works fine IF I invoke logout from a site at this URI: https://myapps.example.com which produces a logout URI of https://myapps.example.com/_layouts/15/SignOut.aspx and all works well. However, if I invoke logout from a site at this URI: https://myapp.example.com/sites/foobar which produces a logout URI of https://myapp.example.com/sites/foobar/_layouts/15/SignOut.aspx then APM does NOT pick up the match in the logout URI field and it does NOT clear my APM session. Not cool.
- BrettReed_16317
Nimbostratus
Did anyone ever find an answer to this issue? I am experiencing it too - SharePoint 2013 BigIP 11.6.1
- Stanislas_Piro2
Cumulonimbus
There is a logout URI for each SharePoint site:
 
- /site1/_layouts/15/SignOut.aspx
- /site2/_layouts/15/SignOut.aspx
- /site3/_layouts/15/SignOut.aspx
APM does not support wildcards in the signout URI, so you need to list all logout URIs or create an iRule.
 
You can use the following code, which allows logout (with redirect to the APM logout page) and many more features:
 
https://devcentral.f5.com/s/articles/apm-sharepoint-authentication
 
- HussainT_289006
Nimbostratus
If you have set your LTM as round robin then create a cookie persistence profile and link it to the Virtual server ==> resources ==> Default persistence profile. This should solve the issue in SharePoint.
- mikeshimkus_111
Historic F5 Account
Alvin, Eric, Stanislas, Brett:
Try assigning this iRule to the SharePoint virtual server (if you are using the iApp template, you can attach it with the iApp and you won't need to disable strictness like you would if you edited the logout URI list manually):
```tcl
when HTTP_REQUEST {
    if { [string tolower [HTTP::uri]] contains "_layouts/15/signout.aspx" } {
        ACCESS::session remove
        HTTP::redirect https://[HTTP::header host]/vdesk/hangup.php3
    }
}
```
- Stanislas_Piro2
Cumulonimbus
mikeshimkus,
In the code I redirected to, this is what I did.
I have some comments about your iRule:
As the URI always ends with /_layouts/15/signout.aspx, it is better to use ends_with instead of contains.
When the browser hits the URI /vdesk/hangup.php3, the session is closed. There is no need to close the session in the iRule.
ACCESS_ACL_ALLOWED is better than HTTP_REQUEST. Unauthenticated requests do not need to be redirected to the logout URI.
And why do lots of iRules contain Host in the redirect?
The iRule is:
```tcl
when ACCESS_ACL_ALLOWED {
    if { [string tolower [HTTP::path]] ends_with "_layouts/15/signout.aspx" } {
        ACCESS::respond 302 noserver Location "/vdesk/hangup.php3"
    }
}
```
- eric_haupt1
Nimbostratus
Stanislas, I like your solution and it works well for my deployment. Thanks.
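Added example, not posted by anyone in the thread: a small Python model of the three matching strategies discussed above (the access profile's logout URI list, the `contains` test on `HTTP::uri`, and the `ends_with` test on `HTTP::path`), run over constructed request URIs. Treating the profile list as an exact path comparison is an assumption based on what the posters report; the function names and sample URIs are made up for illustration.

```python
from urllib.parse import urlsplit

SIGNOUT = "_layouts/15/signout.aspx"
# Logout URI value quoted in the thread.
LOGOUT_URI_LIST = ["/_layouts/15/SignOut.aspx"]


def profile_list(uri):
    """Model of the profile's logout URI list (assumption: no wildcard,
    the request path must equal a listed entry)."""
    return urlsplit(uri).path in LOGOUT_URI_LIST


def uri_contains(uri):
    """First iRule: [string tolower [HTTP::uri]] contains ...
    HTTP::uri includes the query string."""
    return SIGNOUT in uri.lower()


def path_ends_with(uri):
    """Second iRule: [string tolower [HTTP::path]] ends_with ...
    HTTP::path excludes the query string."""
    return urlsplit(uri).path.lower().endswith(SIGNOUT)


# Constructed request URIs (not taken from a real deployment).
SAMPLES = [
    "/_layouts/15/SignOut.aspx",                                    # root site
    "/sites/foobar/_layouts/15/SignOut.aspx",                       # sub-site
    "/sites/foobar/_layouts/15/signout.aspx?Source=%2Fsites%2Ffoobar",
    "/sites/foobar/page.aspx?ref=/_layouts/15/SignOut.aspx",        # not a sign-out
    "/sites/foobar/default.aspx",
]


def matrix():
    """Return {uri: (profile_list, uri_contains, path_ends_with)}."""
    return {u: (profile_list(u), uri_contains(u), path_ends_with(u))
            for u in SAMPLES}


if __name__ == "__main__":
    print("list   contains  ends_with  uri")
    for uri, (a, b, c) in matrix().items():
        print(f"{a!s:<6} {b!s:<9} {c!s:<10} {uri}")
```

In this model the sub-site sign-out is missed by the list entry, and the `contains` test also fires on a request that only mentions the sign-out page in its query string, while the `ends_with` test on the path matches exactly the sign-out requests.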