eirikn
Apr 27, 2016

Sharepoint 2013 Login redirect iRule problems

Hi,

I'm having a problem with an iRule applied to a VS load balancing a SharePoint site.

 when HTTP_REQUEST {
   switch [HTTP::host] {
     sh.domain.com {
       if { [active_members SHAREPOINT_2013_HTTPS_pool] < 1 } {
         # No pool member is up: answer locally and stop, so that no second
         # response (the redirect below) is attempted for the same request
         HTTP::respond 200 content {some content}
         return
       }
       # Internal clients asking for the login page go straight to Windows auth
       if { ( [string tolower [HTTP::uri]] contains "login.aspx" ) and ( [IP::addr [IP::client_addr] equals 10.0.0.0/8] ) } {
         HTTP::redirect "https://sh.domain.com/_windows/default.aspx?ReturnUrl=/"
       }
       pool SHAREPOINT_2013_HTTPS_pool
     }
     sh.domain2.com {
       if { [active_members SHAREPOINT_2013_HTTPS_pool] < 1 } {
         HTTP::respond 200 content {some content}
         return
       }
       if { ( [string tolower [HTTP::uri]] contains "login.aspx" ) and ( [IP::addr [IP::client_addr] equals 10.0.0.0/8] ) } {
         HTTP::redirect "https://sh.domain2.com/_windows/default.aspx?ReturnUrl=/"
       }
       pool SHAREPOINT_2013_HTTPS_pool
     }
   }
 }

What happens:

Internal users:

User wants to access URL: https://sh.domain.com/testguy

Without the iRule, internal clients connect to the SharePoint site from an IP in the 10.0.0.0/8 subnet, and are automatically redirected to a SharePoint login page. The user then has to click a link to log in. Clicking this link does nothing but redirect to https://sh.domain.com/_windows/default/.aspx?ReturnUrl=/testguy

With the iRule, internal clients bypass the login screen correctly, but they are redirected to the home page of SharePoint (another redirect that happens when you request https://sh.domain2.com/_windows/default.aspx?ReturnUrl=/)

Trying to access the original URL: https://sh.domain.com/testguy again within the same browser now works correctly because the user is never redirected to the login page, and is therefore just sent straight to the pool.

External users:

This is currently working as expected. They are sent to the login page, have to click the login button and present credentials, and are then redirected to the correct page.

How can I have my internal users bypass the login page and be automatically redirected to the requested URI?

Is there a way to append the original URI to https://sh.domain2.com/_windows/default.aspx?ReturnUrl=/[HTTP::uri] without causing a redirection loop?

I have tried the above statement, but it creates a loop because the HTTP::uri is now the login page.

Appreciate all input!

1 Reply

  • Hello,

    I think that the login page does a little more than just redirecting an internal user to the initially requested page. Maybe SharePoint does Kerberos auth or adds some session cookies.

    Maybe you can try to replace ReturnURL=/ by ReturnURL=[HTTP::path] or returnURL=[HTTP::uri]

    Can you post the complete URI used for the login page?

    One way can be to trap the original URI when seeing the Login.aspx request and replace the returnURL query string present in the header Location of the 302 redirect response.
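
The approach from the last paragraph of the reply, as an added example that is not part of the thread: the URI is saved on the request and the pool's 302 to the login page is rewritten on the response, so `HTTP::uri` is never the login page and no loop occurs. It assumes the pool answers an unauthenticated request with a redirect whose Location contains "login.aspx", and it would take the place of the `login.aspx` branch in the posted rule.

```tcl
when HTTP_REQUEST {
  # Remember what the client originally asked for and whether it is internal.
  set orig_uri [HTTP::uri]
  set internal [IP::addr [IP::client_addr] equals 10.0.0.0/8]
}

when HTTP_RESPONSE {
  # Only touch redirects to the login page that are sent to internal clients.
  if { !$internal || ![HTTP::is_redirect] } { return }
  if { !([string tolower [HTTP::header value Location]] contains "login.aspx") } { return }

  # ReturnUrl must stay a local path: reject anything that is not rooted at a
  # single "/", since "//host" or "/\host" would make it an open redirect,
  # and fall back to "/" if the saved URI is itself the login page.
  set target $orig_uri
  if { !($target starts_with "/") || ($target starts_with "//") ||
       ($target starts_with "/\\") ||
       ([string tolower $target] contains "login.aspx") } {
    set target "/"
  }

  # A relative Location keeps the client on the host it already used and
  # avoids reflecting the Host header into the redirect.
  HTTP::header replace Location "/_windows/default.aspx?ReturnUrl=[URI::encode $target]"
}
```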