Forum Discussion
SharePoint 2013 Search re-write host
Adam,
I am running into the same issue with our SharePoint 2013 + ADFS deployment. First off, you can't have search crawl a non-Default zone. Other things start blowing up. You are also correct with the server name mappings... changing those just changes the "Green" link displayed on the page but not the URL to the item itself. (So what's the point of this option? Really, I want to know!)
In our config we did the following:
- Configured the Default Zone for HTTPS on Port 444 using NTLM as the Auth provider.
- Make sure all other sites like My and Search are configured the same.
- Extend the sites to one of the other zones. It doesn't matter which, just make sure they are the same zones. In our case we used HTTPS on Port 443 and picked our SAML claims provider in the "Custom" zone.
- We then send internal and external traffic through the F5 using the most current iApp Template for SharePoint (V1.1)
This will get you 95% of the way. I have three issues that I can't resolve. NewsFeeds always have the Default Zone URLs. Not sure why this is. So when you follow people, sites or documents the URL to them will contain the 444 site. The other issue we have run into with SAML is that the WebDAV mapped drives to SharePoint document libraries time out. WebDAV doesn't know how to re-auth with SAML. The last issue is that none of the Microsoft iOS Office apps work with On-Prem SAML SharePoint.
I was hoping that I could do a "re-write" for the NewsFeeds with the F5. The issue we have with WebDAV is a little harder to fix. It doesn't look like you can tweak the Auth Token to make it work. Maybe one of you F5 wiz kidz can figure something out. The closest thing I can get to work is changing the ADFS auth token to 8 hours and then changing everyone's IE home page to SharePoint. :) It will authenticate them when they go to check the morning news and keep it active for the "working" hours. However, this opens some possible security issues.
Now the mobile app thing is another strange beast. When I go through the F5 I can't get them to work at all. Yet if I bypass the F5 and go to the WFE I can get the Android mobile app to work 100% of the time and the iOS app to work during the life of the Auth Token.
I have a case open with Microsoft on the NewsFeeds and iOS app issues but I would be interested if you or anyone here has figured out a workaround with the F5. In short, SAML "works" with SharePoint 2013. Just not fully from what I can tell. However, these shortcomings should be manageable with some F5 hackery. Any ideas, community?