APM Sharepoint authentication
Thank you for sharing, it has got me a long way to a successful configuration.
I have built up a SharePoint installation using SSO with PKI to Kerberos. So the user presents their certificate because of the client SSL profile. After client cert inspection and OCSP in the access profile, an SSO configuration does the Kerberos lookup to pass to SharePoint.
Now I have added OWA on a separate VIP which also checks client certificate.
The iRule takes care of switching to clientless mode when OWA connects to the SharePoint VIP. I have modified it to also check that the OWA request is from a known list. I have modified the access policy to bypass client cert inspection based on the above change to the iRule. I also found I had to switch to clientless mode when user-agent = microsoft office protocol discovery.
I don't think I have any forms based authentication so I have removed that code from the iRule.
What I would be interested in is some commentary as to how the iRule works please. Are you able to share the access policy as well please? Thank you.