For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

APM Sharepoint authentication

Problem this snippet solves: Updated version to support Webdav with windows explorer after Nicolas's comment. APM is a great authentication service but it does it only with forms. The default be...
Published Apr 20, 2016
Version 1.0
BIG-IP Access Policy Manager (APM)
editing office documents
iRules
ms-ofba
programmability contest
security
sharepoint
Andy_from_Sandy's avatar
Andy_from_Sandy
Icon for Nimbostratus rankNimbostratus
Sep 07, 2016

Thank you for sharing, it has got me a long way to a successful configuration.

 

I have built up a sharepoint installation using SSO with PKI to Kerberos. So the user presents there certificate because of client ssl profile. After client cert inspection and OCSP in access profile a SSO configuration does the Kerberos lookup to pass to SharePoint.

 

Now I have added OWA on a separate VIP which also checks client certificate.

 

The iRule takes care of switching to clientless mode when OWA connects to SharePoint VIP. I have modified it to also check for the OWA request is from a known list. I have modified the access policy to bypass client cert inspection based on above change to iRule. I also found I had to switch to clientless mode when user-agent = microsoft office protocol discovery.

 

I don't think I have any forms based authentication so I have removed that code from the iRule.

 

What I would be interested in is some commentary as to how the iRule works please. Are you able to share the access policy as well please? Thank you.