Forum Discussion

dp_119903
Feb 01, 2017

APM SAML + Kerberos + Persistent cookie + Word

I have a strange thing that is occurring in my environment that I'm trying to isolate.

We have a merged company with half of our users on one AD domain and the other half on another AD domain, and then a new domain slowly coming up that we are all migrating to. For the sake of conversation I'm going to call them "old_domain_a", "old_domain_b" and "new_domain".

We have SharePoint set up in both "old_domain_a" as well as "new_domain".

SharePoint is behind LTM in both environments.

We are using an external IDP, so when a user accesses SharePoint (in either environment) they hit the F5, and the F5 has an access policy with SAML authentication that redirects them to the external IDP. They authenticate against the external IDP and then come back to the F5. The F5 then takes the username that is presented in the SAML assertion and reaches out to Kerberos to obtain a ticket/token for the user, and then the user is SSO'd into the application (SharePoint).

All of this works well.

This past week we released a corporate communication that included a link to a Word document that is located in SharePoint.

In the past I have encountered issues with users authenticating to SharePoint but having issues opening up documents in the thick clients b/c Word, Excel, etc. didn't know about the authenticated session. So we have the "persistent" cookie setting within APM.

So here's the scenario. The user from "old_domain_a" goes to this email and clicks the link for the document. They go out to the IDP, they authenticate and they are able to successfully open the document in a browser-like Word window. That works fine. However, if the user clicks "open in Word" then they suddenly get a Windows Security popup with their "old_domain_a" listed as the domain. From there on, any link that they select within the new SharePoint environment that is in "new_domain" prompts them for authentication. It's almost as if once they click "open in Word" their Kerberos ticket gets ignored or discarded. I would expect it to work b/c of the persistent setting, but it doesn't appear to.

With that said, if users from "old_domain_b" click this same link they log in the same way (via the external IDP), but when they click "open in Word" it opens up and they don't run into any issues.

...lost
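One way to check the "persistent cookie" half of this question, as an added example that is not part of the original post: a thick client such as Word opens the URL in its own HTTP stack, so it can only reuse the browser's APM session if the cookie was set with a future Expires or a Max-Age rather than as a session-only cookie. The script below parses Set-Cookie headers from a constructed capture and reports which cookies would survive; the APM cookie names (MRHSession, LastMRH_Session) are assumed from memory of F5 documentation and the sample values are made up.

```python
# Added example, not from the original post or from F5.
# Classifies Set-Cookie headers as session-only or persistent so you can see
# whether an APM session cookie could be reused outside the browser process.
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample capture: one session-only cookie, one persistent cookie.
# Cookie names are assumed APM names; values are placeholders.
SAMPLE_HEADERS = [
    "MRHSession=0123456789abcdef; path=/; secure; HttpOnly",
    "LastMRH_Session=abcd1234; path=/; Expires=Wed, 01 Feb 2017 20:00:00 GMT; secure",
]
# Fixed reference time so the Expires comparison is deterministic.
NOW = datetime(2017, 2, 1, 12, 0, tzinfo=timezone.utc)


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def is_persistent(cookie: dict, now: datetime) -> bool:
    """Persistent only if Max-Age is positive or Expires lies in the future.

    Max-Age takes precedence over Expires, as in RFC 6265.
    """
    attrs = cookie["attrs"]
    if "max-age" in attrs:
        return int(attrs["max-age"]) > 0
    if "expires" in attrs:
        return parsedate_to_datetime(attrs["expires"]) > now
    return False  # no lifetime attribute: dies with the browser process


def audit_cookies(headers: list, now: datetime) -> dict:
    """Map cookie name -> True if a thick client could still present it."""
    return {c["name"]: is_persistent(c, now)
            for c in (parse_set_cookie(h) for h in headers)}


if __name__ == "__main__":
    for name, persistent in audit_cookies(SAMPLE_HEADERS, NOW).items():
        print(f"{name}: {'persistent' if persistent else 'session-only'}")
```

Point the same parser at the real Set-Cookie headers from the APM virtual server (browser dev tools or a packet capture) to confirm the session cookie actually carries a lifetime when the policy's persistent setting is on.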