Forum Discussion

riraccuia
Jul 09, 2015

F5 APM OWA o365 SSO Form Based Authentication Issues

Hello there, we'd like to configure our v11.6 F5 box to provide access to Exchange 2013 / MS o365 web-based email, using APM to enforce two-factor authentication (AD + OTP) on an HTTPS virtual server. The authentication part is OK and the policy log shows that the ending is "Allow". After that the authenticated user is redirected to his o365 landing home page, which displays his latest emails. At this point any attempt to click on any item in the page produces no result. When looking at the session logs, I noticed that right after the webtop gets assigned and the Websso form-based auth is triggered, APM says "Session deleted due to user logout request", which of course the user has not requested.

What am I missing?

Session Logs:

Jul  9 17:47:02 MY-F5 notice apd[5923]: 01490220:5: c1f370de: Pool '/Common/mail.o365.mydomain.com' assigned
Jul  9 17:47:02 MY-F5 info apd[5923]: 01490004:6: c1f370de: Executed agent '/Common/WEBMAIL_act_resource_assign_2_ag', return value 0
Jul  9 17:47:02 MY-F5 notice apd[5923]: 01490005:5: c1f370de: Following rule 'fallback' from item 'TEST_OWA' to ending 'Allow'
Jul  9 17:47:02 MY-F5 notice apd[5923]: 01490102:5: c1f370de: Access policy result: Web_Application
Jul  9 17:47:02 MY-F5 info apd[5923]: 01490004:6: c1f370de: Executed agent '/Common/WEBMAIL_end_allow_ag', return value 0
Jul  9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.assigned.pool' set to '/Common/mail.o365.mydomain.com'
Jul  9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.assigned.resources.pa' set to '/Common/OWA_TEST'
Jul  9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.assigned.uuid' set to 'tmm.uuid./Common/WEBMAIL.userid'
Jul  9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.assigned.webtop' set to '/Common/WebTop_Test'
Jul  9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.ldap./Common/WEBMAIL_act_ldap_auth_ag.authresult' set to '1'
Jul  9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.ldap./Common/WEBMAIL_act_ldap_auth_ag.errmsg' set to ' '
Jul  9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.ldap./Common/WEBMAIL_act_ldap_auth_ag.errmsgext' set to ' '
Jul  9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.ldap./Common/WEBMAIL_act_ldap_auth_ag.totalEntries' set to '0'
Jul  9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.ldap.last.authresult' set to '1'
Jul  9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.ldap.last.errmsg' set to ' '
Jul  9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.ldap.last.errmsgext' set to ' '
Jul  9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.ldap.last.totalEntries' set to '0'
Jul  9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.logon.last.password' set to '**********'
Jul  9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.logon.last.username' set to 'userid@mydomain.ad'
Jul  9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.logon.page.errorcode' set to '0'
Jul  9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.policy.result' set to 'allow'
Jul  9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.policy.result.start_uri' set to '/f5-w-68747470733a2f2f7765626d61696c2e6d79646f6d61696e2e636f6d$$/owa/'
Jul  9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.policy.result.webtop.type' set to 'web_application'
Jul  9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.radius./Common/WEBMAIL_act_radius_auth_ag.attr.class' set to '0x661905fe00000137000102000aef19aa00000000000000000000000001d0b703690c67f0000000000000129d'
Jul  9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.radius./Common/WEBMAIL_act_radius_auth_ag.attr.framed-protocol' set to '1'
Jul  9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.radius./Common/WEBMAIL_act_radius_auth_ag.attr.service-type' set to '2'
Jul  9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.radius./Common/WEBMAIL_act_radius_auth_ag.errmsg' set to ' '
Jul  9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.radius./Common/WEBMAIL_act_radius_auth_ag.result' set to '1'
Jul  9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.radius.last.attr.class' set to '0x661905fe00000137000102000aef19aa00000000000000000000000001d0b703690c67f0000000000000129d'
Jul  9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.radius.last.attr.framed-protocol' set to '1'
Jul  9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.radius.last.attr.service-type' set to '2'
Jul  9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.radius.last.errmsg' set to ' '
Jul  9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.radius.last.result' set to '1'
Jul  9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.sso.token.last.password' set to '**********'
Jul  9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.sso.token.last.username' set to 'userid@mydomain.ad'
Jul  9 17:47:02 MY-F5 info apd[5923]: 01490007:6: c1f370de: Session variable 'session.webtop.customization.group' set to '/Common/WebTop_Test_customization'
Jul  9 17:47:02 MY-F5 info websso.0[12351]: 014d0015:6: c1f370de: Websso form-based authentication for user 'userid@mydomain.ad' using config '/Common/OWA_365'
Jul  9 17:47:06 MY-F5 notice tmm2[11808]: 01490501:5: c1f370de: Session deleted due to user logout request.
Jul  9 17:47:44 MY-F5 notice tmm2[11808]: 01490521:5: c1f370de: Session statistics - bytes in: 161950, bytes out: 1593105


And here's the sso config

apm sso form-based /Common/OWA_365 {
    form-action https://webmail.mydomain.com/owa/auth.owa
    form-field "destination https://webmail.mydomain.com/owa/
flags 4
forcedownlevel 0
passwordText
isUtf8 1
trusted 4"
    form-password password
    form-username username
    start-uri /owa/auth/logon.aspx*
}
apm resource portal-access /Common/OWA_TEST {
    acl-order 2
    customization-group /Common/OWA_TEST_resource_web_app_customization
    flash-patching false
    items {
        item {
            client-caching-type no-cache
            compression-type none
            home-tab false
            host webmail.mydomain.com
            log packet
            order 1
            paths /*
            port 443
            scheme https
            session-timeout false
            session-update false
            sso /Common/OWA_365
            subnet 0.0.0.0/0
        }
    }
    path-match-case false
    scheme-patching true
}
apm resource webtop /Common/WebTop_Test {
    customization-group /Common/WebTop_Test_customization
    portal-access-start-uri https://webmail.mydomain.com/owa/
    webtop-type portal-access
}

Thanks in advance for your help
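The session log above shows the "Session deleted due to user logout request" message (id 01490501) four seconds after the Websso form-based authentication message (id 014d0015), and the access profile posted later in this thread lists /owa/auth/logoff.aspx under logout-uri-include with logout-uri-timeout 5. The first check worth running against /var/log/apm is therefore whether that "SSO, then logout-request deletion within the logout-URI timeout" pattern recurs across sessions, which points at something other than the user reaching the logout URI. The script below is an added example, not code from the post or from F5: it parses lines in the format shown above (the sample lines are constructed to mirror the post; the second session id is made up), groups them by session id and flags sessions deleted within the window. The window default of 5 seconds is taken from the profile's logout-uri-timeout on the assumption that this setting is the delay between a logout-URI hit and session deletion.

```python
"""Flag APM sessions deleted by a 'logout request' within seconds of Web SSO.

Added example, not from the original post or from F5. It assumes the APM
session log format shown in the post: syslog timestamp, host, level,
process[pid], message id, 8-hex-digit session id, message text. The two
message ids are copied from the post's log.
"""
import re
from collections import defaultdict
from datetime import datetime

MSG_WEBSSO_FORM = "014d0015"     # "Websso form-based authentication for user ..."
MSG_SESSION_LOGOUT = "01490501"  # "Session deleted due to user logout request."

# Line shape from the post. Syslog carries no year, so one is supplied at parse time.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"\S+ \w+ [\w.]+\[\d+\]: "
    r"(?P<msgid>[0-9a-f]{8}):\d: (?P<sid>[0-9a-f]{8}): (?P<msg>.*)$"
)

# Constructed sample. Session c1f370de mirrors the post (SSO at :02, deleted at :06);
# session 7b21e9a0 is a made-up healthy session whose logout comes half an hour later.
SAMPLE_LOG = """\
Jul  9 17:47:02 MY-F5 notice apd[5923]: 01490005:5: c1f370de: Following rule 'fallback' from item 'TEST_OWA' to ending 'Allow'
Jul  9 17:47:02 MY-F5 info websso.0[12351]: 014d0015:6: c1f370de: Websso form-based authentication for user 'userid@mydomain.ad' using config '/Common/OWA_365'
Jul  9 17:47:06 MY-F5 notice tmm2[11808]: 01490501:5: c1f370de: Session deleted due to user logout request.
Jul  9 17:47:44 MY-F5 notice tmm2[11808]: 01490521:5: c1f370de: Session statistics - bytes in: 161950, bytes out: 1593105
Jul  9 18:02:10 MY-F5 info websso.0[12351]: 014d0015:6: 7b21e9a0: Websso form-based authentication for user 'other@mydomain.ad' using config '/Common/OWA_365'
Jul  9 18:31:55 MY-F5 notice tmm1[11808]: 01490501:5: 7b21e9a0: Session deleted due to user logout request.
"""


def parse_apm_log(text, year=2015):
    """Group (timestamp, message id, message) tuples by APM session id, sorted by time."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a session-scoped APM line, or a format we do not handle
        stamp = " ".join(m["ts"].split())  # collapse the double space in "Jul  9"
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        sessions[m["sid"]].append((ts, m["msgid"], m["msg"]))
    for events in sessions.values():
        events.sort(key=lambda e: e[0])
    return dict(sessions)


def find_premature_logouts(sessions, window_seconds=5):
    """Return {session id: seconds} for sessions whose first logout-request deletion
    happened within window_seconds of the last preceding Web SSO event.

    window_seconds defaults to the profile's logout-uri-timeout (5) on the assumption
    that this is the delay between a logout-URI request and session deletion.
    """
    hits = {}
    for sid, events in sessions.items():
        logouts = [ts for ts, mid, _ in events if mid == MSG_SESSION_LOGOUT]
        if not logouts:
            continue
        first_logout = logouts[0]
        sso_before = [ts for ts, mid, _ in events
                      if mid == MSG_WEBSSO_FORM and ts <= first_logout]
        if not sso_before:
            continue
        delta = (first_logout - sso_before[-1]).total_seconds()
        if delta <= window_seconds:
            hits[sid] = delta
    return hits


if __name__ == "__main__":
    for sid, secs in find_premature_logouts(parse_apm_log(SAMPLE_LOG)).items():
        print(f"{sid}: deleted {secs:.0f}s after Web SSO; check what requested the logout URI")
```

Run it against a copy of /var/log/apm instead of SAMPLE_LOG to see how many sessions are hit; if every OWA session shows up with a delta at or just under the logout-uri-timeout, the logout is being triggered by the application traffic rather than by the user.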

  • For everyone's information, this is how I solved the problem:

    when HTTP_REQUEST {
        # For OWA 2013: answer the HTML5 appcache manifest request with an
        # empty 200 instead of proxying it to Exchange
        if { [HTTP::uri] starts_with "/owa/manifests/appCacheManifestHandler.ashx" } {
            HTTP::respond 200 content {} noserver
        }
    }
    
  • The Policy:

    apm policy access-policy /Common/WEBMAIL {
        default-ending /Common/WEBMAIL_end_deny
        items {
            /Common/WEBMAIL_act_empty { }
            /Common/WEBMAIL_act_empty_1 { }
            /Common/WEBMAIL_act_empty_2 { }
            /Common/WEBMAIL_act_empty_3 { }
            /Common/WEBMAIL_act_irule_event { }
            /Common/WEBMAIL_act_ldap_auth { }
            /Common/WEBMAIL_act_ldap_auth_1 { }
            /Common/WEBMAIL_act_ldap_query { }
            /Common/WEBMAIL_act_ldap_query_1 { }
            /Common/WEBMAIL_act_logon_page { }
            /Common/WEBMAIL_act_message_box { }
            /Common/WEBMAIL_act_message_box_1 { }
            /Common/WEBMAIL_act_message_box_2 { }
            /Common/WEBMAIL_act_message_box_3 { }
            /Common/WEBMAIL_act_message_box_4 { }
            /Common/WEBMAIL_act_message_box_5 { }
            /Common/WEBMAIL_act_radius_auth { }
            /Common/WEBMAIL_act_radius_auth_1 { }
            /Common/WEBMAIL_act_resource_assign { }
            /Common/WEBMAIL_act_resource_assign_1 { }
            /Common/WEBMAIL_act_resource_assign_2 { }
            /Common/WEBMAIL_act_resource_assign_3 { }
            /Common/WEBMAIL_act_sso_credential_mapping { }
            /Common/WEBMAIL_act_sso_credential_mapping_1 { }
            /Common/WEBMAIL_act_variable_assign { }
            /Common/WEBMAIL_act_variable_assign_1 { }
            /Common/WEBMAIL_act_variable_assign_2 { }
            /Common/WEBMAIL_end_allow {
                priority 1
            }
            /Common/WEBMAIL_end_deny {
                priority 2
            }
            /Common/WEBMAIL_end_redirect { }
            /Common/WEBMAIL_ent { }
        }
        start-item /Common/WEBMAIL_ent
    }
    
    apm profile access /Common/WEBMAIL {
        accept-languages { en ja zh-cn zh-tw }
        access-policy /Common/WEBMAIL
        app-service none
        customization-group /Common/WEBMAIL_logout
        default-language en
        domain-cookie none
        eps-group /Common/WEBMAIL_eps
        errormap-group /Common/WEBMAIL_errormap
        exchange-profile none
        framework-installation-group /Common/WEBMAIL_frameworkinstallation
        general-ui-group /Common/WEBMAIL_general_ui
        generation 64
        generation-action noop
        inactivity-timeout 2700
        logout-uri-include { /owa/auth/logoff.aspx }
        logout-uri-timeout 5
        max-failure-delay 0
        min-failure-delay 0
        modified-since-last-policy-sync true
        secure-cookie true
        sso-name none
        type all
        user-identity-method http
    }
    

    And here are the relevant ending items of my policy; everything I do before is just AD and OTP/RADIUS authentication.

    apm policy policy-item /Common/WEBMAIL_act_empty {
        caption "User Agent"
        color 1
        item-type action
        rules {
            {
                caption "Test Branch"
                expression "expr { [mcget {session.user.agent}] contains \"test-o365\"}"
                next-item /Common/WEBMAIL_act_resource_assign_2
            }
            {
                caption "Mobile Phones"
                expression "expr { [mcget {session.user.agent}] contains \"BlackBerry\" } "
                next-item /Common/WEBMAIL_act_resource_assign_1
            }
            {
                caption fallback
                next-item /Common/WEBMAIL_act_resource_assign
            }
        }
    }
    apm policy policy-item /Common/WEBMAIL_act_resource_assign_2 {
        agents {
            /Common/WEBMAIL_act_resource_assign_2_ag {
                type resource-assign
            }
        }
        caption TEST_OWA
        color 1
        item-type action
        rules {
            {
                caption fallback
                next-item /Common/WEBMAIL_end_allow
            }
        }
    }
    apm policy agent resource-assign /Common/WEBMAIL_act_resource_assign_2_ag {
        rules {
            {
                pool /Common/mail.o365.mydomain.com
                portal-access-resources { /Common/OWA_TEST }
                webtop /Common/WebTop_Test
            }
        }
    }
    