cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

1366
Views
0
Helpful
10
Replies
Chris Normand
Beginner

ACE 4710 breaks single sign-on on IE

I haven't run into this before and I can't find anything in the documentation regarding it.  (Our 2 4710 were setup prior in a routed configuration although I personally see no reason for it.)  Regardless, we have 2 servers that host 4 websites on them.  We built everything on the ACE with a new VIP and matching the http header.  If we use firefox/chrome, it load balances properly and we are prompted for credentials as those browsers don't support single sign on.  We enter our credentials and are able to get to the appropriate website on the server.

When we use IE, it fails to open the page.  A sniffer capture shows an authentication failure packet and a reset and that's it.  We built the ACE both as sticky and non-sticky but neither worked properly with IE.

Is there something else in the ACE we need to configure to get SSO to work?  Thanks in advance!

Chris

**NEW CONFIGURATION**

probe icmp PING

  description ICMP echo request probe

  interval 5

  passdetect interval 5

  passdetect count 12

  receive 4

probe tcp TCP-80

  description TCP port 80 probe

  interval 5

  passdetect interval 5

  passdetect count 12

  receive 4

  connection term forced

  open 1

rserver host corp-w-sp-lab01

  ip address 10.250.1.52

  probe PING

  inservice

rserver host corp-w-sp-lab02

  ip address 10.250.1.53

  probe PING

  inservice

serverfarm host sharepoint-test-80

  failaction purge

  predictor leastconns

  probe TCP-80

  rserver corp-w-sp-lab01 80

    inservice

  rserver corp-w-sp-lab02 80

    inservice

!

class-map match-any sharepoint-test-vip

  2 match virtual-address 10.250.89.10 tcp eq www

class-map type http loadbalance match-any intranet-test

  match http header Host header-value http://intranettest

class-map type http loadbalance match-any dashboards-test

  match http header Host header-value http://dashboardstest

class-map type http loadbalance match-any odpeople-test

  match http header Host header-value http://odpeopletest

class-map type http loadbalance match-any sandbox-test

  match http header Host header-value http://sandbox

!

policy-map type loadbalance http first-match sharepoint-test-lb

  class intranet-test

      serverfarm sharepoint-test-80

  class dashboards-test

      serverfarm sharepoint-test-80

  class odpeople-test

      serverfarm sharepoint-test-80

  class sandbox-test

      serverfarm sharepoint-test-80

  class class-default

      serverfarm sharepoint-test-80

!

policy-map multi-match sharepoint-test-80-pol

  class sharepoint-test-vip

    loadbalance vip inservice

    loadbalance policy sharepoint-test-lb

    loadbalance vip icmp-reply active

    nat dynamic 1 vlan 92

!

interface vlan 88

  service-policy input sharepoint-test-80-pol

***CONFIGURATION ALREADY ON INTERFACES PRIOR TO NEW CONFIG***

---------------------------

interface vlan 88

  description Client_Connections

  ip address 10.250.88.51 255.255.252.0

  alias 10.250.88.50 255.255.252.0

  peer ip address 10.250.88.52 255.255.252.0

  access-group input Client

  service-policy input remote_mgmt_allow_policy

  service-policy input PM_LB_FRONTEND

  no shutdown

interface vlan 92

  description RealServer_Network

  ip address 10.250.92.51 255.255.252.0

  alias 10.250.92.50 255.255.252.0

  peer ip address 10.250.92.52 255.255.252.0

  nat-pool 1 10.250.93.1 10.250.93.1 netmask 255.255.255.255 pat

  service-policy input remote_mgmt_allow_policy

  no shutdown

-------------------------------------------

1 ACCEPTED SOLUTION

Accepted Solutions
Cesar Roque
Enthusiast

Hi Chris,

Try this:

parameter-map type http sample

  persistence-rebalance

  set header-maxparse-length 65535

  set content-maxparse-length 65535

  length-exceed continue

policy-map multi-match sharepoint-test-80-pol

  class sharepoint-test-vip

    loadbalance vip inservice

    loadbalance policy sharepoint-test-lb

    loadbalance vip icmp-reply active

    appl-parameter http advanced-options sample

    nat dynamic 1 vlan 92

Let me know if you see any difference

---------------------
Cesar R
ANS Team

--------------------- Cesar R ANS Team

View solution in original post

10 REPLIES 10
sivaksiv
Cisco Employee

Hi,

It doesn't looks like ACE issue as it works with chrome and FF.

Do you see the reset coming from ACE or from server?

What i would recommend is to take a working and non-working captiure and compare the differences to tune the configuration as required.

-

Siva

If we open an IE web browser to either server directly, single  sign-on works and we get right to the website.  When we go through the  ACE using the VIP, it doesn't work at all, so my feeling is something in  the ACE is causing it. 

Chrome/Firefox don't support single sign-on so I suppose I  shouldn't have mentioned it but my point was that at least the ACE is  load balancing correctly to the correct website on each server so that  part of the config is correct.

The load balancer VIP was sending the packets back to the host.

Can you try with a single server and see if it works?

-

Siva

We did also try that.  We no inservice one of the rservers in the serverfarm and tried but it had the same results on both the sniffer and the ie webpage.  Does single sign-on with IE typically work with no issues through an ACE?

I dont see why this shouldn't work. If the reset is coming from ACE then we require more information of how the flow being setup from the client. Which SSO implementation involved and how many parties are involved, is client making any additional requests (to AD server, for e.g.)?

I would recommend to raise a tac case and attach a sniffer capture taken on the ACE along with show tech. We can analyze further and see if any configuration tweak required to allow this traffic on ACE.

Hi, 

In some cases what I have seen is "The single sign-on app was putting the 'client's' destination URL
IP addr inside the HTTP header."

This IP was used on back-end to validate against authorized list of IP's. 

Resolution was to add all the VIP IP address space (from ACE) to the allowed and authorized IP range on the AD server. 

regards,

Ajay Kumar

Cesar Roque
Enthusiast

Hi Chris,

Try this:

parameter-map type http sample

  persistence-rebalance

  set header-maxparse-length 65535

  set content-maxparse-length 65535

  length-exceed continue

policy-map multi-match sharepoint-test-80-pol

  class sharepoint-test-vip

    loadbalance vip inservice

    loadbalance policy sharepoint-test-lb

    loadbalance vip icmp-reply active

    appl-parameter http advanced-options sample

    nat dynamic 1 vlan 92

Let me know if you see any difference

---------------------
Cesar R
ANS Team

--------------------- Cesar R ANS Team

View solution in original post

Hi,

Did you get this resolved. We are having same issue and it results in account lockout. If someone has got this fixed please confirm what was solution. Have raised TAC case for this but still not working.

Thanks

Aijaz

Andras Dosztal
Participant

Shouldn't stickiness be configured? For me it seems you authenticate on one realserver, but your next request lands on another server.


Sent from Cisco Technical Support Android App

We fixed it by removing connection reuse.

But we have horrible performace issues. all works but response times via ACE are very bad about 30-40 times worst.

Content for Community-Ad
This widget could not be displayed.