10-16-2012 05:09 AM
I haven't run into this before and I can't find anything in the documentation regarding it. (Our two 4710s were set up previously in a routed configuration, although I personally see no reason for it.) Regardless, we have 2 servers that host 4 websites on them. We built everything on the ACE with a new VIP and matching the HTTP header. If we use Firefox/Chrome, it load balances properly and we are prompted for credentials, as those browsers don't support single sign-on. We enter our credentials and are able to get to the appropriate website on the server.
When we use IE, it fails to open the page. A sniffer capture shows an authentication failure packet and a reset and that's it. We built the ACE both as sticky and non-sticky but neither worked properly with IE.
Is there something else in the ACE we need to configure to get SSO to work? Thanks in advance!
Chris
**NEW CONFIGURATION**
probe icmp PING
  description ICMP echo request probe
  interval 5
  passdetect interval 5
  passdetect count 12
  receive 4
probe tcp TCP-80
  description TCP port 80 probe
  interval 5
  passdetect interval 5
  passdetect count 12
  receive 4
  connection term forced
  open 1
rserver host corp-w-sp-lab01
  ip address 10.250.1.52
  probe PING
  inservice
rserver host corp-w-sp-lab02
  ip address 10.250.1.53
  probe PING
  inservice
serverfarm host sharepoint-test-80
  failaction purge
  predictor leastconns
  probe TCP-80
  rserver corp-w-sp-lab01 80
    inservice
  rserver corp-w-sp-lab02 80
    inservice
!
class-map match-any sharepoint-test-vip
  2 match virtual-address 10.250.89.10 tcp eq www
class-map type http loadbalance match-any intranet-test
  match http header Host header-value http://intranettest
class-map type http loadbalance match-any dashboards-test
  match http header Host header-value http://dashboardstest
class-map type http loadbalance match-any odpeople-test
  match http header Host header-value http://odpeopletest
class-map type http loadbalance match-any sandbox-test
  match http header Host header-value http://sandbox
!
policy-map type loadbalance http first-match sharepoint-test-lb
  class intranet-test
    serverfarm sharepoint-test-80
  class dashboards-test
    serverfarm sharepoint-test-80
  class odpeople-test
    serverfarm sharepoint-test-80
  class sandbox-test
    serverfarm sharepoint-test-80
  class class-default
    serverfarm sharepoint-test-80
!
policy-map multi-match sharepoint-test-80-pol
  class sharepoint-test-vip
    loadbalance vip inservice
    loadbalance policy sharepoint-test-lb
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 92
!
interface vlan 88
  service-policy input sharepoint-test-80-pol
***CONFIGURATION ALREADY ON INTERFACES PRIOR TO NEW CONFIG***
---------------------------
interface vlan 88
  description Client_Connections
  ip address 10.250.88.51 255.255.252.0
  alias 10.250.88.50 255.255.252.0
  peer ip address 10.250.88.52 255.255.252.0
  access-group input Client
  service-policy input remote_mgmt_allow_policy
  service-policy input PM_LB_FRONTEND
  no shutdown
interface vlan 92
  description RealServer_Network
  ip address 10.250.92.51 255.255.252.0
  alias 10.250.92.50 255.255.252.0
  peer ip address 10.250.92.52 255.255.252.0
  nat-pool 1 10.250.93.1 10.250.93.1 netmask 255.255.255.255 pat
  service-policy input remote_mgmt_allow_policy
  no shutdown
-------------------------------------------
10-18-2012 03:17 PM
Hi Chris,
Try this:
parameter-map type http sample
  persistence-rebalance
  set header-maxparse-length 65535
  set content-maxparse-length 65535
  length-exceed continue
policy-map multi-match sharepoint-test-80-pol
  class sharepoint-test-vip
    loadbalance vip inservice
    loadbalance policy sharepoint-test-lb
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options sample
    nat dynamic 1 vlan 92
Let me know if you see any difference.
---------------------
Cesar R
ANS Team
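Added example, not from the thread or from Cisco: a small Python check that reads the HTTP parameter-map settings from an ACE config snippet and predicts, for a sample request, whether its header block fits within header-maxparse-length and, if not, what the length-exceed action does. It models the first two settings of the suggested fix (maxparse length and length-exceed), not persistence-rebalance, and assumes defaults of 2048 bytes and drop when no parameter-map is attached; the Negotiate token is a constructed placeholder, not a real GSS-API token.

```python
import base64
# Assumed ACE defaults that apply when no HTTP parameter-map is attached to the VIP
# (an assumption made for this example; check the documentation for your ACE release).
DEFAULT_HEADER_MAXPARSE = 2048
DEFAULT_LENGTH_EXCEED = "drop"

def http_parameter_maps(config_text):
    """Map each 'parameter-map type http' name to [header-maxparse-length, length-exceed]."""
    maps, current = {}, None
    for raw in config_text.splitlines():
        line, words = raw.strip(), raw.split()
        if line.startswith("parameter-map type http "):
            current = words[-1]
            maps[current] = [DEFAULT_HEADER_MAXPARSE, DEFAULT_LENGTH_EXCEED]
        elif current and line.startswith("set header-maxparse-length "):
            maps[current][0] = int(words[-1])
        elif current and line.startswith("length-exceed "):
            maps[current][1] = words[-1]
        elif line.startswith(("policy-map", "class-map", "serverfarm", "rserver", "!")):
            current = None  # another top-level block closes the parameter-map
    return maps

def applied_http_map(config_text):
    """Name given to 'appl-parameter http advanced-options' under the VIP policy, if any."""
    for raw in config_text.splitlines():
        if raw.strip().startswith("appl-parameter http advanced-options "):
            return raw.split()[-1]
    return None

def header_block_length(request):
    """Bytes from the request line through the CRLF CRLF that ends the headers."""
    return request.index(b"\r\n\r\n") + 4

def predict_ace_action(config_text, request):
    """Return 'within-limit', 'exceeded-drop' or 'exceeded-continue' for one request."""
    max_parse, action = http_parameter_maps(config_text).get(
        applied_http_map(config_text), [DEFAULT_HEADER_MAXPARSE, DEFAULT_LENGTH_EXCEED])
    if header_block_length(request) <= max_parse:
        return "within-limit"
    return "exceeded-" + action

# Constructed request: the Negotiate value is a placeholder blob, not a real GSS token,
# sized like a Kerberos ticket carrying a large PAC (about 4 KB after base64 encoding).
FAKE_TOKEN = base64.b64encode(bytes(range(256)) * 12).decode()
BIG_AUTH_REQUEST = ("GET / HTTP/1.1\r\nHost: intranettest\r\n"
                    f"Authorization: Negotiate {FAKE_TOKEN}\r\n\r\n").encode()
# The parameter-map from the thread's suggested fix, attached to the VIP with appl-parameter.
FIXED_CONFIG = """parameter-map type http sample
set header-maxparse-length 65535
length-exceed continue
appl-parameter http advanced-options sample"""
```

A parameter-map that is defined but never attached with appl-parameter leaves the defaults in force, which the check reports as well.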
10-16-2012 05:18 AM
Hi,
It doesn't look like an ACE issue, as it works with Chrome and FF.
Do you see the reset coming from the ACE or from the server?
What I would recommend is to take a working and a non-working capture and compare the differences to tune the configuration as required.
-
Siva
10-16-2012 08:56 AM
If we open an IE web browser to either server directly, single sign-on works and we get right to the website. When we go through the ACE using the VIP, it doesn't work at all, so my feeling is something in the ACE is causing it.
Chrome/Firefox don't support single sign-on, so I suppose I shouldn't have mentioned it, but my point was that at least the ACE is load balancing correctly to the correct website on each server, so that part of the config is correct.
The load balancer VIP was sending the packets back to the host.
10-17-2012 12:22 AM
Can you try with a single server and see if it works?
-
Siva
10-17-2012 05:57 AM
We did also try that. We "no inservice" one of the rservers in the serverfarm and tried, but it had the same results on both the sniffer and the IE webpage. Does single sign-on with IE typically work with no issues through an ACE?
10-17-2012 09:56 AM
I don't see why this shouldn't work. If the reset is coming from the ACE, then we require more information on how the flow is being set up from the client. Which SSO implementation is involved and how many parties are involved? Is the client making any additional requests (to the AD server, for example)?
I would recommend raising a TAC case and attaching a sniffer capture taken on the ACE along with a show tech. We can analyze further and see if any configuration tweak is required to allow this traffic on the ACE.
02-04-2013 11:57 AM
Hi, in some cases what I have seen is "the single sign-on app was putting the 'client's' destination URL IP address inside the HTTP header." This IP was used on the back end to validate against an authorized list of IPs. The resolution was to add all the VIP IP address space (from the ACE) to the allowed and authorized IP range on the AD server.
regards,
Ajay Kumar
02-04-2013 02:29 AM
Hi,
Did you get this resolved? We are having the same issue and it results in account lockout. If someone has got this fixed, please confirm what the solution was. I have raised a TAC case for this but it is still not working.
Thanks
Aijaz
02-05-2013 09:38 AM
Shouldn't stickiness be configured? To me it seems you authenticate on one real server, but your next request lands on another server.
02-05-2013 09:50 AM
We fixed it by removing connection reuse.
But we have horrible performance issues. All works, but response times via the ACE are very bad, about 30-40 times worse.