Solved: ACE 4710 breaks single sign-on on IE

Chris Normand · ‎10-16-2012

I haven't run into this before and I can't find anything in the documentation regarding it. (Our 2 4710 were setup prior in a routed configuration although I personally see no reason for it.) Regardless, we have 2 servers that host 4 websites on them. We built everything on the ACE with a new VIP and matching the http header. If we use firefox/chrome, it load balances properly and we are prompted for credentials as those browsers don't support single sign on. We enter our credentials and are able to get to the appropriate website on the server.

When we use IE, it fails to open the page. A sniffer capture shows an authentication failure packet and a reset and that's it. We built the ACE both as sticky and non-sticky but neither worked properly with IE.

Is there something else in the ACE we need to configure to get SSO to work? Thanks in advance!

Chris

**NEW CONFIGURATION**

probe icmp PING

description ICMP echo request probe

interval 5

passdetect interval 5

passdetect count 12

receive 4

probe tcp TCP-80

description TCP port 80 probe

interval 5

passdetect interval 5

passdetect count 12

receive 4

connection term forced

open 1

rserver host corp-w-sp-lab01

ip address 10.250.1.52

probe PING

inservice

rserver host corp-w-sp-lab02

ip address 10.250.1.53

probe PING

inservice

serverfarm host sharepoint-test-80

failaction purge

predictor leastconns

probe TCP-80

rserver corp-w-sp-lab01 80

inservice

rserver corp-w-sp-lab02 80

inservice

!

class-map match-any sharepoint-test-vip

2 match virtual-address 10.250.89.10 tcp eq www

class-map type http loadbalance match-any intranet-test

match http header Host header-value http://intranettest

class-map type http loadbalance match-any dashboards-test

match http header Host header-value http://dashboardstest

class-map type http loadbalance match-any odpeople-test

match http header Host header-value http://odpeopletest

class-map type http loadbalance match-any sandbox-test

match http header Host header-value http://sandbox

!

policy-map type loadbalance http first-match sharepoint-test-lb

class intranet-test

serverfarm sharepoint-test-80

class dashboards-test

serverfarm sharepoint-test-80

class odpeople-test

serverfarm sharepoint-test-80

class sandbox-test

serverfarm sharepoint-test-80

class class-default

serverfarm sharepoint-test-80

!

policy-map multi-match sharepoint-test-80-pol

class sharepoint-test-vip

loadbalance vip inservice

loadbalance policy sharepoint-test-lb

loadbalance vip icmp-reply active

nat dynamic 1 vlan 92

!

interface vlan 88

service-policy input sharepoint-test-80-pol

***CONFIGURATION ALREADY ON INTERFACES PRIOR TO NEW CONFIG***

---------------------------

interface vlan 88

description Client_Connections

ip address 10.250.88.51 255.255.252.0

alias 10.250.88.50 255.255.252.0

peer ip address 10.250.88.52 255.255.252.0

access-group input Client

service-policy input remote_mgmt_allow_policy

service-policy input PM_LB_FRONTEND

no shutdown

interface vlan 92

description RealServer_Network

ip address 10.250.92.51 255.255.252.0

alias 10.250.92.50 255.255.252.0

peer ip address 10.250.92.52 255.255.252.0

nat-pool 1 10.250.93.1 10.250.93.1 netmask 255.255.255.255 pat

service-policy input remote_mgmt_allow_policy

no shutdown

-------------------------------------------

Cesar Roque · ‎10-18-2012

Hi Chris,

Try this:

parameter-map type http sample

persistence-rebalance

set header-maxparse-length 65535

set content-maxparse-length 65535

length-exceed continue

policy-map multi-match sharepoint-test-80-pol

class sharepoint-test-vip

loadbalance vip inservice

loadbalance policy sharepoint-test-lb

loadbalance vip icmp-reply active

appl-parameter http advanced-options sample

nat dynamic 1 vlan 92

Let me know if you see any difference

---------------------
Cesar R
ANS Team

--------------------- Cesar R ANS Team

View solution in original post

sivaksiv · ‎10-16-2012

Hi,

It doesn't looks like ACE issue as it works with chrome and FF.

Do you see the reset coming from ACE or from server?

What i would recommend is to take a working and non-working captiure and compare the differences to tune the configuration as required.

-

Siva

Chris Normand · ‎10-16-2012

If we open an IE web browser to either server directly, single sign-on works and we get right to the website. When we go through the ACE using the VIP, it doesn't work at all, so my feeling is something in the ACE is causing it.

Chrome/Firefox don't support single sign-on so I suppose I shouldn't have mentioned it but my point was that at least the ACE is load balancing correctly to the correct website on each server so that part of the config is correct.

The load balancer VIP was sending the packets back to the host.

sivaksiv · ‎10-17-2012

Can you try with a single server and see if it works?

-

Siva

Chris Normand · ‎10-17-2012

We did also try that. We no inservice one of the rservers in the serverfarm and tried but it had the same results on both the sniffer and the ie webpage. Does single sign-on with IE typically work with no issues through an ACE?

sivaksiv · ‎10-17-2012

I dont see why this shouldn't work. If the reset is coming from ACE then we require more information of how the flow being setup from the client. Which SSO implementation involved and how many parties are involved, is client making any additional requests (to AD server, for e.g.)?

I would recommend to raise a tac case and attach a sniffer capture taken on the ACE along with show tech. We can analyze further and see if any configuration tweak required to allow this traffic on ACE.

ajayku2 · ‎02-04-2013

Hi, 

In some cases what I have seen is "The single sign-on app was putting the 'client's' destination URL
IP addr inside the HTTP header."

This IP was used on back-end to validate against authorized list of IP's. 

Resolution was to add all the VIP IP address space (from ACE) to the allowed and authorized IP range on the AD server.

regards,

Ajay Kumar

Cesar Roque · ‎10-18-2012

Hi Chris,

Try this:

parameter-map type http sample

persistence-rebalance

set header-maxparse-length 65535

set content-maxparse-length 65535

length-exceed continue

policy-map multi-match sharepoint-test-80-pol

class sharepoint-test-vip

loadbalance vip inservice

loadbalance policy sharepoint-test-lb

loadbalance vip icmp-reply active

appl-parameter http advanced-options sample

nat dynamic 1 vlan 92

Let me know if you see any difference

---------------------
Cesar R
ANS Team

--------------------- Cesar R ANS Team

aijazbeigh · ‎02-04-2013

Hi,

Did you get this resolved. We are having same issue and it results in account lockout. If someone has got this fixed please confirm what was solution. Have raised TAC case for this but still not working.

Thanks

Aijaz

Andras Dosztal · ‎02-05-2013

Shouldn't stickiness be configured? For me it seems you authenticate on one realserver, but your next request lands on another server.

Sent from Cisco Technical Support Android App

aijazbeigh · ‎02-05-2013

We fixed it by removing connection reuse.

But we have horrible performace issues. all works but response times via ACE are very bad about 30-40 times worst.