Case Study:- Sharepoint 2010 can't edit/upload the document via Netscaler LB/CS VIP with AAA
Article ID: CTX209054
Updated On:
Description
User getting the error " Sorry, we couldn't openhttps://sahrepoint.xyz.com/abc/x/edit.doc or 401 auth prompt while uploading or editing the document. In this case SharePoint 2010 was used
Resolution
When user open the site then it will open in the browser but while editing the document session will be transferred from the browser to the Word application. During this time the cookies should be transferred from the browser to the Word application.
Basic check for cookie to be transferred:-
Configuration on NS:-
There could be following reason for this issue.
Basic check for cookie to be transferred:-
- The Sharepoint LB VIP and the AAA vip should be in the trusted site of the browser (preferred IE browser as IE and Word both are Microsoft application)
- The cookie type should not be HTTP only else the cookie wont’ be shared
- Cookie should be Persistent cookie (In latest NS firmware we have this option)
- Time/Timezone should be correct on NS and the Client and Sharepoint server so that cookie doesn’t get expired
Configuration on NS:-
1. LB vip/CS VIP pointing to the Sharepoint server ( sharepointcs.emea.in)
2. AAA vserver bound to the LB/CS vip
3. Below session policy bound to the AAA vserver
Configuration on the Netscaler Session Profile
4. In the above you have to verify that HTTPOnly cookie is NO so that it can be shared between the applications and Enable Persistent Cookie is ON ( this will set a NSC_PERS cookie which can be shared between application)
Packet Flow:-
2. Client goes to the above url and is redirected to /vpn/tmindex.html this time NS sets the cookie NSC_TASS
3. Client come to tmindex.html and then we see a POST happening with the credentials with TASS cookie after user entering the credentials
4. For this AAA sends a 302 back to sharepointcs.emea.in/cgi/selfauth where it sets NSC_TMAA and NSC_TMAS cookie and will expire the NSC_TASS cookie after authenticating the user
5. Now client comes to the sharepointcs.emea.in/cgi/selfauth without cookie and gets redirected to the sharepointcs.emea.in and again the same cookies were set
6. Now Client will send a GET to sharepointcs.emea.in with NSC_TMAA and NSC_TMAS cookie . NS will pass this to the Sharepoint backend server and server will ask for 401, NS will do SSO
7. After sso is successful then Sharpoint will send a 302 redirect to /SigeePages/Home.aspx and will set cookie:- WSS_KeepSessionAuthenticated
8. NS will pass the cookie to the client and will add one more NSC_PERS cookie and will send to the client
9. NSC_PERS is the persistent cookie set by the Netscaler based on the configuration and is very important since this cookie will be shared between the Internet Explorer and the Microsoft Word application and will keep the session authenticated
10. Page will load up
11. Now client will hit on upload/edit document on the Sharepoint page. During this time the Client Internet explorer will pass the cookies to the Microsoft word and you will notice a OPTIONS coming to Netscaler with user-agent as Microsoft work and very important NSC_PERS cookie and WSS_KeepSessionAuthenticated cookie should be present
12. Netscaler will pass this to the SharePoint server by striping the NSC_PERS cookie and keeping the WSS_KeepSessionAuthenticated cookie
13. After this you will see a 401 from backed and a SSO from Netscaler as above and it will work.
Basically you have to see if the NSC_PERS cookie came in the OPTIONS field ( else NS will expire the session) and if WSS_KeepSessionAuthenticated came (else backend Sharepoint will expire the session)
Packet Flow:-
1. Client came to sharepointcs.emea.in VIP and was redirect to aaa.emea.in/cgi/tm/tm?SvBubase64work
3. Client come to tmindex.html and then we see a POST happening with the credentials with TASS cookie after user entering the credentials
4. For this AAA sends a 302 back to sharepointcs.emea.in/cgi/selfauth where it sets NSC_TMAA and NSC_TMAS cookie and will expire the NSC_TASS cookie after authenticating the user
5. Now client comes to the sharepointcs.emea.in/cgi/selfauth without cookie and gets redirected to the sharepointcs.emea.in and again the same cookies were set
6. Now Client will send a GET to sharepointcs.emea.in with NSC_TMAA and NSC_TMAS cookie . NS will pass this to the Sharepoint backend server and server will ask for 401, NS will do SSO
7. After sso is successful then Sharpoint will send a 302 redirect to /SigeePages/Home.aspx and will set cookie:- WSS_KeepSessionAuthenticated
8. NS will pass the cookie to the client and will add one more NSC_PERS cookie and will send to the client
9. NSC_PERS is the persistent cookie set by the Netscaler based on the configuration and is very important since this cookie will be shared between the Internet Explorer and the Microsoft Word application and will keep the session authenticated
10. Page will load up
11. Now client will hit on upload/edit document on the Sharepoint page. During this time the Client Internet explorer will pass the cookies to the Microsoft word and you will notice a OPTIONS coming to Netscaler with user-agent as Microsoft work and very important NSC_PERS cookie and WSS_KeepSessionAuthenticated cookie should be present
12. Netscaler will pass this to the SharePoint server by striping the NSC_PERS cookie and keeping the WSS_KeepSessionAuthenticated cookie
13. After this you will see a 401 from backed and a SSO from Netscaler as above and it will work.
Basically you have to see if the NSC_PERS cookie came in the OPTIONS field ( else NS will expire the session) and if WSS_KeepSessionAuthenticated came (else backend Sharepoint will expire the session)
Problem Cause
Cause:-There could be following reason for this issue.
- Single sign on domain is not correct for the backend sharepoint server in the session policy
- Cookie is not being shared between the browser to the Word application
- The cookie in the traffic policy is wrongly set as "Http ONly" to yes, due to which it was not being passed to word application
Issue/Introduction
This article describes how to troubleshoot the issue with Sharepoint 2010 can't edit/upload the document via Netscaler LB/CS VIP with AAA
Was this article helpful?
Yes
No
Powered by
