Manual Chapter :
Configuring OFBA for Sharepoint documents
Applies To:
Show Versions
BIG-IP APM
- 17.0.0, 16.1.0, 16.0.1, 16.0.0, 15.1.0
Configuring OFBA for Sharepoint documents
Overview: Microsoft OFBA in APM
You can open a SharePoint document from a native Office application, such as Microsoft
Word. When you click the link in the document, the correct document type opens with
authentication using the Microsoft Office Forms Based Authentication (OFBA) protocol.
OBFA allows the client to produce a mini web browser control to handle the
authentication rather than using an internal authentication implementation. This browser
then handles the APM logon page.
Configuring OFBA in APM
Access Policy Manager supports the OFBA feature by providing a
built-in iRule,
_sys_APM_MS_Office_OFBA_Support
, in the iRules List in Local Traffic
Manager (LTM). The OFBA protocol authenticates Microsoft Office applications to
On-Premises SharePoint.The sample access policy below shows the following items configured to
support Microsoft OFBA:
- A Client Type item with branch rule set to MS-OFBA Compliant if you want a different authentication option for MS-OFBA supported Office applications.For more information about the Visual Policy editor, refer to the BIG-IP Access Policy Manager: Visual Policy Editor guide.
- A Variable Assign item with assigned session.logon.last.username, session.logon.last.password, and session.logon.last.domain.
- An SSO Credential Mapping item.
Sample access policy
Creating a virtual server for MS OFBA support
BIG-IP APM includes an OFBA iRule that allow
users to open a SharePoint document from a native Office application. To accomplish
this, as the administrator, you must configure the APM virtual server with the irule
_
.sys_
APM_MS_Office_OFBA_Support- At the top of the screen, clickConfiguration, then, on the left, click .The screen displays the list of virtual servers defined on this device.
- ClickCreate.The New Virtual Server screen opens.
- In theNamefield, type in a name for the virtual server you are creating.
- From theDevicelist, select the device on which to create the virtual server.
- For theDestination Address, type the IP address of the destination that you want this virtual server to send its traffic to.
- In theService Portfield, type a service port number, or select a type from the list.When you select a type from the list, the value in theService Portfield changes to reflect the associated default, which you can change.
- From theAccess Policylist, select the access policy with the MS OFBA VPE object.
- In theiRulessection, from theAvailablelist, select_sys_APM_MS_Office_OFBA_Supportand move it to theEnabledlist..
- Specify the additional settings needed to suit the requirements for this virtual server.The remaining parameters on this screen are optional and perform the same function as they do when you configure a virtual server on a BIG-IP device.
- ClickSave & Close.The system creates the new virtual server with the settings you specified.On configuring this, the supported MS Office apps are met with an APM logon page rather than an error page when no persistent web session cookie is available.The shared session cookie is not available if a browser besides Internet Explorer is used and/or if cookie persistence is not configured for the access policy.iRules that modify ACCESS::restrict_irule_events property for the connection flow will cause the OFBA iRule to fail. This includes the system default VDI profile. Do not use VDI together with OFBA.
Including MRHSession cookies in Office applications
Perform the following steps to ensure the Office applications include the MRHSession
cookies in the requests to be granted access to the document.
- Add virtual server URI to the trusted sites in .
- Make sure that the Virtual Server SSL certificate is signed by a Trusted Certificate Authoritity.
- Add virtual server to the Trusted locations list of Microsoft Office programs.Run a target Microsoft Office Program, for example, Excel. Navigate to , and select theAllow Trusted Locations on my networkoption. Click theAdd new locationbutton and then add the virtual server URI. Select theSubfolders of this location are also trustedoption. ClickOK.For additional information, refer to the Deploying the BIG-IP System with Microsoft SharePoint 2016 guide.
Microsoft OFBA protocol parameters supported in APM
Microsoft OFBA protocol parameters supported in APM
BIG-IP Access Policy Manager (APM) has a built-in iRule,
_sys_APM_MS_Office_OFBA_Support
, which alters how APM processes
connections from Microsoft Office browsers. An LTM object called
_sys_APM_MS_Office_OFBA_DG
handles the configuration of the iRule. This
object has the following parameters.Name |
Description |
Mandatory |
|---|---|---|
ofba_auth_dialog_size |
The OFBA dialog browser resolution size in width x height.
The default value is 800x600. |
No |
ie_sp_session_sharing_enabled |
A parameter to specify whether to enable or disable the IE session sharing using
a persistent cookie named "MRHSOffice." The default value is
Disabled . Possible values are:
|
No |
ie_sp_session_sharing_inactivity_timeout |
The inactivity timeout value for the persistent cookie value "MRHSOffice" every
time the SharePoint site refreshes or gets any response from SharePoint Server. The
default value is 60 seconds. |
No |
useragent |
Useragent strings are configured for OFBA clients to be identified. All the
user-agent strings should start with "useragent" and a number, such as useragent1 or
useragent2. All the useragent values should be provided. The data group already has
a predefined set of user agents for MS Office applications. |
Yes |
