Sharepoint Log Out AAA VSERVER

Started by Esteban Herrera , 16 November 2015 - 06:56 PM
11 replies to this topic

Esteban Herrera Members

Esteban Herrera
  • 63 posts

Posted 16 November 2015 - 06:56 PM

Guys,

 

I'm protecting a SharePoint site using an AAA vServer and all works OK; the only problem that I have is when the user logs out of SharePoint... I created a traffic policy following this KB http://support.citrix.com/article/CTX133537

and the session is logged out, but I also need to redirect the user to the home page so the NS asks for the credentials again... I cannot figure out how to do that... I created a few RW policies but it seems NetScaler doesn't act as I expect.

The NS responds with the following in the body "You are logged out. Please login again."

 

Any ideas?

 

Kind regards.



Leopoldo Torres Members

Leopoldo Torres
  • 40 posts

Posted 18 November 2015 - 01:10 PM

You can check out this other KB used for OWA but I'm sure you can adapt it to your scenario by changing the redirect action

 

http://support.citrix.com/article/CTX124560



Joe Brozzetti Members

Joe Brozzetti
  • 180 posts

Posted 24 November 2015 - 06:37 PM

Try a Responder policy:

 

Policy Expression:  HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS("/_layouts/signout.aspx")

 

-You would use the signout.aspx or whatever your SP Logout URL is.

 

Action:  Respond With

 

"HTTP/1.1 302 OBJECT MOVED\r\n" + "Location: https://YOURSHAREPOINTSITE.com" + "\r\n"+ "Set-Cookie: NSC_TMAA=" + HTTP.REQ.COOKIE.VALUE("NSC_TMAA")+ ";HttpOnly;Path=/;DOMAIN=.yourdomain.com;expires=Thu, 01-Jan-1970 00:00:01 GMT;"+ "\r\n"+ "Set-Cookie: NSC_TMAS=" + HTTP.REQ.COOKIE.VALUE("NSC_TMAS")+ ";Secure;HttpOnly;Path=/;Domain=.yourdomain.com;expires=Thu, 01-Jan-1970 00:00:01 GMT;"+ "\r\n" + "\r\n"

 

What this will do is redirect on logout back to your SharePoint site but it will expire the NSC_TMAA and NSC_TMAS cookies which are needed to keep the AAA session.  Since you will land back on your sharepoint page without your auth cookies, you will be redirected to your AAA page.

 

Variables above:  YOURSHAREPOINTSITE, yourdomain.com - everything else is correct syntax


Best Answer Helpful Answer

Esteban Herrera Members

Esteban Herrera
  • 63 posts

Posted 26 November 2015 - 02:35 AM

Joe,

Thank you for the help. I was trying to do the same but using rewrite.. I think that maybe was the error... also I was just expiring the TMAA cookie and not the TMAS; I was debugging using Safari and noticed that when you delete the cookies (both you mention) the NetScaler sends you directly to the login page on the next request.
I will test this tomorrow and post the update here.

Again, thank you so much for your input.



Joe Brozzetti Members

Joe Brozzetti
  • 180 posts

Posted 17 December 2015 - 04:35 PM

Did this work for you?



Esteban Herrera Members

Esteban Herrera
  • 63 posts

Posted 17 December 2015 - 05:00 PM

Hi Joe, YES! 

That works perfectly!

I'm trying to understand why it doesn't work with RW, but that's another story.

Thank you so much for the help!



Christian Reimold Members

Christian Reimold
  • 38 posts

Posted 24 March 2016 - 11:38 PM

Hi, it worked perfectly for me with NetScaler 10.5 58.11, but since I updated to 10.5 61.11 the redirect is still working but the cookies are not revoked. How can I figure out why the cookies are not revoked? Has anybody else had this issue with NetScaler 10.5 61.11?



Joe Brozzetti Members

Joe Brozzetti
  • 180 posts

Posted 09 March 2017 - 07:41 PM

Christian, this functionality breaks once you get past Build 56 or 58 on 10.5.

 

Here is an article:  https://support.citrix.com/article/CTX209057

 

You have to use http.req.user.sessionid() now.  Syntax is different so let me know if you still need help.



Koen van der Hoeven Members

Koen van der Hoeven
  • 3 posts

Posted 16 March 2017 - 08:49 AM

Joe, can you please post an example of this new method? I really need this for our SharePoint solution.

Currently we are logged out of SP and from the AAA session but users can re-logon using sso if they don't close the full browser.

Joe Brozzetti Members
  • #10

Joe Brozzetti
  • 180 posts

Posted 16 March 2017 - 04:42 PM

"HTTP/1.1 302 OBJECT MOVED\r\n" + "Location: "+HTTP.REQ.URL + "\r\n"+ "Set-Cookie: ns_dev=1;Path=/;Domain=.company.com;expires="+ SYS.TIME.ADD(36000).TYPECAST_TIME_AT + "\r\n"+ "Set-Cookie: NSC_TMAA=" + HTTP.REQ.USER.SESSIONID + ";HttpOnly;Path=/;DOMAIN=.company.com;expires="+ SYS.TIME.ADD(36000).TYPECAST_TIME_AT + "\r\nContent-Length: 0"+ "\r\n" + "Cache-Control: no-cache, no-store" + "\r\n" + "Pragma: no-cache" + "\r\n" + "Content-Type: text/html" + "\r\n" + "\r\n"

 

The ns_dev is a dummy cookie we set to prevent this policy from firing for every request.  If you set a dummy cookie like this, use a Rewrite policy to remove it at logoff.

 

RW:  

 

Insert_HTTP_Header

Set-Cookie

"ns_dev=deleted;Path=/;Domain=.company.com;expires=Thu,01-Jan-1970 00:00:01 GMT;"



Mikael Modin Members
  • #11

Mikael Modin
  • 7 posts

Posted 13 June 2017 - 08:19 AM

Hi Joe

I am trying this last post you wrote and cannot get it to work.

The setup for me is in conjunction with ShareFile.

When a user presses logout the cookie is alive in 2 min etc.

 

I am running NS11.1 48.10.nc

 

I get redirected to the ShareFile login when pressing log out, but if a user clicks the sign in button the user is not prompted for a password. Only after a 2 minute timeout.

 

Is the RW you mentioned needed to get this to work?

 

Mikael



Joe Brozzetti Citrix Employees
  • #12

Joe Brozzetti
  • 4 posts

Posted 13 June 2017 - 04:46 PM

Mikael,

 

This functionality changed with v11 Netscaler.  I got it to work using a new policy:

 

{"HTTP/1.1 302 OBJECT MOVED\r\n" + "Location: "+HTTP.REQ.URL + "\r\n"+ "Set-Cookie: ns_dev=1;Path=/;Domain=.company.com;expires="+ SYS.TIME.ADD(36000).TYPECAST_TIME_AT + "\r\n"+ "Set-Cookie: NSC_TMAA=" + HTTP.REQ.USER.SESSIONID + ";HttpOnly;Path=/;DOMAIN=.company.com;expires="+ SYS.TIME.ADD(36000).TYPECAST_TIME_AT + "\r\nContent-Length: 0"+ "\r\n" + "Cache-Control: no-cache, no-store" + "\r\n" + "Pragma: no-cache" + "\r\n" + "Content-Type: text/html" + "\r\n" + "\r\n"}

 

I also had to use a Rewrite to expire the cookie, responder was not working.  Sharepoint for example:

 

Policy:  HTTP.REQ.URL.CONTAINS("/_layouts/SignOut.aspx")

Action:  insert_http_header

Header:  Set-Cookie

"ns_dev=deleted;Path=/;Domain=.bayada.com;expires=Thu,01-Jan-1970 00:00:01 GMT;"

 

Hope this helps.
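
To see whether a logout response like the ones posted in this thread really clears the AAA cookies, the check below parses a captured raw response and reports session cookies that are missing or not expired, plus header lines glued together by a mistyped `/r/n`. It is an added example, not part of any post and not Citrix code; `audit_logout_response` and the sample host, domain and cookie values are assumptions constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def audit_logout_response(raw, required=("NSC_TMAA", "NSC_TMAS")):
    """Return (findings, cookies) for the raw HTTP response to a logout request."""
    findings, cookies = [], {}
    head, terminator, _body = raw.partition("\r\n\r\n")
    if not terminator:
        findings.append("header block is not terminated by CRLF CRLF")
    lines = head.split("\r\n")
    if not lines[0].startswith("HTTP/1.1 302 "):
        findings.append("status line is not a 302 redirect")
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        # A literal "/r/n" or a bare LF means two headers were glued into one.
        if not colon or "/r/n" in line or "\n" in line:
            findings.append("malformed header line: %r" % line)
            continue
        parts = [p.strip() for p in value.split(";") if p.strip()]
        if name.strip().lower() != "set-cookie" or not parts:
            continue
        cname = parts[0].partition("=")[0]  # report the name only, never the value
        attrs = {k.lower(): v for k, _, v in (p.partition("=") for p in parts[1:])}
        expired = False
        if "expires" in attrs:
            try:
                when = parsedate_to_datetime(attrs["expires"])
                if when.tzinfo is None:
                    when = when.replace(tzinfo=timezone.utc)
                expired = when <= datetime.now(timezone.utc)
            except (TypeError, ValueError):
                findings.append("%s: unparseable expires attribute" % cname)
        cookies[cname] = {"expired": expired, "domain": attrs.get("domain"),
                          "path": attrs.get("path")}
    for cname in required:
        if cname not in cookies:
            findings.append("%s: no Set-Cookie in response" % cname)
        elif not cookies[cname]["expired"]:
            findings.append("%s: Set-Cookie present but not expired" % cname)
    return findings, cookies

# Constructed samples; host, domain and cookie values are placeholders.
EPOCH = "expires=Thu, 01-Jan-1970 00:00:01 GMT;"
GOOD_RESPONSE = ("HTTP/1.1 302 OBJECT MOVED\r\nLocation: https://sharepoint.example.com\r\n"
    "Set-Cookie: NSC_TMAA=aaa;HttpOnly;Path=/;DOMAIN=.example.com;" + EPOCH + "\r\n"
    "Set-Cookie: NSC_TMAS=sss;Secure;HttpOnly;Path=/;Domain=.example.com;" + EPOCH + "\r\n\r\n")
BAD_RESPONSE = ("HTTP/1.1 302 OBJECT MOVED\r\nLocation: https://sharepoint.example.com\r\n"
    "Set-Cookie: NSC_TMAA=aaa;HttpOnly;Path=/;DOMAIN=.example.com;" + EPOCH + "\r\n"
    "Pragma: no-cache/r/nContent-Type: text/html\r\n\r\n")
```

Running it against headers captured before and after a firmware upgrade shows whether the Set-Cookie lines are still being emitted, which is the situation reported above for the 10.5 builds.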