Load balancer + Fed auth cookies + Sharepoint
I have a login page which creates a fed auth cookie and establishes a session in SharePoint.
Since the site moved to a load balancer environment, it has started behaving differently.
The fed auth cookie is being created, but I am still not logged in! I am redirected to the login page again for authentication.
After another 2-3 attempts, things start working again. Can anyone help as to what is impacting cookies in the load balancer? Are they being rejected?
Does the ext directory have the php_oci8.dll? In the original steps the PHP dir is renamed. In the given php.in the extension_dir looks like it has been updated correctly. Since PHP distributes php_oci8.dll by default I reckon there would be a very good chance that the problem was somewhere else. Since this is an old thread I don't think we'll get much value from speculation.
-- cj
Similar Messages
-
Load balancing and clustering in sharepoint
Hi,
I am still confused about load balancing with clustering at the SharePoint level. Please let me know how to install and troubleshoot it, how it works, its advantages, etc.
Thanks,
Inguru
Hi Inguru,
Per my knowledge, SharePoint only supports Load balancing and SQL support clustering.
Here is a similar thread for you to take a look:
http://social.technet.microsoft.com/Forums/en-US/2b20d1d5-de35-486e-9b0e-37222a307615/clustering-and-load-balancing?forum=sharepointgeneralprevious
To configure load balancing for SharePoint, please follow the links below:
http://blogs.technet.com/b/praveenh/archive/2010/12/17/setting-up-load-balancing-on-a-sharepoint-farm-running-on-windows-server-2008.aspx
http://community.bamboosolutions.com/blogs/sharepoint-2013/archive/2014/01/07/network-load-balancing-for-sharepoint-2013-part-three-installing-network-load-balancing-on-wfe1-in-a-three-server-farm.aspx
Best regards.
Thanks
Victoria Xia
TechNet Community Support -
Office Web Apps Load Balancing Configuration Issue for SharePoint 2013
I have load balanced servers dedicated for Office Web Apps with names “md1xxxwfe1” and “md1xxxwfe2”; both these servers are load balanced by a CISCO load balancer. I have mapped the load balancer Virtual IP to the host name officeapps.jda.corp.local in the DNS records.
Things work fine if I add a new farm by using New-OfficeWebAppsFarm with the server name as internalurl in the PowerShell console, like “-internalurl http://md1xxxwfe1”, but when I use –internalurl officeapps.jda.corp.local it does not work at all. I’m not getting what to do at this point.
I have gone through following blogs but no luck.
http://blogs.technet.com/b/meamcs/archive/2013/03/27/office-web-apps-2013-multi-servers-nlb-installation-and-deployment-for-sharepoint-2013-step-by-step-guide.aspx
http://blogs.technet.com/b/office_resource_kit/archive/2012/09/11/introducing-office-web-apps-server.aspx
http://davidlimsharepoint.blogspot.in/2013/02/installing-and-configuring-office-web.html
http://sps2013.blogspot.in/2013/09/office-web-apps-with-sharepoint-2013.html
The output of the wfe1 server is attached with this. When I open http:// /hosting/discovery in wfe1 I’m getting the following result (attached screenshot) but it should show hostname rather than server name.
Please help me
Thanks, Ram Ch
Hi Ram,
For troubleshooting your issue, please take steps as below:
Just about any load balancing solution will work, including a server that runs the Web Server (IIS) role running Application Request Routing (ARR):
Install Application Request Routing
Install the certificate on the load balancer as described under Securing Office Web Apps Server communications by using HTTPS.
Make sure you have configured the cluster correctly for full internet name:
Reference:
http://technet.microsoft.com/en-us/library/jj219435.aspx#loadbalancer
Thanks,
Eric
Forum Support
Eric Tao
TechNet Community Support -
CSS - Load balancing to Microsoft 2008 Sharepoint Application
We are trying to load balance using the CSS 11503 to two servers running Microsoft Sharepoint 2008. Everything is working fine as far as load balancing is concerned. But what we want is if the Microsoft Sharepoint 2008 Application is down on one server then we do not want any request for this application to be sent to this server. What sort of keepalive should we be using, because TCP port 80 is still up and responds when the Microsoft Sharepoint 2008 Application is down on this server.
I do not know much about how Microsoft Sharepoint 2008 Application interfaces / interacts with IIS and port 80, etc.
Any suggestions?
Partial Config:
===============
service FRED30
ip address x.x.x.100
protocol tcp
port 80
redundant-index 3
keepalive port 80
keepalive type http
active
service FRED31
ip address x.x.x.101
protocol tcp
port 80
redundant-index 4
keepalive port 80
keepalive type http
active
When we do the above where we have
"keepalive type http"
and then do a show keepalive we get the State as DOWN - why? But if we take out the keepalive type http command from the above services then we don't see the state as DOWN.
But even when it says DOWN we can still connect to port 80 without problem.
CSS# sh keepalive AUTO_FRED30
Name: AUTO_FRED30 Index: 7 State: Down
Description: Auto generated for service for FRED30
Address: x.x.x.100 Port: 80
Type: HTTP:HEAD:/
Keepalive Error: General failure
Frequency: 5
Max Failures: 3
Retry Frequency: 5
Dependent Services:
FRED30
sh keepalive FRED31
Name: AUTO_FRED31 Index: 9 State: Down
Description: Auto generated for service FRED31
Addresess: x.x.x.101 Port: 80
Type: HTTP:HEAD:/
Keepalive Error: General failure
Frequency: 5
Max Failures: 3
Retry Frequency: 5
Dependent Services:
FRED31 -
ACE 4710 and load balancing with sticky cookie
Configuring load balancing with SSL termination and stickiness for a couple of citrix xenapp servers. I'm doing a source-NAT as the ACE resides in the DMZ and these particular servers reside on the inside arm of the firewall. The ACE is in bridged mode to load balance web servers that reside in the DMZ. Everything seems to work just fine, but the cookie stickiness does not seem to be working.
Hi David,
As you may know, using Wireshark to look at an HTTPS capture is only useful if you've installed the server SSL key. This is why I find it easier to use something like LiveHTTPHeaders or HTTPWatch.
When using cookie-insert, the ACE will not create any dynamic cookie entries. It will simply create one static entry for each rserver with a cookie value, such as R3911631338, and any client that gets load balanced to that rserver will receive a cookie with that value. So what you see there is what is expected.
You are correct in that when using location cookies that the server supplies, the ACE will create a dynamic entry when it sees the server response with the cookie. The cookie is included in the server's response, and the ACE will look for the value as configured. The cookie will also be sent to the client. If the cookie is not in the server's first response, you will need to enable persistence-rebalance so that it will look in subsequent server responses. If the browser opens new connections with that cookie, then the ACE will stick to the same server.
My suggestion would be to get sticky working with cookie-insert first. Then if that meets your needs, go with that permanently. If you need to use server cookies, then once cookie insert is working, migrate your sticky to cookie location.
Sean -
CSS Load Balancing with Cookies
We are trying to load balance 2 backend servers hosted on Websphere with advance balance cookies method.
Restrictions
ServerA is unable to accept cookies generated from ServerB.
ServerA and ServerB are generating random cookies
Unable to modify cookie string with a constant.
How can we load balance based on cookies considering the above restrictions?
We have attempted to do hash based load balancing with cookies but the problem we run into is the servers do not accept cookies generated from another server.
The configuration we tried is written below:
service ServerA
ip address 192.168.10.2
keepalive type tcp
keepalive port 80
active
service ServerB
ip address 192.168.20.2
keepalive type tcp
keepalive port 80
active
content ABC
url "/*"
add service ServerA
string prefix "JSESSIONID="
advanced-balance cookies
port 80
add service ServerB
string skip-length 5
string process-length 16
string operation hash-xor
protocol tcp
vip address 172.16.32.1
active
Can we change the string prefix to JSESSION instead of JSESSIONID= ?
The only place the app guys can add a constant string to match on is before the = sign.
Is it possible for CSS to match on a constant string before = sign e.g below:
service ServerA
ip address 192.168.10.2
keepalive type tcp
keepalive port 80
string id567=
active
service ServerB
ip address 192.168.20.2
keepalive type tcp
keepalive port 80
string id123=
active
content ABC
url "/*"
add service ServerA
string prefix "JSESSION"
advanced-balance cookies
port 80
add service ServerB
string skip-length 0
string process-length 6
protocol tcp
vip address 172.16.32.1
active
It should work.
There is no reason for it not to work...
This is the best method you can have on the CSS for stickiness.
Get a sniffer trace on the client and server with arrowpoint cookie configured on the CSS and capture a failure so we can see what is going on.
Also send me the config so I can verify everything is ok.
If you have a service request open with the TAC, you can also give the SR # so I can review what has been done.
Gilles. -
CSS 11503 Load Balancing Verification
Alright, so I have toiled long and hard to get this right. I think I have the config down but I am unsure on how to verify how this load balancing is working.
Here is the Content Config that I am speaking of:
content cad-rule
add service wls1-e0
add service wls1-e1
add service wls2-e0
add service wls2-e1
add service wls3-e0
add service wls3-e1
add service wls4-e0
add service wls4-e1
add service wls5-e0
add service wls5-e1
add service wls6-e0
add service wls6-e1
arrowpoint-cookie expiration 00:00:15:00
advanced-balance arrowpoint-cookie
redundant-index 2
vip address 172.30.194.195 range 2
arrowpoint-cookie name TOQ
protocol tcp
port 8001
url "/*"
active
Each service in the rule above is configured as follows:
service wls1-e1
port 8001
protocol tcp
string ags001-e1
ip address 172.30.193.81
keepalive type http
keepalive uri "/cad/index.html"
redundant-index 12
keepalive frequency 20
keepalive maxfailure 10
keepalive retryperiod 2
active
I am using the advanced arrowpoint cookies because I need some stickiness here. Straight round-robin would not have done what I needed it to do.
Now, when I go to my show summary, this is what I see for this rule:
cad-rule Master wls1-e0 84274
wls1-e1 13144
wls2-e0 96884
wls2-e1 26374
wls3-e0 71145
wls3-e1 16592
wls4-e0 76403
wls4-e1 8657
wls5-e0 118623
wls5-e1 22760
wls6-e0 30836
wls6-e1 20464
The far right column indicates the services hits. I originally had the E1's suspended and activated them later on. So if this was true round robin, all the E0's should have the same number of service hits and all the E1's should have the same number of service hits. But as you can see, the wls5 server is getting hit the most while the wls6 server is sitting there twiddling its thumbs.
Now understanding how the arrowpoint cookies do their load balancing (inserting a cookie into the flow and then timing out after 15 mins as configured above) I would not expect a 1:1 ratio of load balancing between servers. But the distribution above seems rather extreme.
Does anyone have any suggestions on how to both A) verify that this is the right config and B) suggest to my boss that this is working the way it should be working?
Thanks!
James
Hi James,
There are several reasons for the uneven load balancing that you are seeing (based on the show summary). First of all, the CSS is configured to do stickiness (advance-balance).
With the arrowpoint-cookies method for stickiness (HTTP only), only the requests coming with the same cookie are going to get stuck to the same server. Since the cookie is lost when the browser is closed (or based on the expiration), the stickiness is going to be session based, and if the same client opens a new session it is going to be load balanced.
It is important to understand that when using stickiness, no real even load balancing is going to happen, since we are sticking new flows to the same server, even though layer 5 stickiness would permit more even balancing than layer 3 stickiness (source IP based).
Also consider that "show summary" is a command to see the hits (requests) being balanced to a specific server. This is a good command to see the load balancing; however, since the CSS balances connections (flows), a persistent connection could have a lot of requests, so all those requests are always going to the same server (incrementing the amount of hits in the counter), while a non-persistent connection would be just one request (refer to HTTP persistence).
Also keep in mind that if a service is taken out for maintenance, or is added to the load balancing later than another, or if it goes down for a period of time, then the CSS will be balancing among the remaining alive servers. When you add the server again, the other servers are going to have connections already established, so since the CSS is doing round robin, the server last added will never have the same amount of connections (nor hits) as the other ones, because while one could have 55 for example, the new one will have its first connection, and when the first one gets the 56th, the other will get the second, and so on.
Please let me know if this makes any sense.
Diego M -
Does ADFS work with SharePoint 2013 with WFEs SSL-offloaded to a F5 load balancer?
Currently we are implementing a SharePoint 2013 Production environment with 2 WFEs load-balanced by F5. SSL is offloaded to F5 and is currently working fine with Integrated Windows Authentication with NTLM. We would like to implement ADFS 3.0
later for Single Sign-on, and we are wondering if ADFS supports SSL offload.
Do we need to bind the certificate to the WFEs as well to use ADFS?
Thank you!
Just got it confirmed that ADFS supports SSL offload. There is no direct communication between SharePoint and ADFS server during the authentication process. It is always the browser that's talking to ADFS server. We just need to do the following:
Configure SharePoint URLs in ADFS as relying parties with https.
Configure AAM in SharePoint to make sure internal URL is http and public URL is https. -
Site not accessible from the Load balanced web front end server - sharepoint 2010
I have a production environment with 2 WFE's(sp-wfe1 & sp-wfe2), 2 APP's and 2 SQL clustered VM's.
2 WFE's are load balanced using hardware load balancer.
An A-Record(PORTAL) is created in DNS for the virtual IP of the load balancer which points to the 2 WFE's.
A web application is created on the WFE's on port 80.
alternative access mapping is configured and the load balanced record "http://PORTAL" is used under the default zone.
Under IIS I have edited the bindings for the sharepoint site at port 80 and added the HOSTNAME as PORTAL.
Result: The site is accessible from outside the server and works fine.
ISSUE: The site is not accessible within the WFE's(sp-wfe1 & sp-wfe2).
When I browse the site from the WFE's server it ask for the credentials and when I enter the credentials and click OK it ask the credentials again and again and in the end displays a blank page.
Kindly help me in this issue because I am clueless and couldn't find anything helpful on the internet.
Regards,
Mudassar
MADDY-DEV Forum answers from Microsoft Forum
Loop back check.
http://www.harbar.net/archive/2009/07/02/disableloopbackcheck-amp-sharepoint-what-every-admin-and-developer-should-know.aspx -
Dears,
My SharePoint farm is with the below configuration in our office :
Batch processing server the with Central Administration
Web Front End Server 1 (http://wfe01)
Web Front End Server 2 (http://wfe02)
I do have the load balance URL as http://finance.mycompany.com and as per the system administrator it seems configured properly.
In AAM i have mapped the URLs as below for the web application in Central Administration portal:
http://finance.mycompany.com - Default Zone
http://wfe01 - Intranet Zone
http://wfe02 - Internet Zone
I was able to browse the site via the load balance URL: http://finance.mycompany.com, but couldn't open the site using SharePoint Designer 2013. It always says the site is not found.
please advise,
thanks,
Ammar
What do the wfe01 and wfe02 AAMs do?
Are you browsing to the SharePoint site and using SPD on the same computer, is it part of the farm or a separate client computer?
Thanks a lot, Alex, for your response; I appreciate it.
WFE01, WFE01 is connected to the one central admin on Batch Processing Server (central admin URL is http://SharepointCA:5555 and the SharePoint Web Application is hosted under port 80 on the same server). So the AAM is configured on the batch processing server central admin.
I can connect to the site using the SPD inside the Batch Processing server if I mention the site URL as http://localhost. But not from other client computers by putting the load balance URL - http://finance.mycompany.com.
I can browse the sites directly putting http://wfe01, http://wfe02 and as well as the load balance URL (http://finance.mycompany.com). The custom webparts are getting crashed when I put the web application URL as http://finance.mycompany.com.
thanks,
Ammar -
ACE load-balancing-Cookie problem
In our other load-balancing environments the load-balancer-cookie contains the encrypted (real) servername or ip-address.
We think it's the same on the cisco, for that reason it's in theory not possible, that there are two 'green'-cookies with different values in the same request.
There are only two possibilities how this could happen:
a) The healthmonitor (http_probe) fails, the loadbalancer 'thinks' that the realserver is down and redistributes the traffic.
But in that case we would expect, that the old cookie will be overwritten by the new one and not simply added to the http-header.
b) The predictor in the serverfarm chooses a new realserver within the same request.
If that is really the cause of that problem this would be bug in the cisco ace.
What we found out is that the loadbalancer performs a 'Set-Cookie' operation on every request even if the client submits the cookie correctly.
For example:
GET /ips-opdata/scripts/jquery.js HTTP/1.1
Host: www.xxxxx.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://www.xxxxx.com/
Cookie: green=R339366665; JSESSIONID=28D91FC6FD62A3921354BB36826294C4
HTTP/1.1 200 OK
Set-Cookie: green=R339366665; path=/; expires=Tue, 29-Mar-2011 06:33:00 GMT
Server: Apache-Coyote/1.1
X-Powered-By: Servlet 2.4; JBoss-4.2.2.GA (build: SVNTag=JBoss_4_2_2_GA date=200710221139)/Tomcat-5.5
ETag: W/"72181-1298537508000"
Last-Modified: Thu, 24 Feb 2011 08:51:48 GMT
Content-Type: text/javascript
Content-Length: 72181
Date: Mon, 28 Mar 2011 06:15:19 GMT
As you can see the cookies: green=R339366665 is transmitted from the client, but the loadbalancer does a Set-Cookie Operation of the same cookie once again. This is an unexpected behaviour.
We hope that this helps you to figure out the reason of the problem.
The cookie is sent by the ACE on each response to refresh the timeout value on the client. The value of the cookie doesn't change. This is the expected behaviour and shouldn't break anything in the application / browser.
For browser-based applications, don't forget to add the "browser-expire" parameter to your cookie-based stickiness config. -
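The capture quoted in this thread can be checked mechanically. The Python below is an added example, not part of the original posts and not Cisco tooling: it classifies what the load balancer did with its sticky cookie in one exchange (a refresh of the same value, a new server assignment, or a client sending two conflicting values). The sample messages are trimmed from the capture above; the function names and the second cookie value in the conflict request are constructed for illustration.

```python
# Added example: classify how a load balancer handled its sticky cookie.
# REQUEST and RESPONSE are trimmed from the capture quoted in the thread.
REQUEST = (
    "GET /ips-opdata/scripts/jquery.js HTTP/1.1\r\n"
    "Host: www.xxxxx.com\r\n"
    "Cookie: green=R339366665; JSESSIONID=28D91FC6FD62A3921354BB36826294C4\r\n"
    "\r\n"
)
RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: green=R339366665; path=/; expires=Tue, 29-Mar-2011 06:33:00 GMT\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "\r\n"
)
# Constructed: a request carrying two 'green' cookies with different values,
# the situation the original poster describes. R0000000001 is made up.
CONFLICT_REQUEST = REQUEST.replace(
    "green=R339366665;", "green=R339366665; green=R0000000001;"
)


def header_values(raw, name):
    """Return every value of header `name` (case-insensitive) in a raw message."""
    values = []
    for line in raw.split("\r\n")[1:]:  # skip the request/status line
        if not line:
            break  # blank line ends the header section
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == name.lower():
            values.append(value.strip())
    return values


def request_cookie_values(raw_request, cookie_name):
    """All values the client sent for `cookie_name`, duplicates preserved."""
    found = []
    for header in header_values(raw_request, "Cookie"):
        for pair in header.split(";"):
            key, sep, value = pair.strip().partition("=")
            if sep and key == cookie_name:
                found.append(value)
    return found


def response_set_cookie(raw_response, cookie_name):
    """Return (value, attributes) of the Set-Cookie for `cookie_name`, or None."""
    for header in header_values(raw_response, "Set-Cookie"):
        first, *attrs = [part.strip() for part in header.split(";")]
        key, sep, value = first.partition("=")
        if sep and key == cookie_name:
            attributes = {}
            for attr in attrs:
                k, _, v = attr.partition("=")
                attributes[k.lower()] = v
            return value, attributes
    return None


def classify(raw_request, raw_response, cookie_name):
    """Name the sticky-cookie event seen in one request/response pair."""
    sent = request_cookie_values(raw_request, cookie_name)
    issued = response_set_cookie(raw_response, cookie_name)
    if len(set(sent)) > 1:
        return "conflict"   # client holds two different values for one name
    if issued is None:
        return "untouched" if sent else "absent"
    if not sent:
        return "initial"    # first assignment to a real server
    # Same value re-sent: only the expiry is refreshed, as the reply explains.
    return "refresh" if issued[0] == sent[0] else "rebalance"


if __name__ == "__main__":
    print(classify(REQUEST, RESPONSE, "green"))
    print(classify(CONFLICT_REQUEST, RESPONSE, "green"))
```

Run over a full capture, a string of "refresh" results matches the behaviour described in the reply, while "rebalance" or "conflict" marks the exchanges worth inspecting.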
Setting up SharePoint 2013 Apps in a load balanced environment
All,
Looking for some articles on how to configure SharePoint 2013 Apps in a load balanced farm (2 WFEs, 2 APP servers, 2 SQL DBs).
Thank you!
If the load balancing environment is already well configured, the rest is very easy; there is no difference between a configuration of a load balancing environment and a simple one, for you that is transparent, except the manual deployment and manual copying of files in the directory 15 -
If 3 Real servers in a non-load balancing environment are setting session cookies with different cookie names e.g.
server1 response
set-Cookie: SESSIDSAAAAAA=DMNNNELCECNCKDIIDCPOIMGG
Server2 response
set-Cookie: SESSIDSBBBBBB=DAAMMNELCECNCKPYTWPOIPOP
Server3 response
set-Cookie: SESSIDSCCCCCC=POHYTUOIPOPPLKJHTERIQOKJ
then how can CSM be configured with cookie based stickiness.
I tried cookie insert on CSM with NULL value Assigned to "COOKIE_INSERT_EXPIRATION_DATE".
It resulted in two set cookie responses (one from server and one from CSM).
I am wondering how csm will react ( cookie insert is used) if client request carries two cookie name-value pairs.
clients are behind megaproxy so cookie based stickiness is needed.
Thanks
If you look into an HTTP client request you will see that many times there is more than 1 cookie.
The most important is to make sure the CSM inserts a cookie with a different name.
Create your own name.
The client will receive both the CSM cookie and the server cookie and will send both when opening a new connection.
The CSM is able to locate its own cookie in the list and do the stickiness.
Gilles. -
SharePoint Central Administration: High Availability and Load Balancing
Running Central Administration on more than one server in the farm is 100% supported and indeed a recommended best practice on SharePoint 2010.
Is Load Balancing on Central Administration
supported for SharePoint 2013?
Is Implementing Kerberos Authentication for load balanced Central Administration 100% supported in SharePoint 2013?
Is Implementing Central Administration on Port 80 or 443 100% supported on SharePoint 2013?
I’ve read an article about this from Spence Harbar. I would like to know if this is supported for SharePoint 2013?
Source:
http://www.harbar.net/articles/spca.aspx
jtjscholten
Thanks! Disappointed there is no description from Microsoft :(
jtjscholten -
SharePoint 2010 Kerberos on Load balance farm
I have a SharePoint load balanced farm and my site address is https://sharepoint.com (SharePoint alias created in ADDS which resolves to the virtual IP address, VIP). Do I need to set up SPNs for https://sharepoint.com, or for all the IP addresses of the web servers used, or for the VIP?
Thanks,
D
Hi,
you need to set up Kerberos for the URL your users are typing in the browser and for which you have IIS listening. In your case that is https://sharepoint.com. This address will be registered with IIS on all load-balanced servers and the application pool should run under the same service account on all servers.
Regards,
Andrei