Cannot open MS Office docs when SharePoint is accelerated by Access Gateway Appliance

  • 7012002
  • 22-Mar-2013
  • 06-Nov-2013

Environment

NetIQ Access Manager 3.2
NetIQ Access Manager 3.2 Support Pack 1 applied
NetIQ Access Manager 3.2 Access Gateway Appliance
SharePoint 2010

Situation

SharePoint 2010 is set up and accelerated by the Access Gateway Appliance according to the current Access Manager documentation. Everything works fine, i.e. users can access and view files on the SharePoint server after authenticating successfully at the Identity Server. If they try to open the documents for modification, they get an error stating that the file cannot be opened.

Note 1: When a user selects the option to open a file, the client generates WebDAV requests. At this point, a WebDAV OPTIONS request is sent with another User-Agent (and therefore without the AG IPCQZX03 session cookie), resulting in an HTTP 409 status response from the AG server. We can use the following Advanced Option to avoid this issue, but we still have a problem opening the file from the browser:

 #NAGGlobalOptions AllowMSWebDavMiniRedir

When this is enabled and the WebDAV client sends an OPTIONS request with the MS-WebDAV-MiniRedir user agent to the Access Gateway, it receives a 409 Conflict response. The client uses this response to change the user agent to MS Data Access Internet Publishing Provider DAV.
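
To confirm the behaviour described in Note 1 on a given system, the proxy's access log can be searched for WebDAV requests answered with HTTP 409, grouped by User-Agent. The following is an added example, not part of the original TID; it assumes the log uses the Apache "combined" format, and the sample lines are constructed.

```python
import re
from collections import Counter

# Assumption: the proxy writes Apache "combined" format access log lines.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Methods a WebDAV client sends beyond a browser's plain GET/POST.
WEBDAV_METHODS = {"OPTIONS", "PROPFIND", "PROPPATCH", "LOCK", "UNLOCK", "MKCOL"}


def find_webdav_conflicts(lines):
    """Return parsed entries for WebDAV requests answered with HTTP 409."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue  # not in the assumed format; ignore rather than guess
        if m["method"] in WEBDAV_METHODS and m["status"] == "409":
            hits.append(m.groupdict())
    return hits


def conflicts_by_agent(lines):
    """Count 409 responses per User-Agent to see which client is rejected."""
    return Counter(hit["ua"] for hit in find_webdav_conflicts(lines))


# Constructed sample lines (documentation IP range, made-up paths).
SAMPLE_LOG = [
    '192.0.2.10 - alice [22/Mar/2013:10:01:02 +0000] "GET /sites/team/Docs/plan.docx HTTP/1.1" 200 48211 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)"',
    '192.0.2.10 - - [22/Mar/2013:10:01:05 +0000] "OPTIONS /sites/team/Docs/ HTTP/1.1" 409 - "-" "Microsoft-WebDAV-MiniRedir/6.1.7601"',
    '192.0.2.10 - - [22/Mar/2013:10:01:06 +0000] "OPTIONS /sites/team/Docs/ HTTP/1.1" 200 - "-" "Microsoft Data Access Internet Publishing Provider DAV"',
    '192.0.2.11 - - [22/Mar/2013:10:04:40 +0000] "OPTIONS /sites/hr/Forms/ HTTP/1.1" 409 - "-" "Microsoft-WebDAV-MiniRedir/6.1.7601"',
    '192.0.2.12 - bob [22/Mar/2013:10:05:00 +0000] "GET /missing.xlsx HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
    'this line is not an access log entry',
]

if __name__ == "__main__":
    for agent, count in conflicts_by_agent(SAMPLE_LOG).most_common():
        print(f"{count:4d} x HTTP 409  {agent}")
```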

Note 2: We added the Access Manager SharePoint domain to the browser’s trusted sites and added the certificates to the Trusted Root Certification Authorities.

Resolution

The issue stems from the fact that the WebDAV client fails to send the AG session cookie. By using the WS-Federation protocol to integrate the NAM IDP server with SharePoint, this limitation may be removed (SharePoint is not accelerated by the Access Gateway, so the AG session cookies are no longer needed).

There may be an option to work around the issue when SharePoint sits behind the AG. Try manually performing the following steps:
a) Add the following line to the httpd.conf file:

LoadModule headers_module libexec/mod_headers.so 

b) Add the following entries to the httpd.conf file:

<LocationMatch ".*\.doc$">
  Header set Content-Disposition attachment
</LocationMatch>
<LocationMatch ".*\.docx$">
  Header set Content-Disposition attachment
</LocationMatch>
<LocationMatch ".*\.xls$">
  Header set Content-Disposition attachment
</LocationMatch>
<LocationMatch ".*\.xlsx$">
  Header set Content-Disposition attachment
</LocationMatch>
<LocationMatch ".*\.ppt$">
  Header set Content-Disposition attachment
</LocationMatch>
<LocationMatch ".*\.pptx$">
  Header set Content-Disposition attachment
</LocationMatch>

c) Restart the novell-apache2 services.

With the 'Content-Disposition' header added in response to the WebDAV queries, the browser may be able to open the files without issue. If this fails, WS-Federation is the option.