This article describes how to troubleshoot an issue where SharePoint 2010 documents cannot be edited or uploaded through a NetScaler LB/CS VIP with AAA.

Symptoms or Error

Users get the error "Sorry, we couldn't open https://sahrepoint.xyz.com/abc/x/edit.doc" or a 401 authentication prompt while uploading or editing a document. In this case SharePoint 2010 was used.


When the user opens the site, it opens in the browser, but while editing a document the session is transferred from the browser to the Word application. During this time the cookies should be transferred from the browser to the Word application.
Basic checks for the cookie to be transferred:
  1. The SharePoint LB VIP and the AAA VIP should be in the trusted sites of the browser (Internet Explorer is preferred, as IE and Word are both Microsoft applications)
  2. The cookie type should not be HTTP only, else the cookie won't be shared
  3. The cookie should be a persistent cookie (the latest NS firmware has this option)
  4. Time/timezone should be correct on the NS, the client and the SharePoint server so that the cookie doesn't expire
Configuration on NS:
1. LB VIP/CS VIP pointing to the SharePoint server (sharepointcs.emea.in)
2. AAA vserver bound to the LB/CS VIP
3. The session policy below bound to the AAA vserver
Configuration on the NetScaler Session Profile
4. In the session profile, verify that HTTPOnly Cookie is NO so that the cookie can be shared between the applications, and that Enable Persistent Cookie is ON (this sets an NSC_PERS cookie which can be shared between applications)

Packet Flow:

1. The client comes to the sharepointcs.emea.in VIP and is redirected to aaa.emea.in/cgi/tm/tm?SvBubase64work
2. The client goes to the above URL and is redirected to /vpn/tmindex.html; this time NS sets the cookie NSC_TASS
3. The client comes to tmindex.html and, after the user enters the credentials, we see a POST carrying the credentials along with the NSC_TASS cookie

4. For this, AAA sends a 302 back to sharepointcs.emea.in/cgi/selfauth, where it sets the NSC_TMAA and NSC_TMAS cookies and expires the NSC_TASS cookie after authenticating the user
5. Now the client comes to sharepointcs.emea.in/cgi/selfauth without a cookie and gets redirected to sharepointcs.emea.in, and the same cookies are set again

6. Now the client sends a GET to sharepointcs.emea.in with the NSC_TMAA and NSC_TMAS cookies. NS passes this to the SharePoint backend server, the server responds with a 401, and NS performs SSO

7. After SSO is successful, SharePoint sends a 302 redirect to /SigeePages/Home.aspx and sets the cookie WSS_KeepSessionAuthenticated

8. NS passes the cookie to the client and adds one more cookie, NSC_PERS, before sending the response to the client

9. NSC_PERS is the persistent cookie set by the NetScaler based on the configuration. It is very important, since this cookie is shared between Internet Explorer and the Microsoft Word application and keeps the session authenticated

10. The page loads

11. Now the client clicks upload/edit document on the SharePoint page. At this point Internet Explorer on the client passes the cookies to Microsoft Word, and you will notice an OPTIONS request coming to the NetScaler with the user agent set to Microsoft Word. It is very important that the NSC_PERS cookie and the WSS_KeepSessionAuthenticated cookie are present
12. NetScaler passes this to the SharePoint server, stripping the NSC_PERS cookie and keeping the WSS_KeepSessionAuthenticated cookie
13. After this you will see a 401 from the backend and an SSO from the NetScaler as above, and it will work.

Basically, you have to check whether the NSC_PERS cookie came in the OPTIONS request (else NS will expire the session) and whether WSS_KeepSessionAuthenticated came (else the backend SharePoint will expire the session).
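
The cookie checks described above can be run against headers copied from a trace: the attributes on each Set-Cookie, and the cookies present on Word's OPTIONS request. This is an added example, not Citrix code; the function names, the request path and all cookie values are constructed for illustration.

```python
REQUIRED = ("NSC_PERS", "WSS_KeepSessionAuthenticated")

def parse_set_cookie(value):
    """Split one Set-Cookie header value into (name, {attribute: value})."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs

def audit_set_cookie(values):
    """Flag cookies that will not reach Word, per the basic checks above."""
    findings = {}
    for value in values:
        name, attrs = parse_set_cookie(value)
        if name not in REQUIRED:
            continue
        problems = []
        if "httponly" in attrs:
            problems.append("HttpOnly is set")
        if name == "NSC_PERS" and not ("expires" in attrs or "max-age" in attrs):
            problems.append("no Expires/Max-Age, so not persistent")
        findings[name] = problems
    return findings

def missing_on_options(raw_request):
    """Return the required cookies absent from a raw OPTIONS request."""
    lines = raw_request.split("\r\n\r\n", 1)[0].split("\r\n")
    if not lines[0].upper().startswith("OPTIONS "):
        raise ValueError("expected an OPTIONS request")
    sent = set()
    for line in lines[1:]:
        key, _, val = line.partition(":")
        if key.strip().lower() == "cookie":
            sent.update(p.partition("=")[0].strip() for p in val.split(";"))
    return [name for name in REQUIRED if name not in sent]

SAMPLE_SET_COOKIE = [  # constructed values showing a misconfigured profile
    "NSC_PERS=constructed-a; Path=/; HttpOnly",
    "WSS_KeepSessionAuthenticated=constructed-b; Path=/",
]
SAMPLE_OPTIONS = (  # constructed request from the Word client
    "OPTIONS /abc/x/ HTTP/1.1\r\nHost: sharepointcs.emea.in\r\n"
    "User-Agent: Microsoft Office Word (constructed)\r\n"
    "Cookie: WSS_KeepSessionAuthenticated=constructed-b\r\n\r\n"
)
print(audit_set_cookie(SAMPLE_SET_COOKIE), missing_on_options(SAMPLE_OPTIONS))
```

An empty problem list for both cookies and an empty result from `missing_on_options` correspond to the working flow in steps 8 to 13.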

Problem Cause

The following are possible reasons for this issue:
  1. The single sign-on domain is not correct for the backend SharePoint server in the session policy
  2. The cookie is not being shared between the browser and the Word application
  3. The cookie in the traffic policy is wrongly set with "HTTP Only" as yes, due to which it was not being passed to the Word application
