For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Geir_Sandbu_342's avatar
Geir_Sandbu_342
Icon for Nimbostratus rankNimbostratus
Feb 10, 2016

ActiveSync access without domain name in Logon

Hi   We have a small problem with Active Sync for one of our customers. We have deployed Exchange ActiveSync using the iApp template f5.microsoft_exchange_2010_2013_cas.v1.5.1. Our system is runni...
application delivery
BIG-IP Access Policy Manager (APM)
Geir_Sandbu_342's avatar
Geir_Sandbu_342
Icon for Nimbostratus rankNimbostratus
Feb 11, 2016

I came a bit further with my troubleshooting. This is the Policy I am using right now:

The Logon Page action contains this Branch Rule:

expr { ([string tolower [mcget {session.logon.last.domain}]] contains "domain") }

That trail works for users authentication with either domain\username or Username - Password - Domain.

If the logon credentials doesn't include the Domainname then the fallback trail from the Logon Page action is chosen.

Access sessions following the fallback trail is being authenticated successfully towards AD, but still Active Sync is not working. The exchange servers presents HTTP 401 (Not authorized).

The Variable Assign action inlcudes this expression (domain is the name of the customers domain):

session.logon.last.domain = return {domain}

The SSO Credential Mapping action contains default values.

I have tried to move the Variable Assign action in front of the AD Auth Action. But still no luck.