
Jonathan_Perroz
Nimbostratus
Apr 02, 2016

BIG-IP APM/LTM with Exchange 2010 and NTLM Authentication

Guys

I've tried to deploy the above solution using the iApp template for Exchange. Slightly different deployment as I'm trying to do it with route domains. I understand there are issues with authentication in route domains, i.e. NTLM comes from the default route domain, and I don't have an issue with this.

When opening Outlook, which has been configured for Outlook Anywhere access, I get a login prompt. When looking at the APM logs it tells me NTLM auth occurred and that it was successful.

Does anyone have any ideas? I can supply logs if needed :)

  • JamesSevedge_23
    Historic F5 Account

    Hello Jonathan, could you please confirm you are using the latest iApp template for Exchange 2010/2013? Deployment guide with instructions for downloading the latest iApp: http://www.f5.com/pdf/deployment-guides/microsoft-exchange-iapp-dg.pdf.

    Once you have confirmed you are using the latest iApp I would suggest reading through Appendix E of the deployment guide linked above. There is some configuration required on Exchange and within the iApp as well as on the BIG-IP to get Outlook Anywhere (which is used by Outlook clients) to work for NTLM auth to APM and Kerberos to the back-end Exchange servers.

    Let me know if you have any further questions.

    • Jonathan_Perroz
      Nimbostratus
      James, thanks for replying. I'm using the latest iApp .5.1 release. If I install the APM/LTM functions on the same route domain the iApp works fine, and I can see the S4U Proxy information when the Outlook client is connecting. I also see the delegation happen, with the reverse lookup on the CAS server too. However, if I separate out these roles, the logs show %h@REALM. I've followed the guide and included the delegation for the URLs, i.e. Outlook and AutoDiscover :(
    • JamesSevedge_23
      Historic F5 Account
      What do you mean by separate out the roles? Separate APM and LTM into different route domains? Could you include the snippet of APM log that contains one of the failed sessions compared to the successful? You may want to open a support case for tracking at this point if you have not figured it out yet.
    • JamesSevedge_23
      Historic F5 Account
      Just a note: If you mean route domains I would suggest reading through the linked SOL. https://support.f5.com/kb/en-us/solutions/public/17000/100/sol17148.html