Forum Discussion
Create an NTLM machine account for BIG-IP within a route-domain
Hi
I have tried all day to join my Big IP system to one of my customers' domains. The customer has ActiveSync today and wants Outlook Anywhere with NTLM authentication as well.
My cluster runs on 11.6 HF6 and I have used this iApp for creating the Exchange service: f5.microsoft_exchange_2010_2013_cas.v1.5.1
But as I was googling around for a breakthrough I stumbled upon this article: https://support.f5.com/kb/en-us/solutions/public/17000/100/sol17148.html We use route-domains and my customer is not in route-domain 0. And this article states that Kerberos authentication will not function unless the KDC servers reside in route-domain 0.
So my question is: is there a way to get this to work anyway?
Regards Geir Sandbu
4 Replies
- youssef1
Cumulonimbus
Hello, I already had a similar problem and unfortunately in my case I have set up a workaround. So for me the best way is to create a new Virtual Server for the KDC in Route Domain 0 (it will be used only for the internal process). In fact you have to create 2 VS (689 and 88) and these VS have to point to the KDC with the correct RD (ex: 172.2.2.9%4). For it to work you have to uncheck "Strict Isolation" on route domain 0 (Network --> Route Domains --> 0 --> uncheck "Strict Isolation"). Let me know if it works for you; otherwise I can offer you another solution... Regards
- Geir_Sandbu_342
Nimbostratus
Thanks for the swift reply, youssef. The workaround looks straightforward enough. Create 2 VS (port 689 and 88) in Route Domain 0. The pool used for these VSes is pointed to the KDC in the customer's route-domain. But where to go next? When adding the Big IP system to the domain, do I point to the Big IP VS address instead of the FQDN of the DC server?
- Geir_Sandbu_342
Nimbostratus
Hi again youssef, you mentioned that you had another solution. I'm very curious here. Can you please describe it to me? Regards

We ran into this and for the Kerberos AAA feature at least, we just specify the IP of the KDC in the Kerberos AAA agent, and let the traffic flow out of an RD0 VLAN that has access to the customer environment. We don't break the strict isolation feature in this case.
We enhance this by using a wildcard VIP whose pool members are multiple KDCs in the customer environment. You point the Domain Controller FQDN field to this IP. I haven't tested the NTLM portion, you may need a hosts file entry to represent the internal IP for the VIP.
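The two approaches described in this thread (youssef1's per-port virtual servers in RD 0 with strict isolation disabled, and the last reply's wildcard VIP reached through an RD 0 VLAN that keeps strict isolation intact), written out as tmsh commands. This is an added example, not configuration from any poster or from F5; the listener addresses 10.0.0.50 and 10.0.0.51, the second KDC 172.2.2.10, the gateway 10.0.1.1 and the DC name dc01.customer.example are hypothetical placeholders, and the ports 88 and 689 are the ones named in the thread.

```tmsh
# Added example (not from the thread): tmsh form of the two workarounds above.
# Placeholders: 10.0.0.50 / 10.0.0.51 are BIG-IP self-IP-side listener addresses
# in route domain 0; 172.2.2.9%4 is the KDC address youssef1 quoted;
# 172.2.2.10 is a hypothetical second KDC; 10.0.1.1 is a hypothetical gateway.

# --- Variant 1 (youssef1): per-port virtual servers in RD 0 whose pool members
# live in the customer's route domain (the %4 suffix). Because the pool member is
# in another route domain, RD 0 must be allowed to reach it: strict isolation off.
modify net route-domain 0 strict disabled

create ltm pool pool_kdc_rd4_88 members add { 172.2.2.9%4:88 } monitor tcp
create ltm pool pool_kdc_rd4_689 members add { 172.2.2.9%4:689 } monitor tcp

# Kerberos uses both TCP and UDP on 88, so one VS per protocol.
create ltm virtual vs_kdc_rd0_88_tcp destination 10.0.0.50%0:88 ip-protocol tcp pool pool_kdc_rd4_88 source-address-translation { type automap }
create ltm virtual vs_kdc_rd0_88_udp destination 10.0.0.50%0:88 ip-protocol udp pool pool_kdc_rd4_88 source-address-translation { type automap }
create ltm virtual vs_kdc_rd0_689 destination 10.0.0.50%0:689 ip-protocol tcp pool pool_kdc_rd4_689 source-address-translation { type automap }

# --- Variant 2 (last reply): strict isolation stays enabled. RD 0 itself has a
# VLAN and a route that reach the customer's KDCs, so the pool members carry no
# %4 suffix and the BIG-IP's own Kerberos/NTLM traffic never crosses domains.
create net route rt_customer_kdc network 172.2.2.0/24 gw 10.0.1.1

# Wildcard-port pool of several KDCs (port 0 = any) behind one VIP.
create ltm pool pool_kdc_any members add { 172.2.2.9:0 172.2.2.10:0 } monitor gateway_icmp
create ltm virtual vs_kdc_wildcard_tcp destination 10.0.0.51%0:0 ip-protocol tcp pool pool_kdc_any source-address-translation { type automap }
create ltm virtual vs_kdc_wildcard_udp destination 10.0.0.51%0:0 ip-protocol udp pool pool_kdc_any source-address-translation { type automap }

# The reply suggests a hosts entry so the DC FQDN resolves to the VIP on the
# BIG-IP itself; this is the tmsh way to add one (hypothetical name).
modify sys global-settings remote-host add { dc01 { hostname dc01.customer.example addr 10.0.0.51 } }

# Checks: pool members should be available and the virtual servers up.
show ltm pool pool_kdc_rd4_88 members
show ltm pool pool_kdc_any members
show ltm virtual vs_kdc_rd0_88_tcp
show ltm virtual vs_kdc_wildcard_tcp
```

Variant 1 is the quicker fix but widens RD 0's reach to the customer's domain for every RD 0 listener, not just these virtual servers; variant 2 keeps the route-domain boundary and limits exposure to the single route and pool you define, which is why it is the one to prefer on a shared BIG-IP.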