Forum Discussion

Bryan_Vance_171's avatar
Bryan_Vance_171
Icon for Nimbostratus rankNimbostratus
Apr 30, 2015

Error after setting NTLM authentication in iAPP

I am using the f5.microsoft_exchange_2010_2013_cas.v1.5.0 iAPP template, primarily for Outlook anywhere with auto discover, and after setting up the option for NTLM I get the following error after cl...
application delivery
BIG-IP Access Policy Manager (APM)
devops
iApps
LTM
security
  • mikeshimkus_111's avatar
    mikeshimkus_111
    Apr 30, 2015

    Specifically, what is the name of the NTLM machine account object you are selecting in the iApp?

     

mikeshimkus_111's avatar
mikeshimkus_111
Historic F5 Account
Apr 30, 2015

Specifically, what is the name of the NTLM machine account object you are selecting in the iApp?

 

  • Bryan_Vance_171's avatar
    Bryan_Vance_171
    Icon for Nimbostratus rankNimbostratus
    Apr 30, 2015
    The object name is f5 machine account and the account name is f5pair
  • Bryan_Vance_171's avatar
    Bryan_Vance_171
    Icon for Nimbostratus rankNimbostratus
    Apr 30, 2015
    The F5 version is 11.6.0
  • mikeshimkus_111's avatar
    mikeshimkus_111
    Historic F5 Account
    Apr 30, 2015
    Aha! Generally, BIG-IP won't let you create objects with spaces or special characters in the name, however the NTLM machine account seems to not have any name validation. I just tested and was able to create accounts with all kinds of forbidden characters in the name. Some of them work with the iApp, but most don't. For now, you should be able to work around this by using a machine account name with only alphanumeric characters and underscores. We will get the deployment guide updated with this information and file a bug against the behavior. Thanks for bringing it to our attention!
  • Bryan_Vance_171's avatar
    Bryan_Vance_171
    Icon for Nimbostratus rankNimbostratus
    May 01, 2015
    I set up a new machine account following your advice and I no longer get this error, but I now get the following error: 01070734:3: Configuration error: apm ntlm ntlm-auth: For ntlm_auth (/Common/Exchange-2013_.app/exch_ntlm_combined_https) domain controller windc must be a fully qualified domain name (FQDN) I set the KDC to the FQDN but still get this new error. Thanks for all of your help,
    • MarG's avatar
      MarG
      Icon for Altostratus rankAltostratus
      Dec 03, 2024

      I have the same problem on f5-iappslx-access-exchange-2.4.0-0.0.1629. 

      transaction failed:01070734:3: Configuration error: apm ntlm ntlm-auth: For ntlm_auth (/Common/APM-Test-Exchange-2016-Inside.app/APM-Test-Exchange-2016-Inside_ntlm_edge) domain controller dc1 must be a fully qualified domain name (FQDN)

       

      In configuration is corrrectly set and is used in quided configuration.

      apm ntlm machine-account F5 {
    domain-controller-fqdn dc1.domain.com

...

apm ntlm ntlm-auth NTLM-F5-DC {

dc-fqdn-list {dc1.domain.com dc2.domain.com }

      I don't know where is APM quided configuration store for configuration and how to refresh. I have created new one config but the error still persist.

  • mikeshimkus_111's avatar
    mikeshimkus_111
    Historic F5 Account
    May 01, 2015
    Did you use an FQDN in response to the "Which Active Directory servers in your domain can this BIG-IP system contact?" question in the APM section? I believe this is where the iApp pulls the DC names to populate the NTLM auth config object.
  • Bryan_Vance_171's avatar
    Bryan_Vance_171
    Icon for Nimbostratus rankNimbostratus
    May 01, 2015
    That did it! I appreciate your help.
  • Rosieodonell_16's avatar
    Rosieodonell_16
    Icon for Cirrus rankCirrus
    Nov 07, 2018

    I am getting the same error and I can't find the "Which Active Directory servers in your domain can this BIG-IP system contact?" question in the APM section?" Is this information in the iapp or is it located in "Access"?

     

    Its the last part that is holding me up in this template.