Forum Discussion
CirrocumulusExchange 2010 Deployment Guide and ActiveSync
CirrocumulusOK... So looking at this some more. And I can't follow the iRule _sys_APM_ExchangeSupport_OA_BasicAuth and what it's trying to do with regards to /ews (Exchange Web Services) and authentication.
The Exchange has basic auth disabled. So I believe it's expecting NTLM authentication headers coming through (In the Authorization header). But from running through the code, it looks like the authorization header is then REMOVED in the ACCESS_ACL_ALLOWED event... when EWS_BKEND_BASIC_AUTH is NOT defined (This is the default BTW)...
Which removes the NTLM authentication... e.g.
when ACCESS_ACL_ALLOWED {
log -noname accesscontrol.local1.debug "$static::ACCESS_LOG_PREFIX [HTTP::method] [HTTP::uri] [HTTP::header Content-Length]"
MSFT Exchange's EWS request handler always requesting NTLM even the connection has been
already authenticated if there is a HTTP Basic Auth in the request.
if { [ info exists f_exchange_web_service ] && $f_exchange_web_service == 1 } {
if { $static::EWS_BKEND_BASIC_AUTH == 0 } {
log -noname accesscontrol.local1.debug "$static::ACCESS_LOG_PREFIX Removing HTTP Basic Authorization header"
HTTP::header remove Authorization
}
}
}So the backend won't be getting ANY authentication presented (Which coincides with some traffic dumps taken by analytics showing no authorization headers and the subsequent 401 Unauthorized being returned). Shouldn't the code here be testing for BASIC auth and ONLY removing the header if it's BASIC auth being specified? or am I missing something?
The strange thing is, activesync works fine...
** Note I've looked at the iApps, and they don't appear to work on the Lab/VE... Which is my test environment... For some reason I can't see any of the _sys_APM*** iRules
