

Mark_Smith_-_NC
Aug 16, 2017

Exchange 2010 Outlook Anywhere only for specific users

Has anyone set up a policy using APM to allow "Outlook Anywhere" connections to Exchange 2010, but only for specific users that are members of a specific AD group?

 

We've been trying to get this working but appear to be finding that when the credentials passed to the AD Query stage using this: (UserPrincipalName=%{session.logon.last.logonname}) get passed to the SSO Credential Mapping stage and ultimately to Exchange, they get rejected, as Exchange is looking for the DOMAIN\USERNAME type.

 

Any advice/pointers on how to resolve this would be appreciated.

 

2 Replies

  • Hi,

    You can use a variable assign block in the VPE to concat the domain and the username. Ex:

    session.logon.last.username = expr { [concat "[mcget {session.ntlm.last.domain}]\\[mcget {session.ntlm.last.username}]" ] }

    You may have to change the variable names as they may differ depending on your deployment. You can find which variables are used by visiting the Access Report.

  • Hi,

    If you require DOMAIN\USERNAME for some SSO profiles and USERNAME for other SSO profiles, you can use this:

    session.sso.token.last.ntusername = expr { "DOMAIN\\[mcget {session.ad.last.attr.sAMAccountName}]" }
    

    then, in your SSO profile requiring DOMAIN\USERNAME, use session.sso.token.last.ntusername instead of session.sso.token.last.username
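
The approach from the two replies, combined into one added example (not code from the thread or from F5): a Tcl helper that builds DOMAIN\USERNAME, preferring the sAMAccountName returned by AD Query and falling back to parsing the logon name the client sent. `mcget` is stubbed, and the session values, the `DOMAIN` NetBIOS name and the `nt_username` helper name are assumptions so that it runs under plain tclsh.

```tcl
# Added example: stand-alone Tcl, runnable with tclsh outside APM.
# mcget is stubbed here; on APM it is provided to Variable Assign expressions.
# The session values below are constructed sample data.
array set SESSION {
    session.logon.last.logonname        jdoe@example.com
    session.ad.last.attr.sAMAccountName jdoe
}
proc mcget {name} {
    global SESSION
    set name [string trim $name]
    if {[info exists SESSION($name)]} { return $SESSION($name) }
    return ""
}

# Hypothetical helper: return DOMAIN\USERNAME for the SSO profile.
# netbios is the NetBIOS domain name (assumed known in advance).
proc nt_username {netbios} {
    set sam   [mcget {session.ad.last.attr.sAMAccountName}]
    set logon [mcget {session.logon.last.logonname}]
    if {$sam ne ""} {
        # Preferred: the value AD Query returned for this user.
        set user $sam
    } elseif {[regexp {^[^\\]+\\(.+)$} $logon -> u]} {
        # Logon name already has a domain prefix: keep only the user part.
        set user $u
    } elseif {[regexp {^([^@]+)@.+$} $logon -> u]} {
        # UPN form: part before the @ (this can differ from sAMAccountName).
        set user $u
    } else {
        # Bare username.
        set user $logon
    }
    if {$user eq ""} { error "no username found in session" }
    return "$netbios\\$user"
}

puts [nt_username DOMAIN]
```

Taking sAMAccountName from the AD Query result first matters because a UPN prefix is not guaranteed to match the account's pre-Windows 2000 logon name.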