Forum Discussion
Exchange 2010 SP3, iApp template 2012_04_06 and Big IP 11.4.1 Build 608.0 - EWS issue
As per subject, is this combination supported? When using APM and Outlook Anywhere I am having the following problem:
Dec 12 10:06:31 lhr4-lb-01 debug tmm3[9610]: 01490000:7: Enable ECA: select_ntlm:/exchange/exchange-2010-application.app/exch_ntlm_exchange-2010-application_combined_https
Dec 12 10:06:31 lhr4-lb-01 err eca[7202]: 0162000e:3: Invalid argument (/exchange/exchange-2010-application.app/exch_ntlm_exchange-2010-application_combined_https)
Dec 12 10:06:31 lhr4-lb-01 err eca[7202]: 0162000e:3: Invalid metadata (select_ntlm:/exchange/exchange-2010-application.app/exch_ntlm_exchange-2010-application_combined_https)
Dec 12 10:06:31 lhr4-lb-01 debug tmm2[9610]: 01490000:7: Matches RPC
Dec 12 10:06:31 lhr4-lb-01 err eca[7202]: 0162000e:3: Invalid argument (/exchange/exchange-2010-application.app/exch_ntlm_exchange-2010-application_combined_https)
Dec 12 10:06:31 lhr4-lb-01 err eca[7202]: 0162000e:3: Invalid metadata (select_ntlm:/exchange/exchange-2010-application.app/exch_ntlm_exchange-2010-application_combined_https)
Looking at this script block, is the object_name correctly formatted in the iApp template?
    # Ntlm-auth requires a specially-named prefix to match a system irule.
    if { $key == "ntlm,ntlm-auth,combined_https" ||
         $key == "ntlm,ntlm-auth,oa_https" ||
         $key == "ntlm,ntlm-auth,edge" } {
        regsub ".app/exchange" $object_name \
            ".app/exch_ntlm_${app}" object_name
    }
- Rabbit23_116296Nimbostratus
Still no feedback from F5 support on the issue raised last week.
- mikeshimkus_111Historic F5 Account
I checked the case and they have a request for an engineer in the UK to contact you ASAP.
The only differences between the 11.3 and 11.4 configuration for OA w/NTLM auth are:
- 11.3 requires that you attach an APM system iRule to the virtual server. 11.4 uses the APM Exchange profile, which obscures the system iRule.
- 11.3 requires that the NTLM auth config be named "exch_ntlm_<virtual server name>", where <virtual server name> is the name of the VIP the APM iRule is attached to. We still use this format in 11.4, but I don't believe it's required.
Support should ask you to upload your configuration to iHealth. Once you do that we can take a closer look at it.
- Rabbit23_116296Nimbostratus
Mike, if only I understood where to find what you suggested earlier...
Access Policy/Application Access/Exchange/exchange_ntlm_exch still defaulted to an invalid NTLM configuration with the stock iApp template.
- mikeshimkus_111Historic F5 Account
I checked your support case and it was closed:
"This issue has been resolved, I found the setting which defaulted to a non existent SSO profile."
In all of our testing, the NTLM configuration specified by the iApp works. Not sure why it would be failing, other than a possible issue with the upgrade? What was the SSO profile that didn't exist?
- Rabbit23_116296Nimbostratus
exch_ntlm_exchange-2010-application_combined_https, as in the first post. Odd, as I found it after installing an 11.4.1 image afresh on one appliance and importing the iApp.
- mikeshimkus_111Historic F5 Account
That's the NTLM auth config name, not an SSO profile.
What did the iApp create for the NTLM auth config instead of exch_ntlm_exchange-2010-application_combined_https?
- Rabbit23_116296Nimbostratus
The NTLM auth configuration? Access policy/access profiles/NTLM/NTLM Auth configuration?
- mikeshimkus_111Historic F5 Account
Correct. If your virtual server is named exchange-2010-application_combined_https, then the iApp should have created one named exch_ntlm_exchange-2010-application_combined_https.
When you run the iApp on your 11.4.1 box, what is the output of /var/tmp/scriptd.out? That file should log all the tmsh commands that iApp templates run.
- Rabbit23_116296Nimbostratus
create apm ntlm ntlm-auth /exchange/exchange.app/exch_ntlm_exchange_oa_https { dc-fqdn-list replace-all-with { lhr4-dccorp-01.corpad.adbkng.com lhr4-dccorp-02.corpad.adbkng.com lhr4-dccorp-03.corpad.adbkng.com } machine-account-name /exchange/lhr4-ltm-01.corpad.adbkng.com
create apm profile exchange /exchange/exchange.app/exchange_ntlm_exchange { auto-discover-sso-config /exchange/exchange.app/exchange_ntlm_kerberos_sso offline-address-book-sso-config /exchange/exchange.app/exchange_ntlm_kerberos_sso web-service-sso-config /exchange/exchange.app/exchange_ntlm_kerberos_sso ntlm-auth-name /exchange/exchange.app/exch_ntlm_exchange_combined_https rpc-over-http-auth-type ntlm rpc-over-http-sso-config /exchange/exchange.app/exchange_ntlm_kerberos_sso }
That's what I could find that matched the 'exch_ntlm' pattern.
- mikeshimkus_111Historic F5 Account
I see. It looks like the iApp created an NTLM auth config named exch_ntlm_exchange_oa_https, which is correct for a deployment using separate virtual servers for each service.
However the APM Exchange profile is referencing the non-existent exchange-2010-application_combined_https NTLM auth config. You should be able to modify the NTLM auth name in the Exchange profile to use the correct object.
We'll get this updated in the next version of the template.
Thanks
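
The mismatch diagnosed in the last reply can be checked mechanically. The following is an added example, not part of the thread or of F5's template: it reads the tmsh commands logged to /var/tmp/scriptd.out, lists Exchange profiles whose ntlm-auth-name points at an NTLM auth config that was never created, and matches them against the eca "Invalid metadata" errors. The sample inputs are constructed and shortened from the lines quoted above (example.com hosts are placeholders), and the function names are hypothetical.

```python
import re

# Constructed sample of /var/tmp/scriptd.out, shortened from the commands quoted in the thread.
SCRIPTD_OUT = """\
create apm ntlm ntlm-auth /exchange/exchange.app/exch_ntlm_exchange_oa_https { dc-fqdn-list replace-all-with { dc1.example.com } machine-account-name /exchange/bigip.example.com }
create apm profile exchange /exchange/exchange.app/exchange_ntlm_exchange { ntlm-auth-name /exchange/exchange.app/exch_ntlm_exchange_combined_https rpc-over-http-auth-type ntlm }
"""

# Constructed APM log lines in the format shown in the first post.
APM_LOG = """\
Dec 12 10:06:31 lb-01 debug tmm3[9610]: 01490000:7: Enable ECA: select_ntlm:/exchange/exchange.app/exch_ntlm_exchange_combined_https
Dec 12 10:06:31 lb-01 err eca[7202]: 0162000e:3: Invalid metadata (select_ntlm:/exchange/exchange.app/exch_ntlm_exchange_combined_https)
Dec 12 10:06:31 lb-01 debug tmm2[9610]: 01490000:7: Matches RPC
"""

CREATE_NTLM = re.compile(r"^create apm ntlm ntlm-auth (\S+)", re.M)
# Capture the rest of the line so a truncated command (no closing brace) still parses.
CREATE_PROFILE = re.compile(r"^create apm profile exchange (\S+)(.*)$", re.M)
NTLM_REF = re.compile(r"\bntlm-auth-name (\S+)")
ECA_ERR = re.compile(r"\berr eca\[\d+\]: \S+ Invalid metadata \(select_ntlm:([^)\s]+)\)")

def dangling_ntlm_refs(scriptd_text):
    """Return {exchange profile: ntlm-auth-name} for references to objects never created."""
    created = set(CREATE_NTLM.findall(scriptd_text))
    dangling = {}
    for profile, body in CREATE_PROFILE.findall(scriptd_text):
        for ref in NTLM_REF.findall(body):
            if ref not in created:
                dangling[profile] = ref
    return dangling

def eca_failures(log_text):
    """Return the NTLM auth config names that eca rejected as invalid metadata."""
    return set(ECA_ERR.findall(log_text))

def explain(scriptd_text, log_text):
    """Pair each eca failure with the profile whose dangling reference explains it."""
    failed = eca_failures(log_text)
    refs = dangling_ntlm_refs(scriptd_text)
    return sorted((p, r) for p, r in refs.items() if r in failed)

if __name__ == "__main__":
    for profile, ref in explain(SCRIPTD_OUT, APM_LOG):
        print(f"{profile} references missing NTLM auth config {ref}")
```
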