Forum Discussion

Wompi_203183
Apr 20, 2016

Exchange ActiveSync published via APM, client certificates and kerberos sso mixes up kerberos tickets

Hi,

we have published Exchange ActiveSync via F5 APM for mobile clients (iPhone) with client certificates. The clients are managed with AirWatch MDM and have a certificate installed for authentication. Basically the configuration works fine and the users can sync their emails without problems. But sometimes, especially when several users share the same external IP (e.g. at work) and try to sync at the same time, it seems that F5 mixes up the Kerberos tickets. User A then gets emails from user B.

In the APM logs you can see that even if the request comes from another client, F5 uses a cached ticket from user B and sends this to Exchange. But in the HTTP URL for ActiveSync you can see the request for user A.

Could this be a configuration issue or is it maybe a known bug in F5?

Setup: We have used this guide for the basic configuration: https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-sso-config-11-4-0/4.html

Our Access Policy looks like:

For the extraction of the UPN from the certificate we use:

For the client SSL profile we have set the trusted certificates, the SSL certificate and client certificate = require.

We attached the ActiveSync iRule (_sys_APM_activesync) from F5 to the VS but modified it a bit, otherwise the client would always pop up a password window for basic authentication. We commented the clientless mode out as stated here: https://devcentral.f5.com/questions/issue-with-apm-activesync-cert-auth

Anyone experiencing similar issues?

Thank you very much

Mark
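The check described in the post above (the user in the ActiveSync URL versus the Kerberos ticket APM actually sent to Exchange), as an added example that is not part of the original post and not F5 code. The log lines and their field layout (sid=, client=, the "ActiveSync request:" and "Kerberos SSO:" phrases) are constructed for the demo and are an assumption, not the real BIG-IP APM log format; the regexes need adjusting to a real APM log export. It correlates on the APM session id rather than the client IP, because in the scenario described several users sit behind one external address.

```python
"""
Added example, not from the original post and not F5 code: correlate the
account named in each ActiveSync request URL (the User= query parameter)
with the Kerberos principal APM used for SSO on that request, and flag
requests where a ticket for a different user was sent to Exchange.

The log lines below are constructed for this demo and the field layout
(sid=, client=, the "ActiveSync request:" and "Kerberos SSO:" phrases) is an
assumption, not the real BIG-IP APM log format; adjust the regexes to match
your own APM log export.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: one request line and one SSO line per ActiveSync request.
# Session bb22 (bob) is answered with alice's cached ticket: the reported symptom.
SAMPLE_LOG = """\
2016-04-20 09:01:10 sid=aa11 client=203.0.113.5 ActiveSync request: POST /Microsoft-Server-ActiveSync?User=alice&DeviceId=APPL1&DeviceType=iPhone&Cmd=Sync
2016-04-20 09:01:10 sid=aa11 client=203.0.113.5 Kerberos SSO: using new ticket for principal=alice@CORP.EXAMPLE
2016-04-20 09:01:12 sid=bb22 client=203.0.113.5 ActiveSync request: POST /Microsoft-Server-ActiveSync?User=bob&DeviceId=APPL2&DeviceType=iPhone&Cmd=Sync
2016-04-20 09:01:12 sid=bb22 client=203.0.113.5 Kerberos SSO: using cached ticket for principal=alice@CORP.EXAMPLE
2016-04-20 09:01:15 sid=cc33 client=198.51.100.7 ActiveSync request: POST /Microsoft-Server-ActiveSync?User=CORP%5Cdave&DeviceId=APPL3&DeviceType=iPhone&Cmd=FolderSync
2016-04-20 09:01:15 sid=cc33 client=198.51.100.7 Kerberos SSO: using new ticket for principal=dave@CORP.EXAMPLE
2016-04-20 09:01:20 sid=bb22 client=203.0.113.5 ActiveSync request: OPTIONS /Microsoft-Server-ActiveSync
2016-04-20 09:01:20 sid=bb22 client=203.0.113.5 Kerberos SSO: using cached ticket for principal=alice@CORP.EXAMPLE
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) sid=(?P<sid>\w+) client=(?P<client>[\d.]+) (?P<rest>.*)$")
REQUEST_RE = re.compile(r"^ActiveSync request: (?P<method>[A-Z]+) (?P<url>\S+)$")
SSO_RE = re.compile(r"^Kerberos SSO: using (?P<source>new|cached) ticket for principal=(?P<principal>\S+)$")


def user_from_activesync_url(url):
    """Lowercase account name from the User= parameter, with a DOMAIN\\ prefix
    or @realm suffix stripped so it compares to a Kerberos principal.
    Returns None for requests that carry no User= (e.g. a bare OPTIONS)."""
    values = parse_qs(urlsplit(url).query).get("User")
    if not values:
        return None
    user = values[0]
    if "\\" in user:
        user = user.split("\\", 1)[1]
    return user.split("@", 1)[0].lower()


def principal_user(principal):
    """Account part of user@REALM, lowercased."""
    return principal.split("@", 1)[0].lower()


def find_ticket_mismatches(log_text):
    """Pair each Kerberos SSO line with the last ActiveSync request seen on the
    same APM session id, and return the requests whose URL user differs from
    the principal of the ticket that was actually sent to Exchange."""
    pending = {}  # sid -> most recent request on that session, not yet matched
    mismatches = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        sid, rest = m["sid"], m["rest"]
        req = REQUEST_RE.match(rest)
        if req:
            pending[sid] = {"ts": m["ts"], "client": m["client"],
                            "url": req["url"], "url_user": user_from_activesync_url(req["url"])}
            continue
        sso = SSO_RE.match(rest)
        if sso and sid in pending:
            r = pending.pop(sid)
            ticket_user = principal_user(sso["principal"])
            # Requests with no User= in the URL cannot be checked; skip them.
            if r["url_user"] is not None and r["url_user"] != ticket_user:
                mismatches.append({"ts": r["ts"], "sid": sid, "client": r["client"],
                                   "url_user": r["url_user"], "ticket_user": ticket_user,
                                   "ticket_source": sso["source"]})
    return mismatches


if __name__ == "__main__":
    for hit in find_ticket_mismatches(SAMPLE_LOG):
        print(f"{hit['ts']} sid={hit['sid']} client={hit['client']}: "
              f"URL user {hit['url_user']!r} but {hit['ticket_source']} ticket for {hit['ticket_user']!r}")
```

Run against the constructed sample it reports only session bb22, where the URL says bob but a cached ticket for alice went to Exchange; aa11 and cc33 pass (cc33 also shows the DOMAIN\user form of User= being normalised), and the bare OPTIONS request is skipped because it names no user.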

 

  • Hello,

    It's an issue seen since the latest version of BIG-IP. It's now safer to deploy ActiveSync using the available iApp for Exchange.

    You should not use the following iRule anymore: _sys_APM_activesync

    • Wompi_203183
      Hi, thank you for your reply. I added the iRule because otherwise iPhone requests threw errors in APM. I will give it a try with the iApp and report back. Best regards, Mark
    • Wompi_203183
      Hi, I tried the iApp but this didn't work either. APM threw the following error because of the iPhone option header:
      (null):Common:00000000: Access encountered error: ERR_ARG. File: ../modules/hudfilter/access/access.c, Function: hud_access_handler, Line: 2525 2016-04-25 10:05:16
      But I replaced the old iRule with _sys_APM_ExchangeSupport_OA_BasicAuth and now it seems to work. The only drawback is that the first time the users get a basic auth window and have to enter anything. Afterwards the Kerberos SSO auth with certificate takes place. Subsequent requests work fine. I haven't found the time yet to look into the iRule to see if I can comment out the 401 basic auth. Thank you, best regards, Mark
    • Yann_Desmarest
      Hi, we regularly deploy the iApp without any issues. We use an Exchange profile and customize the VPE to fit our needs, and that works. We don't attach any iRules to the VS.