Forum Discussion

amolari_4313's avatar
amolari_4313
Icon for Nimbostratus rankNimbostratus
Jun 01, 2016

exchange hybrid deployment (SAML ECP needed) and 12.1

hi

 

referring to that post from 2014.

 

I can't authenticate my users, because the autodiscover process in O365 is blocked at the SAML-ECP stage. I do see the authnrequest from O365 coming properly to my IdP (ECP URL) with an authorization http-header. However, the APM is not authenticating and do a 302-redirect, which the client can't follow.

 

Anyone tested that successfully on 12.1 (or 12.0)?

 

Thanks!

 

Alex

 

  • Hi Michael,

     

    Did you ever found the root cause?

     

    We are facing a similar issue at this moment.

     

  • Have you deployed this using the iApp? Do have the _sys iRule assigned to the virtual server? I just tested my setup and autodiscover worked just fine(setup my account on iOS device using autodiscover) on 12.1 - so I am fairly certain something is amiss in your setup.

     

    • Michael_Adams_-'s avatar
      Michael_Adams_-
      Icon for Nimbostratus rankNimbostratus

      I don't think it's the Autodiscover piece that's failing (per say)....I'm having the same issue and have a case open right now.

       

      Full Disclosure: We have a complex setup (APM front end w/o365 STS and Exchange Client Access iApp that forwards traffic (Exchange related) to another LTM with the Exchange Client Access iApp configured), so the problem may be something else - but this rings a bell to me...

       

      It's looking more like after the redirect that happens, O365 is trying to reauthenticate with the STS and either: 1) O365 gets a response it does not like or 2) the APM resets the connection. Were doing packet captures, log traces, etc. to try and narrow it down further...

       

      What we're finding is Autodiscover works fine for internal (on prem) mailboxes. But when O365 comes back to our STS to authenticate for a migrated mailbox (after a 302 redirect which does in fact succeed), the POST from O365 during the Autodiscover process contains authentication headers but the APM is resetting the connection for some reason.

       

  • Have you deployed this using the iApp? Do have the _sys iRule assigned to the virtual server? I just tested my setup and autodiscover worked just fine(setup my account on iOS device using autodiscover) on 12.1 - so I am fairly certain something is amiss in your setup.

     

    • Michael_Adams_-'s avatar
      Michael_Adams_-
      Icon for Nimbostratus rankNimbostratus

      I don't think it's the Autodiscover piece that's failing (per say)....I'm having the same issue and have a case open right now.

       

      Full Disclosure: We have a complex setup (APM front end w/o365 STS and Exchange Client Access iApp that forwards traffic (Exchange related) to another LTM with the Exchange Client Access iApp configured), so the problem may be something else - but this rings a bell to me...

       

      It's looking more like after the redirect that happens, O365 is trying to reauthenticate with the STS and either: 1) O365 gets a response it does not like or 2) the APM resets the connection. Were doing packet captures, log traces, etc. to try and narrow it down further...

       

      What we're finding is Autodiscover works fine for internal (on prem) mailboxes. But when O365 comes back to our STS to authenticate for a migrated mailbox (after a 302 redirect which does in fact succeed), the POST from O365 during the Autodiscover process contains authentication headers but the APM is resetting the connection for some reason.