Forum Discussion

ndaems_145583's avatar
Icon for Nimbostratus rankNimbostratus
Apr 02, 2019

Exchange Hybrid Free/Busy - APM 401 error with original iApp


We are trying to deploy Exchange iApp in a Hybrid deployement

Everything works well except the Free/Busy feature in O365.

After doing some research we found a workaround by adding 2 URL at in the hybrid_bypassed iRule

"/ews/exchange.asmx" "/autodiscover/autodiscover.xml"

If we don't bypass these 2 URL it's not working and we can see that Kerberos Ticket Failed

exch:Common:2e80dc30: User from RD0004FFD126D7 is authenticated
exch:Common:2e80dc30: Received User-Agent header: ExchangeServicesClient%2f15.20.1709.009.
exch:Common:2e80dc30: Following rule 'fallback' from item 'SSO Credential Mapping' to ending 'Allow'
exch:Common:2e80dc30: Access policy result: LTM+APM_Mode
exch:Common:2e80dc30: Received client info - Hostname:  Type: unknown Version: 0 Platform: unknown CPU: unknown UI Mode: Full Javascript Support: 0 ActiveX Support: 0 Plugin Support: 0
exch:Common:2e80dc30:Kerberos: can't get S4U2Self ticket for user - Server not found in Kerberos database (-1765328377)
exch:Common:2e80dc30: Kerberos: Failed to get ticket for User: '' accessing service: 'HTTP/exchange.MYDOM.ROOT@MYDOM.ROOT'
exch:Common:2e80dc30: failure occurred when processing the work item
exch:Common:2e80dc30: Session deleted due to admin initiated termination.
exch:Common:2e80dc30: Session statistics - bytes in: 3908, bytes out: 817

Few questions:

  • Does APM support Alternative UPN as SSO logon ?
  • Is there any risk to bypass additional URL

Thank you



3 Replies

  • Hello,


    I have the same issue with iApp f5.microsoft_exchange_2016.v1.0.2 on hybrid o365/on-prem configuration. From o365, users can't see free/busy information of on-prem mailboxes. Does anyone have a validated solution?


    is the workaround " by adding 2 URL at in the hybrid_bypassed iRule "/ews/exchange.asmx" "/autodiscover/autodiscover.xml" " will allow not only o365 but also other users to bypass APM policy ?


    Thank you




  • Nath's avatar
    Icon for Cirrostratus rankCirrostratus


    May I know if you are able to resolve this issue? I am facing a similar issue with the free/busy information on our Exchange deployment.

  • Hello Nicolas,

    Where you able to find a solution for this.  I tried that same by doing a bypass of APM for the following URI.

    But it still fails and i still see authentication request for it coming into APM.

    priority 1
    when HTTP_REQUEST {
    set is_disabled 0
    switch -glob [string tolower [HTTP::path]] {
    "/EWS/mrsproxy.svc*" -
    "/EWS/mrsproxy.svc" -
    "/EWS/exchange.asmx*" -
    "/EWS/exchange.asmx" -
    "/EWS/Services.wsdl" -
    "/EWS/exchange.asmx/wssecurity*" -
    "/EWS/exchange.asmx/wssecurity" {
    set is_disabled 1
    set path [HTTP::path]
    HTTP::path _disable-$path
    pool /Common/
    "/autodiscover/autodiscover.svc/wssecurity" -
    "/autodiscover/autodiscover.xml" -
    "/autodiscover/autodiscover.svc" {
    set is_disabled 1
    set path [HTTP::path]
    HTTP::path _disable-$path
    pool /Common/
    if { [info exists is_disabled] && $is_disabled == 0 } { return }
    if { [info exists path] } {
    HTTP::path $path
    unset is_disabled
    unset path

    still getting 401 error and APM logs sometimes show logs for

    f5system debug tmm2[21344]: 0149ffff:7: /Common/exchange2016:Common:00000000: HTTP uri: /EWS/mrsproxy.svc%27.


    Dont see any article out there with a solution of this. I think the irule is not working or may be not.