F5 APM with OWA and Exchange 2010
With the BIG-IP 2000 ADC appliance running version 11.3 of the software and using the RC4 2010/2013 Exchange template: The APM module was purchased as we use NTLM authentication for Outlook Anywhere and need to use Kerberos constrained delegation. We also use integrated authentication (non-forms) for Outlook Web App.
So I start with the cookie based persistent services like OWA - The problem is that the access policy '/Common/exchange.app/exchange_access' presents the F5 login form which I do not want. If the user has authenticated to windows already then credentials should be passed through.
The documentation for when not using forms is not clear.
6 Replies
There are two things that you might need to look at, multi-domain authentication and your APM. First, if you want to have the user automatically authenticate when they are in the network because of cached credentials, you'll need to have a fork in the APM VPE and send those users to the 401 event. There's another post here where they explain it in detail. The other option is multi-domain; this allows you to have different SSO configurations but using one APM.
- blwavg_10621
Nimbostratus
You can also separate how internal and external users access those virtual servers by using an iRule or the IP Subnet Match under the APM Endpoint Security (server-side) options. This question I asked was pretty similar and provides some great detail. https://devcentral.f5.com/questions/apm-sso-login-using-creds-from-windows-login
This is also helpful. http://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-aaa-auth-config-11-1-0/4.html
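The two approaches above (a fork in the VPE and an iRule keyed on source subnet) can be combined. The following iRule is an added example written for this thread, not code from either poster or from F5's Exchange iApp: it runs when the access policy reaches an iRule Event agent, looks the client address up in an address data group, and stores the result in a session variable that a VPE branch rule can test. The data group name `dg_internal_subnets`, the agent ID `classify_client`, and the variable `session.custom.is_internal` are assumed names you would choose in your own configuration.

```tcl
# Added example, not from the original thread.
# Assumed objects (create them to match your environment):
#   - an address-type data group named dg_internal_subnets, e.g. via tmsh:
#       tmsh create ltm data-group internal dg_internal_subnets type ip records add { 10.0.0.0/8 { } 192.168.0.0/16 { } }
#   - an "iRule Event" agent in the VPE whose ID is classify_client
#   - a branch rule on that agent with the expression:
#       expr { [mcget {session.custom.is_internal}] == 1 }
#     whose "internal" branch goes to the 401/NTLM challenge and whose fallback
#     branch goes to the Logon Page.

when ACCESS_POLICY_AGENT_EVENT {
    # Only act on the agent we placed in the policy; other iRule Event agents
    # (if any) keep their own handlers.
    if { [ACCESS::policy agent_id] eq "classify_client" } {
        if { [class match [IP::client_addr] equals dg_internal_subnets] } {
            # Source address is inside a trusted internal range:
            # let the policy take the integrated (401) branch.
            ACCESS::session data set session.custom.is_internal 1
        } else {
            # Anything else (Internet, unknown ranges) gets the logon form.
            ACCESS::session data set session.custom.is_internal 0
        }
    }
}
```

The variable is always set explicitly to 0 or 1 so the branch expression never evaluates an empty value. Keep the data group limited to ranges where you can rely on the client's address being the real source (no untrusted proxy in front of the virtual server), since the branch decision is only as trustworthy as the source address it is based on.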
- Rabbit23_116296
Nimbostratus
Thanks blwavg. The Exchange 2010/2013 deployment guide has said that I must use forms-based authentication when using APM. Hopefully your links will show me another way.
- blwavg_10621
Nimbostratus
You do not have to use forms-based authentication. I have participated in a deployment that uses basic auth (although I would not recommend it). It takes some trickery to make it work, but it is possible. It is just not recommended by F5. Kerberos does not actually pass user credentials, though. So if the application requires a user name and password, the Kerberos method may not work, unless it is possible to allow the Exchange environment to accept Kerberos tickets. The F5 can also be designated to sign those tickets (but I think you have to buy a license for that).
- Wolf46_144992
Nimbostratus
Hi blwavg, do you know how "Basic Authentication" can be made to work in this case, please? We are currently testing some deployments using our new F5s and would like to use Basic Authentication.
- Rabbit23_116296
Nimbostratus
Basic is not something I want to use. I just want internal users to have the same experience they have at the moment in that when connected internally they do not need to authenticate again unnecessarily to another form. For this reason we have both integrated and basic authentication enabled on the OWA virtual directory so that when internal at least they are not challenged.