Forum Discussion

raydakis10's avatar
Nov 19, 2019

F5 mapi over http Preauthentication failed via APM



I am deploying Exchange2016 using Iapp Exchange 2016 v1.02.

APM should authenticate users againt AD and then forward the traffic to the F5 LAN to load balance traffic to Exchange2016 CAS servers.

we are migrating from exchange2010/o365 to exchange2016/0365.

below is the diagram for reaching on premise mailbox from internet :

external users -->Internet --> F5 DMZ(LTM+APM V12.1.2))--> F5 LAN(LTM 12.1.2) --> (AD srv, Exch2016 srv)


In the Iapp i choose basic authentication for external outlook clients in F5 DMZ config.

the mapi over http authentication fail via APM !


My question : Is the F5 exchange Iapp v1.02 config suitable for external mapi over http APM authentification ?

3 Replies

  • Hello, yes you should be to support MAPI with the iApp, per the deployment guide:



    "You can configure the BIG-IP system to support any combination of the following services supported by Mailbox servers: Outlook Web App (which includes the HTTP resources for Exchange Control Panel), Exchange Web Services, Outlook Anywhere (RPC over HTTP, including the Offline Address Book), ActiveSync, Autodiscover, POP3, IMAP4, and MAPI over HTTP. "

  • Hello dave,


    Thanks for your answer.

    I've done the configuration using Iapp 1.02 (we use basic authentication + ntlmv2).

    but mapi authentication on F5 DMZ still failed via APM.

    for testing i've used

    error message is : "Testing the address book "Check Name" operation for user xxx against server xxx. An error occurred while attempting to resolve the name".

    see attached the diagram of the VPE.





  • What does your APM log say when you attempt to authenticate? If you do not have a lot of APM for other applications it should be manageable by following the log in cli bash

    tail -f /var/log/apm


    Bear in mind that your exchange servers might not have been configured for basic auth.


    I have seen external MAPI work well with APM, this was configured with NTLM for validating the klient and then kerberos to the backend server.