Forum Discussion

JavierF5's avatar
Icon for Nimbostratus rankNimbostratus
Sep 11, 2019

Get users logged without domain authenticate in Exchange (APM)


Hello, i need some help with an Exchange deployment in APM


It has NTLM authentication and Kerberos SSO in a multidomain setup (5 different AD)


All works fine if the users specify the domain in the login, but if they use only the username, the auth fails.


We can force the domain in the user field using a variable


Branch rule: expr { [mcget {session.logon.last.domain} ] eq ""


and the variable assign: expr { [mcget {session.logon.last.domain} ] eq "domain"


This looks fine in the APM debug, but the exchange client fails, returnig an error in domain/user/pass


Sep 9 16:21:19 slot3/AXF5BLCWEBPUB2 info apmd[5236]: 01490007:6: /Common/ Session variable 'session.policy.result' set to 'allow'


The only difference we can see is in the uui log, as far as i know it shoudl not be a problem at all.



Sep 9 16:25:20 slot3/AXF5BLCWEBPUB2 info apmd[5236]: 01490007:6: /Common/ Session variable 'session.assigned.uuid' set to 'tmm.uuid.miguelllo.f391eedee46ff11ea7c6aeab1cd73fc7'



Sep 9 16:21:19 slot3/AXF5BLCWEBPUB2 info apmd[5236]: 01490007:6: /Common/ Session variable 'session.assigned.uuid' set to 'tmm.uuid.domain\miguelllo.8eb47aecda6bd16c1bc66f4f94d3bb52'


All other variables seem the same with both methods. We suspect an internal problem with the SSO, but for some reason we can't see any log activating the debug for the access policy.


Any idea to get users entered without domain working?





Thanks in advance


4 Replies

  • Hello, the SSO logs are a separate setting from Access Policy logs, so you will need to set the SSO logs on debug. So in the Admin GUI go into "Access Policy" > "Event Logs" > "Log Settings", Select the logging profile and then set the SSO logs to debug.

  • Hi Dave, thanks for your answer. We already have the debug configured there, but is not showing anything. We can get SSO debug if we activate it in the default log, unfortunately the device is used in a high traffic setup and most services are using the default.. so it's not an option. Probably a bug (we are running a 12.1.3 version)


    The main issue we have is the domain in the login. Its only relevant to mobile users, since the desktop client takes the domain data from the windows session.



  • Hi,


    it seem's that your session variable is wrong, try this please:


    Create your session variable and set the following value in

    Custom Variable:



    Custom Expression:

    return "mydomain"


    keep me in touch


  • Hi Youssef,


    Thanks for your answer,


    We tried that, also a bunch of other variables like lastlogonname, they work as in APM reached the allow at the end, but the client still fails to authenticate when logged without domain.


    We have captures when we see that after the APM does it's thing, the subsequent communication client/backend fails. We may have an idea right now of why it's happening.


    Will post results after a couple of tests.