Forum Discussion

Nimbostratus

Aug 12, 2015

Kerberos Delegation and NTLM auth Exchange 2013

This is related to a previous post about the Exchange iApp. Everything is working for both internal and internal connections except from Outlook Anywhere clients attempting to connect to the external VS and auth via RPC over HTTP. I enabled all debug logs for APM and ECA since that seemed to be where the failure was occuring. I noticed the following and cannot make much sense of it. Any help would be appreciated. Below is the log file comparison between a successful auth though the internal iApp vs the failed auth through the external iApp. This is just a snippet of the full log. Everything before these lines in the log is the same for both internal and external connections. It seems to fail when the BigIP tries to make a call to itself to process the logon request, anyone ever see this before?

Internal success: Aug 12 13:22:12 JHHCF5 debug eca[7237]: 0162000c:7: [Common] 10.1.12.9:46380 (0x09a8b9c8) Server challenge: 24296533D8C59FB4 Aug 12 13:22:12 JHHCF5 debug nlad[8603]: 01620000:7: <0x559058f0> clntsvc: processing 'logon' request on connection[18] from 127.0.0.1:43935 Aug 12 13:22:12 JHHCF5 debug nlad[8603]: 01620000:7: <0x559058f0> client[5]: is ready Aug 12 13:22:12 JHHCF5 debug nlad[8603]: 01620000:7: <0x5624cb90> NLAD_TRACE: nlclnt[53403010a / 01] sending logon = 0xC00000E5 Aug 12 13:22:12 JHHCF5 debug nlad[8603]: 01620000:7: <0x5624cb90> nlclnt[53403010a] logon: entering user GRicketts domain JHHC wksta JHHC04619LT

Failed auth: Aug 12 12:51:10 JHHCF5 debug nlad[8603]: 01620000:7: <0x559058f0> clntsvc: processing 'logon' request on connection[38] from 127.0.0.1:44495 Aug 12 12:51:10 JHHCF5 warning nlad[8603]: 01620000:4: <0x559058f0> clntsvc: no client for id 6 to service request from connection[38] from 127.0.0.1:44495 Aug 12 12:51:10 JHHCF5 debug nlad[8603]: 01620000:7: <0x559058f0> nla_rq: response with status [0xc00000ab,NT_STATUS_INSTANCE_NOT_AVAILABLE] for type 'logon' client 6 context 0x5ab82b90 24 bytes to connection[38] from 127.0.0.1:44495: took 0 milli-seconds Aug 12 12:51:10 JHHCF5 debug eca[7237]: 0162000c:7: [Common] 12.181.141.210:45214 (0x5bf14c28) nla_agent::logon, rc = STATUS_NO_LOGON_SERVERS (3221225566)

BIG-IP Access Policy Manager (APM)

Stanislas_Piro2
Cumulonimbus
Aug 14, 2015
Hi,

You say everything is working... did you configure kerberos SSO for OA? in a previous response, you answered "If exchange did not support kerberos auth?"

NTLM auth support only kerberos SSO.

if Kerberos SSO is not configured (in AD, Exchange and F5), the server will request a second authentication and the user will be prompted twice.
kunjan_118660
Cumulonimbus
Aug 19, 2015
It seems, for OA only Kerberos is supported for the backend SSO.

https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-6-0/10.print.htmlunique_869512587

For other Exchange services like ActiveSync, EWS or OAB, when front end is Basic, NTLM SSO can used for backend.
- mikeshimkus_111
  Historic F5 Account
  Aug 19, 2015
  Basic authentication for Outlook Anywhere is also supported with NTLM SSO, this is the default setting on CAS.
- kunjan_118660
  Cumulonimbus
  Aug 20, 2015
  Following is the error we get on 11.6HF5, when we switch to NTLM SSO with front end Basic Auth. I miss something? MCP Error01070734:3: Configuration error: Error in Exchange Profile (/Common/myExchg.app/exch_ntlm_exchange_edge) for service (Outlook Anywhere): SSO configuration (/Common/myExchg.app/exch_ntlm_sso) is of NTLM SSO type; NTLM SSO Type is not allowed for service Outlook Anywhere
kunjan
Nimbostratus
Aug 19, 2015
It seems, for OA only Kerberos is supported for the backend SSO.

https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-6-0/10.print.htmlunique_869512587

For other Exchange services like ActiveSync, EWS or OAB, when front end is Basic, NTLM SSO can used for backend.
- mikeshimkus_111
  Historic F5 Account
  Aug 19, 2015
  Basic authentication for Outlook Anywhere is also supported with NTLM SSO, this is the default setting on CAS.
- kunjan
  Nimbostratus
  Aug 20, 2015
  Following is the error we get on 11.6HF5, when we switch to NTLM SSO with front end Basic Auth. I miss something? MCP Error01070734:3: Configuration error: Error in Exchange Profile (/Common/myExchg.app/exch_ntlm_exchange_edge) for service (Outlook Anywhere): SSO configuration (/Common/myExchg.app/exch_ntlm_sso) is of NTLM SSO type; NTLM SSO Type is not allowed for service Outlook Anywhere
Stanislas_Piro2
Cumulonimbus
Aug 19, 2015
Hi,

most of SSO methods need password variable (Basic, ntlm, form based, ...)

If authentication does not provide this information, APM cannot reuse it. that's true for NTLM, OTP or SAML auth.

For every Exchange 2013, kerberos is recommended for 2 services:

OA (to allow NTLM auth)
OWA (Client based form based sso does not work every time)
ECP (share the same authentication as OWA)

when kerberos SSO is deployed for these services, the better configuration is to enable it on all services to simplify VPE tree.

If you configure NTLM for some services and Kerberos for others, variable session.logon.last domain may have 2 possible values:

windows NT domain for NTLM
REALM for Kerberos