Logon using UPN without server side Kerberos on F5

Question

While implementing Exchange Autodiscover, Ews, Outlook Anywhere, and OWA through the exchange iApp (logon using an AD AAA object), I noticed that I cannot authenticate using the UPN of the user accounts. Using the SamAccountName attribute authentication works fine.
In my environment the UPN suffix is different from the FQDN.
So when logging in an account named tpriv with the UPN: tpriv@UPNsuffix.com,
the APM log shows the error: AD module: authentication with 'tpriv' failed: Client 'tpriv@FQDN.com' not found in Kerberos database, principal name: tpriv@FQDN.com&nbsp;
F5 support indicated that it is possible to disable server side kerberos through an irule. What would it be?
Or perhaps I can get this authentication traffic to skip the APM, and go through LTM only, so that authentication is handled by the Domain Controllers/Exchange servers.&nbsp;
Thanks for any help!&nbsp;

boneyard · Answer

if you used the iApp you can run it without APM and then do the authentication right on the exchange servers.&nbsp;
of course APM does give you some extra security. what you can do is perform an AD or LDAP lookup based on the SamAccountName and then get the UPN and use that as authentication username value.&nbsp;
here is something similar discussed:
https://devcentral.f5.com/questions/using-apm-to-authenticate-to-windows-ad-with-a-upn-that-is-different-then-our-domain-name&nbsp;

Forum Discussion

Logon using UPN without server side Kerberos on F5

Recent Discussions

AS3 Limitations

Diameter iRules attachment?

Help needed with iRule (connection closed log )

Use of SSL Decryption.

VLAN Failsafe Functionality

Related Content

Troubleshooting Kerberos Constrained Delegation: Strong Encryption Types Allowed for Kerberos

Kerberos is Easy - Part 2

Kerberos Is Easy - Part 1

APM Cookbook: Single Sign On (SSO) using Kerberos

Transparent Kerberos Authentication and APM fallback authentication

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS