For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

jhanington_1353's avatar
jhanington_1353
Icon for Nimbostratus rankNimbostratus
Dec 17, 2014

Microsoft Exchange 2010 - Autodiscover not working through F5 but works when going to real server's IP

I am trying to get autodiscover up an running on our 2010 boxes but I cannot get it to work over the f5 VIP. I have two BIG-IP 1600 LTMs (BIG-IP 10.2.4 Build 591.0 Hotfix HF2) in an active/standby config.

 

https:///Autodiscover/Autodiscover.xml prompts me for a username and password (domain.local\username:password) and I get a 600 error code with invalid request (that looks bad but a 600 error means everything is working properly and that I gave a valid username).

 

https:///Autodiscover/Autodiscover.xml prompts me for a username and password (domain.local\username:password) but it prompts me again for a username and password instead of bringing me to the page with the 600 error.

 

I set up everything using the exchange 2010 template on the LTM. Here is everything it created...

 

and here is the https virtual server config

 

Any ideas? I can provide more information if requested.

 

application delivery
BIG-IP Access Policy Manager (APM)
devops
exchange 2010
iRules
LTM
microsoft
security

2 Replies

  • jhanington_1353's avatar
    jhanington_1353
    Icon for Nimbostratus rankNimbostratus
    Dec 17, 2014
    Here is the working and non-working examples of what I am talking about WORKING LOCALLY USING REAL IP OF SERVER ----------------------------------------------------------- AUTH ------------------------------------------------------------------------------ GET https:///Autodiscover/Autodiscover.xml HTTP/1.1 Host: Connection: keep-alive Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw== Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36 DNT: 1 Accept-Encoding: gzip, deflate, sdch Accept-Language: en-US,en;q=0.8 HTTP/1.1 401 Unauthorized Content-Type: text/html Server: Microsoft-IIS/7.5 WWW-Authenticate: Negotiate xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx WWW-Authenticate: NTLM WWW-Authenticate: Basic realm="" X-Powered-By: ASP.NET Date: Wed, 17 Dec 2014 18:45:21 GMT Content-Length: 58 Proxy-Support: Session-Based-Authentication You do not have permission to view this directory or page. --------------------------------------------- Viewing the page with the 600 error ----------------------------------------------- GET https:///Autodiscover/Autodiscover.xml HTTP/1.1 Host: Connection: keep-alive Authorization: Negotiate xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36 DNT: 1 Accept-Encoding: gzip, deflate, sdch Accept-Language: en-US,en;q=0.8 HTTP/1.1 200 OK Cache-Control: private Content-Type: text/xml; charset=utf-8 Vary: Accept-Encoding Server: Microsoft-IIS/7.5 X-SOAP-Enabled: True X-WSSecurity-Enabled: True X-WSSecurity-For: None X-AspNet-Version: 2.0.50727 Persistent-Auth: true X-Powered-By: ASP.NET Date: Wed, 17 Dec 2014 18:45:21 GMT Content-Length: 343 600 Invalid Request NOT WORKING ON F5 ------------------------------------------------- ONLY ASKS FOR PASSWORD -------------------------------------------------- GET https://autodiscover.domain.com/Autodiscover/Autodiscover.xml HTTP/1.1 Host: autodiscover.domain.com Connection: keep-alive Pragma: no-cache Cache-Control: no-cache Authorization: Negotiate xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36 DNT: 1 Accept-Encoding: gzip, deflate, sdch Accept-Language: en-US,en;q=0.8 Cookie: BIGipServerOWA_pool=; BIGipServerCluster_Exchange_2010__single_owa_pool=; OutlookSession=; BIGipServerCluster_Exchange_2010__single_ad_pool=; HTTP/1.1 401 Unauthorized Content-Type: text/html Server: Microsoft-IIS/7.5 WWW-Authenticate: Negotiate WWW-Authenticate: NTLM WWW-Authenticate: Basic realm="" X-Powered-By: ASP.NET Date: Wed, 17 Dec 2014 18:43:45 GMT Content-Length: 58 Proxy-Support: Session-Based-Authentication You do not have permission to view this directory or page.
  • PeteWhite's avatar
    PeteWhite
    Icon for Employee rankEmployee
    Dec 18, 2014

    Grab a tcpdump on the external and internal side - see whether the requests go to the same backend server, what the server requests, check persistence etc and work up from there.