Forum Discussion
My Nightmare - Outlook Anywhere and SSO
Thank you for reading about my nightmare. I can already feel the love.
There has been some chatter centered around offering Outlook Anywhere up to users not on our domain. However, the chatter is more centered around the BIG-IP performing some SSO in the process so that Outlook Anywhere users can be prompted for their Smart Card credentials and then those credentials are passed back to the Exchange Server. Outlook Anywhere is configured to use NTLM.
Has anyone been successful or even a little insane to try this out? I am familiar with the on-demand cert auth and grabbing the certification info but the SSO piece, I have not had the pleasure of attempting.
Any advice is appreciated!
7 Replies
If the user does not provide the password in the frontend authentication, you can only use Kerberos as the SSO method. This provides a great user experience; look for Kerberos constrained delegation in the APM documentation.
- JustCooLpOOLe
Cirrocumulus
Thanks Juergen_Mang
We're reviewing the following document that describes what we're looking for but I'm not really following the "Machine Account" piece. Do you or anyone know what that is? Purpose?
NTLM auth terminates on the BIG-IP; for the BIG-IP to do Kerberos authentication against the Exchange server, it requires that Machine Account and to be joined to AD.
I'm not sure this will help you very much though. As you seem to want to add smartcard (client certificate) authentication to NTLM authentication?
Where is the authentication done now? Directly to Exchange?
I'm not quite sure how the Outlook fat client will handle a sudden certificate request. It seems possible on Exchange itself. But doing that on something in between is different.
For an idea look at this, but remember that is for a browser, not an Outlook client.