Forum Discussion
If the user does not provide the password in the frontend authentication, you can only use Kerberos as the SSO method. This provides a great user experience; look for Kerberos constrained delegation in the APM documentation.
Thanks Juergen_Mang
We're reviewing the following document that describes what we're looking for but I'm not really following the "Machine Account" piece. Do you or anyone know what that is? Purpose?
- boneyard, Jan 22, 2023, MVP
NTLM auth terminates on the BIG-IP; for the BIG-IP to do Kerberos authentication against the Exchange server it requires that Machine Account and to be joined to AD.
I'm not sure this will help you very much though. As you seem to want to add smartcard (client certificate) authentication to NTLM authentication?
Where is the authentication done now? Directly to Exchange?
I'm not quite sure how the Outlook fat client will handle a sudden certificate request. It seems possible on Exchange itself. But doing that on something in between is different.
For an idea look at this, but remember that is for a browser, not an Outlook client.
- JustCooLpOOLe, Jan 30, 2023, Cirrocumulus
It doesn't currently exist in the environment. I just keep getting screenshots of iApp question and answer and nowhere does it just allow me to use Kerberos. It always says "NTLM" and only talks about the machine account in addition to Kerberos.
The current environment is just using the BIG-IP to proxy traffic to the Exchange servers. I guess my confusion is around the NTLM Machine account. Is that something created in AD? And then put on the BIG-IP?
- boneyard, Jan 30, 2023, MVP
Which documentation are you now working from?
In the one you posted earlier it shows you where you create the account. You do this from the BIG-IP and afterwards it exists in AD.
"Configure a machine account: You configure a machine account so that Access Policy Manager (APM) can establish a secure channel to a domain controller. On the Main tab, click Access Authentication > NTLM > Machine Account. A new Machine Account screen opens."
Do you perhaps have an F5 partner or such who can help? Getting this worked out through a forum is tricky.