Forum Discussion

Cirrocumulus

Jan 19, 2023

My Nightmare - Outlook Anywhere and SSO

Thank you for reading about my nightmare. I can already feel the love. There has been some chatter centered around offering Outlook Anywhere up to users not on our domain. However, the chatter is ...

application delivery

JustCooLpOOLe

Cirrocumulus

Jan 20, 2023

Thanks Juergen_Mang

We're reviewing the following document that describes what we're looking for but I'm not really following the "Machine Account" piece. Do you or anyone know what that is? Purpose?

https://techdocs.f5.com/en-us/bigip-16-1-0/big-ip-access-policy-manager-authentication-methods/ntlm-authentication-for-microsoft-exchange-clients.html

boneyard

MVP

Jan 22, 2023

NTLM auth terminates on the BIG-IP, for the BIG-IP to do Keberos authentication against the Exchange server it requires that Machine Account and to be joined to AD>

Im not sure this will help you very much though. As you seem to want to add smartcard (client certificate) authentication to NTLM authentication?

Where is the authentication done now? Directly to Exchange?

Im not quite sure how the Outlook fat client will handle a sudden certificate request. It seems possible on Exchange itself. But doing that on something in between is different.

For an idea look at this, but remember that is for a browser, not an Outlook client.

https://community.f5.com/t5/technical-articles/configuring-smart-card-authentication-and-kerberos-constrained/ta-p/286436

JustCooLpOOLe
Cirrocumulus
Jan 30, 2023
It doesn't currently exist in the environment. I just keep getting screenshot of iApp question and answer and no where does it just allow me to user Kerberos. It always says "NTLM" and only talks about the machine account in addtion to Kerberos.
The current environment is just using the BIG-IP to proxy traffic to the exchange servers. I guess my confusion is around the NTLM Machine account. Is that something created in AD? And then put on the BIG-IP?
- boneyard
  MVP
  Jan 30, 2023
  Which documentation are you now working from?
  
  In the one you posted earlier it shows you were you create the account. You do this from the BIG-IP and afterwards it exists in AD.
  
  Configure a machine account You configure a machine account so that Access Policy Manager (APM) can establish a secure channel to a domain controller. On the Main tab, click Access Authentication > NTLM > Machine Account A new Machine Account screen opens.
  
  Do you perhaps have an F5 partner or such who can help, getting this worked out through a forum is tricky.
  - JustCooLpOOLe
    Cirrocumulus
    Jan 30, 2023
    We'll reach out to support on any hangups. I'm mainly just trying to understand how this works. It's not everyday you try to configure NTLM authentication through the BIG-IP, you know.
    We're working through this: https://techdocs.f5.com/en-us/bigip-16-1-0/big-ip-access-policy-manager-authentication-methods/ntlm-authentication-for-microsoft-exchange-clients.html

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

GitHub Awesome-F5

Forum Discussion

My Nightmare - Outlook Anywhere and SSO

Jonathan - March 2026 Featured Member

F5 AppWorld 2026 Las Vegas - iRules Contest Winners!

2026 F5 DevCentral MVP Announcement

Recent Discussions

ASM allow specific url from outside country of geolocation ON

Bot Defense causing a lot of false positives

F5 DNS Logs in JSON Format

APM - Portal access - Issue

How to configure ssh access by key on F5OS

Related Content

Outlook Anywhere Persistence with Cookie Backup

Making EKS Anywhere Highly Available and Secure

Delivering Secure Application Services Anywhere with Nutanix Flow and F5 Distributed Cloud

How to Automate Load Balancing ECS Anywhere

Outlook NTL Authentication

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS