moabdallah
Dec 29, 2022

Outlook NTLM Authentication

Hello Everyone

I'm trying to use F5 APM in the middle of communications between users and Microsoft Exchange Server 2013. I used the Exchange iApp template to configure the login page and access policy, and everything works as expected (OWA, mobile app), as it uses Basic HTTP web authentication. But the Outlook client can't connect, as it uses NTLM authentication, and I could find the following logs in the access log:

-------------------------------------------------

Nov 26 23:58:15 f5-waf notice apmd[12748]: 01490010:5: /Common/Private.app/exch:Common:a73c9739: Username 'company.com/User_52'
Nov 26 23:58:15 f5-waf err apmd[12748]: 01490107:3: /Common/Private.app/exch:Common:a73c9739: AD module: authentication with 'Mycompany.com/User_52' failed: Client 'Mycompany.com/User_52@Mycompany.COM' not found in Kerberos database, principal name: Mycompany.com/User_52@Mycompany.COM. Please verify Active Directory and DNS configuration. (-1765328378)
Nov 26 23:58:15 f5-waf notice apmd[12748]: 01490005:5: /Common/Private.app/exch:Common:a73c9739: Following rule 'fallback' from item 'AD Auth' to ending 'Deny'
Nov 26 23:58:15 f5-waf notice apmd[12748]: 01490102:5: /Common/Private.app/exch:Common:a73c9739: Access policy result: Logon_Deny
Nov 26 23:58:15 f5-waf notice apmd[12748]: 01490248:5: /Common/Private.app/exch:Common:a73c9739: Received client info - Hostname: Type: activesync Version: 0 Platform: PocketPC CPU: unknown UI Mode: Active Sync Javascript Support: 0 ActiveX Support: 0 Plugin Support: 0

--------------------------------------------------------------------------

  • Scot_JC
    Dec 31, 2022

    Hi,

    Maybe we have some discrepancy with the configuration.

    If Outlook is actually configured to use NTLM, BIG-IP should be using the nlad daemon (and not apmd!) to perform the authentication, and it's not expected at all to see Access Policy logs about "AD Auth", which, most of the time, will be used when the client is configured with Basic Authentication.

    I'd suggest we double-check that the Exchange profile is configured with NTLM as front-end authentication for Outlook Anywhere. And the Access Policy should branch to an "NTLM Auth Result" agent. If there is any difficulty with NTLM authentication, we'd need to raise the log levels for eca/nlad.

    Hope this helps ...

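The check suggested in the reply can be run over an APM access log by grouping lines per session and flagging sessions that went through the apmd "AD Auth" item. The script below is an added example, not part of any post in this thread and not F5 code; the sample log lines are constructed in the format of those quoted in the question, and the function names `triage` and `findings` are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines, same layout as the apmd lines quoted in the question.
SAMPLE = """\
Nov 26 23:58:15 f5-waf notice apmd[12748]: 01490010:5: /Common/Private.app/exch:Common:a73c9739: Username 'example.com/user1'
Nov 26 23:58:15 f5-waf err apmd[12748]: 01490107:3: /Common/Private.app/exch:Common:a73c9739: AD module: authentication with 'example.com/user1' failed: Client 'example.com/user1@EXAMPLE.COM' not found in Kerberos database, principal name: example.com/user1@EXAMPLE.COM. Please verify Active Directory and DNS configuration. (-1765328378)
Nov 26 23:58:15 f5-waf notice apmd[12748]: 01490005:5: /Common/Private.app/exch:Common:a73c9739: Following rule 'fallback' from item 'AD Auth' to ending 'Deny'
Nov 26 23:58:15 f5-waf notice apmd[12748]: 01490102:5: /Common/Private.app/exch:Common:a73c9739: Access policy result: Logon_Deny
Nov 26 23:59:02 f5-waf notice apmd[12748]: 01490010:5: /Common/Private.app/exch:Common:b1d20f44: Username 'user2'
"""

# daemon[pid]: msgcode:level: profile:partition:session-id: message
LINE = re.compile(
    r"(?P<daemon>\w+)\[\d+\]: (?P<code>[0-9a-f]{8}):\d+: "
    r"(?P<profile>[^:]+):(?P<partition>[^:]+):(?P<sid>[0-9a-f]{8}): (?P<msg>.*)")
AD_FAIL = re.compile(r"AD module: authentication with '[^']*' failed:.*\((-?\d+)\)\s*$")

def triage(log_text):
    """Summarise each APM session id seen in the log."""
    sessions = defaultdict(lambda: {"daemons": set(), "username": None,
                                    "ad_auth_error": None, "ad_auth_item": False,
                                    "result": None})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not in the expected layout
        s, msg = sessions[m["sid"]], m["msg"]
        s["daemons"].add(m["daemon"])
        if msg.startswith("Username '"):
            s["username"] = msg[len("Username '"):].rstrip("'")
        elif (k := AD_FAIL.search(msg)):
            s["ad_auth_error"] = int(k.group(1))  # Kerberos error code in parentheses
        elif "from item 'AD Auth'" in msg:
            s["ad_auth_item"] = True
        elif msg.startswith("Access policy result: "):
            s["result"] = msg.split(": ", 1)[1]
    return dict(sessions)

def findings(session):
    """Flag the two symptoms visible in the question's log."""
    out = []
    if session["ad_auth_item"] or session["ad_auth_error"] is not None:
        out.append("policy ran apmd 'AD Auth' (typical of Basic auth, not the NTLM path)")
    if session["username"] and re.search(r"[/\\]", session["username"]):
        out.append("username passed to AD auth contains a domain prefix separator")
    return out
```
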