For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Mark_Cloutier's avatar
Mark_Cloutier
Icon for Nimbostratus rankNimbostratus
Jun 02, 2015

Problem with EWS using iapp template 1.40 for Exchange

I have an 11.5.1 LTM hosting Exchange with the 1.4.0 Exchange/CAS iapp template. If I go direct to I get a page that is correct, NTLM authentication works, ie no login dialog presented. but if I attempt to use the same uri with the VIP, I get varying behavior depending on the browser... Chrome gives me a ERR_INVALID_AUTH_CREDENTIALS response, Firefox gives me a login dialog where I can successfully login, IE gives me a login dialog where I can't login.... If I comment out the NTLM :: disable line in the irule, Chrome and Firefox behave the same way, in that I get a login dialog that I can successfully login thru. Anyone run into this scenario?

 

application delivery
BIG-IP Access Policy Manager (APM)
devops
iApps
LTM
microsoft
security

4 Replies

  • mikeshimkus_111's avatar
    mikeshimkus_111
    Historic F5 Account
    Jun 02, 2015

    Hi Mark, if possible can you post the output of "Get-WebServicesVirtualDirectory | fl" here? I'm interested in seeing the internal/external URLs and auth methods you have configured for EWS.

     

    I assume you are not use APM, correct?

     

    Also, which versions of those browsers are you testing with? I'm not running into this issue testing with IE11, Chrome 43, or FF 38.

     

  • Mark_Cloutier's avatar
    Mark_Cloutier
    Icon for Nimbostratus rankNimbostratus
    Jun 03, 2015

    I'll need to get that from the Exchange server guys, but basically all virtual directories are being sent to the same pool, and NTLM authentication is being used. This is on the internal side, using the template choice of "load balance and optimize CAS traffic" There's no APM involved here and the irule in question is the unmodified Exchange-internal_combined_pool_irule7. I did add log statements to verify what part of it I was hitting when I use the uri of /ews/exchange.asmx. I just noticed I have experimented with enabling and disabling cache in the /ews portion of the irule. That hasn't made any difference.

    extracts from irule that are involved below..... "/ews*" { Exchange Web Services. log local0. "using EWS" pool /Common/Exchange-internal.app/Exchange-internal_oa_pool7

            CACHE::disable
        return

    when HTTP_RESPONSE { if { [string tolower [HTTP::header values "WWW-Authenticate"]] contains "negotiate"} { log local0. "is ews going here" ONECONNECT::reuse disable ONECONNECT::detach disable NTLM::disable } if {[HTTP::header exists "Transfer-Encoding"]} { HTTP::payload rechunk } }

    I do get the log message of "is ews going here", which matches what I see in the headers in the browser. Further testing yesterday leads me to believe I need to look at the ssl client profile to support extensions being used by IE that are recognized when going direct to the server that are not being recognized by the LTM. What's odd is that in my uat environment with an LTM and iapp template of the same version, it works....

  • mikeshimkus_111's avatar
    mikeshimkus_111
    Historic F5 Account
    Jun 03, 2015

    The NTLM profile is there to ensure correct auth when OneConnect is used. If a Negotiate auth header is seen in the response, OneConnect can't deal with it and causes multiple auth prompts, so we disable both that and the NTLM profile. You may want to try disabling Negotiate auth on the EWS virtual directory to see if that helps.

     

  • CANSTAYN569's avatar
    CANSTAYN569
    Icon for Nimbostratus rankNimbostratus
    Dec 08, 2016

    Hi Mark,

     

    Did you manage to resolve that problem. If so, how?

     

    Regards Sadik