Forum Discussion
Second authentication prompt when accessing Exchange 2013 Outlook Web app using BigIP LTM.
We are deploying Exchange 2013 loadbalanced behind BigIP (running 11.3). I have used the newest iApp (f5.microsoft_exchange_2010_2013_cas.v1.3.0) to make the configuration. We are only using LTM and not APM.
All services are installed on the same server, only 1 VIP on BigIP for all services (SNAT), and same FQDN for all services except for autodiscover. The services are OWA, Outlook Anywhere, ActiveSync and autodiscover.
After logging in to OWA using the forms based web page, there is a second "Windows Security" authentication prompt. This does not happen if we try logging in to the server directly. Everything else works with this LTM/Exchange 2013 installation.
Does anyone know what could be the cause of this second authentication prompt? I can't find any settings in the iApp that may cause this, and the Exchange administrator can't find the cause either.
Hi Pluppo, is it possible for you to use the IE Developer Tools' (F12) network facility or an application like Fiddler or HTTPWatch to identify the resource that responds with the 401 status after you have logged in? My guess is that it's ECP, since that's most closely related to OWA. On the Client Access servers, do you have OWA and ECP authentication types both set to forms-based for all servers?
thanks
Mike
- Cody_GreenEmployee
Pluppo,
My guess is that OWA is accessing a second service (like EWS) and is trying to use NTLM/Kerberos authentication. You may not have the F5 configured to handle client NTLM authentication correctly when using using OneConnect.
Try disabling OneConnect and see if you're still prompted. If so, you can re-enable your OneConnect and configured/adjust your NTLM profile.
Cody
- Pluppo_72680Nimbostratus
Hi Cody,
Thanks for your reply. I just tried disabling strict updated on the iApp, and then removing the OneConnect profile from the VIP, but unfortunately the symptoms are still the same. I am still getting a second "Window Security" authentication prompt after logging in to the OWA form.
- mikeshimkus_111Historic F5 Account
Hi Pluppo, is it possible for you to use the IE Developer Tools' (F12) network facility or an application like Fiddler or HTTPWatch to identify the resource that responds with the 401 status after you have logged in? My guess is that it's ECP, since that's most closely related to OWA. On the Client Access servers, do you have OWA and ECP authentication types both set to forms-based for all servers?
thanks
Mike
- Pluppo_72680Nimbostratus
Hi Mike,
The Exchange administrator checked the CAS servers and indeed one of the servers had ECP authentication set to basic. He also found another server that had basic authentication on OWA, we thought it was set to forms on all servers.
Thank you for pointing us in the right direction, everything is working great now!
- Saif_Khan_26546Nimbostratus
I am experiencing similar issue.
Client starts OWA, getting prompted for authentication.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com