Forum Discussion

Chris_Schaerli_
Nimbostratus
Jan 20, 2012

User authentication issues in Outlook

We currently have an Exchange 2010 environment set up with an LTM running 10.2.X code in front. There is a single VIP for all user traffic into the Exchange services. What we are seeing is that when a user takes their laptop over from the wired network to the wireless, they are getting a new IP on the network and it appears that they are getting prompted in the Outlook client to re-authenticate. The same behavior happens when users take their laptops home and come in through the corporate VPN.

What we are speculating is that the user persistence, which is set to user IP, is reselecting one of the other CAS servers when they go to wireless or remote. Has anyone come across an environment where users could potentially change IP addresses over the course of the day, and if so, did you see this Outlook authentication issue?
  • I did see the posting from another user with the same issue. The recommendation was to look at the iRules, but I don't see how the iRules in the deployment guide resolve the client changing IP addresses.

    There are fewer than 2000 users at the site and we are using auto-map SNAT back to three CAS servers.


  • Are you using regular RPC communications there or RPC-over-HTTP? Are these domain-joined clients?
  • Michael,

    We are using regular RPC communications and these clients are domain members.
  • Hm... when you say a single VIP, that's a single VIP for HTTP-based services, and then another VIP for RPC, correct? Are you doing SSL offload on the F5? I would recommend trying to remove advanced profiles from the HTTP-based virtual (everything but the SSL profile) to see if it addresses the issue - if it does, we'll know better where to troubleshoot. If OneConnect is enabled, I recommend turning it off first and seeing what happens.
  • John_Alam_45640
    Historic F5 Account
    A couple more questions:

    Which authentication are you using with RPC: (NTLM or Kerberos)?

    If Kerberos, are you using an ASA credential on the CAS servers? See this link: http://blogs.technet.com/b/exchange/archive/2011/04/15/recommendation-enabling-kerberos-authentication-for-mapi-clients.aspx