Kaloyan
Jun 12, 2020

APM VIP with exchange servers and NTLM authentication

I used the Exchange 2016 iApp (latest version) to set up one VIP with all services behind it.

The problem is that /mapi* should use NTLM authentication, but the rest of it, like /owa, is using basic authentication.

Right now the policy is set up with logon page -> LDAP Authentication -> SSO credential mapping -> Allow

Pretty standard. The question is, could I insert an NTLM check based on URI in front of the logon page?

Something like this:

and an iRule, if needed:

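when HTTP_REQUEST {
  # Enable NTLM client authentication (ECA) only for MAPI requests
  if { [HTTP::uri] starts_with "/mapi" } {
    ECA::enable
    ECA::select select_ntlm:/Common/ntlm-auth-exchange-2016
  } else {
    # All other URIs (e.g. /owa) skip ECA
    ECA::disable
  }
}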

2 Replies

  • Hello Kaloyan,

    Did you use an Exchange profile?

    Because you can easily set frontend Authentication and SSO by URL/Service:

    Regards


    • Kaloyan

      Hi youssef,

      Yes, I have an Exchange profile.

      Can I borrow one of the predefined Service Settings and add /mapi* instead of /ews*, for example?

      And I will probably need to add an SSO Configuration with Kerberos for NTLM?

      Should I change the policy as well with some NTLM checks?

      Do I need this ECA enabled on the VIP?

      So many questions :)