we are having one issue with the EV integration, we have already deployed the LTM_APM for our exchange server Kerberos authentication, everything is working fine with the Exchange and Kerberos with the APM.
we are also having enterprise vault which published with a separate URL like ev.example.com, in all other deployments we have seen that all the users are using the same VIP for OWA and EV, in our case we have two VIP one for EV and one for OWA, we would like to know how do we achieve sso for the EV as well. EV will be opened from the OWA page.
could someone help with the configuration how do I achieve the above requirement?
I believe, OWA and EV would be under same domain e.g. https://owa.example.com and EV on https://ev.example.com? You can use, single domain cookie SSO feature to have single sign on login to EV from OWA page.
yes, your right, both EV and OWA under the same domain. OWA we have deployed using iapp template with NTLM authentication on the client-side and Kerberos on the server-side, OWA is working fine as I said earlier. now I have also configured the EV VIP only mapped with client ssl profile and default server ssl profile along with EV POOL. EV is not working at the moment, it's asking for the credentials, already tried mapping the access profile to EV VIP still not working.
I would like to know that are you suggesting me to configure one more access profile for the EV VIP and map it to the EV VIP, what are the options i have to configure under the VPE?
What is the backend server auth for EV? What's the expectation of standalone EV VIP, if accessed directly?
Depending on auth need of EV VIP, you can configure new Access policy for it. (e.g. Kerberos SSO on clienside and Kerberos SSO on serverside.)
Then, for SSO between OWA and EV you can use single domain cookie (example.com) on both access policies. SSO should work if user access EV link from OWA session.
please go through the link provided.
The backend server for the EV VIP is the actual EV server ( Enterprise vault Server ), for the OWA we have configured Kerberos authentication, EV will be working as a plugin within the owa page, when the user wants to open any archived email he will click on the enterprise vault plugin from owa it will open a connection to EV server IE ev.example.com, this session should work without asking for any credentials and should use previously authenticated owa session, actually this is what my goal is
I understand, what I meant was whatever EV server is using for authentication either windows integrated or forms based, you can bring it behind F5 APM (new access policy) and use single domain SSO cookie (example.com) on both policies (OWA and EV) and it should work.
Now, this is the one way I know to have SSO working between F5 APM sessions for 2 applications. If someone else has any other thoughts we will wait for their feedback.