Hi there, running the latest 12.1.2 release and the latest iApp and are having a few problems:
The exchange is 2013 with 1 parent and 1 child e.g. domainname.com and sub.domainname.com.
The child domain holds all the user level accounts and the parent domain holds some the admin accounts (which still need email) and infrastructure components like servers etc. There is full trust between these two domains as they are a single forest.
Authentication configured within Exchange 2013:
ECP - forms based
Autodiscover - integrated and basic
Owa - Forms Based
EWS - Integrated
We initially had issues with the iApp and Kerberos authentication on the front end. When the user was logging in we could see and error for WRONG-REALM (68) coming back from the AD servers. We assume this is related to the fact that the account being tested with is in the parent domain but the realm referred to in the error is actually the child domain.
We found K12252 indicating that LDAP can be used to work around this issue so we disabled strict updates on the iApp and reconfigured in the VPE to use LDAP instead of AD Auth (we also tried enabling multi-domain support in the AD Auth which didn't make any difference either)
The front end authentication works now with LDAP however the OWA SSO doesn't.
Questions in relation to the kerberos configuration i couldn't get working:
Should the default iApp work with front end auth via Kerberos in the parent child domain configuration described above?
Should the child or the parent domain be specified in the iApp in the APM section ?
What permissions does the bind account require on the domain ?
Should the bind account be in the master or the child domain ?
Any other idea why this might not be working when using kerberos ?
Questions in relation to the LDAP configuration i cannot get working:
Where to start troubleshooting the Exchange OWA SSO not working ? It is currently default configuration from the iApp so i can't see why it shouldn't work. As best as i can tell its not recognizing the OWA logon page as nothing is being submitted after its displayed. If we log in manually to the OWA page with the same account it works fine so its not an account issue.
The iApp was configured for 'Yes display the OWA logon options' as the customer asked for this configuration however the OWA portal isn't displaying these options. Is it possible the the APM SSO is expecting these configurations to be displayed on the OWA logon page but isn't so the SSO fails ?
Given the EWS and autodiscover both are enabled for integrated authentication does this mean i'll have to configure the iApp with 'Outlook Clients use NTLM authentication' under
'Tell us about which services you are deploying' ?
For the Kerberos key distribution center ip or FQDN value:
Why is only 1 FQDN or IP address value allowed ?
Doesn't this mean there is no redundancy for this capability ?
Should these be configured in the child or the parent domain ?
For the name of the kerberos realm and delegation account should these be configured for\in the child or the parent domain ?