Exchange Hybrid Free/Busy - APM 401 error with original iApp

ndaems_145583 · ‎02-Apr-2019

Hi

We are trying to deploy Exchange iApp in a Hybrid deployement

Everything works well except the Free/Busy feature in O365.

After doing some research we found a workaround by adding 2 URL at in the hybrid_bypassed iRule

"/ews/exchange.asmx" "/autodiscover/autodiscover.xml"

If we don't bypass these 2 URL it's not working and we can see that Kerberos Ticket Failed

exch:Common:2e80dc30: User testo365@mydomain.com from RD0004FFD126D7 is authenticated
exch:Common:2e80dc30: Received User-Agent header: ExchangeServicesClient%2f15.20.1709.009.
exch:Common:2e80dc30: Following rule 'fallback' from item 'SSO Credential Mapping' to ending 'Allow'
exch:Common:2e80dc30: Access policy result: LTM+APM_Mode
exch:Common:2e80dc30: Received client info - Hostname:  Type: unknown Version: 0 Platform: unknown CPU: unknown UI Mode: Full Javascript Support: 0 ActiveX Support: 0 Plugin Support: 0
exch:Common:2e80dc30:Kerberos: can't get S4U2Self ticket for user testo365@mydomain.com - Server not found in Kerberos database (-1765328377)
exch:Common:2e80dc30: Kerberos: Failed to get ticket for User: 'testo365@mydomain.com' accessing service: 'HTTP/exchange.MYDOM.ROOT@MYDOM.ROOT'
exch:Common:2e80dc30: failure occurred when processing the work item
exch:Common:2e80dc30: Session deleted due to admin initiated termination.
exch:Common:2e80dc30: Session statistics - bytes in: 3908, bytes out: 817

Few questions:

Does APM support Alternative UPN as SSO logon ?
Is there any risk to bypass additional URL

Thank you

Regards

Nicolas

Guillaume_B · ‎05-Mar-2020

Hello,

I have the same issue with iApp f5.microsoft_exchange_2016.v1.0.2 on hybrid o365/on-prem configuration. From o365, users can't see free/busy information of on-prem mailboxes. Does anyone have a validated solution?

is the workaround " by adding 2 URL at in the hybrid_bypassed iRule "/ews/exchange.asmx" "/autodiscover/autodiscover.xml" " will allow not only o365 but also other users to bypass APM policy ?

Thank you

Guillaume

Nath · ‎05-Feb-2022

BUMP!

May I know if you are able to resolve this issue? I am facing a similar issue with the free/busy information on our Exchange deployment.

zanoob1 · ‎26-Jan-2023

Hello Nicolas,

Where you able to find a solution for this. I tried that same by doing a bypass of APM for the following URI.

But it still fails and i still see authentication request for it coming into APM.

priority 1
when HTTP_REQUEST {
set is_disabled 0
switch -glob [string tolower [HTTP::path]] {
"/EWS/mrsproxy.svc*" -
"/EWS/mrsproxy.svc" -
"/EWS/exchange.asmx*" -
"/EWS/exchange.asmx" -
"/EWS/Services.wsdl" -
"/EWS/exchange.asmx/wssecurity*" -
"/EWS/exchange.asmx/wssecurity" {
set is_disabled 1
set path [HTTP::path]
ACCESS::disable
HTTP::path _disable-$path
pool /Common/hem_exchange_2016_dtag.app/hem_exchange_2016_dtag_ews_pool7
}
"/autodiscover/autodiscover.svc/wssecurity" -
"/autodiscover/autodiscover.xml" -
"/autodiscover/autodiscover.svc" {
set is_disabled 1
set path [HTTP::path]
ACCESS::disable
HTTP::path _disable-$path
pool /Common/hem_exchange_2016_dtag.app/hem_exchange_2016_dtag_ad_pool7
}
}
}
when HTTP_REQUEST_RELEASE {
if { [info exists is_disabled] && $is_disabled == 0 } { return }
if { [info exists path] } {
HTTP::path $path
unset is_disabled
unset path
}
}

still getting 401 error and APM logs sometimes show logs for

f5system debug tmm2[21344]: 0149ffff:7: /Common/exchange2016:Common:00000000: HTTP uri: /EWS/mrsproxy.svc%27.

Dont see any article out there with a solution of this. I think the irule is not working or may be not.

Regards,

Zanoob

DevCentral

Exchange Hybrid Free/Busy - APM 401 error with original iApp