Outlook NTLM Authentication

moabdallah
Nimbostratus

Hello everyone,

I'm trying to use F5 APM in the middle of communications between users and Microsoft Exchange Server 2013. I used the Exchange iApp template to configure the login page and access policy, and everything works as expected (OWA, mobile app),

as it uses Basic HTTP web authentication, but the Outlook client can't connect as it uses NTLM authentication, and I could find the following logs in the access log:

-------------------------------------------------

Nov 26 23:58:15 f5-waf notice apmd[12748]: 01490010:5: /Common/Private.app/exch:Common:a73c9739: Username 'company.com/User_52'
Nov 26 23:58:15 f5-waf err apmd[12748]: 01490107:3: /Common/Private.app/exch:Common:a73c9739: AD module: authentication with 'Mycompany.com/User_52' failed: Client 'Mycompany.com/User_52@Mycompany.COM' not found in Kerberos database, principal name: Mycompany.com/User_52@Mycompany.COM. Please verify Active Directory and DNS configuration. (-1765328378)
Nov 26 23:58:15 f5-waf notice apmd[12748]: 01490005:5: /Common/Private.app/exch:Common:a73c9739: Following rule 'fallback' from item 'AD Auth' to ending 'Deny'
Nov 26 23:58:15 f5-waf notice apmd[12748]: 01490102:5: /Common/Private.app/exch:Common:a73c9739: Access policy result: Logon_Deny
Nov 26 23:58:15 f5-waf notice apmd[12748]: 01490248:5: /Common/Private.app/exch:Common:a73c9739: Received client info - Hostname: Type: activesync Version: 0 Platform: PocketPC CPU: unknown UI Mode: Active Sync Javascript Support: 0 ActiveX Support: 0 Plugin Support: 0

--------------------------------------------------------------------------

1 ACCEPTED SOLUTION

Hi,

Maybe we have some discrepancy with the configuration.

If Outlook is actually configured to use NTLM, BIG-IP should be using the nlad daemon (and not apmd!) to perform the authentication, and it's not expected at all to see Access Policy logs about "AD Auth", which, most of the time, will be used when the client is configured with Basic Authentication.

I'd suggest we double-check that the Exchange profile is configured with NTLM as front-end authentication for Outlook Anywhere. And the Access Policy should branch to an "NTLM Auth Result" agent. If there is any difficulty with NTLM authentication, we'd need to raise the log levels for eca/nlad.

Hope this helps ...

3 REPLIES

moabdallah
Nimbostratus

Any advice, please?

moabdallah
Nimbostratus

Thanks Scot,

So you will suggest to not use any template and create the access policy manually, like this:

https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-...