I'm tring to Use F5 APM in the middle of communications between user and Microsoft Exchange server 2013 and I use Exchange IApp templte to configure login Page and access policy and everything work as expected (OWA,Mobile App)
as it use Basic Http web authentication but outlook client can't connect as it use NTLM authentication and I could find the following Logs in Access log:
-------------------------------------------------
Nov 26 23:58:15 f5-waf notice apmd[12748]: 01490010:5: /Common/Private.app/exch:Common:a73c9739: Username 'company.com/User_52' Nov 26 23:58:15 f5-waf err apmd[12748]: 01490107:3: /Common/Private.app/exch:Common:a73c9739: AD module: authentication with 'Mycompany.com/User_52' failed: Client 'Mycompany.com/User_52@Mycompany.COM' not found in Kerberos database, principal name: Mycompany.com/User_52@Mycompany.COM. Please verify Active Directory and DNS configuration. (-1765328378) Nov 26 23:58:15 f5-waf notice apmd[12748]: 01490005:5: /Common/Private.app/exch:Common:a73c9739: Following rule 'fallback' from item 'AD Auth' to ending 'Deny' Nov 26 23:58:15 f5-waf notice apmd[12748]: 01490102:5: /Common/Private.app/exch:Common:a73c9739: Access policy result: Logon_Deny Nov 26 23:58:15 f5-waf notice apmd[12748]: 01490248:5: /Common/Private.app/exch:Common:a73c9739: Received client info - Hostname: Type: activesync Version: 0 Platform: PocketPC CPU: unknown UI Mode: Active Sync Javascript Support: 0 ActiveX Support: 0 Plugin Support: 0
Maybe do we have some discrepancy with the configurartion.
If OutLook is actually configured with using NTLM, BigIP should be using nlad daemon (and not apmd!) to perform the authentication; and it's not expected at all to see some Access Policy logs about "AD Auth"; which, most of the time, will be used when the client is configured with Basic Authentication.
I'd suggest we double check the Exchange profile is configured with NTLM as Front-end authentication for OutLook Anywhere. And the Access Policy should branch to any "NTLM Auth Result" agent. If any difficulty with NTLM authentication, we'd need to raise the log levels for eca/nlad.
Maybe do we have some discrepancy with the configurartion.
If OutLook is actually configured with using NTLM, BigIP should be using nlad daemon (and not apmd!) to perform the authentication; and it's not expected at all to see some Access Policy logs about "AD Auth"; which, most of the time, will be used when the client is configured with Basic Authentication.
I'd suggest we double check the Exchange profile is configured with NTLM as Front-end authentication for OutLook Anywhere. And the Access Policy should branch to any "NTLM Auth Result" agent. If any difficulty with NTLM authentication, we'd need to raise the log levels for eca/nlad.
