Kerberos SSO for APM - Exchange 2016
Hello, I'm trying to configure Kerberos SSO for Outlook Anywhere (Exchange 2016) but I keep getting these errors:

debug websso.3[4647]: 014d0021:7: /Common/NTLM-EX2016:Common:8d962818: ctx:0x8e61f40 SPN = HTTP/mail.domain1.fr@subdomain.domaine2.FR
info websso.3[4647]: 014d0022:6: /Common/NTLM-EX2016:Common:8d962818: Kerberos: realm for user USERX is not set, using server's realm subdomain.domaine2.FR
debug websso.3[4647]: 014d0023:7: S4U ======> /Common/NTLM-EX2016:Common:8d962818: ctx: 0x8e61f40, user: USERX@subdomain.domaine2.FR, SPN: HTTP/mail.domain1.fr@subdomain.domain2.FR
err websso.3[4647]: 014d0005:3: Kerberos: can't get S4U2Proxy ticket for server HTTP/mail.domain1.fr@subdomain.domain2.FR - Requesting ticket can't get forwardable tickets (-1765328163)

Delegation account: host/d5delegation @subdomain.domain2.fr
Kerberos SSO Auth: SPN is HTTP/mail.domain1.fr (the public hostname where clients came)

Also, under Delegation, I chose "Trust this user for delegation to specified services only" > "Use any authentication protocol", and I chose the SPN.

The AD servers are in pre-production, on subdomain.domain2.fr. This command (nslookup -type=SRV _kerberos._tcp.dc._msdcs.subdomain.domain2.fr) doesn't find the KDC because the F5 DNS is only resolving on domain1.fr. BUT since the F5 is resolving the domain controllers of the preprod zone (the DC server I specified in Kerberos SSO auth), is it OK?

This doesn't work either:

kinit -f HTTP/mail.domain1.fr@subdomain.domain2.FR
kinit: Cannot resolve servers for KDC in realm .......

Thanks for help

2016 OWA Clients accessing 2010 Exchange Server - OWA iApp
Hello F5 DevCentral People!

I just finished my training as an IT professional 2 months ago. Now I am working in the Networking Department, and one of my big topics is F5, but I still need to learn a lot. So please don't be too hard on me. Also, English isn't my native language. This is my first question here on DevCentral:

Over the last weeks I published several Outlook Web Access iApps for many public services. Most of them are using Exchange 2010/2013, which is pretty simple to deploy because of those nice F5 templates. But now I have a pretty special case. I'm going to try to describe the case as cleanly as possible.

I deployed a 2010 iApp template. There are 2010 clients from the Town Hall who access OWA, and also 2016 clients from the Fire Department who need to access this Exchange server as well. The users verify themselves with SAM account names from the AD. For 2010 users there is no problem; for 2016 users it frequently shows prompts where Outlook wants the user to enter their username (e-mail) and password. It seems like the mailboxes are not connected with the Exchange server from the Town Hall.

What I am going to try is to implement an APM where users can log in with their SAM account name AND with their UPN (mail address). A co-worker said that would reduce the username and password prompts, which are annoying for the customers. Right now the users have to enter their usernames as "intern\username".

Additionally, my organization exports the internal Autodiscover configuration to the AD of the Municipal Utilities, which means the automatic search for the right Exchange server for internal clients will no longer be done over the internet. Unfortunately, in the Outlook 2016 profiles, the internal Exchange server name is not configurable anymore, because Microsoft abolished it.

I received a test user from the City, so I can test the access by myself. Internally, OWA works with both methods of authentication. But the external access through F5 does not work with SSO login via their e-mail addresses. My co-worker tried to access the login via the .xml site, which shows information about the Autodiscover service.

I want to use ActiveSync on mobile devices, and Outlook Anywhere access (RPC/HTTPS) with username and e-mail credentials.

Thanks in advance, and sorry if it's kind of long, but I tried to describe it as best I can. I hope that somebody can understand my case.

TL;DR: Need help to create an APM which allows Exchange 2016 users to access the OWA 2010 iApp with e-mail AND username.

Screenshots: Actual Policy (Basic OWA iApp) 1 2, Access XML Page example 1

Best wishes
Hank Moody