iApps
1156 Topics

How to check the support id.
Hi Guys, I am new to F5. Sometimes users are able to access our client's network from outside. The user provides us a support id. Now my query is how to check this support id in LTM and allow that URL so that users are able to access the URL. Kindly help me to fix the issue. Please tell me the steps.
Regards, Tan_Sal
6.5K Views, 0 likes, 12 Comments

Kerberos Delegation and NTLM auth Exchange 2013
This is related to a previous post about the Exchange iApp. Everything is working for both internal and internal connections except from Outlook Anywhere clients attempting to connect to the external VS and auth via RPC over HTTP. I enabled all debug logs for APM and ECA since that seemed to be where the failure was occurring. I noticed the following and cannot make much sense of it. Any help would be appreciated.

Below is the log file comparison between a successful auth through the internal iApp vs the failed auth through the external iApp. This is just a snippet of the full log. Everything before these lines in the log is the same for both internal and external connections. It seems to fail when the BigIP tries to make a call to itself to process the logon request. Anyone ever see this before?

Internal success:
Aug 12 13:22:12 JHHCF5 debug eca[7237]: 0162000c:7: [Common] 10.1.12.9:46380 (0x09a8b9c8) Server challenge: 24296533D8C59FB4
Aug 12 13:22:12 JHHCF5 debug nlad[8603]: 01620000:7: <0x559058f0> clntsvc: processing 'logon' request on connection[18] from 127.0.0.1:43935
Aug 12 13:22:12 JHHCF5 debug nlad[8603]: 01620000:7: <0x559058f0> client[5]: is ready
Aug 12 13:22:12 JHHCF5 debug nlad[8603]: 01620000:7: <0x5624cb90> NLAD_TRACE: nlclnt[53403010a / 01] sending logon = 0xC00000E5
Aug 12 13:22:12 JHHCF5 debug nlad[8603]: 01620000:7: <0x5624cb90> nlclnt[53403010a] logon: entering user GRicketts domain JHHC wksta JHHC04619LT

Failed auth:
Aug 12 12:51:10 JHHCF5 debug nlad[8603]: 01620000:7: <0x559058f0> clntsvc: processing 'logon' request on connection[38] from 127.0.0.1:44495
Aug 12 12:51:10 JHHCF5 warning nlad[8603]: 01620000:4: <0x559058f0> clntsvc: no client for id 6 to service request from connection[38] from 127.0.0.1:44495
Aug 12 12:51:10 JHHCF5 debug nlad[8603]: 01620000:7: <0x559058f0> nla_rq: response with status [0xc00000ab,NT_STATUS_INSTANCE_NOT_AVAILABLE] for type 'logon' client 6 context 0x5ab82b90 24 bytes to connection[38] from 127.0.0.1:44495: took 0 milli-seconds
Aug 12 12:51:10 JHHCF5 debug eca[7237]: 0162000c:7: [Common] 12.181.141.210:45214 (0x5bf14c28) nla_agent::logon, rc = STATUS_NO_LOGON_SERVERS (3221225566)
4.9K Views, 0 likes, 38 Comments

Horizon Client authentication failure
I am running Big IP version 12.1.0 with APM and Horizon View 7.0.1. Currently attempting setup with the f5.vmware_view.v1.5.1 iapp template. The feature we really want to implement is using smartcard authentication with SAML 2.0 through the horizon client. Both the View server and F5 have been configured according to the companion guide for the iapp. The horizon client will prompt for a pin and then after a second or two display "Authentication Failure." APM logs consistently show the access policy failing at the cert inspection step. No SAML traffic appears to take place. If I attempt the same exact connection through a regular web browser via HTML 5, I can authenticate to the webtop where the authentication fails to the back end (the documentation says that's what should happen and that manual login has to occur from the webtop). The main thing is the APM log looks great. SAML authentication is seen for the browser connection, and the cert inspection from the same smartcard passes where it fails on connections from the Horizon client. I could really use some guidance on this.
4K Views, 0 likes, 12 Comments

Issues with Exchange 2013 owa
I've got the Big IP F5 virtual load balancer set up in my exchange 2013 lab getting ready for our migration in a few months and am having an issue. I've got an exchange 2007 environment set up to mimic what we have in production with multiple cas servers behind a VIP. Everything works fine. I've also got our exchange 2013 lab environment set up to run in coexistence with multiple CAS servers behind another VIP. If I log in a test account into exchange 2013 owa (through the VIP) that is an exchange 2007 mailbox, it redirects to the legacy owa (not using APM but letting exchange handle the redirection) and they can log in and get to their legacy mailbox. If I move that same user's mailbox to exchange 2013 and then have them log in to owa it does nothing. Just acts like it's about to load something then takes you right back to logon screen. If I open the account in outlook it's fine. If I bypass the F5 and go to owa directly off one of the CAS servers then it's fine, logs them right into owa mail. I've got the latest Exch 2013 template and have re-done it multiple times with different settings but nothing seems to change. My cert is valid but even not using ssl still the same thing. I'm kind of stuck here and I don't have a solid background with F5 BigIP so any help in troubleshooting this is greatly appreciated. Thank you.
2.4K Views, 0 likes, 25 Comments

Exchange Hybrid Free/Busy - APM 401 error with original iApp
Hi,
We are trying to deploy the Exchange iApp in a Hybrid deployment. Everything works well except the Free/Busy feature in O365. After doing some research we found a workaround by adding 2 URLs in the hybrid_bypassed iRule:
"/ews/exchange.asmx"
"/autodiscover/autodiscover.xml"
If we don't bypass these 2 URLs it's not working and we can see that the Kerberos ticket failed:

exch:Common:2e80dc30: User testo365@mydomain.com from RD0004FFD126D7 is authenticated
exch:Common:2e80dc30: Received User-Agent header: ExchangeServicesClient%2f15.20.1709.009.
exch:Common:2e80dc30: Following rule 'fallback' from item 'SSO Credential Mapping' to ending 'Allow'
exch:Common:2e80dc30: Access policy result: LTM+APM_Mode
exch:Common:2e80dc30: Received client info - Hostname: Type: unknown Version: 0 Platform: unknown CPU: unknown UI Mode: Full Javascript Support: 0 ActiveX Support: 0 Plugin Support: 0
exch:Common:2e80dc30:Kerberos: can't get S4U2Self ticket for user testo365@mydomain.com - Server not found in Kerberos database (-1765328377)
exch:Common:2e80dc30: Kerberos: Failed to get ticket for User: 'testo365@mydomain.com' accessing service: 'HTTP/exchange.MYDOM.ROOT@MYDOM.ROOT'
exch:Common:2e80dc30: failure occurred when processing the work item
exch:Common:2e80dc30: Session deleted due to admin initiated termination.
exch:Common:2e80dc30: Session statistics - bytes in: 3908, bytes out: 817

A few questions:
Does APM support Alternative UPN as SSO logon?
Is there any risk in bypassing additional URLs?
Thank you. Regards, Nicolas
2.3K Views, 0 likes, 3 Comments

Does anyone have any questions about F5 iWorkflow?
If you're looking to understand what all the noise is about, here are some links to help get you started:

The iWorkflow Wiki home page
This is where we will post all of the API documentation and example code to help you achieve new levels of programmable infrastructure driven automation and orchestration.
https://devcentral.f5.com/wiki/iWorkflow.HomePage.ashx

iWorkflow 101 Series
The first episode titled "The Architecture Explained" has been posted. Read this to understand the various elements that will help you speed application deployments, simplify architecture, and reduce exposure to operational risk.
https://devcentral.f5.com/articles/iworkflow-101-episode-1-the-architecture-explained-17866

Any other questions? Please don't hesitate to ask! We're here to help!
Thanks, Nathan
2.2K Views, 0 likes, 36 Comments

Cannot Renew Certificate and private key ( but keep the same name in F5 config )
Hi, Am trying to renew the wildcard certificate for our main domain. The CSR is generated elsewhere ( ie not on the F5 ), and have the cert/key from a CA already. The current certificate/key is in use. Trying to update either the certificate or the key results in the F5 complaining that the key does not match the certificate or vice versa. So, several workarounds to do this would be to delete the certificate/key pair and recreate, or add the certificate/key under a new name. Either one involves enormous pain, as the certificate is used by hundreds of iApps ( coding involved ). Does anyone have an alternate suggestion? Seems I cannot be the only person with this issue, but so far as I can find, it seems like a unique problem? Help or suggestions appreciated.

Error message, v11.4:
01070313:3: Error reading key PEM file /config/filestore/files_d/Common_d/certificate_key_d/:Common:star.mydomain.com.key_12345_1 for profile /Common/myapp.app/myapp_as_client-ssl: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
Solved
2.2K Views, 0 likes, 20 Comments

Microsoft Exchange 2013 iApp - Can't login to OWA or ECP if more than one server is active in pool
I just deployed the latest 2013 iApp for Exchange 2013. We have 5 servers, and the iApp deployment went well and quickly. However, we cannot log into OWA or the ECP when more than one pool member is active. You get to the login page, you type your username and password and it looks like it's logging you in for a brief moment, then kicks you back to the logon page. If I go into the OWA pool and disable all but one of the members, you can log in and access your mailbox or ECP just fine. Anything you can think of to look at? I have a support case with F5, but sometimes people on here have run into this before.
2.1K Views, 0 likes, 52 Comments