Outlook Anywhere and NTLM authentication
Hello, I am trying to achieve Outlook Anywhere with basic-NTLM and Kerberos SSO. I followed the DG and am stuck at NTLM authentication. When I create the NTLM Machine Account the logs say that it joined the domain, then I create the NTLM Auth Configuration with my domain and DCs. After that I see these messages in the logs:

nlad[11851]: 01620000:3: <0x2b3374f71700> nlclnt[12a02a8c0] init: Error [0xc000006d,NT_STATUS_LOGON_FAILURE] connecting to DC 192.168.

I added some Exchange groups to the machine account and enabled delegation for http with Exchange servers. I then try to renew the machine account password but I get this error:

adutil[16625]: 01490274:5: (null):Common:00000000: New master key received.
adutil[16625]: 01490200:3: ERROR: Could not connect to domain domain controller of realm 'EXAMPLE.AD'
adutil[16625]: 01490200:3: WARNING: machine account update for 'f5apm' failed: Preauthentication failed, principal name: f5apm@EXAMPLE.AD. Invalid user credentials. (-1765328360)

Then I took a look at Kerberos traffic and could see that the bigip can't get a Kerberos ticket:

At this step I am not even talking about Kerberos SSO, which I think has nothing to do with NTLM. I have found K33692321 but it doesn't help. I also took a look at K08915521. It says that it may be a domain name or NetBIOS name issue, but I know that my domain is EXAMPLE.AD and NetBIOS EXAMPLE. Has someone already managed to make this work? It is a standard configuration, so am I missing something on the Windows side? Best regards

How to bypass APM profile if uri is "/rpc/rpcproxy.dll" ?
I was trying to bypass the APM part for Outlook Anywhere by adding an iRule. But "ACCESS::disable" is not helping. My intention is to disable the APM authentication part and do only load balancing, or just forward the traffic to the pool, if the uri is /rpc/rpcproxy.dll. I have used the iApp for the Exchange 2016 configuration.

    when HTTP_REQUEST {
        # Outlook Anywhere (RPC over HTTP) requests: skip the access policy and send them straight to the pool
        if { ([HTTP::path] eq "/rpc/rpcproxy.dll") and \
             (([HTTP::method] equals "RPC_IN_DATA") or ([HTTP::method] equals "RPC_OUT_DATA")) } {
            ACCESS::disable
            pool OA_pool
            log local0. "APM disabled."
        } else {
            # Everything else keeps going through the APM access policy
            ACCESS::enable
            log local0. "APM enabled."
        }
    }

Outlook Anywhere 2 Factor Authentication
Hello, since there is no native support for 2FA by Outlook Anywhere, I'm wondering if it's possible to set up 2FA with SAML. For example, Outlook is connecting and authenticated by the NTLM Auth object. After this, an AD query finds the user's mobile number from AD, SAML is triggered and an iRule sends an SMS with a "magic link". The user has to open this link on his smartphone and the session is allowed. The link refers to the BigIP as SAML service provider. Something like Ping Identity does without an external service provider and a mobile app where you have to confirm your ID by sliding over. What do you think? Is this possible, or has someone done a scenario like this already? Cheers

BIG-IP APM/LTM with Exchange 2010 and NTLM Authentication
Guys, I've tried to deploy the above solution using the iApp template for Exchange. Slightly different deployment, as I'm trying to do it with route domains. I understand there are issues with authentication in route domains, i.e. NTLM comes from the default route domain, and I don't have an issue with this. When opening Outlook, which has been configured for Outlook Anywhere access, I get a login prompt. When looking at the APM logs it tells me NTLM auth occurred and that it was successful. Does anyone have any ideas? I can supply logs if needed :)

Open port range on Exchange Cas array object to enable Outlook Anywhere
Hi, using Exchange 2010 SP3 and LTM 11.6.0. Outlook Anywhere is currently not working externally. The reason is it tries to proxy connections to the Exchange CAS array object on port 6001-6004. The CAS array is a load balanced virtual server, part of an application service on LTM, and these ports are never configured and will be rejected. Changed some Exchange configuration, the EXPR Outlook provider, to use an internal server and it now works internally only. I wonder if something is configured wrong, since I can't find many with the same issue. Found some, but they never figured out what caused the issue and the solution was to not use HLB for RPC/MAPI. So, I want to:

1. either open the port range.
2. somehow make Outlook Anywhere connections proxy directly to CAS servers. Explanation; make this: mail.hostname.com/rpc/rpcproxy.dll?CASARRAY:6002 into something like this: mail.hostname.com/rpc/rpcproxy.dll?Exchangesrv:6002
3. help with finding my misconfiguration :)

Used Fiddler to verify this is the issue.