Nfordhk_66801
Jan 12, 2016

Enabling APM on Exchange iApp causes Outlook clients to not authenticate

We are utilizing iApps to configure Exchange 2013. The scenario we are using is "BIG-IP LTM will load balance and optimize Client Access Server traffic", which works great.

We wanted to lock down our OWA, so we reconfigured the iApp for "Provide secure authentication to CAS HTTP-based services with BIG-IP Access Policy Manager?" to use APM.

The SSO mappings work great for OWA and the access policy we put in place. But then we noticed regular Outlook clients could not authenticate. We utilize NTLM for this. People were continually being prompted. Even entering your password for some people did not resolve the issue.

Appears to be similar to this thread: https://devcentral.f5.com/questions/microsoft-excange-2013-with-ltm-apm-outlook-client-not-able-to-connect

However, I could not find my resolution.

    • TSP_94471

      Hello,

      Could you please let me know how you resolved the issue? I am also facing an issue in Outlook Anywhere authentication wherein we are able to do SSO for OWA but it breaks Outlook and the user is not able to authenticate on Outlook. We are using Exchange 2013 with LTM+APM in the 1.6 iApp.

    • Nelgin_Nepolean

      Hello,

      Could you please let me know how you resolved the issue? I am also facing an issue in Outlook Anywhere authentication. This is Exchange 2016, using NTLM auth for the Outlook client. I have used the iApp for Exchange 2016. I appreciate your advice.

      Regards, Nelgin

  • JamesSevedge_23
    Historic F5 Account

    Based on your summary of the issue here, I would suggest looking at Appendix E in the Exchange 2013 iApp DG. The way this works in general for APM securing Exchange Web services is that APM authenticates the client using NTLM/Forms by default for Exchange on the front end and then performs SSO auth on the back end. The Outlook client uses NTLM for authentication, as opposed to OWA, which is forms based. The Exchange iApp builds out an SSO Form for OWA that maps the required parameters for APM SSO forms authentication on the back end. However, since Outlook clients use NTLM, that means APM on the back-end SSO side has to authenticate using Kerberos.

    This requires some configuration within AD, BIG-IP and potentially your Exchange servers, depending on whether reverse DNS lookup will work for the Exchange CAS servers. Appendix E in the Exchange 2013 iApp DG covers this configuration.