Forum Discussion

Greg_130338's avatar
Greg_130338
Icon for Nimbostratus rankNimbostratus
Aug 12, 2015

Kerberos Delegation and NTLM auth Exchange 2013

This is related to a previous post about the Exchange iApp. Everything is working for both internal and internal connections except from Outlook Anywhere clients attempting to connect to the external VS and auth via RPC over HTTP. I enabled all debug logs for APM and ECA since that seemed to be where the failure was occuring. I noticed the following and cannot make much sense of it. Any help would be appreciated. Below is the log file comparison between a successful auth though the internal iApp vs the failed auth through the external iApp. This is just a snippet of the full log. Everything before these lines in the log is the same for both internal and external connections. It seems to fail when the BigIP tries to make a call to itself to process the logon request, anyone ever see this before?

 

Internal success: Aug 12 13:22:12 JHHCF5 debug eca[7237]: 0162000c:7: [Common] 10.1.12.9:46380 (0x09a8b9c8) Server challenge: 24296533D8C59FB4 Aug 12 13:22:12 JHHCF5 debug nlad[8603]: 01620000:7: <0x559058f0> clntsvc: processing 'logon' request on connection[18] from 127.0.0.1:43935 Aug 12 13:22:12 JHHCF5 debug nlad[8603]: 01620000:7: <0x559058f0> client[5]: is ready Aug 12 13:22:12 JHHCF5 debug nlad[8603]: 01620000:7: <0x5624cb90> NLAD_TRACE: nlclnt[53403010a / 01] sending logon = 0xC00000E5 Aug 12 13:22:12 JHHCF5 debug nlad[8603]: 01620000:7: <0x5624cb90> nlclnt[53403010a] logon: entering user GRicketts domain JHHC wksta JHHC04619LT

 

Failed auth: Aug 12 12:51:10 JHHCF5 debug nlad[8603]: 01620000:7: <0x559058f0> clntsvc: processing 'logon' request on connection[38] from 127.0.0.1:44495 Aug 12 12:51:10 JHHCF5 warning nlad[8603]: 01620000:4: <0x559058f0> clntsvc: no client for id 6 to service request from connection[38] from 127.0.0.1:44495 Aug 12 12:51:10 JHHCF5 debug nlad[8603]: 01620000:7: <0x559058f0> nla_rq: response with status [0xc00000ab,NT_STATUS_INSTANCE_NOT_AVAILABLE] for type 'logon' client 6 context 0x5ab82b90 24 bytes to connection[38] from 127.0.0.1:44495: took 0 milli-seconds Aug 12 12:51:10 JHHCF5 debug eca[7237]: 0162000c:7: [Common] 12.181.141.210:45214 (0x5bf14c28) nla_agent::logon, rc = STATUS_NO_LOGON_SERVERS (3221225566)

 

BIG-IP Access Policy Manager (APM)
devops
exchange 2013
iApps
kerberos delegation
ntlm
security

38 Replies

Sort By
Show More
  • Stanislas_Piro2's avatar
    Stanislas_Piro2
    Icon for Cumulonimbus rankCumulonimbus
    Aug 14, 2015

    Hi,

     

    You say everything is working... did you configure kerberos SSO for OA? in a previous response, you answered "If exchange did not support kerberos auth?"

     

    NTLM auth support only kerberos SSO.

     

    if Kerberos SSO is not configured (in AD, Exchange and F5), the server will request a second authentication and the user will be prompted twice.

     

    • mikeshimkus_111's avatar
      mikeshimkus_111
      Historic F5 Account
      Aug 19, 2015
      Basic authentication for Outlook Anywhere is also supported with NTLM SSO, this is the default setting on CAS.
    • kunjan_118660's avatar
      kunjan_118660
      Icon for Cumulonimbus rankCumulonimbus
      Aug 20, 2015
      Following is the error we get on 11.6HF5, when we switch to NTLM SSO with front end Basic Auth. I miss something? MCP Error01070734:3: Configuration error: Error in Exchange Profile (/Common/myExchg.app/exch_ntlm_exchange_edge) for service (Outlook Anywhere): SSO configuration (/Common/myExchg.app/exch_ntlm_sso) is of NTLM SSO type; NTLM SSO Type is not allowed for service Outlook Anywhere
    • mikeshimkus_111's avatar
      mikeshimkus_111
      Historic F5 Account
      Aug 19, 2015
      Basic authentication for Outlook Anywhere is also supported with NTLM SSO, this is the default setting on CAS.
    • kunjan's avatar
      kunjan
      Icon for Nimbostratus rankNimbostratus
      Aug 20, 2015
      Following is the error we get on 11.6HF5, when we switch to NTLM SSO with front end Basic Auth. I miss something? MCP Error01070734:3: Configuration error: Error in Exchange Profile (/Common/myExchg.app/exch_ntlm_exchange_edge) for service (Outlook Anywhere): SSO configuration (/Common/myExchg.app/exch_ntlm_sso) is of NTLM SSO type; NTLM SSO Type is not allowed for service Outlook Anywhere
  • Stanislas_Piro2's avatar
    Stanislas_Piro2
    Icon for Cumulonimbus rankCumulonimbus
    Aug 19, 2015

    Hi,

     

    most of SSO methods need password variable (Basic, ntlm, form based, ...)

     

    If authentication does not provide this information, APM cannot reuse it. that's true for NTLM, OTP or SAML auth.

     

    For every Exchange 2013, kerberos is recommended for 2 services:

     

    • OA (to allow NTLM auth)
    • OWA (Client based form based sso does not work every time)
    • ECP (share the same authentication as OWA)

    when kerberos SSO is deployed for these services, the better configuration is to enable it on all services to simplify VPE tree.

     

    If you configure NTLM for some services and Kerberos for others, variable session.logon.last domain may have 2 possible values:

     

    • windows NT domain for NTLM
    • REALM for Kerberos