Rabbit23_116296
Nimbostratus
Dec 12, 2013

Exchange 2010 SP3, iApp template 2012_04_06 and Big IP 11.4.1 Build 608.0 - EWS issue

As per subject, is this combination supported? When using APM and Outlook anywhere I am having the following problem:

Dec 12 10:06:31 lhr4-lb-01 debug tmm3[9610]: 01490000:7: Enable ECA: select_ntlm:/exchange/exchange-2010-application.app/exch_ntlm_exchange-2010-application_combined_https
Dec 12 10:06:31 lhr4-lb-01 err eca[7202]: 0162000e:3: Invalid argument (/exchange/exchange-2010-application.app/exch_ntlm_exchange-2010-application_combined_https)
Dec 12 10:06:31 lhr4-lb-01 err eca[7202]: 0162000e:3: Invalid metadata (select_ntlm:/exchange/exchange-2010-application.app/exch_ntlm_exchange-2010-application_combined_https)
Dec 12 10:06:31 lhr4-lb-01 debug tmm2[9610]: 01490000:7: Matches RPC
Dec 12 10:06:31 lhr4-lb-01 err eca[7202]: 0162000e:3: Invalid argument (/exchange/exchange-2010-application.app/exch_ntlm_exchange-2010-application_combined_https)
Dec 12 10:06:31 lhr4-lb-01 err eca[7202]: 0162000e:3: Invalid metadata (select_ntlm:/exchange/exchange-2010-application.app/exch_ntlm_exchange-2010-application_combined_https)

Looking at this script block, is the object_name correctly formatted in the iApp template?

    # Ntlm-auth requires a specially-named prefix to match a system irule.
    if { $key == "ntlm,ntlm-auth,combined_https" ||
         $key == "ntlm,ntlm-auth,oa_https" ||
         $key == "ntlm,ntlm-auth,edge" } {
        regsub ".app/exchange" $object_name \
               ".app/exch_ntlm_${app}" object_name
    }

20 Replies

  • mikeshimkus_111
    Historic F5 Account

    I checked the case and they have a request for an engineer in the UK to contact you ASAP.

    The only differences between the 11.3 and 11.4 configuration for OA w/NTLM auth are:

    • 11.3 requires that you attach an APM system iRule to the virtual server. 11.4 uses the APM Exchange profile, which obscures the system iRule.
    • 11.3 requires that the NTLM auth config be named "exch_ntlm_<virtual server name>" where virtual server name is the name of the VIP the APM iRule is attached to. We still use this format in 11.4, but I don't believe it's required.

    Support should ask you to upload your configuration to iHealth. Once you do that we can take a closer look at it.

  • Mike if only I understood where to find what you suggested earlier...

    Access Policy/Application Access/Exchange/exchange_ntlm_exch still defaulted to an invalid NTLM configuration with the stock iApp template.

  • mikeshimkus_111
    Historic F5 Account

    I checked your support case and it was closed:

    "This issue has been resolved, I found the setting which defaulted to a non existent SSO profile."

    In all of our testing, the NTLM configuration specified by the iApp works. Not sure why it would be failing, other than a possible issue with the upgrade? What was the SSO profile that didn't exist?

  • exch_ntlm_exchange-2010-application_combined_https, as in the first post. Odd, as I found it after installing an 11.4.1 image afresh on one appliance and importing the iApp.

  • mikeshimkus_111
    Historic F5 Account

    That's the NTLM auth config name, not an SSO profile.

    What did the iApp create for the NTLM auth config instead of exch_ntlm_exchange-2010-application_combined_https?

  • the NTLM auth configuration? access policy/access profiles/NTLM/NTLM Auth configuration?

  • mikeshimkus_111
    Historic F5 Account

    Correct. If your virtual server is named exchange-2010-application_combined_https, then the iApp should have created one named exch_ntlm_exchange-2010-application_combined_https.

    When you run the iApp on your 11.4.1 box, what is the output of /var/tmp/scriptd.out? That file should log all the tmsh commands that iApp templates run.

  • create apm ntlm ntlm-auth /exchange/exchange.app/exch_ntlm_exchange_oa_https { dc-fqdn-list replace-all-with { lhr4-dccorp-01.corpad.adbkng.com lhr4-dccorp-02.corpad.adbkng.com lhr4-dccorp-03.corpad.adbkng.com } machine-account-name /exchange/lhr4-ltm-01.corpad.adbkng.com

    create apm profile exchange /exchange/exchange.app/exchange_ntlm_exchange { auto-discover-sso-config /exchange/exchange.app/exchange_ntlm_kerberos_sso offline-address-book-sso-config /exchange/exchange.app/exchange_ntlm_kerberos_sso web-service-sso-config /exchange/exchange.app/exchange_ntlm_kerberos_sso ntlm-auth-name /exchange/exchange.app/exch_ntlm_exchange_combined_https rpc-over-http-auth-type ntlm rpc-over-http-sso-config /exchange/exchange.app/exchange_ntlm_kerberos_sso }

    That's what I could find that matched the 'exch_ntlm' pattern.
    
  • mikeshimkus_111
    Historic F5 Account

    I see. It looks like the iApp created an NTLM auth config named exch_ntlm_exchange_oa_https, which is correct for a deployment using separate virtual servers for each service.

    However the APM Exchange profile is referencing the non-existent exchange-2010-application_combined_https NTLM auth config. You should be able to modify the NTLM auth name in the Exchange profile to use the correct object.

    We'll get this updated in the next version of the template.

    Thanks
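
The kind of mismatch diagnosed in the last reply, an APM Exchange profile whose ntlm-auth-name points at an NTLM auth config the iApp never created, can be checked mechanically from the tmsh commands logged in /var/tmp/scriptd.out. The following is an added example, not part of the original thread or of F5's template; the function name and the sample text (constructed, modelled on the lines quoted above, with placeholder host names) are assumptions, and it assumes each tmsh command is logged on a single line.

```python
import re

# Constructed sample modelled on the scriptd.out lines quoted in the thread.
# Host names are placeholders and the SSO settings are omitted.
SAMPLE_SCRIPTD_OUT = """\
create apm ntlm ntlm-auth /exchange/exchange.app/exch_ntlm_exchange_oa_https { dc-fqdn-list replace-all-with { dc-01.example.test } machine-account-name /exchange/bigip.example.test }
create apm profile exchange /exchange/exchange.app/exchange_ntlm_exchange { ntlm-auth-name /exchange/exchange.app/exch_ntlm_exchange_combined_https rpc-over-http-auth-type ntlm }
"""

# NTLM auth configs the iApp actually created.
CREATE_NTLM = re.compile(r"^[ \t]*create apm ntlm ntlm-auth (\S+)", re.M)
# APM Exchange profiles and the rest of their command line.
CREATE_PROFILE = re.compile(r"^[ \t]*create apm profile exchange (\S+)\s*\{(.*)$", re.M)
# The NTLM auth config an Exchange profile refers to.
NTLM_REF = re.compile(r"\bntlm-auth-name (\S+)")


def find_dangling_ntlm_refs(text):
    """Return (exchange_profile, referenced_name, candidates) tuples for every
    ntlm-auth-name that does not match a created NTLM auth config.
    candidates lists the NTLM auth configs that do exist in the same folder."""
    created = set(CREATE_NTLM.findall(text))
    problems = []
    for profile, body in CREATE_PROFILE.findall(text):
        for ref in NTLM_REF.findall(body):
            if ref in created:
                continue
            folder = ref.rsplit("/", 1)[0]
            candidates = sorted(n for n in created if n.rsplit("/", 1)[0] == folder)
            problems.append((profile, ref, candidates))
    return problems


if __name__ == "__main__":
    for profile, ref, candidates in find_dangling_ntlm_refs(SAMPLE_SCRIPTD_OUT):
        print(f"{profile}: ntlm-auth-name {ref} was never created")
        print(f"  existing NTLM auth configs in that folder: {candidates or 'none'}")
```

An empty result means every Exchange profile in the log references an NTLM auth config that the same log shows being created.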