Exchange ActiveSync published via APM, client certificates and Kerberos SSO mixes up Kerberos tickets
Hi,
we have published Exchange ActiveSync via F5 APM for mobile clients (iPhone) with client certificates. The clients are managed with AirWatch MDM and have a certificate installed for authentication. Basically the configuration works fine and the users can sync their emails without problem. But sometimes, especially when several users have the same external IP (e.g. at work) and try to sync at the same time, it seems that F5 mixes up the Kerberos tickets. User A then gets emails from user B.
In the APM logs you can see that even if the request comes from another client, F5 uses a cached ticket from user B and sends this to Exchange. But in the HTTP URL for ActiveSync you can see the request for user A.
Could this be a configuration issue or is it maybe a known bug in F5?
Setup: We have used this guide for the basic configuration: https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-sso-config-11-4-0/4.html
Our Access Policy looks like:
For the extraction of the upn from the certificate we use:
For the client SSL profile we have set the trusted certificates, SSL certificate and client certificate = require.
We attached the ActiveSync iRule (_sys_APM_activesync) from F5 to the VS but modified it a bit, otherwise the client would always pop up a password window for basic authentication. We commented the clientless mode out like it is stated here: https://devcentral.f5.com/questions/issue-with-apm-activesync-cert-auth
Anyone experiencing similar issues?
Thank you very much
Mark
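A small detector for the symptom Mark describes, added here as an example and not part of the original thread or of F5's code. The log format and field names are constructed (real APM logs look different); the check itself is the one the post implies: for each proxied request, compare the identity taken from the client certificate, the User= parameter in the ActiveSync URL, and the Kerberos principal whose ticket was actually forwarded to Exchange.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample records (NOT the real APM log format): one line per proxied
# ActiveSync request, carrying the identity APM took from the client cert, the
# backend URL, and the Kerberos principal whose ticket was sent to Exchange.
SAMPLE_LOG = """\
sid=0001 src=203.0.113.10 cert_upn=alice@example.com krb=alice@EXAMPLE.COM url="/Microsoft-Server-ActiveSync?User=alice&DeviceId=D1&Cmd=Sync"
sid=0002 src=203.0.113.10 cert_upn=bob@example.com krb=alice@EXAMPLE.COM url="/Microsoft-Server-ActiveSync?User=bob&DeviceId=D2&Cmd=Sync"
sid=0003 src=198.51.100.7 cert_upn=carol@example.com krb=carol@EXAMPLE.COM url="/Microsoft-Server-ActiveSync?User=EXAMPLE%5Ccarol&DeviceId=D3&Cmd=Ping"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Split one record into a dict; strips the quotes around the url field."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def short_user(identity):
    """Normalise alice@example.com, EXAMPLE\\alice or alice@EXAMPLE.COM to 'alice'."""
    user = identity.split("@")[0]
    user = user.replace("/", "\\").split("\\")[-1]
    return user.lower()

def url_user(url):
    """User= query parameter that every ActiveSync request carries (URL-decoded)."""
    qs = parse_qs(urlsplit(url).query)
    return short_user(qs.get("User", [""])[0])

def find_mismatches(log_text):
    """Return (sid, src, cert_user, url_user, krb_user) for every request where the
    Kerberos ticket forwarded to Exchange belongs to someone other than the client
    that authenticated, i.e. the 'user A receives user B's mail' symptom."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        cert_u = short_user(rec["cert_upn"])
        url_u = url_user(rec["url"])
        krb_u = short_user(rec["krb"])
        if krb_u != cert_u or krb_u != url_u:
            hits.append((rec["sid"], rec["src"], cert_u, url_u, krb_u))
    return hits

if __name__ == "__main__":
    for hit in find_mismatches(SAMPLE_LOG):
        print("ticket/identity mismatch: sid=%s src=%s cert=%s url=%s krb=%s" % hit)
```

Record 0002 is the interesting one: bob's certificate and bob's URL, but alice's ticket went to Exchange, which is exactly what the APM logs in the post showed.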
Hello,
It's an issue seen since the latest version of BIG-IP. It's now safer to deploy ActiveSync using the available iApp for Exchange.
You should not use the following iRule anymore: _sys_APM_activesync