Pluppo_72680
Jun 03, 2014
Solved

Second authentication prompt when accessing Exchange 2013 Outlook Web app using BigIP LTM.

We are deploying Exchange 2013 load-balanced behind BigIP (running 11.3). I have used the newest iApp (f5.microsoft_exchange_2010_2013_cas.v1.3.0) to make the configuration. We are only using LTM and not APM.

All services are installed on the same server, only 1 VIP on BigIP for all services (SNAT), and same FQDN for all services except for autodiscover. The services are OWA, Outlook Anywhere, ActiveSync and autodiscover.

After logging in to OWA using the forms-based web page, there is a second "Windows Security" authentication prompt. This does not happen if we try logging in to the server directly. Everything else works with this LTM/Exchange 2013 installation.

Does anyone know what could be the cause of this second authentication prompt? I can't find any settings in the iApp that may cause this, and the Exchange administrator can't find the cause either.


5 Replies

  • Pluppo,

    My guess is that OWA is accessing a second service (like EWS) and is trying to use NTLM/Kerberos authentication. You may not have the F5 configured to handle client NTLM authentication correctly when using OneConnect.

    Try disabling OneConnect and see if you're still prompted. If so, you can re-enable your OneConnect and configure/adjust your NTLM profile.

    Cody

  • Hi Cody,

    Thanks for your reply. I just tried disabling strict updates on the iApp, and then removing the OneConnect profile from the VIP, but unfortunately the symptoms are still the same. I am still getting a second "Windows Security" authentication prompt after logging in to the OWA form.

  • mikeshimkus_111
    Historic F5 Account

    Hi Pluppo, is it possible for you to use the IE Developer Tools' (F12) network facility or an application like Fiddler or HTTPWatch to identify the resource that responds with the 401 status after you have logged in? My guess is that it's ECP, since that's most closely related to OWA. On the Client Access servers, do you have OWA and ECP authentication types both set to forms-based for all servers?

    thanks

    Mike
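
The check Mike describes can also be run over a saved capture. This is an added example, not part of the original thread: it reads a HAR export from the browser's network tools and lists every 401 returned after the forms login, with the authentication schemes the server offered. The function name, the `mail.example.com` host and the sample entries are constructed for illustration, and the login POST is assumed to go to `/owa/auth.owa`.

```python
import json
from urllib.parse import urlsplit

# Constructed HAR excerpt (not captured from a real deployment): a forms login
# to OWA, then two later requests that are challenged with HTTP 401.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"method": "POST", "url": "https://mail.example.com/owa/auth.owa"},
     "response": {"status": 302, "headers": [
         {"name": "Location", "value": "https://mail.example.com/owa/"}]}},
    {"request": {"method": "GET", "url": "https://mail.example.com/owa/"},
     "response": {"status": 200, "headers": []}},
    {"request": {"method": "GET", "url": "https://mail.example.com/ecp/?rfr=owa"},
     "response": {"status": 401, "headers": [
         {"name": "WWW-Authenticate", "value": 'Basic realm="mail.example.com"'}]}},
    {"request": {"method": "GET", "url": "https://mail.example.com/EWS/Exchange.asmx"},
     "response": {"status": 401, "headers": [
         {"name": "WWW-Authenticate", "value": "Negotiate"},
         {"name": "WWW-Authenticate", "value": "NTLM"}]}},
]}})


def find_auth_challenges(har_text):
    """Return (app, path, schemes) for each 401 seen after the forms login POST.

    app is the first path segment (owa, ecp, ews, ...), lower-cased.
    """
    challenges, logged_in = [], False
    for entry in json.loads(har_text)["log"]["entries"]:
        req, resp = entry["request"], entry["response"]
        path = urlsplit(req["url"]).path
        # Assumption: the OWA forms login is the POST to /owa/auth.owa.
        if req["method"] == "POST" and path.lower().endswith("/auth.owa"):
            logged_in = True
            continue
        if not logged_in or resp["status"] != 401:
            continue
        # Each WWW-Authenticate value starts with its scheme. Basic, NTLM and
        # Negotiate are the schemes that raise the browser's native prompt.
        schemes = [h["value"].split()[0] for h in resp["headers"]
                   if h["name"].lower() == "www-authenticate" and h["value"].strip()]
        app = path.strip("/").split("/")[0].lower()
        challenges.append((app, path, schemes))
    return challenges


if __name__ == "__main__":
    for app, path, schemes in find_auth_challenges(SAMPLE_HAR):
        print(f"401 from /{app} ({path}): offers {', '.join(schemes)}")
```

A 401 on `/owa` or `/ecp` after a successful forms login points at a server whose virtual directory is not set to forms-based authentication.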

     

  • Hi Mike,

    The Exchange administrator checked the CAS servers and indeed one of the servers had ECP authentication set to basic. He also found another server that had basic authentication on OWA; we thought it was set to forms on all servers.

    Thank you for pointing us in the right direction, everything is working great now!

  • I am experiencing a similar issue.

    Client starts OWA, getting prompted for authentication.