Greg_130338
Aug 10, 2015

Exchange 2013 iApp

Hey all, recently deployed this iApp. Question about SSO. It looks like the iApp configures 3 SSO profiles: forms-based, Kerberos, and NTLMv1. However, none of these are actually assigned to the access profile in the SSO configuration. Are we supposed to pick which one we need? What if OWA uses a different method (which it does) than the Outlook client? (forms-based or basic vs NTLM/Kerberos). Thanks for any assistance. I had it working for OWA at one point but now I get stuck at the OWA login page after I auth to APM so I'm stuck, though this may be one of the issues.

 

-GR

 

8 Replies

  • mikeshimkus_111
    Historic F5 Account

    Hi Greg, SSO for non-OWA services is controlled by the APM Exchange profile, which is located under Access Policy ›› Application Access : Microsoft Exchange in the GUI.

     

    The OWA SSO is selected using the _select_sso_irule created by the iApp. When the rule encounters the OWA URI, it uses WEBSSO::select to pick the forms SSO.

     

    • Greg_130338
      OK I think I figured it out. I created an iApp for internal connections using an internal IP for the VS. Once I did that I created an external iApp but I reused the same APM policy I had created using the previous iApp creation. Is this not recommended? I compared the iRules associated with both and the external VS definitely does not have that SSO iRule for OWA in it. I am still failing on the NTLM auth for full Outlook clients which worked previously. Frustrating!
    • mikeshimkus_111
      Historic F5 Account
      I wouldn't reuse the APM configuration from the previous deployment. You should let the iApp create a new set of objects.
    • Greg_130338
      Roger. I think that's where I am at this point. I may just rebuild both iApps and start over. Thanks for the assistance. For the NTLM auth I am now getting auth failures logged on the F5, NO LOGON SERVERS AVAILABLE. This is through the Kerberos SSO config. It gives an error, could not verify user (a lot of characters), which is followed by a bunch of failed auth errors for my userID. My DC is definitely up and the delegated Kerberos account is not locked. Ever seen that before? This was definitely working a few days ago.
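
The per-URI SSO selection that mikeshimkus_111 describes, sketched as an added example that is not part of the thread and not the rule the iApp generates. The SSO object name `/Common/exchange_forms_sso` and the `/owa` path prefix are placeholders assumed for illustration.

```tcl
# Added illustration of selecting an SSO configuration per request.
# Not the iApp-generated _select_sso_irule; names below are assumptions.
when ACCESS_ACL_ALLOWED {
    # Normalise the path so /OWA and /owa take the same branch.
    set req_path [string tolower [HTTP::path]]

    if { $req_path starts_with "/owa" } {
        # OWA presents an HTML login form, so forms-based SSO is
        # selected for this request only.
        # Placeholder name for the forms-based SSO configuration object.
        set sso_cfg "/Common/exchange_forms_sso"
        WEBSSO::select $sso_cfg
    }
    # Requests for other Exchange services are not matched here; per the
    # reply above, their SSO is controlled by the APM Exchange profile.
}
```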