Forum Discussion

Geir_Sandbu_342
Apr 29, 2016

Create an NTLM machine account for BIG-IP within a route-domain

Hi


I have tried all day to join my BIG-IP system to one of my customers' domains. The customer has ActiveSync today and wants Outlook Anywhere with NTLM authentication as well.


My cluster runs on 11.6 HF6 and I have used this iApp for creating the Exchange service: f5.microsoft_exchange_2010_2013_cas.v1.5.1


But as I was googling around for a breakthrough I stumbled upon this article: https://support.f5.com/kb/en-us/solutions/public/17000/100/sol17148.html. We use route-domains and my customer is not in route-domain 0, and this article states that Kerberos authentication will not function unless the KDC servers reside in route-domain 0.


So my question is: is there a way to get this to work anyway?


Regards, Geir Sandbu


4 Replies

  • Hello, I already had a similar problem and unfortunately in my case I have set up a workaround. So for me the best way is to create a new Virtual Server for the KDC in Route Domain 0 (it will be used only for internal processing). In fact you have to create 2 VS (689 and 88) and these VS have to point to the KDC with the correct RD (ex: 172.2.2.9%4). For it to work you have to uncheck "Strict Isolation" on route domain 0 (Network --> Route Domains --> 0 --> uncheck "Strict Isolation"). Let me know if it works for you, otherwise I can offer you another solution... Regards
  • Thanks for the swift reply youssef. The workaround looks straightforward enough. Create 2 VS (ports 689 and 88) in Route Domain 0. The pool used for these VSes is pointed to the KDC in the customer's route-domain. But where to go next? When adding the BIG-IP system to the domain, do I point to the BIG-IP VS address instead of the FQDN of the DC server?
  • Hi again youssef. You mentioned that you had another solution. I'm very curious here. Can you please describe it to me? Regards
  • We ran into this and for the Kerberos AAA feature at least, we just specify the IP of the KDC in the Kerberos AAA agent, and let the traffic flow out of an RD0 VLAN that has access to the customer environment. We don't break the strict isolation feature in this case.


    We enhance this by using a wildcard VIP whose pool members are multiple KDCs in the customer environment. You point the Domain Controller FQDN field to this IP. I haven't tested the NTLM portion; you may need a hosts file entry to represent the internal IP for the VIP.
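The workaround from the first reply (two internal virtual servers in route domain 0 fronting the KDC in the customer's route domain, strict isolation off) together with the hosts-file note from the last reply, written out as tmsh commands. This is an added example, not configuration posted by anyone in the thread; 172.2.2.9%4 is the KDC address the first reply uses, while the RD0 address 10.1.1.50, the DC name dc1.customer.example and all object names are assumptions.

```tmsh
# Route domain 0 must not be strictly isolated, otherwise a pool member in
# %4 cannot be reached from a virtual server in %0. Note that this removes
# the separation between RD0 and the customer's RD for all RD0 objects,
# not just these two virtual servers (the last reply avoids this step).
modify net route-domain 0 strict disabled

# One pool per port, each pointing at the KDC in the customer's route domain.
create ltm pool pool_kdc_88 monitor tcp members add { 172.2.2.9%4:88 }
create ltm pool pool_kdc_689 monitor tcp members add { 172.2.2.9%4:689 }

# Internal-only virtual servers in RD0 (10.1.1.50%0 is a constructed address).
# SNAT automap makes the KDC answer back through BIG-IP rather than trying to
# route replies to an RD0 client it has no route for.
create ltm virtual vs_kdc_88 destination 10.1.1.50%0:88 ip-protocol tcp \
    pool pool_kdc_88 source-address-translation { type automap } profiles add { tcp }
create ltm virtual vs_kdc_689 destination 10.1.1.50%0:689 ip-protocol tcp \
    pool pool_kdc_689 source-address-translation { type automap } profiles add { tcp }

# Kerberos clients may also use UDP/88; add a udp virtual server on the same
# destination with ip-protocol udp and a udp profile if your clients need it.

# Assumed step from the last reply: a hosts entry so the DC FQDN used when
# creating the NTLM machine account resolves to the RD0 virtual server.
modify sys global-settings remote-host add { dc1 { hostname dc1.customer.example addr 10.1.1.50 } }

save sys config
```

The DC FQDN given to the NTLM machine-account join and the Kerberos AAA server then resolves to 10.1.1.50, so BIG-IP's own management-plane traffic stays in RD0 while the virtual servers carry it to the customer's KDC.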