Problem with Kerberos in iApp for Exchange 2013
Hey, I have set up an iApp for Exchange 2013 (f5.microsoft_exchange_2010_2013_cas.v1.3.0) on BIG-IP 11.4.1. Now Autodiscover won't work, and to me it looks like some Kerberos problem. I have reviewed the config following https://devcentral.f5.com/articles/apm-cookbook-single-sign-on-sso-using-kerberos, but instead of "fetched S4U2Self ticket for user: test.user@F5.DEMO" I get the following:

    May 26 17:52:10 F5BIGIP03 info websso.1[13873]: 014d0011:6: 1c8813d7: Websso Kerberos authentication for user 'testuser' using config '/PTA_Gruppe/PTAexchange.app/exchange_ntlm_kerberos_sso'
    May 26 17:52:10 F5BIGIP03 debug websso.1[13873]: 014d0046:7: 1c8813d7: adding item to WorkQueue
    May 26 17:52:10 F5BIGIP03 debug websso.1[13873]: 014d0018:7: sid:1c8813d7 ctx:0x8f9e528 server address = ::ffff:172.17.27.192
    May 26 17:52:10 F5BIGIP03 debug websso.1[13873]: 014d0021:7: sid:1c8813d7 ctx:0x8f9e528 SPN = HTTP/exmbx01.domain.com@DOMAIN.COM
    May 26 17:52:10 F5BIGIP03 debug websso.1[13873]: 014d0023:7: S4U ======> ctx: 1c8813d7, sid: 0x8f9e528, user: testuser@DOMAIN.COM, SPN: HTTP/exmbx01.domain.com@DOMAIN.COM
    May 26 17:52:10 F5BIGIP03 debug websso.1[13873]: 014d0001:7: Getting UCC:testuser@DOMAIN.COM@DOMAIN.COM, lifetime:36000
    May 26 17:52:10 F5BIGIP03 debug websso.1[13873]: 014d0001:7: fetched new TGT, total active TGTs:1
    May 26 17:52:10 F5BIGIP03 debug websso.1[13873]: 014d0001:7: TGT: client=host/bigip_ntlmuser@DOMAIN.COM server=krbtgt/DOMAIN.COM@DOMAIN.COM expiration=Tue May 27 03:52:10 2014 flags=40600000
    May 26 17:52:10 F5BIGIP03 debug websso.1[13873]: 014d0001:7: TGT expires:1401155530 CC count:0
    May 26 17:52:10 F5BIGIP03 debug websso.1[13873]: 014d0001:7: Initialized UCC:testuser@DOMAIN.COM@DOMAIN.COM, lifetime:36000 kcc:0x9054ae8
    May 26 17:52:10 F5BIGIP03 debug websso.1[13873]: 014d0001:7: UCCmap.size = 1, UCClist.size = 1
    May 26 17:52:10 F5BIGIP03 debug websso.1[13873]: 014d0001:7: S4U ======> - NO cached S4U2Proxy ticket for user: testuser@DOMAIN.COM server: HTTP/exmbx01.domain.com@DOMAIN.COM - trying to fetch
    May 26 17:52:10 F5BIGIP03 debug websso.1[13873]: 014d0001:7: S4U ======> - NO cached S4U2Self ticket for user: testuser@DOMAIN.COM - trying to fetch
    May 26 17:52:10 F5BIGIP03 err websso.1[13873]: 014d0005:3: Kerberos: can't get S4U2Self ticket for user testuser@DOMAIN.COM - Server not found in Kerberos database (-1765328377)
    May 26 17:52:10 F5BIGIP03 err websso.1[13873]: 014d0024:3: 1c8813d7: Kerberos: Failed to get ticket for user testuser@DOMAIN.COM

I suppose that I have committed some really simple error. Can anyone give me a hint where I have to look? Thank you! Regards, Alex

IE choking on exchange iRule
Hello community, bit of a strange issue, and it's most probably an IE bug, but I was wondering if anyone had tips on how to mitigate it by tweaking the iRule in the Exchange 2013 iApp. We can't reproduce the problem on other browsers (tested FF, Chrome and Safari); the problem, ironically, is only with IE. We're protecting against unauthorised access to /ECP. That part works. The problem arises when, in the ECP, a user wants to add/change a messagebox rule. This opens up a popup. On IE, the popup contains the error page, whereas it works with other browsers. Here is the iRule code:

    when HTTP_REQUEST {
        if { [HTTP::uri] contains "/ecp" } {
            set response "EAC Access Denied. We are sorry, but access to the Exchange Administration Center is restricted to approved client IP addresses. Your IP address, [IP::client_addr], is not approved."
            if { [HTTP::header exists "Referer"] } {
                # Requests reached from OWA (rfr=owa in the Referer) are passed to the OWA pool
                if { [HTTP::header "Referer"] contains "rfr=owa" } {
                    pool my_iapp_2013_owa_pool
                }
            } elseif { [class match [IP::client_addr] equals "trustedAddresses"] } {
                # Approved client addresses from the trustedAddresses data group
                pool my_iapp_2013_owa_pool
            } else {
                HTTP::respond 200 content $response
            }
            unset response
        }
    }

Solved

Forward Compatibility with Irule BIG-IP APM with OWA 2016 and IE10 or Google Chrome
Morning all, re: which iRule should be used to resolve the error "Access policy evaluation is already in progress". We are currently on BIG-IP 11.6.0 Build 6.0.442 Hotfix HF6, but I cannot guarantee that the device will not be patched to v11.6.1 HF1. Should we deploy the normal iRule, and will this be an issue if the device is upgraded to v11.6.1 HF1? Are there any issues deploying the iRule for v11.6.1 HF1 instead?

    when HTTP_REQUEST {
        if { [HTTP::cookie exists "IsClientAppCacheEnabled"] } {
            # Overwrite the cookie value in place
            HTTP::cookie "IsClientAppCacheEnabled" False
        }
    }

or:

    when HTTP_REQUEST {
        if { [HTTP::cookie exists "IsClientAppCacheEnabled"] } {
            # Remove the cookie and re-insert it with the value False
            HTTP::cookie remove "IsClientAppCacheEnabled"
            HTTP::cookie insert name "IsClientAppCacheEnabled" value False
        }
    }

iRule to restrict activesync traffic to particular IPs but allow all other Exchange traffic
Hi all, I am currently working on an MDM project in which we are moving to AirWatch to proxy all ActiveSync traffic. In order to force all users to use AirWatch for all ActiveSync, we need to be able to drop all ActiveSync traffic on our Exchange CAS pool. As we are currently on Exchange 2013, virtually all traffic goes via https_443, hence we need to be able to drop only ActiveSync traffic that is not coming from our two AirWatch servers but allow all other traffic (i.e. OWA, RPC, Autodiscover, etc.). Below is a sample of code I have created to hopefully achieve this. Would this work, and any recommendations?

    when HTTP_REQUEST {
        log local0. "Client IP: [IP::client_addr]"
        log local0. "URI: [HTTP::uri]"
        # The URI is lower-cased before matching, so the literal must be lower-case too;
        # "contains" does a plain substring match, so no trailing wildcard is needed.
        if { [string tolower [HTTP::uri]] contains "/microsoft-server-activesync" and not ([class match [IP::client_addr] equals Airwatch_SEG_Servers]) } {
            log local0. "dropped connection"
            reject
        } else {
            pool EXCHANGE_2013_https_int_pool
        }
    }

I have a Data Group called Airwatch_SEG_Servers containing the IPs of my two AirWatch servers, which will proxy the ActiveSync traffic. Thanks in advance, Monty

Upgrade Exchange 2010 to 2016 iApp
I know an iApp can be upgraded to another version of the same iApp. But can I upgrade the Exchange 2010_2013 iApp to the Exchange 2016 iApp? Note: the customer says they are going to use the same features in 2016 that they did in 2010. The current version is Exchange 2010 and they are migrating to 2016.

Exchange 2013 load balancing per preferred architecture
I'm new-ish to Exchange and to the F5 LTM platform, and I'm trying to get a handle on the best way to implement a load balancing configuration that aligns with Microsoft's Exchange Preferred Architecture and their recommendations regarding load balancing. If I understand correctly, the preference is for layer 7, no session affinity, and per-protocol availability. They want the availability of services on the load balancer to match closely the availability of services on the Exchange server itself, as the Exchange Managed Availability service monitors and responds to service issues. The F5 Exchange 2013 Deployment Guide appears to use a dedicated user account to perform actual connections to OWA in order to check availability, rather than leveraging the /healthcheck.htm URL as recommended by Microsoft. My questions: Has anyone in the community here configured their LTM to monitor Exchange service availability using the healthcheck.htm URL? Do you encounter any problems with Kerberos when using SSL offloading? Do you use layer 4 instead? How do you do nPath routing with two sites and separate VLANs for each? (My two data centers are a few miles apart, with a 20 Gb connection between them, so I'm planning to have both sites active.) My team and I aren't particularly enthusiastic about iApp and templates (and $$$) for a config that doesn't align with Microsoft's recommendations. Any suggestions and pointers to docs and sample configs would be most appreciated.

Restrict Outlook Anywhere
Hi everyone, does anyone know how you can use the F5 to provide external access to Outlook Anywhere to a specific group of people based on an AD security group? I have been asked to allow external access to our Exchange 2013 servers, which involves publishing Outlook Anywhere (RPC over HTTP) to the internet. I cannot see any way to restrict this in Exchange, so it is an all-or-nothing setup, which I am not comfortable with, and I would prefer it if I could restrict access to a select few. I tried a basic Access Policy with iRules (this worked for OWA), but the rule never gets triggered. From what I can tell, although it is HTTP, it does not have the same headers, so the AP/iRules do not work. Would really appreciate your help. Regards, David

Server side NTLM SSO and user UPN
Hi all, I've configured the F5 iApp for Exchange/CAS to allow our Microsoft Dynamics 365 tenancy to communicate with our on-prem Exchange via EWS. https://devcentral.f5.com/questions?pid=55703 The F5 authenticates to Exchange using an NTLMv2 SSO configuration (Exchange has basic auth disabled). I have been able to successfully test the connection using the testing tool provided in D365. However, when I use a user with a UPN that is different to the domain, Exchange comes back with an error about enabling basic auth. Successful: svc_d365@org.local (org.local matches our domain). Failed: svc_d365@corp.local (user is in the org.local domain, just with a different UPN). "The Exchange Server settings for authentication could have been set to something other than Basic Authentication. Basic Authentication is required for connecting Microsoft Dynamics 365 (online) with Exchange Server." Our F5 shows basic authentication between D365 and F5 as being successful. I have to get the APM log level increased to debug to see the SSO logs to get more information. But can anyone suggest why a different UPN would cause an issue? I didn't think NTLM used the UPN? Cheers, Simon

Enabling APM on Exchange iApp causes outlook clients to not authenticate
We are utilizing iApps to configure Exchange 2013. The scenario we are using is "BIG-IP LTM will load balance and optimize Client Access Server traffic", which works great. We wanted to lock down our OWA, so we reconfigured the iApp for "Provide secure authentication to CAS HTTP-based services with BIG-IP Access Policy Manager?" to use APM. The SSO mappings work great for OWA and the access policy we put in place. But then we noticed regular Outlook clients could not authenticate. We utilize NTLM for this. People were continually being prompted. Even entering your password for some people did not resolve the issue. Appears to be similar to this thread: https://devcentral.f5.com/questions/microsoft-excange-2013-with-ltm-apm-outlook-client-not-able-to-connect However, I could not find my resolution.

Exchange 2013 iApp Configuration for MobileIron
I've deployed the iApp for Exchange 2013 using the defaults, except for using SSL Bridging instead of SSL Offloading. All internal and external mail flows just fine, but mobile devices configured with MobileIron get an error stating 'Cannot connect to server'. Are there specific settings that are required for MobileIron to work with this iApp? The MobileIron Sentry is a stand-alone VM in the DMZ and not load balanced by F5. A manually created F5 virtual server that was deployed prior to the iApp being utilized is configured for 'Performance (Layer 4)' for the Type, but the iApp-created virtual server for combined_https is using 'Standard' for the type. If I change this to 'Performance (Layer 4)' to match the old virtual server, I get an error stating: "01070394.3: TCP::idletime in rule (/Common/Exchange-2013.app/Exchange-2013_combined_pool_irule7) requires an associated TCP profile on the virtual server (/Common/Exchange-2013.app/Exchange-2013_combined_https)."

Solved