Forum Discussion
NimbostratusKerberos Delegation and NTLM auth Exchange 2013
This is related to a previous post about the Exchange iApp. Everything is working for both internal and internal connections except from Outlook Anywhere clients attempting to connect to the external VS and auth via RPC over HTTP. I enabled all debug logs for APM and ECA since that seemed to be where the failure was occuring. I noticed the following and cannot make much sense of it. Any help would be appreciated. Below is the log file comparison between a successful auth though the internal iApp vs the failed auth through the external iApp. This is just a snippet of the full log. Everything before these lines in the log is the same for both internal and external connections. It seems to fail when the BigIP tries to make a call to itself to process the logon request, anyone ever see this before?
Internal success: Aug 12 13:22:12 JHHCF5 debug eca[7237]: 0162000c:7: [Common] 10.1.12.9:46380 (0x09a8b9c8) Server challenge: 24296533D8C59FB4 Aug 12 13:22:12 JHHCF5 debug nlad[8603]: 01620000:7: <0x559058f0> clntsvc: processing 'logon' request on connection[18] from 127.0.0.1:43935 Aug 12 13:22:12 JHHCF5 debug nlad[8603]: 01620000:7: <0x559058f0> client[5]: is ready Aug 12 13:22:12 JHHCF5 debug nlad[8603]: 01620000:7: <0x5624cb90> NLAD_TRACE: nlclnt[53403010a / 01] sending logon = 0xC00000E5 Aug 12 13:22:12 JHHCF5 debug nlad[8603]: 01620000:7: <0x5624cb90> nlclnt[53403010a] logon: entering user GRicketts domain JHHC wksta JHHC04619LT
Failed auth: Aug 12 12:51:10 JHHCF5 debug nlad[8603]: 01620000:7: <0x559058f0> clntsvc: processing 'logon' request on connection[38] from 127.0.0.1:44495 Aug 12 12:51:10 JHHCF5 warning nlad[8603]: 01620000:4: <0x559058f0> clntsvc: no client for id 6 to service request from connection[38] from 127.0.0.1:44495 Aug 12 12:51:10 JHHCF5 debug nlad[8603]: 01620000:7: <0x559058f0> nla_rq: response with status [0xc00000ab,NT_STATUS_INSTANCE_NOT_AVAILABLE] for type 'logon' client 6 context 0x5ab82b90 24 bytes to connection[38] from 127.0.0.1:44495: took 0 milli-seconds Aug 12 12:51:10 JHHCF5 debug eca[7237]: 0162000c:7: [Common] 12.181.141.210:45214 (0x5bf14c28) nla_agent::logon, rc = STATUS_NO_LOGON_SERVERS (3221225566)
38 Replies
Stanislas_Piro2Cumulonimbus
Hi,
most of SSO methods need password variable (Basic, ntlm, form based, ...)
If authentication does not provide this information, APM cannot reuse it. that's true for NTLM, OTP or SAML auth.
For every Exchange 2013, kerberos is recommended for 2 services:
- OA (to allow NTLM auth)
- OWA (Client based form based sso does not work every time)
- ECP (share the same authentication as OWA)
when kerberos SSO is deployed for these services, the better configuration is to enable it on all services to simplify VPE tree.
If you configure NTLM for some services and Kerberos for others, variable session.logon.last domain may have 2 possible values:
- windows NT domain for NTLM
- REALM for Kerberos
kunjanIt seems, for OA only Kerberos is supported for the backend SSO.
For other Exchange services like ActiveSync, EWS or OAB, when front end is Basic, NTLM SSO can used for backend.
- kunjanFollowing is the error we get on 11.6HF5, when we switch to NTLM SSO with front end Basic Auth. I miss something? MCP Error01070734:3: Configuration error: Error in Exchange Profile (/Common/myExchg.app/exch_ntlm_exchange_edge) for service (Outlook Anywhere): SSO configuration (/Common/myExchg.app/exch_ntlm_sso) is of NTLM SSO type; NTLM SSO Type is not allowed for service Outlook Anywhere
- Basic authentication for Outlook Anywhere is also supported with NTLM SSO, this is the default setting on CAS.
kunjan_118660It seems, for OA only Kerberos is supported for the backend SSO.
For other Exchange services like ActiveSync, EWS or OAB, when front end is Basic, NTLM SSO can used for backend.
- kunjan_118660Following is the error we get on 11.6HF5, when we switch to NTLM SSO with front end Basic Auth. I miss something? MCP Error01070734:3: Configuration error: Error in Exchange Profile (/Common/myExchg.app/exch_ntlm_exchange_edge) for service (Outlook Anywhere): SSO configuration (/Common/myExchg.app/exch_ntlm_sso) is of NTLM SSO type; NTLM SSO Type is not allowed for service Outlook Anywhere
- Basic authentication for Outlook Anywhere is also supported with NTLM SSO, this is the default setting on CAS.
- Stanislas_Piro2
Hi,
You say everything is working... did you configure kerberos SSO for OA? in a previous response, you answered "If exchange did not support kerberos auth?"
NTLM auth support only kerberos SSO.
if Kerberos SSO is not configured (in AD, Exchange and F5), the server will request a second authentication and the user will be prompted twice.
Greg_130338So everything is working as expected. An awful long thread to chalk up to intermittent connectivity issues or something that just broke in the NTLM machine account and ntlm-auth config but that appears to have been the issue since I cannot pinpoint any specific problem that caused all the errors and failures. And I still haven;t heard from support! so thank you all for your help and attention. We are back up and running!
- Greg_130338OK well we're back to the drawing board. All of a sudden EVERYTHING has stopped working. The APM login page will not even display for OWA. I have a case open with support, but I am tempted to completely delete and rebuild. I did this before, sometimes it works, other times it does not.
- kunjan
Sounds like some intermittent connectivity issue. Once ntlm configured, when do netstat -an, should see 2 established connection between APM and DC on port 445.
- kunjan
The error is when domain controller configured (JHHCDC01.JHHC.COM) cannot be resolved or contacted. You can try to do packet capture on port 53 to see what's happening. Also, can try if APM can discover KDC without specifying the Domain controller.
adtest command might be helpful to do the isolation.
to list the configtmsh list apm ntlm ntlm-auth- Greg_130338Got it, I noticed it was created but never actually selected as an SSO profile used in the exchange policy. When would it be used? If exchange did not support kerberos auth?
- kunjanGreat! NTLMv2 mentioned is for SSO, not for NTLM Auth. Not relevant for OA here, as Kerberos is used for SSO.
- Greg_130338OK. With the machine account recreated and NTLM auth config redone, I am able to successfully authenticate to both internal and external iApps. I guess I can only chalk this up to something was busted with the initial machine account perhaps? I am not sure. I did notice in the ECA debug logs, I am actually sending NTLMv2 auth requests. In the appendix for the echange 2013 iApp there is a manual process for replacing the NTLM profile with an NTLMv2 profile. How is this working if NTLMv2 is being sent but the iApp is configured to accept NTLM? Is it necessary for me to follow the NTLMv2 config procedure at this time?
- kunjan_118660
The error is when domain controller configured (JHHCDC01.JHHC.COM) cannot be resolved or contacted. You can try to do packet capture on port 53 to see what's happening. Also, can try if APM can discover KDC without specifying the Domain controller.
adtest command might be helpful to do the isolation.
to list the configtmsh list apm ntlm ntlm-auth- Greg_130338Got it, I noticed it was created but never actually selected as an SSO profile used in the exchange policy. When would it be used? If exchange did not support kerberos auth?
- kunjan_118660Great! NTLMv2 mentioned is for SSO, not for NTLM Auth. Not relevant for OA here, as Kerberos is used for SSO.
- Greg_130338OK. With the machine account recreated and NTLM auth config redone, I am able to successfully authenticate to both internal and external iApps. I guess I can only chalk this up to something was busted with the initial machine account perhaps? I am not sure. I did notice in the ECA debug logs, I am actually sending NTLMv2 auth requests. In the appendix for the echange 2013 iApp there is a manual process for replacing the NTLM profile with an NTLMv2 profile. How is this working if NTLMv2 is being sent but the iApp is configured to accept NTLM? Is it necessary for me to follow the NTLMv2 config procedure at this time?
