Forum Discussion

Rabbit23_116296's avatar
Rabbit23_116296
Icon for Nimbostratus rankNimbostratus
Nov 29, 2013

BigIP LTM, APM and Exchange 2010 design question for multiple AD DS instances

We have a resource forest with Exchange linked mailbox accounts but we also have regular mailbox accounts. This means we have people that are domain joined to two production active directory domains....
design
microsoft
Thomas_Gobet's avatar
Thomas_Gobet
Icon for Nimbostratus rankNimbostratus

I may have a confusion, I've just read from the begining your request.

 

I thinked you it was Outlook Web Access question, but it's Outlook Anywhere...

 

You will find informations on this here

 

If you want to check the domain on ntlm informations, the condition is :

 

mcget {session.ntlm.last.username} == your_domain_name

 

Rabbit23_116296's avatar
Rabbit23_116296
Icon for Nimbostratus rankNimbostratus
Dec 02, 2013
have followed that link which does not mention multiple domain accounts used to access the same service - Outlook Anywhere is working but only for one domain. This is the error I get from the debug APM log - kerberos: can't get S4U2Self ticket for user @ - cannot resolve servers for KDC in realm "" (-1765328164) We do have a two way forest root trust and Kerberos constrained delegation works in the current environment (dns is also solid). I have tried playing with all the variations of settings in KRB5.CONF on the load balancer. I am trying to replicate the Microsoft TMG behavior which uses it's computer account for Kerberos Constrained Delegation. It appears as if the APM works a little different, do I need another SSO configuration with a user account in the other domain I want to get to work? Anyone that has actually worked with this have any idea I would appreciate it.