Forum Discussion

Rabbit23_116296
Nov 29, 2013

BigIP LTM, APM and Exchange 2010 design question for multiple AD DS instances

We have a resource forest with Exchange linked mailbox accounts but we also have regular mailbox accounts. This means we have people that are domain joined to two production active directory domains.

 

If focusing on Outlook Anywhere, the APM module is pre-authenticating domain "x" and allows for SSO based on NTLM cached credentials, but I would like to be able to use the same authentication method from domain "y" using the same BIG-IP virtual server.

 

i.e. - I don't want people to use two different Outlook Anywhere URLs as we don't need to do that with the current Microsoft TMG reverse proxy solution.

 

13 Replies

  • Do you want to authenticate the user on both AD servers, or, depending on the username or domain, choose which AD to query?

     

  • Yes, I presume you mean if I have multiple AAA Active Directory servers in their own pools, one for each domain?

     

    Yes, I would think this is how it would work. But then, based on the NTLM credentials, it would forward the authentication request to the appropriate Active Directory authentication pool.

     

  • Don't know if it's what you want, but you can have this:

                                       -> NTLM to server 1
    Authentication -> domain condition
                                       -> NTLM to server 2

    It's only based on VPE creation. Let me know if it's good for you and I'll tell you more about it.

  • Here are the steps you have to do:

    1. Create a Logon Page with Username, Password and Domain
    2. Add an SSO Credential Mapping
    3. Add an empty box with 2 branches: 1 fallback and the other with the condition:

       mcget {session.logon.last.domain} == your_domain_name

    4. Then you can make your AD authentication
    5. And finally make your Resource Assignment
  • Does this mean the user will be presented with a form he needs to authenticate against?

     

  • I may be confused; I've just read your request from the beginning.

    I thought it was an Outlook Web Access question, but it's Outlook Anywhere...

    You will find information on this here.

    If you want to check the domain in the NTLM information, the condition is:

    mcget {session.ntlm.last.username} == your_domain_name

     

    • Rabbit23_116296
      I have followed that link, which does not mention multiple domain accounts used to access the same service. Outlook Anywhere is working, but only for one domain. This is the error I get from the debug APM log:

      kerberos: can't get S4U2Self ticket for user @ - cannot resolve servers for KDC in realm "" (-1765328164)

      We do have a two-way forest root trust and Kerberos constrained delegation works in the current environment (DNS is also solid). I have tried playing with all the variations of settings in KRB5.CONF on the load balancer. I am trying to replicate the Microsoft TMG behavior, which uses its computer account for Kerberos Constrained Delegation. It appears as if the APM works a little differently; do I need another SSO configuration with a user account in the other domain I want to get to work? If anyone who has actually worked with this has any idea, I would appreciate it.
  • I have managed to get this to work for both domains. Manually editing the krb5.conf file to include a mapping for the domain name worked:

    LEGACYNAME = LEGACYNAME.ROOT.LOCAL

     

    I can now pre-authenticate users from any domain.

     

    • Thomas_Gobet
      Thanks for your feedback and for letting us know it's good!
  • Sure - one thing down, now it's to figure out what to do with OWA with multiple domains :)
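As an added illustration (not code from the thread, from F5 or from MIT krb5): a simplified model of the krb5.conf [domain_realm] lookup, showing why an unmapped NetBIOS domain name ends up as the empty realm "" in the S4U2Self error quoted above and how the LEGACYNAME = LEGACYNAME.ROOT.LOCAL mapping fixes it. The config text, the CORP domain and the KDC host names are constructed; the real lookup also consults DNS and the default realm, which this model omits.

```python
# Added example, not from the thread: a simplified model of how a Kerberos client
# maps a logon domain to a realm via krb5.conf [domain_realm]. The config text is
# constructed; only the LEGACYNAME mapping line is the fix reported in the thread.
KRB5_CONF_BEFORE = """
[realms]
    CORP.ROOT.LOCAL = {
        kdc = dc1.corp.root.local
    }
    LEGACYNAME.ROOT.LOCAL = {
        kdc = dc1.legacyname.root.local
    }
[domain_realm]
    corp.root.local = CORP.ROOT.LOCAL
    .corp.root.local = CORP.ROOT.LOCAL
    CORP = CORP.ROOT.LOCAL
"""
KRB5_CONF_AFTER = KRB5_CONF_BEFORE + "    LEGACYNAME = LEGACYNAME.ROOT.LOCAL\n"

def parse_krb5_conf(text):
    """Minimal krb5.conf parser: [section], key = value, and NAME = { ... } stanzas."""
    sections, section, stanza = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = sections.setdefault(line[1:-1], {})
        elif line == "}":
            stanza = None
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":                    # realm stanza under [realms]
                stanza = section.setdefault(key, {})
            elif stanza is not None:
                stanza.setdefault(key, []).append(value)   # kdc may repeat
            else:
                section[key] = value
    return sections

def domain_to_realm(conf, name):
    """[domain_realm] lookup: exact name first, then parent-domain suffixes; unmapped -> ""."""
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    labels = name.lower().split(".")
    for i in range(len(labels)):
        key = ("" if i == 0 else ".") + ".".join(labels[i:])
        if key in mapping:
            return mapping[key]
    return ""   # the empty realm reported in the thread's S4U2Self error

def kdcs_for(conf, realm):
    return conf.get("realms", {}).get(realm, {}).get("kdc", [])   # [] if realm unknown
```

With KRB5_CONF_BEFORE a logon from LEGACYNAME resolves to realm "" and therefore to no KDC; with the one added mapping it resolves to LEGACYNAME.ROOT.LOCAL and its KDC.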