Vsevolod_Petrov
Jun 30, 2014

having trouble accessing OWA2010 with Basic authentication

Hi,

I cannot get SSO working with Basic authentication on BIG-IP 11.5.1 (LTM+APM).

Official iApp supports only HTML Form.

I have a Virtual Server with associated Access Profile.

Access policy is quite simple - I've got a Logon Page, AD Auth and Credential Mapping.

I've created an SSO HTTP Basic configuration and attached it to Access Profile.

After logging in to Logon Page it offers me to enter my credentials again (HTTP Basic Auth window appears).

I've tested similar configuration (but with simple Apache web server, not one of MS webapps) in my LAB and everything worked fine.

When I access OWA through the APM I get the following headers in response:

HTTP/1.1 401 Unauthorized
Content-Type: text/html
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm=""
X-Powered-By: ASP.NET
X-UA-Compatible: IE=EmulateIE7
Date: Mon, 30 Jun 2014 18:36:23 GMT
Connection: keep-alive
Vary: Accept-Encoding
Transfer-Encoding: chunked
Proxy-Support: Session-Based-Authentication

Dear community, could you please share some working recipes for similar configuration with me?

PS: Same issue with SharePoint webapp...

6 Replies

  • mikeshimkus_111
    Historic F5 Account

    Hi zup, did you start from the iApp configuration and then manually add the Basic SSO, or did you do it all manually?

    If you set the APM SSO log level to Debug from the System ›› Logs : Configuration : Options menu, then tail /var/log/apm while reproducing the issue, it could provide some clue as to what's happening.

    Mike

  • Hi mikeshimkus,

    I've tried in both ways. I'm running BIG-IP 11.5.1 HF2.

    At this moment I've got a manually created VS with associated Access Profile.

    After enabling websso log level to debug I can see that APM attempts to provide initially entered credentials to OWA. The log file is very verbose.

    Here is the text file.

    I can understand APM makes two attempts to provide credentials but I don't get the reason why it doesn't work?

  • I guess the reason is in [WWW-Authenticate][NTLM] header. That really means that application uses two types of authentication: basic and windows integrated.

    How can I combine them both?

  • I've tried simply adding the NTLMv1 SSO method instead of HTTP Basic and it worked for this particular application.

    Next step is to add all apps to webtop with rewrite profile.

    Thanks))
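
As an added example (not part of the thread): a Python helper that parses a captured response head like the 401 in the question and lists every challenge the backend advertises, so the offered schemes can be compared with the SSO method configured on the proxy. It goes slightly beyond the quoted response by also handling several challenges comma-joined in one WWW-Authenticate line; the function names and the sample constant are hypothetical.

```python
import re

# Constructed sample, abridged from the response headers quoted in the question.
SAMPLE_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Content-Type: text/html\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: NTLM\r\n"
    'WWW-Authenticate: Basic realm=""\r\n'
    "\r\n"
)

# One comma-free run of a header value; quoted strings (which may hold commas) stay whole.
PART = re.compile(r'(?:[^,"]|"(?:\\.|[^"\\])*")+')

def parse_challenges(raw_head):
    """Return [(scheme, params)] for every WWW-Authenticate challenge in a response head."""
    challenges = []
    for line in raw_head.splitlines()[1:]:      # skip the status line
        if not line:
            break                               # blank line ends the header block
        name, _, value = line.partition(":")
        if name.strip().lower() != "www-authenticate":
            continue
        for part in (p.strip() for p in PART.findall(value)):
            if not part:
                continue
            head, _, rest = part.partition(" ")
            if "=" in head and challenges:      # bare param: belongs to the previous scheme
                key, _, val = part.partition("=")
                challenges[-1][1][key.strip().lower()] = val.strip().strip('"')
                continue
            params, rest = {}, rest.strip()
            if "=" in rest.rstrip("="):         # auth-param; trailing '=' alone is token68 padding
                key, _, val = rest.partition("=")
                params[key.strip().lower()] = val.strip().strip('"')
            elif rest:
                params["token68"] = rest
            challenges.append((head, params))
    return challenges

def offered_schemes(raw_head):
    """Lower-cased scheme names in the order the server listed them."""
    return [scheme.lower() for scheme, _ in parse_challenges(raw_head)]

if __name__ == "__main__":
    print(offered_schemes(SAMPLE_401))
```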