Alternate realm for a real domain in BIG-IP

Question

We have an interesting problem after we implemented BIG-IP in our organization. &nbsp;
Situation: we have an AD forest with one top level domain (mycompany.local) and 10 child sub-domains (one is com.mycompany.local). We have an integration of our Exchange server with Microsoft Office 365 using the users UPN in the form firstname.lastname@anothername.com. The "anothername.com" is defined in AD as an UPN Suffix, but, in the same time, we have the AD domain anothername.com as a real AD domain and it have "Forest-Transitive-Two way" trust with mycompany.local domain. &nbsp;
The problem rise for our external users that have Microsoft Outlook on their laptops. When they are outside of our network and Outlook try to connect to our internal Exchange through BIG-IP appliance the request come with anothername.com realm. So, the kerberos authentication fails because the BIG-IP send the authentication request to the PDC of anothername.com AD domain (the error is "wrong realm" in Wireshark).&nbsp;
If we try a testing kerberos authentication session using mycompany.local realm, the request is redirected to the anothername.com (maybe because of the AD trust?) and then arrive again on the same PDC as above.&nbsp;
If instead, we try the authentication using the sub-domain com.mycompany.local as realm, the request finish with success (even if the AD user account is not from the com.mycompany.local domain, the request is redirected to the correct sub-domain and after that is accepted). &nbsp;
Because we can't change the way Outlook send the request (the "anothername.com" realm is needed by Office 365 integration), it is possible to "tell" to BIG-IP to send the received request using this realm to the com.mycompany.local alternate realm? Or what other solution do we have?&nbsp;

jad_tabbara__j1 · Answer

Hi Adrian, &nbsp;
If on your F5 you have the APM and a VPE with "Kerberos Auth" you can choose which Kerberos Server should manage the authentication. &nbsp;
So I think it is possbile (never tested), you only need to create two AAA Kerberos objects one with the Auth Realm  "com.mycompany.local" and another one for "anothername.com". &nbsp;
Then from the VPE you can select which AAA server will handle requests. &nbsp;
Hope it helps&nbsp;
Regards&nbsp;

stanislas_piro2 · Answer

Hi,
I don't understand the issue... 
when working with kerberos, 2 informations are used:
sAMAccountNameREALM
these information are sent with a format like UPN but not UPN:
sAMAccountName@REALM

when working with Kerberos Auth:
the client requests the web sitethe server requests a kerberos auththe client requests to the KDC to get kerberos ticket.the client requests the web site including the tokenthe server (here the F5) decrypt the token. if decryption successful, user is authenticated. there is no communication to the KDC from the server.

adrian_ilias_33 · Answer

Thanks to both.&nbsp;
Actually we just discovered a page from documentation that looks to address exactly to our needs.&nbsp;
Overview: Configuring APM for Exchange clients that use NTLM authentication:&nbsp;
https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-sso-13-0-0/10.html &nbsp;
I will come back to tell you if this worked.&nbsp;

Forum Discussion

Alternate realm for a real domain in BIG-IP

3 Replies

Recent Discussions

F5 Rseries HA

Error when running bigip_command Playbook against LTM : Syntax Error: unexpected argument /bin/sh\n

Can iRule be used to perform exception of IPI category based on Geolocation

Can iRule mask the payload content on event logs of security

minimum tmos software version for connect CIS (openshift)

Related Content

What is BIG-IP Next?

Getting Started with BIG-IP Next: Fundamentals

BIG-IP Report

Re: Get Started with BIG-IP Virtual Edition (VE), BIG-IQ VE or BIG-IP Cloud Edition Trial

Automate Let's Encrypt Certificates on BIG-IP