Jason_Grimme
May 31, 2018

can't connect OutlookAnywhere w/ Exchange 2016 v1.0.2 or v1.0.3rc2 iApp

BIG-IP Version: BIG-IP 13.0.0 Build 2.0.1671 Hotfix HF2 iApp: (have tried v1.0.2 final as well).

I'm setting up the Exchange 2016 iApp on my APM/LTM, to forward to my internal LTM. Internal works fine, I have 2 instances of the iApp identically configured, one for internal clients and 1 for the external APM/LTM, but I've tested Outlook and OWA through both, 100% success.

OWA works perfectly fine, but when I try to connect to Outlook, I'm not able to authenticate. I've set up the KCD per the deployment guide, don't see any missing pieces, yet still no love.

I find this part of the log file interesting...

May 31 10:18:29 DC1-N-DMZ-LTM2 debug websso.0[19554]: 014d0023:7: S4U ======> /Common/mail.ourcompany.com.app/exch:Common:2670b742: ctx: 0xa3bf120, User: 'jjones@OURCOMPANY', SPN: 'HTTP/mail.ourcompany.com@OURCOMPANY.COM'
May 31 10:18:29 DC1-N-DMZ-LTM2 debug websso.0[19554]: 014d0052:7: /Common/mail.ourcompany.com.app/exch:Common:2670b742:Getting UCC:jjones@OURCOMPANY@OURCOMPANY.COM, lifetime:36000
May 31 10:18:29 DC1-N-DMZ-LTM2 debug websso.0[19554]: 014d0052:7: /Common/mail.ourcompany.com.app/exch:Common:2670b742:Found UCC:jjones@OURCOMPANY@OURCOMPANY.COM, lifetime:36000 left:24131
May 31 10:18:29 DC1-N-DMZ-LTM2 debug websso.0[19554]: 014d0052:7: /Common/mail.ourcompany.com.app/exch:Common:2670b742:UCCmap.size = 3
May 31 10:18:29 DC1-N-DMZ-LTM2 debug websso.0[19554]: 014d0052:7: /Common/mail.ourcompany.com.app/exch:Common:2670b742:S4U ======> - NO cached S4U2Proxy ticket for user: jjones@OURCOMPANY server: HTTP/mail.ourcompany.com@OURCOMPANY.COM - trying to fetch
May 31 10:18:29 DC1-N-DMZ-LTM2 debug websso.0[19554]: 014d0052:7: (null):(null):(null):S4U ======> - NO cached S4U2Self ticket for user: jjones@OURCOMPANY - trying to fetch
May 31 10:18:29 DC1-N-DMZ-LTM2 err websso.0[19554]: 014d0056:3: /Common/mail.ourcompany.com.app/exch:Common:2670b742:Kerberos: can't get S4U2Self ticket for user jjones@OURCOMPANY - Matching credential not found (-1765328243)
May 31 10:18:29 DC1-N-DMZ-LTM2 err websso.0[19554]: 014d0024:3: /Common/mail.ourcompany.com.app/exch:Common:2670b742: Kerberos: Failed to get ticket for User: 'jjones@OURCOMPANY' accessing service: 'HTTP/mail.ourcompany.com@OURCOMPANY.COM'

So, my user ID is jjones, my AD domain is OURCOMPANY, and my UPN suffix (and realm) are ourcompany.com.

jjones@OURCOMPANY and jjones@OURCOMPANY@OURCOMPANY.COM are not going to be understood by my domain, is that the issue? I'd expect to see OURCOMPANY\jjones or jjones@ourcompany.com. Do I have something amiss in the auth profile?

I remember for some other app, some time ago, having to split the domain from the logon and doing an LDAP query for samaccountname, maybe for ADFS, but that was long ago. I was hoping the iApp would work as is, but I'm not against removing strict updates if needed.

Any help or thoughts appreciated in advance.

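Added example (not part of the original post and not F5 code): a small triage script that groups websso S4U debug lines by session ID and reports, for each session, the user name as received, the UCC principal that was built from it, and the S4U stage that failed. The field layout is assumed from the lines quoted in the post; the host, users and session IDs in the sample are constructed.

```python
import re

# Constructed sample lines in the websso debug format quoted in the post.
SAMPLE = """\
May 31 10:18:29 bigip1 debug websso.0[19554]: 014d0023:7: S4U ======> /Common/mail.app/exch:Common:aaaa1111: ctx: 0xa3bf120, User: 'alice@EXAMPLE', SPN: 'HTTP/mail.example.com@EXAMPLE.COM'
May 31 10:18:29 bigip1 debug websso.0[19554]: 014d0052:7: /Common/mail.app/exch:Common:aaaa1111:Getting UCC:alice@EXAMPLE@EXAMPLE.COM, lifetime:36000
May 31 10:18:29 bigip1 err websso.0[19554]: 014d0056:3: /Common/mail.app/exch:Common:aaaa1111:Kerberos: can't get S4U2Self ticket for user alice@EXAMPLE - Matching credential not found (-1765328243)
May 31 10:18:30 bigip1 debug websso.0[19554]: 014d0023:7: S4U ======> /Common/mail.app/exch:Common:bbbb2222: ctx: 0xa3bf200, User: 'bob', SPN: 'HTTP/mail.example.com@EXAMPLE.COM'
May 31 10:18:30 bigip1 debug websso.0[19554]: 014d0052:7: /Common/mail.app/exch:Common:bbbb2222:Getting UCC:bob@EXAMPLE.COM, lifetime:36000
"""

SESSION = re.compile(r":Common:([0-9a-f]{8}):")           # APM session id
REQUEST = re.compile(r"User: '([^']*)', SPN: '([^']*)'")   # S4U request line
UCC = re.compile(r"Getting UCC:([^,]+),")                  # principal websso built
FAIL = re.compile(r"can't get (S4U2Self|S4U2Proxy) ticket for user (\S+) - (.+?) \((-?\d+)\)")


def triage(log_text):
    """Group websso S4U lines by session id and summarise each session."""
    sessions = {}
    for line in log_text.splitlines():
        sid = SESSION.search(line)
        if not sid:
            continue  # lines without a session id (e.g. "(null):(null)") are skipped
        s = sessions.setdefault(sid.group(1), {
            "user": None, "spn": None, "ucc": None,
            "failed_stage": None, "error": None,
        })
        if m := REQUEST.search(line):
            s["user"], s["spn"] = m.groups()
        if m := UCC.search(line):
            s["ucc"] = m.group(1)
        if m := FAIL.search(line):
            s["failed_stage"] = m.group(1)
            s["error"] = f"{m.group(3)} ({m.group(4)})"
    for s in sessions.values():
        # More than one '@' in the UCC principal: the user name already
        # carried a suffix before the realm was appended to it.
        s["double_realm"] = bool(s["ucc"]) and s["ucc"].count("@") > 1
    return sessions


if __name__ == "__main__":
    for sid, summary in triage(SAMPLE).items():
        print(sid, summary)
```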