Get users logged without domain authenticate in Exchange (APM)

Question

&nbsp;Hello, i need some help with an Exchange deployment in APM&nbsp;It has NTLM authentication and Kerberos SSO in a multidomain setup (5 different AD)&nbsp;All works fine if the users specify the domain in the login, but if they use only the username, the auth fails.&nbsp;We can force the domain in the user field using a variable&nbsp;Branch rule: expr { [mcget {session.logon.last.domain} ] eq "" &nbsp;and the variable assign: expr { [mcget {session.logon.last.domain} ] eq "domain" &nbsp;This looks fine in the APM debug, but the exchange client fails, returnig an error in domain/user/pass&nbsp;Sep&nbsp;9 16:21:19 slot3/AXF5BLCWEBPUB2 info apmd[5236]: 01490007:6: /Common/AP-EXCHANGE-PRE_2013.app/exch:Common:bed1a199: Session variable 'session.policy.result' set to 'allow'&nbsp;The only difference we can see is in the uui log, as far as i know it shoudl not be a problem at all.&nbsp;KO:Sep&nbsp;9 16:25:20 slot3/AXF5BLCWEBPUB2 info apmd[5236]: 01490007:6: /Common/AP-EXCHANGE-PRE_2013.app/exch:Common:1c242e8d: Session variable 'session.assigned.uuid' set to 'tmm.uuid.miguelllo.f391eedee46ff11ea7c6aeab1cd73fc7'&nbsp;OK:Sep&nbsp;9 16:21:19 slot3/AXF5BLCWEBPUB2 info apmd[5236]: 01490007:6: /Common/AP-EXCHANGE-PRE_2013.app/exch:Common:bed1a199: Session variable 'session.assigned.uuid' set to 'tmm.uuid.domain\miguelllo.8eb47aecda6bd16c1bc66f4f94d3bb52'&nbsp;All other variables seem the same with both methods. We suspect an internal problem with the SSO, but for some reason we can't see any log activating the debug for the access policy.&nbsp;Any idea to get users entered without domain working?&nbsp;&nbsp;&nbsp;&nbsp;Thanks in advance&nbsp;

dave_w · Answer

Hello, the SSO logs are a separate setting from Access Policy logs, so you will need to set the SSO logs on debug. So in the Admin GUI go into "Access Policy" &gt; "Event Logs" &gt; "Log Settings", Select the logging profile and then set the SSO logs to debug.

javierf5 · Answer

Hi Dave, thanks for your answer. We already have the debug configured there, but is not showing anything. We can get SSO debug if we activate it in the default log, unfortunately the device is used in a high traffic setup and most services are using the default.. so it's not an option. Probably a bug (we are running a 12.1.3 version)

The main issue we have is the domain in the login. Its only relevant to mobile users, since the desktop client takes the domain data from the windows session.

KR

youssef1 · Answer

Hi,&nbsp;it seem's that your session variable is wrong, try this please:&nbsp;Create your session variable and set the following value in Custom Variable:session.logon.last.domain&nbsp;Custom Expression:return "mydomain"&nbsp;keep me in touchregards

javierf5 · Answer

Hi Youssef, &nbsp;Thanks for your answer,&nbsp;We tried that, also a bunch of other variables like lastlogonname, they work as in APM reached the allow at the end, but the client still fails to authenticate when logged without domain.&nbsp;We have captures when we see that after the APM does it's thing, the subsequent communication client/backend fails. We may have an idea right now of why it's happening.&nbsp;Will post results after a couple of tests.&nbsp;KR

Forum Discussion

Get users logged without domain authenticate in Exchange (APM)

4 Replies

Recent Discussions

import live updates from version x to version y

Tenant image upgrade

iRule editor partition button does not work

F5Access | MacOS Sonoma

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Related Content

F5 BIG-IP Access Policy Manager (APM) - Google Authenticator and Microsoft Authenticator

Doing mTLS Authentication per URL

Distributed caching of authentication requests with NGINX Ingress Controller

Application Programming Interface (API) Authentication types simplified

iControl REST Authentication Token Management