Applies To:
BIG-IP APM
- 13.1.5, 13.1.4
Overview: Configuring APM for Exchange clients that use NTLM authentication
Access Policy Manager® (APM®) supports Microsoft Exchange clients that are configured to use NTLM, by checking NTLM outside of the APM session as needed. APM requires a machine account and an NTLM Auth configuration to perform these checks. APM requires an Exchange profile to support Microsoft Exchange clients, regardless of the authentication they are configured to use.
Task summary
About using NTLM authentication
Microsoft software systems use NTLM as an integrated single sign-on (SSO) mechanism. However, in an Active Directory-based SSO scheme, Kerberos replaces NTLM as the default authentication protocol. NTLM is still used wherever Kerberos cannot be: when a domain controller is not available or is unreachable, when the client is not Kerberos-capable, when the server is not joined to a domain, or when the user authenticates remotely over the web.
About configuration requirements for NTLM authentication
In Access Policy Manager®, you need to configure these elements:
- Machine account
- NTLM authentication configuration
- Kerberos SSO configuration
- Exchange profile that specifies the NTLM authentication configuration and specifies Kerberos SSO configurations for the specific Microsoft Exchange services supported
- Access profile that specifies the Exchange profile
- Access policy
- Pool of servers for the Exchange service (for example, to support Outlook Anywhere, supply a pool of Outlook Anywhere servers)
- Virtual server that specifies the access profile and the pool
You also need to configure a special account in Active Directory for Kerberos constrained delegation (KCD).
About reusing a machine account for different BIG-IP systems
You can use the same machine account for two BIG-IP® systems when they are in an active-standby configuration. Otherwise, F5® recommends that you create a new NTLM machine account using the Access Policy Manager® user interface on each BIG-IP system.
Creating a new NTLM machine account on each BIG-IP system is helpful, for example, when two systems independently update their configurations without propagating them, or when you replicate the configuration into different BIG-IP systems using any configuration replication method. If you export a configuration and import it on another system, the machine account is included; however, after the import completes, you still need a new machine account and an NTLM authentication configuration that uses the new machine account on the target system.
About Outlook Anywhere and NTLM authentication
Access Policy Manager® (APM®) supports Outlook Anywhere clients that are configured to use NTLM and HTTP Basic protocols independently. Typically, mobile devices use HTTP Basic authentication, while Outlook Anywhere clients can use both NTLM and HTTP Basic authentication. APM determines whether a client uses NTLM or HTTP Basic authentication and enforces the use of one or the other. After a client authenticates with NTLM or HTTP Basic, APM supports single sign-on with the back-end application or server using Kerberos constrained delegation (KCD).
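The page does not show how APM tells an NTLM client from an HTTP Basic client, so the following is an added Python example (not F5 code and not APM's implementation) of the on-the-wire distinction it describes: an NTLM token in the Authorization header decodes to the `NTLMSSP\0` signature followed by a message type, while a Basic token decodes to `user:password`. The `ClientSession` class, the outcome strings, and the sample tokens are constructed for illustration; the example also shows the per-session rule that refuses a client which starts with one scheme and then switches to the other.

```python
import base64
import struct
from dataclasses import dataclass, field
from typing import List, Optional

# NTLM messages (MS-NLMP) start with this 8-byte signature, followed by a
# 4-byte little-endian MessageType: 1 = NEGOTIATE, 2 = CHALLENGE, 3 = AUTHENTICATE.
NTLM_SIGNATURE = b"NTLMSSP\x00"
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


@dataclass
class AuthAttempt:
    scheme: str   # "NTLM", "Basic" or "unknown"
    detail: str   # NTLM message type, Basic user name, or a parse-failure reason
    valid: bool   # True only when the token parsed cleanly


def classify_authorization(header: Optional[str]) -> Optional[AuthAttempt]:
    """Classify one HTTP Authorization header value as NTLM or Basic.

    Returns None when the request carried no credentials. For Basic tokens only
    the user name is retained; the password is discarded immediately."""
    if header is None or not header.strip():
        return None
    scheme, _, token = header.strip().partition(" ")
    scheme, token = scheme.strip().lower(), token.strip()
    if scheme == "ntlm":
        try:
            raw = base64.b64decode(token, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            return AuthAttempt("NTLM", "malformed-base64", False)
        if len(raw) < 12 or not raw.startswith(NTLM_SIGNATURE):
            return AuthAttempt("NTLM", "bad-signature", False)
        (msg_type,) = struct.unpack_from("<I", raw, 8)
        name = NTLM_TYPES.get(msg_type)
        if name is None:
            return AuthAttempt("NTLM", f"unknown-type-{msg_type}", False)
        return AuthAttempt("NTLM", name, True)
    if scheme == "basic":
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return AuthAttempt("Basic", "malformed-base64", False)
        user, sep, _password = decoded.partition(":")
        if not sep or not user:
            return AuthAttempt("Basic", "malformed-credentials", False)
        return AuthAttempt("Basic", user, True)
    return AuthAttempt("unknown", scheme, False)


@dataclass
class ClientSession:
    """Hypothetical per-client state: the first scheme a client uses is locked in,
    and any later request with the other scheme in the same session is refused."""
    locked_scheme: Optional[str] = None
    history: List[AuthAttempt] = field(default_factory=list)

    def enforce(self, header: Optional[str]) -> str:
        attempt = classify_authorization(header)
        if attempt is None:
            return "challenge"        # no credentials yet: answer 401 and offer the schemes
        self.history.append(attempt)
        if not attempt.valid:
            return "reject"
        if self.locked_scheme is None:
            self.locked_scheme = attempt.scheme
        if attempt.scheme != self.locked_scheme:
            return "reject"           # NTLM and Basic may not be mixed in one session
        if attempt.scheme == "NTLM":
            if attempt.detail == "NEGOTIATE":
                return "ntlm-challenge"   # continue the handshake with a Type 2 message
            if attempt.detail == "AUTHENTICATE":
                return "verify"           # hand the Type 3 response to the domain for validation
            return "reject"               # a client never legitimately sends a CHALLENGE
        if attempt.scheme == "Basic":
            return "verify"               # credentials go to the back-end authenticator
        return "reject"


# Constructed sample tokens (not captured traffic): a minimal NTLM Type 1 and Type 3
# message, and a Basic credential with a placeholder password.
NTLM_NEGOTIATE_TOKEN = base64.b64encode(NTLM_SIGNATURE + struct.pack("<I", 1) + b"\x00" * 4).decode()
NTLM_AUTHENTICATE_TOKEN = base64.b64encode(NTLM_SIGNATURE + struct.pack("<I", 3) + b"\x00" * 4).decode()
BASIC_TOKEN = base64.b64encode(b"EXAMPLE\\alice:placeholder-password").decode()


def demo() -> dict:
    """Walk two constructed sessions: one NTLM client and one Basic client that
    then tries to switch to NTLM."""
    ntlm_client = ClientSession()
    basic_client = ClientSession()
    return {
        "anonymous": ntlm_client.enforce(None),
        "ntlm_type1": ntlm_client.enforce("NTLM " + NTLM_NEGOTIATE_TOKEN),
        "ntlm_type3": ntlm_client.enforce("NTLM " + NTLM_AUTHENTICATE_TOKEN),
        "ntlm_then_basic": ntlm_client.enforce("Basic " + BASIC_TOKEN),
        "basic": basic_client.enforce("Basic " + BASIC_TOKEN),
        "basic_then_ntlm": basic_client.enforce("NTLM " + NTLM_NEGOTIATE_TOKEN),
    }


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step:16s} -> {outcome}")
```

The session lock is the point of the example: because Basic sends reusable credentials on every request while NTLM sends a challenge-response, letting a client drift between the two inside one session would let the weaker scheme bypass whatever policy was applied to the stronger one, which is why the page states that APM enforces one or the other.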
Configuring a machine account
Creating an NTLM Auth configuration
Setting up a delegation account to support Kerberos SSO
Creating a Kerberos SSO configuration in APM
Configuring an Exchange profile
- A machine account
- An NTLM Auth configuration
- At least one Kerberos SSO configuration
Creating an access profile for Exchange clients
Verifying log settings for the access profile
Configuring an access policy for NTLM authentication
Example access policy with actions based on whether NTLM authentication occurred