Access Policy Manager supports Microsoft Exchange clients that are configured to use NTLM and HTTP Basic protocols independently. Typically, mobile devices use HTTP Basic authentication, while Outlook Anywhere clients can use both NTLM and HTTP Basic authentication. To determine whether a client uses NTLM or HTTP Basic authentication, APM supplies an iRule that makes the determination and enforces the use of one or the other. After a client authenticates with NTLM or HTTP Basic, APM supports single sign-on with the back-end application or server using Kerberos constrained delegation (KCD).
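The page does not show how the APM-supplied iRule tells an NTLM client from an HTTP Basic client. The following Python is an added example, not F5's iRule or any APM code, of one way such a classification can be made from the HTTP `Authorization` header: the scheme token identifies Basic, and a base64-decoded `NTLM` or `Negotiate` token that starts with the `NTLMSSP\0` signature identifies NTLM (with the message type read from the next four bytes). The `enforce_auth_policy` helper and all sample header values are constructed for the example.

```python
import base64

# Every NTLM message begins with this signature, followed by a 4-byte
# little-endian message type (1 = NEGOTIATE, 2 = CHALLENGE, 3 = AUTHENTICATE).
NTLM_SIGNATURE = b"NTLMSSP\x00"
NTLM_MESSAGE_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def classify_authorization(header_value):
    """Classify an HTTP Authorization header value.

    Returns a (kind, detail) tuple where kind is one of
    "none", "basic", "ntlm", "spnego", "malformed" or "unknown".
    For "ntlm", detail is the NTLM message type name.
    """
    if header_value is None or not header_value.strip():
        return ("none", None)
    scheme, _, token = header_value.strip().partition(" ")
    scheme = scheme.lower()
    token = token.strip()
    if scheme == "basic":
        # Credentials are base64("user:password"); the front end only needs the scheme.
        return ("basic", None)
    if scheme in ("ntlm", "negotiate"):
        try:
            raw = base64.b64decode(token, validate=True)
        except ValueError:  # binascii.Error is a subclass of ValueError
            return ("malformed", None)
        if raw.startswith(NTLM_SIGNATURE) and len(raw) >= 12:
            msg_type = int.from_bytes(raw[8:12], "little")
            return ("ntlm", NTLM_MESSAGE_TYPES.get(msg_type, "UNKNOWN"))
        if scheme == "negotiate":
            # A Negotiate token that is not raw NTLMSSP is a SPNEGO (usually Kerberos) token.
            return ("spnego", None)
        return ("malformed", None)
    return ("unknown", None)


def enforce_auth_policy(header_value, allow_ntlm=True, allow_basic=True):
    """Hypothetical policy step: "pass" the request on to the handler for its
    scheme, or "challenge" the client (HTTP 401) when the scheme is absent,
    malformed or not permitted by the policy."""
    kind, _ = classify_authorization(header_value)
    if kind == "ntlm" and allow_ntlm:
        return "pass"
    if kind == "basic" and allow_basic:
        return "pass"
    return "challenge"


def build_ntlm_negotiate_header():
    """Construct a minimal NTLM Type 1 (NEGOTIATE) message for testing:
    signature, type, sample flags, and empty domain/workstation fields."""
    msg = NTLM_SIGNATURE + (1).to_bytes(4, "little")
    msg += (0x00008207).to_bytes(4, "little")  # constructed negotiate flags
    msg += b"\x00" * 16                         # empty DomainName and Workstation fields
    return "NTLM " + base64.b64encode(msg).decode("ascii")


if __name__ == "__main__":
    # Constructed sample headers: a mobile-style Basic client, an Outlook-style
    # NTLM client, a malformed token and a request with no Authorization header.
    samples = {
        "basic-mobile": "Basic " + base64.b64encode(b"user@example.test:Passw0rd").decode(),
        "ntlm-outlook": build_ntlm_negotiate_header(),
        "garbage": "NTLM not-base64!!",
        "none": None,
    }
    for label, value in samples.items():
        print(label, classify_authorization(value), enforce_auth_policy(value))
```

Checking the NTLMSSP signature rather than trusting the scheme word matters because clients may send raw NTLM inside a `Negotiate` header; the classifier treats both spellings the same way and only reports "spnego" when the decoded token is not NTLM.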
Microsoft software systems use NTLM as an integrated single sign-on (SSO) mechanism. However, in an Active Directory-based SSO scheme, Kerberos replaces NTLM as the default authentication protocol. NTLM is still used when a domain controller is unavailable or unreachable, and in other cases where Kerberos cannot be used, such as when the client is not Kerberos-capable, the server is not joined to a domain, or the user authenticates remotely over the web.
To support Kerberos SSO with Access Policy Manager, you need a special account in Active Directory for Kerberos constrained delegation (KCD).
In APM, you need to configure these elements:
APM provides these elements:
You must configure an NTLM authentication configuration and a virtual server in the same partition (or, if you have configured subfolders, the same partition and subfolder).
The NTLM authentication configuration name must be exch_ntlm_ followed by the name of the virtual server. For example, if you create a virtual server named /Common/prod/virtualserv1, you must create the NTLM authentication configuration in the same location, /Common/prod, and you must name it exch_ntlm_virtualserv1.
You can configure multiple NTLM authentication configuration and virtual server pairs in one or more partitions and subfolders.
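Because the pairing relies purely on a naming and placement convention, a misnamed or misplaced NTLM authentication configuration is easy to miss during review. The following Python is an added example, not F5 code, that derives the required NTLM configuration path for each virtual server and audits a list of configuration paths against it. The object paths in the usage section are constructed; the function names are assumptions for this example.

```python
NTLM_CONFIG_PREFIX = "exch_ntlm_"


def expected_ntlm_config_path(virtual_server_path):
    """Derive the full path the NTLM authentication configuration must have
    for a given virtual server: same partition and subfolder, name prefixed
    with exch_ntlm_.  Input must be a full path such as /Common/prod/vs1."""
    if not virtual_server_path.startswith("/"):
        raise ValueError("expected a full object path beginning with '/'")
    folder, _, name = virtual_server_path.rpartition("/")
    if not folder or not name:
        raise ValueError(f"not a partition-qualified object path: {virtual_server_path!r}")
    return f"{folder}/{NTLM_CONFIG_PREFIX}{name}"


def audit_exchange_pairs(virtual_servers, ntlm_configs):
    """Return a list of (virtual_server, problem) entries for every Exchange
    virtual server that lacks a correctly named NTLM configuration in its own
    partition and subfolder.  An empty list means all pairs are consistent."""
    configs = set(ntlm_configs)
    problems = []
    for vs in virtual_servers:
        wanted = expected_ntlm_config_path(vs)
        if wanted in configs:
            continue
        wanted_folder, wanted_name = wanted.rsplit("/", 1)
        # Distinguish "right name, wrong partition/subfolder" from "absent".
        misplaced = sorted(c for c in configs if c.rsplit("/", 1)[1] == wanted_name)
        if misplaced:
            problems.append((vs, f"{misplaced[0]} has the right name but is not in {wanted_folder}"))
        else:
            problems.append((vs, f"no NTLM authentication configuration named {wanted}"))
    return problems


if __name__ == "__main__":
    # Constructed inventory: one correct pair, one missing config, one config
    # created in /Common instead of the virtual server's own partition.
    virtual_servers = ["/Common/prod/virtualserv1", "/Common/vs2", "/Tenant1/owa_vs"]
    ntlm_configs = ["/Common/prod/exch_ntlm_virtualserv1", "/Common/exch_ntlm_owa_vs"]
    for vs, problem in audit_exchange_pairs(virtual_servers, ntlm_configs):
        print(f"{vs}: {problem}")
```

Run against the object lists exported from each BIG-IP system; an empty result means every Exchange virtual server has its correctly named NTLM authentication configuration in the same partition and subfolder.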
You can use the same machine account for two BIG-IP systems when they are in an active-standby configuration. Otherwise, F5 recommends that you create a new NTLM machine account using the APM user interface on each BIG-IP system.
For example, a new NTLM machine account created through the APM user interface on each BIG-IP system is needed when two systems update their configurations independently without propagating the changes to each other, or when you replicate the configuration to different BIG-IP systems by any configuration replication method. If you export a configuration and import it on another system, the machine account is included in the export; however, after the import completes, you still need to create a new machine account on the target system and an NTLM authentication configuration that uses that new machine account.