How to configure ESP Forms Based to Forms Based Authentication (FBA) with Exchange
Forms Based to Forms Based Authentication is available on all LoadMaster versions 7.2.37 or greater, where ESP (Edge Security Pack) is available.
Scope
1. LDAP Endpoint
2. SSO DOMAIN
3. Deployment of Template
4. Logoff String
5. Adding of Password Reset Feature
6. Adding of Permitted Groups
1. LDAP Endpoint Setup:
You must create an LDAP Endpoint in Certificates & Security > LDAP Configuration to set up the communication to your LDAP server.
You must type the LDAP server IP address. If more than one address is entered, the second one is contacted if the first is offline, and so on.
If you have a large forest to authenticate, you can use the Global Catalog (GC). For further information, refer to the following article: Authenticating to a Large Forest.
For more detailed information on setting up an end point, refer to the LDAP Configuration section of the ESP Feature Description.
LDAP Protocol: Select the transport protocol to use when communicating with the LDAP server.
Validation Interval: Specify how often the user should be revalidated with the LDAP server.
Referral Count:
The LoadMaster offers beta functionality to support LDAP referral replies from Active Directory Domain Controllers. If this is set to 0, referral support is not enabled. Set this field to a value between 1 and 10 to enable referral chasing. The number specified limits the number of hops (referrals chased).
Multiple hops may increase authentication latency. There is a performance impact that depends on the number and depth of referrals required in your configuration.
You must have intimate knowledge of your Active Directory structure to set the referral limit appropriately. The same credentials are used for all lookups, including the referred ones.
The use of Active Directory Global Catalog (GC) is the preferred configuration as the primary means of resolution instead of enabling LDAP referral chasing. A GC query can be used to query the GC cache instead of relying on LDAP and the referral process. Using Active Directory GC has little or no performance drag on the LoadMaster. For steps on how to add/remove the GC, refer to the following TechNet article: https://technet.microsoft.com/en-us/library/cc755257(v=ws.11).aspx
Admin User: Enter the username of an administrator user. It is important that you provide the correct domain, that is domain\adminuser or adminuser@domain.
Admin User Password: Enter the password for the specified administrator user.
2. SSO Domain:
The SSO domain is needed to authenticate your clients (in this example we use the LDAP Authentication Protocol).
We have set the LDAP Endpoint to LDAP_FOXWORLD.LOC, which is the endpoint (server) we created earlier to authenticate the clients.
Domain/Realm: The domain you authenticate to. Our example is Foxworld.loc.
Logon Format: The method used to normalize the provided information to authenticate against the LDAP server. In our example, Username is selected as the Logon Format. This means the LoadMaster takes the entered information (for example testuser1) and the provided domain/realm and authenticates to the LDAP server with Foxworld\testuser1. The User Principal Name (UPN) would be normalized to testuser1@foxworld.loc.
Logon Transcode: Enabling this option changes the character encoding from ISO-8859-1 to UTF-8. Enable this if you need special characters in the username and/or password. You should also enable this if you need umlaut characters (for example, Ö, Ä, Ü, °, ^, ?, /).
Failed Logon Attempts: The number of times a user is allowed to attempt to log on using incorrect details. If the limit is reached, the user appears on the block list and further logon attempts are rejected.
Session timeout: Measured in seconds, this is the maximum length of time the authentication token lasts for.
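The Logon Format normalization described above, as an added example that is not Kemp code. "Username" is the format named in the article; "UPN" is a label chosen here for the User Principal Name form, and the NetBIOS name is assumed to be the part of the realm before the first dot.

```python
# Added example, not Kemp code: models the Logon Format normalization described
# above. "Username" is the format named in the article; "UPN" is a label chosen
# here for the User Principal Name form. The NetBIOS name is assumed to be the
# part of the realm before the first dot.
from typing import Optional, Tuple

SSO_DOMAIN = "Foxworld.loc"  # the Domain/Realm from the SSO domain example

def split_credential(entered: str) -> Tuple[Optional[str], str]:
    """Return (domain, user) from what the user typed: 'testuser1',
    'domain\\testuser1' (alternative-domain logon) or 'testuser1@domain'."""
    if "\\" in entered:
        domain, user = entered.split("\\", 1)
        return domain, user
    if "@" in entered:
        user, domain = entered.rsplit("@", 1)
        return domain, user
    return None, entered

def normalize_logon(entered: str, logon_format: str, realm: str = SSO_DOMAIN) -> str:
    """Identity presented to the LDAP server. A domain typed by the user wins
    over the SSO realm, which is why alternative-domain users must type
    domain\\username for the LoadMaster to pick the right SSO domain."""
    domain, user = split_credential(entered)
    if not user:
        raise ValueError("empty user name")
    domain = domain or realm
    if logon_format == "Username":
        return f"{domain.split('.', 1)[0]}\\{user}"
    if logon_format == "UPN":
        return f"{user}@{domain}".lower()
    raise ValueError(f"unsupported logon format: {logon_format}")
```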
3. Deployment of template
The official Kemp templates can be found on our loadmaster-documentation page.
Create a Virtual Service with a unique IP address.
Select one of the preinstalled templates from the Use Template drop-down list. When you create the Virtual Service, the settings from the template are applied automatically.
Your DNS record must point to the new Virtual Service (VS) for it to answer. In this example, the DNS is email.foxworld.loc and points to 10.1.155.105.
The content rules to match traffic based on the directories used in the URL are also created and set when you use the template. Therefore, traffic with host + Directory (/owa) is passed to the OWA SubVS. Traffic with /ecp goes to the ECP SubVS, and so on.
Auth Proxy, Used for ECP and OWA Authentication
Auth_proxy is the SubVS that initiates the Single Sign On (SSO) for your service. (We use this for ECP and OWA services.)
Allowed Virtual Hosts: You could use *.* (everything is accepted) or make it more secure by using the correct Hostname like email.foxworld.loc or a specific IP address you would like to allow. Multiple entries (separated by a space) are possible.
Allowed Virtual Directories: This is set by our template to /*, meaning all directories are allowed into this SubVS.
Client and Server Authentication Mode: These should be set the same as for ECP and OWA. You do not set a Real Server when using Forms Based Authentication (FBA) or Basic authentication.
ActiveSync (Used for Mobile Communication)
The Client Authentication Mode and Server Authentication Mode are both set to Basic Authentication in the ActiveSync Virtual Service.
The only things you need to do are add the Allowed Virtual Hosts (the same as auth_proxy, in our case email.foxworld.loc) and add the Real Server.
Exchange Control Panel (ECP) service
The ECP Virtual Service is used for admin management of OWA services. For non-admin users, it is needed to set out-of-office messages, for example.
You must set the Allowed Virtual Hosts and add the Real Server in the ECP SubVS.
Outlook Web Access (OWA) service
Similarly to the ECP service, for the base configuration you only need to add the Allowed Virtual Hosts and your Real Server.
All Other Services (Autodiscover, MAPI, RPC, OAB, EWS, PowerShell)
You only need to add the Allowed Virtual Hosts and Real Server to all other services. The LoadMaster does not interfere with authentication on those services - this is delegated to the server.
4. Logoff String for OWA Service
The logoff string has changed between the Cumulative Updates (CUs) provided by Microsoft. With current Cumulative Updates for Exchange 2013 and Exchange 2016, the logoff string is only presented when the Server Authentication Mode is set to FBA (Forms Based).
For Exchange 2016, the Logoff String is /owa/logoff.owa. This is already set when you use the template for Exchange 2016 ESP.
However, for Exchange 2010 and 2013 it depends on the CU you have your environment on. Sometimes the Logoff String is /owa/logoff.owa and sometimes it is /owa/auth/signout.aspx (depending on the CU).
You only need to configure the Logoff String in the OWA SubVS, because the directory triggered is /owa and the only SubVS matched on this is the OWA SubVS.
5. Adding of Password Reset Feature
To enable the password reset feature, you must adjust the AUTH proxy and the OWA SubVS. This feature only works when the Server Authentication Mode is set to Basic Authentication or Form Based Authentication. LDAP is currently the only supported Authentication Protocol when using the Password Reset feature. This feature does not function when RADIUS is in use.
OWA Only Adaptations:
In the Pre-Authorization Excluded Directories you must add the following string in addition to the already pre-set information (separated by a space): /owa/auth/expiredpassword.aspx*
Note: This allows the password reset page to be handled and requested from the Real Server without the LoadMaster directing the request to the auth_proxy. If this has not been set, you are looped back to the auth_proxy all the time.
Kemp recommends setting it to /owa/auth/expiredpassword.aspx* to ensure you only allow this directory and file, rather than opening the full folder like it would with /owa/auth*.
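To make the difference between the two entries concrete, here is an added example (not Kemp code) that models how a Pre-Authorization Excluded Directories entry decides whether a request path bypasses the auth_proxy. It assumes an entry is a path prefix whose trailing * matches any continuation, and the sample URLs are constructed.

```python
# Added example (not Kemp code): models how a Pre-Authorization Excluded
# Directories entry decides whether a request path skips the auth_proxy.
# Assumption: an entry is a path prefix, and a trailing '*' matches any
# continuation; entries are separated by spaces as in the article.
from urllib.parse import urlsplit

def parse_excluded(field_value: str) -> list:
    """Split the space-separated field into individual patterns."""
    return [p for p in field_value.split() if p]

def path_matches(pattern: str, path: str) -> bool:
    """Case-insensitive prefix match; '*' at the end means 'anything may follow'."""
    path = path.lower()
    pattern = pattern.lower()
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return path == pattern

def is_preauth_excluded(field_value: str, url: str) -> bool:
    """True when the request would go to the Real Server without pre-authentication."""
    path = urlsplit(url).path
    return any(path_matches(p, path) for p in parse_excluded(field_value))

def exposure_report(field_value: str, urls) -> dict:
    """Map each sample URL to whether it bypasses pre-authentication."""
    return {u: is_preauth_excluded(field_value, u) for u in urls}

# Constructed sample requests (not from the article), to compare the narrow
# entry recommended by Kemp with the broader /owa/auth* form.
SAMPLE_URLS = [
    "https://email.foxworld.loc/owa/auth/expiredpassword.aspx?url=/owa/auth.owa",
    "https://email.foxworld.loc/owa/auth/logon.aspx",
    "https://email.foxworld.loc/owa/auth.owa",
    "https://email.foxworld.loc/owa/",
]
NARROW = "/owa/auth/expiredpassword.aspx*"
BROAD = "/owa/auth*"
```

With the narrow entry only the expired-password page is excluded; with /owa/auth* the logon page and the /owa/auth.owa endpoint are excluded as well.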
OWA and auth_proxy Adaptations
You must type the following link in the User Password Change URL field:
https://YourDomainOrHostname/owa/auth/expiredpassword.aspx?url=/owa/auth.owa
Our example is https://mail.foxworld.loc/owa/auth/expiredpassword.aspx?url=/owa/auth.owa
Note: It is important that text is set in the User Password Change Dialog Message. If nothing is set, the password reset link does not get triggered.
Within the Extended Log files (user logs) a message is logged indicating that the user that tried to logon must change their password.
6. Adding of Permitted Groups
To enable Permitted Groups, you must set the group (or groups) you want to allow access for in the ECP, OWA, and AUTH proxy Virtual Services.
Note: Permitted Group checks are only possible using LDAP. It is currently not possible to use RADIUS for Permitted Group checks.
The group (or groups) you use must be in your Active Directory for the SSO domain you are contacting.
The group is checked at the Virtual Service level; once group membership has been confirmed, it is not checked again.
When you use the Global Catalog, only universal groups can be checked because the Global Catalog is only aware of the universal groups within the domains.
When you are using alternative domains, you must log in with domain\username, otherwise the LoadMaster cannot determine what SSO domain you want to authenticate with.
Multiple groups can be entered but the group names must be separated by a semi-colon. The limit is nine groups.
The following characters are not allowed in permitted group names: / : + *
Enable or disable the Include Nested Groups option. This field relates to the Permitted Groups setting. Enable this option to include nested groups in the authentication attempt.
Note: If this option is disabled, only users in the top-level group are granted access. If this option is enabled, users in both the top-level and first sub-level group are granted access.
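The Permitted Groups rules above (semicolon-separated list, at most nine groups, no / : + * characters) and the Include Nested Groups behaviour, as an added example that is not Kemp code. The directory below is a constructed sample, not a real Active Directory.

```python
# Added example, not Kemp code: validates a Permitted Groups entry by the rules
# above (semicolon-separated, at most nine, no / : + *) and models the member
# check with Include Nested Groups off and on. DIRECTORY is a constructed sample.
from typing import Dict, List, Set

MAX_GROUPS = 9
FORBIDDEN = set("/:+*")

def parse_permitted_groups(field_value: str) -> List[str]:
    """Split the field on ';' and enforce the count and character rules."""
    groups = [g.strip() for g in field_value.split(";") if g.strip()]
    if len(groups) > MAX_GROUPS:
        raise ValueError(f"at most {MAX_GROUPS} groups allowed, got {len(groups)}")
    for g in groups:
        if FORBIDDEN & set(g):
            raise ValueError(f"group {g!r} contains a forbidden character")
    return groups

def validate(field_value: str) -> str:
    """Return '' when the field is acceptable, otherwise the rule it breaks."""
    try:
        parse_permitted_groups(field_value)
        return ""
    except ValueError as exc:
        return str(exc)

# Constructed directory: group -> direct members (users or nested groups).
DIRECTORY: Dict[str, Set[str]] = {
    "OWA-Users": {"alice", "OWA-Contractors"},
    "OWA-Contractors": {"bob", "OWA-Temps"},
    "OWA-Temps": {"carol"},
    "ECP-Admins": {"dave"},
}

def effective_members(group: str, include_nested: bool) -> Set[str]:
    """Users a permitted group grants: direct members only, or also members of
    its first sub-level groups when Include Nested Groups is enabled."""
    direct = DIRECTORY.get(group, set())
    users = {m for m in direct if m not in DIRECTORY}
    if include_nested:
        for sub in (m for m in direct if m in DIRECTORY):
            users |= {m for m in DIRECTORY[sub] if m not in DIRECTORY}
    return users

def is_permitted(user: str, field_value: str, include_nested: bool) -> bool:
    """Access decision for one user against the configured Permitted Groups."""
    return any(user in effective_members(g, include_nested)
               for g in parse_permitted_groups(field_value))
```

Note that carol, who is only in the second sub-level group, is denied even with Include Nested Groups enabled, matching the note above.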