Solved

Publishing Outlook Anywhere Using NTLM Authentication with Forefront TMG

Posted on 2011-03-13
2,614 Views
Last Modified: 2012-06-27
Hi there,

We are using Exchange Server 2007 Standard SP3. OWA and ActiveSync already have been setup and working without any problems through TMG 2010 firewall. The domain where TMG and Exchange have been installed is operating in Windows 2003 mode.

We would like to set up and use Outlook Anywhere with NTLM rather than Basic authentication. NTLM authentication offers one key advantage from an end user perspective: when using a computer that is a member of our domain and logging on with cached credentials, the user does not need to re-enter their credentials. I was following the white paper “Publishing Outlook Anywhere Using NTLM Authentication with Forefront TMG or Forefront UAG” http://www.microsoft.com/downloads/en/details.aspx?FamilyID=040b31a0-9a69-4278-9808-e52f08ffaee3

Everything has been set up according to the instructions from the white paper. Our UCC certificate has the list of required subject alternative names (SAN) and has been installed on the TMG and Exchange servers. As I mentioned before, clients are already using OWA and ActiveSync with this certificate without any problems.

Outlook Connection Status for the internal users shows a successful HTTPS connection, but externally Outlook is still in the “disconnected” mode.
 
When I run “Outlook Anywhere (RPC over HTTP)” test on www.testexchangeconnectivity.com I have this error message:

“Testing HTTP Authentication Methods for URL https://mail.company.com/rpc/rpcproxy.dll.
The HTTP authentication test failed.
Additional Details
An HTTP 403 error was received because ISA Server denied the specified URL”.

Clicking on the “Test Rule” button for my Outlook Anywhere rule in TMG shows all happy green ticks.

From the TMG logs I can see a denied connection with the status: 12202 Forefront TMG denied the specified Uniform Resource Locator (URL).
Request: RPC_IN_DATA http://mail.mycompany.com/rpc/rpcproxy.dll?server1.mycompany.com:6001
Protocol: https User: anonymous

Looking at the URL above, I don’t understand why http is there but not https. Plus, why is the user anonymous?!

I have spent hours trying to find out what I have missed. Please advise me on what needs to be done to make Outlook Anywhere work.

Thank you very much in advance.
Question by:Olevo

14 Comments
 
LVL 12

Expert Comment

by:Saakar
ID: 35125355
What about Basic Authentication using Outlook Anywhere, does that work??
 
LVL 1

Author Comment

by:Olevo
ID: 35125687
Tried Basic Auth: a Windows popup asks to type the user name. Typing domain\username or just username works fine inside. Outside, Outlook is asking for the user name and doesn't connect.
 
LVL 26

Expert Comment

by:e_aravind
ID: 35128520
Just a parallel query:
> Did you enable SSL Offloading in the "Outlook Anywhere" settings on "Exchange 2007"?

> We want to remove/un-select it if we are not really using "SSL offloading" at any other hardware box.
 
LVL 4

Expert Comment

by:0x6
ID: 35129792
You might not get a login prompt with the following settings when using Outlook Anywhere as I don't get prompted with these settings. Please try it with one Outlook client with:
Basic Authentication in TMG (Basic in the publishing rule, HTML Form Authentication in the Listener)
Basic Authentication in Outlook at the following:

Tools--Account Settings--Change--More Settings--Connection--Exchange Proxy Settings--Select both:
On Fast .....
On Slow .....

You can test this with both Basic and NTLM

 OA Basic
 
LVL 1

Author Comment

by:Olevo
ID: 35134022
To e_aravind:
A bit confused here... Currently SSL offloading is not ticked in my Exchange server. TMG is sitting in front of the Exchange server and I’m guessing that it does handle SSL encryption and decryption. Does that mean that SSL offloading needs to be on?!
 
LVL 26

Expert Comment

by:e_aravind
ID: 35137996
NOPEE
We don't need "SSL Offloading" selected unless we are sure that a hardware box is doing the SSL offloading.

>> http://technet.microsoft.com/en-us/library/bb885060(EXCHG.80).aspx
By any chance do we have the SSLOffloaded key ON @ the CAS server?
 
LVL 1

Author Comment

by:Olevo
ID: 35175112
SSL offloading is not ticked on in our Exchange server. As soon as I change Outlook Anywhere authentication to Basic in Exchange, Outlook users start complaining that new windows are now popping up on their screens asking them to type their passwords.
 
LVL 12

Expert Comment

by:Saakar
ID: 35179149
What are the authentication settings on the RPC VDir on the CAS servers?
If it's Basic, change it to NTLM.
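A read-only check of the Exchange side that covers both e_aravind's SSLOffloaded question (ID 35137996) and Saakar's RPC virtual directory question above. This is an added example, not code posted in the thread; it assumes it is run in the Exchange Management Shell on each CAS (Get-ExchangeCertificate reads the local certificate store) and that mail.company.com is the published host name from the question.

```powershell
# Added example (not from the thread): verify, per Client Access Server, that the
# Outlook Anywhere settings match what NTLM publishing through TMG needs before
# touching the TMG rule or listener. Exchange 2007 SP1+ cmdlets; run on each CAS.
$expectedHost = 'mail.company.com'   # published external host name from the question

function Test-OaSetting {
    param([string]$Name, $Actual, $Expected)
    $ok = ($Actual -eq $Expected)
    $mark = if ($ok) { 'OK  ' } else { 'FIX ' }
    Write-Host ("  {0} {1,-28} actual={2}  expected={3}" -f $mark, $Name, $Actual, $Expected)
    return $ok
}

$allGood = $true
foreach ($cas in (Get-ClientAccessServer | Where-Object { $_.OutlookAnywhereEnabled })) {
    Write-Host "CAS $($cas.Name)"
    $oa = Get-OutlookAnywhere -Server $cas.Name

    # Outlook clients must be told to use NTLM, and the Rpc vdir in IIS must offer it.
    $allGood = (Test-OaSetting 'ClientAuthenticationMethod' $oa.ClientAuthenticationMethod 'Ntlm') -and $allGood
    $iisNtlm = @($oa.IISAuthenticationMethods | ForEach-Object { "$_" }) -contains 'Ntlm'
    $allGood = (Test-OaSetting 'IIS Rpc vdir offers NTLM' $iisNtlm $true) -and $allGood

    # No SSL offload device in this deployment (TMG re-encrypts to the CAS),
    # so the SSLOffloading flag should be off.
    $allGood = (Test-OaSetting 'SSLOffloading' $oa.SSLOffloading $false) -and $allGood

    # The published name must be on the certificate enabled for IIS on this CAS,
    # otherwise TMG cannot bridge to it over HTTPS without a certificate error.
    $allGood = (Test-OaSetting 'ExternalHostname' "$($oa.ExternalHostname)" $expectedHost) -and $allGood
    $cert = Get-ExchangeCertificate | Where-Object {
        ($_.Services -match 'IIS') -and
        (@($_.CertificateDomains | ForEach-Object { "$_" }) -contains $expectedHost)
    }
    $allGood = (Test-OaSetting 'IIS cert contains host name' ([bool]$cert) $true) -and $allGood
}

if ($allGood) { 'Exchange side matches the NTLM white paper; look at the TMG listener next.' }
else          { 'Correct the FIX lines with Set-OutlookAnywhere, then re-run the remote connectivity test.' }
```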
 
LVL 1

Author Comment

by:Olevo
ID: 35195097
saakar_rao:
The authentication method for the Rpc virtual directory is set as “Integrated Windows authentication”. Basic authentication is not ticked.

As I have mentioned before (post ID: 35175112), as soon as I change Outlook Anywhere authentication to Basic in Exchange, internal Outlook users start complaining that new windows are now popping up on their screens asking them to type their passwords. Is there any way (while I’m testing) I can “play” with authentication changes for OA in Exchange without affecting end users?!

Hundreds and thousands of companies around the globe are using Microsoft Exchange server. Some of them might have set up Outlook Anywhere with NTLM rather than Basic authentication. What I don’t understand is why Microsoft or someone else doesn't develop simple tools or step-by-step guides for troubleshooting an Outlook Anywhere setup with an ISA/TMG firewall. Something like: “make sure that you have this or that before you jump to the next step.” Why is setting up OWA or ActiveSync with ISA/TMG simple and easy, and Outlook Anywhere so complex and hard?! Maybe I’m not following the right deployment guides?! Please show me a good one. Everywhere on the internet they talk about setting up OA with Basic authentication… Is anyone anywhere using Outlook Anywhere with NTLM rather than Basic authentication? Could you please share some info on how you did that please.
 
LVL 12

Expert Comment

by:Saakar
ID: 35217263
Would it be possible for you to configure the TMG rule to use "No delegation, but client may authenticate directly" and let your CAS server do the authentication?
Also check that on the RPC VDIR in IIS, Require SSL is checked.
 
LVL 1

Accepted Solution

by:Olevo (earned 0 total points)
ID: 35364178
http://blog.msfirewall.org.uk/2008/07/publishing-exchange-2007-services-with.html

Here is what Jason Jones told me when I asked him about my problem.

“The web listener used for Outlook Anywhere authentication needs to be enabled for Windows Integrated authentication, consequently it needs to be a dedicated listener as TMG cannot do both Windows and FBA at the same time on the same listener. This means it needs a dedicated IP address (bound to just that listener) and is unlikely to be used by other rules...
If you cannot dedicate an IP address, you can use a single IP but you will then need to use basic authentication for Outlook Anywhere and NTLM is not an option...”
 
LVL 1

Author Comment

by:Olevo
ID: 35480218
Sorry, I was very busy and didn’t have time to go through points assignments. Will do it shortly.
 
LVL 74

Expert Comment

by:Glen Knight
ID: 37436219
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.