
Publishing Outlook Anywhere Using NTLM Authentication with Forefront TMG

Hi there,

We are using Exchange Server 2007 Standard SP3. OWA and ActiveSync already have been setup and working without any problems through TMG 2010 firewall. The domain where TMG and Exchange have been installed is operating in Windows 2003 mode.

We would like to set up and use Outlook Anywhere with NTLM rather than Basic authentication. NTLM authentication offers one key advantage from an end-user perspective: when using a computer that is a member of our domain and logging on with cached credentials, the user does not need to re-enter their credentials. I was following the white paper “Publishing Outlook Anywhere Using NTLM Authentication with Forefront TMG or Forefront UAG”: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=040b31a0-9a69-4278-9808-e52f08ffaee3

Everything has been set up according to the instructions in the white paper. Our UCC certificate has the list of required subject alternative names (SAN) and has been installed on the TMG and Exchange servers. As I mentioned before, clients are already using OWA and ActiveSync with this certificate without any problems.

Outlook Connection Status for internal users shows a successful HTTPS connection, but externally Outlook is still in “disconnected” mode.

When I run the “Outlook Anywhere (RPC over HTTP)” test on www.testexchangeconnectivity.com I get this error message:

“Testing HTTP Authentication Methods for URL https://mail.company.com/rpc/rpcproxy.dll.
The HTTP authentication test failed.
Additional Details
An HTTP 403 error was received because ISA Server denied the specified URL”.

Clicking the “Test Rule” button for my Outlook Anywhere rule in TMG shows all happy green ticks.

From the TMG logs I can see denied connection with the status: 12202 Forefront TMG denied the specified Uniform Resource Locator (URL).
Request: RPC_IN_DATA http://mail.mycompany.com/rpc/rpcproxy.dll?server1.mycompany.com:6001
Protocol: https User: anonymous

Looking at the URL above, I don’t understand why http is there and not https. Plus, why is the user anonymous?!

I have spent hours trying to find out what I have missed. Please advise me on what needs to be done to make Outlook Anywhere work.

Thank you very much in advance.
1 Solution
 
Saakar commented:
What about Basic Authentication using Outlook Anywhere, does that work?
 
Olevo (author) commented:
Tried Basic Auth: a Windows popup asks to type the user name. Typing domain\username or just username works fine inside. Outside, Outlook asks for the user name and doesn't connect.
 
e_aravind commented:
Just a parallel query:
> Did you enable SSL Offloading in the "Outlook Anywhere" settings on "Exchange 2007"?

> You want to remove/un-select it if we are not really using "SSL offloading" on any other hardware box.
 
0x6 commented:
You might not get a login prompt with the following settings when using Outlook Anywhere, as I don't get prompted with these settings. Please try it with one Outlook client with:
Basic Authentication in TMG (Basic in the publishing rule, HTML Form Authentication in the Listener)
Basic Authentication in Outlook at the following:

Tools--Account Settings--Change--More Settings--Connection--Exchange Proxy Settings--Select both:
On Fast .....
On Slow .....

You can test this with both Basic and NTLM.

[attachment: OA Basic]
 
Olevo (author) commented:
To e_aravind:
A bit confused here... Currently SSL offloading is not ticked on my Exchange server. TMG is sitting in front of the Exchange server and I’m guessing that it handles SSL encryption and decryption. Does that mean that SSL offloading needs to be on?!
 
e_aravind commented:
Nope.
We don't need "SSL Offloading" selected unless we are sure a hardware box is doing the SSL offloading.

>> http://technet.microsoft.com/en-us/library/bb885060(EXCHG.80).aspx
By any chance, do we have the SSLOffloaded key ON at the CAS server?
 
Olevo (author) commented:
SSL offloading is not ticked in our Exchange server. As soon as I change Outlook Anywhere authentication to Basic in Exchange, Outlook users start complaining that new windows are popping up on their screens asking them to type their passwords.
 
Saakar commented:
What are the authentication settings on the RPC VDir on the CAS servers?
If it's Basic, change it to NTLM.
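The two server-side checks raised so far (e_aravind's SSL offloading question and Saakar's question about authentication on the Rpc virtual directory) can be scripted from the Exchange Management Shell on the Client Access Server. The block below is an added example and not code from the thread, from Microsoft or from the white paper; it assumes the Rpc virtual directory lives under the Default Web Site (IIS metabase site ID 1) and uses mail.company.com as the expected external hostname, both placeholders to adjust.

```powershell
# Added example, not from the original thread. Run in the Exchange Management
# Shell on the Client Access Server. It reports the Outlook Anywhere settings
# the thread asks about and lists anything that does not fit an NTLM/TMG setup.
# Placeholders (assumptions): $expectedHost and the metabase site ID $siteId.

$expectedHost = "mail.company.com"   # external name on the UCC certificate
$siteId       = 1                    # IIS metabase ID of the site hosting /Rpc

function Test-OaServerConfig {
    $oa = Get-OutlookAnywhere -Server $env:COMPUTERNAME
    if (-not $oa) { Write-Warning "Outlook Anywhere is not enabled on this CAS"; return }

    $problems = @()

    # Exchange-side settings
    if ($oa.ClientAuthenticationMethod -ne "Ntlm") {
        $problems += "ClientAuthenticationMethod is $($oa.ClientAuthenticationMethod), expected Ntlm"
    }
    if ($oa.SSLOffloading) {
        $problems += "SSLOffloading is enabled; keep it only when a device in front forwards plain HTTP to the CAS"
    }
    if ($oa.ExternalHostname -ne $expectedHost) {
        $problems += "ExternalHostname is '$($oa.ExternalHostname)', expected '$expectedHost'"
    }

    # IIS-side settings on the /Rpc virtual directory, read from the IIS 6 metabase
    # through ADSI (on Windows Server 2008 this needs the IIS 6 metabase
    # compatibility role service, which Exchange 2007 already requires).
    $rpc       = [ADSI]"IIS://localhost/W3SVC/$siteId/ROOT/Rpc"
    $authFlags = [int]$rpc.Properties["AuthFlags"].Value
    $sslFlags  = [int]$rpc.Properties["AccessSSLFlags"].Value
    # Metabase bit values: AuthFlags 1 = Anonymous, 2 = Basic, 4 = Integrated Windows;
    # AccessSSLFlags 8 = Require SSL
    $basic      = ($authFlags -band 2) -ne 0
    $integrated = ($authFlags -band 4) -ne 0
    $requireSsl = ($sslFlags  -band 8) -ne 0

    if (-not $integrated) { $problems += "/Rpc does not offer Integrated Windows authentication" }
    if ($basic)           { $problems += "/Rpc still offers Basic authentication" }
    if (-not $requireSsl) { $problems += "/Rpc does not require SSL" }

    New-Object PSObject -Property @{
        Server                     = $oa.Server
        ExternalHostname           = $oa.ExternalHostname
        ClientAuthenticationMethod = $oa.ClientAuthenticationMethod
        SSLOffloading              = $oa.SSLOffloading
        RpcIntegratedAuth          = $integrated
        RpcBasicAuth               = $basic
        RpcRequireSSL              = $requireSsl
        Problems                   = $problems
    }
}

Test-OaServerConfig | Format-List
```

If the report shows the wrong client method or offloading switched on, the corresponding change on the Exchange side is `Set-OutlookAnywhere -Identity "<CAS>\Rpc (Default Web Site)" -ClientAuthenticationMethod Ntlm -SSLOffloading $false`; as the thread notes, flipping the client method back and forth prompts internal Outlook users, so make that change in a maintenance window rather than while probing from outside.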
 
Olevo (author) commented:
saakar_rao:
The authentication method for the Rpc virtual directory is set to “Integrated Windows authentication”. Basic authentication is not ticked.

As I have mentioned before (post ID: 35175112), as soon as I change Outlook Anywhere authentication to Basic in Exchange, internal Outlook users start complaining that new windows are popping up on their screens asking them to type their passwords. Is there any way (while I’m testing) I can “play” with authentication changes for OA in Exchange without affecting end users?!

Hundreds and thousands of companies around the globe are using Microsoft Exchange Server. Some of them might have set up Outlook Anywhere with NTLM rather than Basic authentication. What I don’t understand is why Microsoft or someone else doesn’t develop simple tools or step-by-step guides for troubleshooting an Outlook Anywhere setup with an ISA/TMG firewall. Something like: “make sure that you have this or that before you jump to the next step”. Why is setting up OWA or ActiveSync with ISA/TMG simple and easy, while Outlook Anywhere is so complex and hard?! Maybe I’m not following the right deployment guides?! Please show me a good one. Everywhere on the internet they talk about setting up OA with Basic authentication… Is anyone anywhere using Outlook Anywhere with NTLM rather than Basic authentication? Could you please share some info on how you did that?
 
Saakar commented:
Would it be possible for you to configure the TMG rule to use "No delegation, but client may authenticate directly" and let your CAS server do the authentication?
Also check on the RPC VDir in IIS that "Require SSL" is checked.
 
Olevo (author) commented:
http://blog.msfirewall.org.uk/2008/07/publishing-exchange-2007-services-with.html

Here is what Jason Jones told me when I asked him about my problem:

“The web listener used for Outlook Anywhere authentication needs to be enabled for Windows Integrated authentication, consequently it needs to be a dedicated listener as TMG cannot do both Windows and FBA at the same time on the same listener. This means it needs a dedicated IP address (bound to just that listener) and is unlikely to be used by other rules...
If you cannot dedicate an IP address, you can use a single IP but you will then need to use basic authentication for Outlook Anywhere and NTLM is not an option...”
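The point in the quote above, that the listener in front of /rpc/rpcproxy.dll must offer Windows Integrated authentication, can be checked from outside the firewall without touching Outlook, which is also what the "Testing HTTP Authentication Methods" step of the connectivity test does. The block below is an added example and not code from the thread or from Jason Jones' blog; the hostname is a placeholder, and the user agent string "MSRPC" is sent on the assumption that rule or listener settings may treat browser and non-browser clients differently.

```powershell
# Added example, not from the original thread. Run from a machine outside the
# firewall. An unauthenticated GET to the Outlook Anywhere URL should come back
# as 401 with WWW-Authenticate: NTLM and/or Negotiate when the listener does
# Windows Integrated authentication. A 302 to a logon form points at a
# forms-based listener, and a 403 matches the TMG 12202 "denied the specified
# URL" result seen in the firewall log.
# Placeholder (assumption): the hostname in $url.

$url = "https://mail.company.com/rpc/rpcproxy.dll"

function Get-OaAuthChallenge([string]$Url) {
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Method            = "GET"
    $req.AllowAutoRedirect = $false     # keep a redirect to a logon form visible
    $req.UserAgent         = "MSRPC"    # non-browser agent (assumption, see lead-in)

    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        # 401/403 are raised as exceptions; the HTTP response is still attached.
        # A TLS or DNS failure has no response, so rethrow it.
        $resp = $_.Exception.Response
        if (-not $resp) { throw }
    }

    $challengeHeader = $resp.Headers["WWW-Authenticate"]   # comma-joined if several
    $challenges = @()
    if ($challengeHeader) { $challenges = $challengeHeader -split ",\s*" }

    $result = New-Object PSObject -Property @{
        Url        = $Url
        Status     = [int]$resp.StatusCode
        Challenges = $challenges
        Location   = $resp.Headers["Location"]
    }
    $resp.Close()
    return $result
}

$r = Get-OaAuthChallenge $url
$r | Format-List Url, Status, Challenges, Location

switch ($r.Status) {
    401 {
        if ($r.Challenges -match '^(NTLM|Negotiate)') {
            "Listener offers Windows Integrated authentication: $($r.Challenges -join ', ')"
        } else {
            "401 but only these challenges were offered: $($r.Challenges -join ', ')"
        }
    }
    403 { "403: the publishing rule denied the URL (TMG result 12202); check the path set and public name on the rule" }
    302 { "Redirected to $($r.Location): looks like a forms-based listener, not Windows Integrated" }
    default { "Unexpected status $($r.Status)" }
}
```

Because TMG answers the first, unauthenticated request itself, this probe reports what the listener offers, not what the CAS offers; the firewall log line for the probe will show the user as anonymous for that same reason. Certificate validation is left at the .NET default, so a name mismatch on the UCC certificate surfaces here as a WebException rather than as a status code.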
 
Olevo (author) commented:
Sorry, I was very busy and didn’t have time to go through the points assignment. Will do it shortly.
 
Glen Knight commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.