  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3937

RPC over HTTP using NTLM

Hi Experts

I have recently set up Exchange 2010, with a Forefront TMG server in front of it in the DMZ.
Everything seems to be working fine bar one feature: Outlook Anywhere, that is, if using NTLM.

I have been testing the feature with the following site that Microsoft provides:
https://www.testexchangeconnectivity.com

It presently errors with the following when testing Outlook Anywhere

Not all the required authentication methods were found.
Methods Found: Basic
Methods Required: NTLM

Now I've checked the Exchange servers with get-outlookanywhere.

They list as below that indeed the method of connecting is set to NTLM

ClientAuthenticationMethod      : Ntlm
IISAuthenticationMethods        : {Ntlm}

Forefront is also set to NTLM

Curiously, if I change Outlook Anywhere to Basic, and also Forefront, it works, so the problem is completely down to something somewhere not being NTLM.

Any ideas experts?
Asked by: FSIFM
3 Solutions
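An added example, not part of the original question or of the Microsoft test site, that reproduces the "Methods Found" check from the outside: it sends one unauthenticated request to the published /rpc path and lists the WWW-Authenticate schemes in the 401 that comes back. Whatever answers on the public name is what gets reported, so with TMG in front of Exchange this shows the listener's challenge rather than what get-outlookanywhere reports from IIS, which is why the two can disagree. The hostname mail.example.com is an assumed placeholder; run it from a machine outside the perimeter. It never sends credentials, and a certificate-trust failure surfaces as a rethrown WebException rather than a result.

```powershell
# Added example, not from the thread. Run from outside the perimeter so the
# request hits the TMG listener the way the Remote Connectivity Analyzer does.
# mail.example.com is an assumed placeholder for the published Outlook Anywhere name.
function Get-OutlookAnywhereAuthMethods {
    param([string]$HostName = 'mail.example.com')

    $url = "https://$HostName/rpc/rpcproxy.dll"
    $request = [System.Net.HttpWebRequest]::Create($url)
    $request.Method = 'GET'
    $request.AllowAutoRedirect = $false
    $request.Credentials = $null        # deliberately anonymous: we only want the challenge

    try {
        $response = $request.GetResponse()
        $response.Close()
        return @()                       # 200 with no challenge: anonymous access somewhere on the path
    }
    catch [System.Net.WebException] {
        $response = $_.Exception.Response
        if ($response -eq $null) { throw }   # DNS, TCP or certificate failure; nothing to inspect
        $status = [int]$response.StatusCode
        if ($status -ne 401) {
            $response.Close()
            throw "Unexpected HTTP $status from $url (expected 401 with WWW-Authenticate)"
        }
        # One WWW-Authenticate value per scheme; keep only the scheme token,
        # e.g. 'Basic realm="mail.example.com"' -> 'Basic', 'NTLM' -> 'NTLM'
        $schemes = $response.Headers.GetValues('WWW-Authenticate') |
            ForEach-Object { ($_ -split '[ ,]')[0] } |
            Where-Object { $_ } |
            Select-Object -Unique
        $response.Close()
        return $schemes
    }
}

$found = Get-OutlookAnywhereAuthMethods
"Methods found: $($found -join ', ')"
if ($found -notcontains 'NTLM' -and $found -notcontains 'Negotiate') {
    Write-Warning 'No NTLM/Negotiate challenge at the edge; check the TMG listener and rule before changing Exchange.'
}
if ($found -contains 'Basic') {
    Write-Warning 'Basic is offered: clients will send credentials protected only by TLS, so confirm this is intended.'
}
```

If the output is "Methods found: Basic" while get-outlookanywhere shows Ntlm on every server, the mismatch is in front of Exchange, not on it.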
 
Simon Butler (Sembee), Consultant, commented:
Before we go any further, you have seen the MS Document on this?
http://www.microsoft.com/en-gb/download/details.aspx?id=22723

Simon.
FSIFM (Author) commented:
Hi Simon,

Cheers for the document. I hadn't previously read it.

The problem I am now faced with, though, is that TMG is not AD joined as it sits in the DMZ.

All the other services validate with LDAP

Also the matter of the listener. If a different listener is required how do i separate it from the other when they use the same ports?
FSIFM (Author) commented:
OK, I found some information here which expands upon the idea of one listener, and still authenticating via NTLM:

http://forums.isaserver.org/m_2002041377/mpage_1/key_/tm.htm#2002046443

"found that the only way to get Outlook Anywhere to work with NTLM while using an FBA listener is like uz described. Here are some more details as requested;

Use a separate web publishing rule for /rpc path.
Allow it for "All users" (not "All authenticated users") and make sure to uncheck the "require all users to authenticate". These together will effectively prevent ISA from doing any authentication, so also not the Fallback Basic auth challenge of the FBA listener.
Finally set authentication delegation to "no delegation but client can directly authenticate" and enable integrated auth on the rpc directory on the exchange server.

Note: Using this method the RPC users are NOT authenticated by ISA, but only and directly on Exchange server, as they pass anonymously through the FBA listener and this rpc rule. "

Upon making these changes I now receive a different error when testing:

"Attempting to ping RPC endpoint 6001 (Exchange Information Store) on server ****.
The attempt to ping the endpoint failed.

Additional Details
An RPC error was thrown by the RPC Runtime process. Error 1818 CallCancelled"
Simon Butler (Sembee), Consultant, commented:
Have you tested Outlook Anywhere internally to verify that everything is working as it should?
You can use the test-outlookconnectivity command with the protocol of http to see if that is the case or not.

Simon.
FSIFM (Author) commented:
Hi Simon,

I get the following error on both exchange servers

Failed to find the mailbox. Mailbox = 'extest_8063dd50bd144@****.co.uk'.
    + CategoryInfo          : OperationStopped: (Microsoft.Excha...onnectivityTask:TestOutlookConnectivityTask) [Test-
   OutlookConnectivity], MailboxNotFoundException
    + FullyQualifiedErrorId : 63245476,Microsoft.Exchange.Monitoring.TestOutlookConnectivityTask
Simon Butler (Sembee), Consultant, commented:
You haven't got the test account on your system.
Therefore you either need to use the -identity parameter to specify a test account, or create one using the New-TestCasConnectivityUser.ps1 script in the Scripts directory of the Exchange installation point.

Simon.
FSIFM (Author) commented:
Hi Simon,

Do you know the full string for the -mailboxcredential that I'll need for the mailbox -identity command?
Simon Butler (Sembee), Consultant, commented:
test-outlookconnectivity -identity test.user -mailboxcredential:(get-credential) -protocol HTTP

That will popup a box to enter a username and password.

Simon.
FSIFM (Author) commented:
Cheers Simon,

Below is the error I get:

cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential

ClientAccessServer   ServiceEndpoint                               Scenario                            Result  Latency
                                                                                                                  (MS)
------------------   ---------------                               --------                            ------  -------
Server.domain                                               Autodiscover: Web service request.  Failure   -1.00
The cmdlet fails to find all the server information through pinging service providers or other topology discovery insid
e the domain. The cmdlet cannot continue. TopologyDiscoverMode = 'UseAutodiscover, UseAddressbook'.
    + CategoryInfo          : OperationStopped: (Microsoft.Excha...onnectivityTask:TestOutlookConnectivityTask) [Test-
   OutlookConnectivity], TopologyDiscoverException
    + FullyQualifiedErrorId : 211FA65F,Microsoft.Exchange.Monitoring.TestOutlookConnectivityTask
Simon Butler (Sembee), Consultant, commented:
Just to confirm the account is ok - repeat the test but with TCP as the protocol instead.

Simon.
FSIFM (Author) commented:
That fails in the same way. However, I can log in with the account via OWA, and also, using the Microsoft external test, can confirm ActiveSync works too.

It looks like it might be a problem with auto discovery?

A bit of further information for you. I don't know if it's relevant, but the CAS is also set up as an array in Exchange, with both servers as members.
As such, all of the internal URLs point to this array as opposed to themselves.

I'm not sure if it's entirely correct, or if it could be a factor, but I found it here:

http://mshiyas.wordpress.com/2010/07/06/how-to-configure-and-verify-autodiscover-for-exchange-2007-and-2010/
Simon Butler (Sembee), Consultant, commented:
You shouldn't use the CAS Array for the internal URLs.
The CAS Array should be exclusively for RPC TCP traffic.
If you want to use a single name across multiple CAS role servers then this should be a unique name that appears on the SSL certificate.

Thus:

outlook.domain.local - example RPC CAS Array
autodiscover.example.com - example autodiscover URL that works both internally and externally.
mail.example.com - example URL for all other services (ActiveSync, Outlook Anywhere, EWS, POP, IMAP, MX record) that is also the common name on the SSL certificate.

With multiple CAS role holders a single URL is usually used in the same AD site so that everything is consistent and it reduces the names required on the SSL certificate. If you leave it as the default then the internal Autodiscover URL will keep changing and you will need to have every server with the CAS role in the SSL certificate to avoid warnings.

Simon.
FSIFM (Author) commented:
Hi Simon,

Cheers for that. Just to clarify, with the Autodiscover URL that works both internally and externally, should that be the same for both servers?

I.e., could they both be set to autodiscover.example.com?

And the RPC CAS needs to be different from the url used by the other services, ie OWA etc?
Simon Butler (Sembee), Consultant, commented:
Correct.
You can use autodiscover.example.com both internally and externally if you wish, as long as autodiscover.example.com resolves internally to the internal IP address of one of the client access role servers. Then by setting all of the client access role servers to the same value, they all publish the same information to the domain.

get-clientaccessserver | set-clientaccessserver -AutodiscoverServiceInternalURI https://autodiscover.example.com/Autodiscover/Autodiscover.xml

The RPC CAS Array host name should be unique to that service.

Simon.
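An added example, not from the thread, for the Exchange 2010 Management Shell. It puts together the three server-side checks the thread walked through: the Outlook Anywhere authentication methods on every CAS (the get-outlookanywhere check from the question), the Autodiscover SCP URI Simon sets above, and Test-OutlookConnectivity over both protocols with an explicit mailbox as in his earlier command. autodiscover.example.com is Simon's example name and test.user his example mailbox; both are assumed placeholders here. The script reports drift and only applies the two configuration changes when $Fix is set to $true.

```powershell
# Added example, not from the thread. Run in the Exchange 2010 Management Shell.
# Placeholders (assumed): autodiscover.example.com (Simon's example name above)
# and test.user (the mailbox used in his Test-OutlookConnectivity example).
$AutodiscoverUri = 'https://autodiscover.example.com/Autodiscover/Autodiscover.xml'
$TestMailbox     = 'test.user'
$Fix             = $false    # set to $true to apply the two configuration changes

# 1. Outlook Anywhere must be NTLM at both the client and IIS level on every CAS.
#    One server left on Basic is enough for an array to fail the external check.
$oa = Get-OutlookAnywhere
$oa | Format-Table Server, ExternalHostname, ClientAuthenticationMethod, IISAuthenticationMethods -AutoSize
foreach ($vdir in $oa) {
    $iis = ($vdir.IISAuthenticationMethods | ForEach-Object { $_.ToString() }) -join ','
    if ($vdir.ClientAuthenticationMethod -ne 'Ntlm' -or $iis -ne 'Ntlm') {
        Write-Warning "$($vdir.Server): Outlook Anywhere is not NTLM-only (client=$($vdir.ClientAuthenticationMethod), IIS=$iis)"
        if ($Fix) {
            Set-OutlookAnywhere -Identity $vdir.Identity -ClientAuthenticationMethod Ntlm -IISAuthenticationMethods Ntlm
        }
    }
}

# 2. Every CAS should publish the same Autodiscover SCP URI. Test-OutlookConnectivity
#    discovers topology through Autodiscover, so an unset or inconsistent URI is one
#    way to get the TopologyDiscoverException seen earlier in the thread.
foreach ($cas in Get-ClientAccessServer) {
    if ([string]$cas.AutoDiscoverServiceInternalUri -ne $AutodiscoverUri) {
        Write-Warning "$($cas.Name): AutoDiscoverServiceInternalUri is '$($cas.AutoDiscoverServiceInternalUri)'"
        if ($Fix) {
            Set-ClientAccessServer -Identity $cas.Identity -AutoDiscoverServiceInternalUri $AutodiscoverUri
        }
    }
}

# The RPC CAS array name must not double as a web-service URL (Simon's point above);
# compare the two lists.
Get-ClientAccessArray | Format-Table Name, Fqdn, Site -AutoSize
Get-ClientAccessServer | Format-Table Name, AutoDiscoverServiceInternalUri -AutoSize

# 3. End-to-end test with a real mailbox, so the result does not depend on the
#    extest_* account that New-TestCasConnectivityUser.ps1 would otherwise create.
$cred = Get-Credential
foreach ($proto in 'TCP', 'HTTP') {
    Test-OutlookConnectivity -Identity $TestMailbox -MailboxCredential $cred -Protocol $proto -TrustAnySSLCertificate |
        Format-Table ClientAccessServer, ServiceEndpoint, Scenario, Result, Latency -AutoSize
}
```

Run it once with $Fix left at $false to see what differs, then again with $Fix set to $true; the connectivity test at the end should then succeed for both TCP and HTTP before the external test is repeated.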
 
FSIFM (Author) commented:
Right, that's all fixed now. Cheers for your help with that.

But I'm still getting the same error when testing the Outlook connectivity via TCP and HTTP :(
Simon Butler (Sembee), Consultant, commented:
Test-OutlookConnectivity is failing internally?
What version of clients are you using? Does autodiscover work for them, or do you have to configure the clients manually?
Do you have multiple CAS role holders? If so, have they all been updated with the correct information for autodiscover?

Simon.
FSIFM (Author) commented:
Hi Simon,

We fixed the issue. One, the internal and external URL for Autodiscover was not set. Two, though it gave that error when testing, if you used an actual client, both internally and externally, it worked fine.

Cheers for all of your assistance
FSIFM (Author) commented:
I was able to resolve the final part of the issue