Exchange 2007 - using NTLM and Basic authentication across RPC/HTTP

Posted on 2013-06-01
791 Views
Last Modified: 2013-09-07
Hello -

Here's my environment:

Exchange 2007
Outlook 2007 and 2003
Outlook clients are offsite, and onsite.

Problem:  offsite computers that attempt to use NTLM as the authentication method with Outlook over HTTP are continually prompted for the password, and the server doesn't accept any attempt at entering the password. Despite using different conventions (user@domain, domain\user), it just won't accept a password while NTLM is used as the auth method.  If Basic is selected, all is well.

In the Exchange 2007 System Manager, under the Outlook Anywhere section, the authentication method selected is Basic.  It appears it's an either/or selection, as I can't pick them both.  It is a radio box choice, rather than checkboxes for multi-select.

Question:  Can I run Basic and NTLM on the same Exchange 2007 server?  I am able to select NTLM on the PCs that are on the internal network.  That seems to work, but those who are offsite and need access over HTTPS are unsuccessful.  I can't really just switch it to NTLM if the folks using Basic will experience issues, because I have many users configured to use their Outlook in Basic auth mode, and they would all experience downtime if I reconfigure for NTLM (assuming it's either/or, and would kill the Basic auth method).

I would like NTLM to work over HTTPS if possible, because I have some folks using Outlook 2003 with XP and they want to be able to save their password.  Outlook 2003 won't save passwords in Basic mode, only NTLM - and if someone knows a way I can make it save passwords in Basic auth mode, please let me know.

Help is appreciated!  Thanks!
Question by: TimFarren
Accepted Solution by: Simon Butler (Sembee) earned 500 total points
ID: 39214168
You can enable both. You will need to use the Shell to enable it.
However you can only have one as the default, and that is what Outlook 2007 and higher will use.

Repeating prompts for NTLM is usually a sign that the authentication packets are being broken. If the machines are on the domain there is no need to save the password, as it should pass through. The firewall is the usual source of this problem. I know that NTLM will go over the internet as I have been doing so since RPC Over HTTPS on Exchange 2003.

Simon.
Author Comment by: TimFarren
ID: 39214675
Ok, I noticed that my IIS Authentication method was only basic, along with the default authentication method when I issued get-outlookanywhere, so I ran the following command:

Set-OutlookAnywhere -IISAuthenticationMethods Basic,Ntlm -Identity 'ServerName\Rpc (Default Web Site)'

After that, I noticed it is set to basic by default, but shows it will accept either basic or NTLM.  Is that all I need to do? I haven't tested it as of yet.

 - Tim
Expert Comment by: Simon Butler (Sembee)
ID: 39214971
That is all that you need to do. Clients that support Autodiscover (so Outlook 2007 or higher) will use Basic Authentication. If you change it, then it will go back.
If the majority of the clients are:
a. On the domain (even roaming)
b. Outlook 2007 or higher

Then I would look at setting it to NTLM to test. If that fails then you will have to use basic only.

Simon.
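As an added example (not Tim's command or Simon's code), the Shell change the two of them describe, written so the state is recorded before and checked after: both methods are enabled in IIS while Basic stays the default that Autodiscover advertises to Outlook 2007 and later. It assumes the Exchange 2007 SP1 Management Shell, and the identity string is the placeholder from Tim's post.

```powershell
# Added example for the Exchange 2007 Management Shell; not code from the thread.
# The identity below is the placeholder Tim used; substitute your own CAS name.
$identity = 'ServerName\Rpc (Default Web Site)'

function Get-OaAuthState {
    # Return only the two authentication settings that matter for this problem.
    $oa = Get-OutlookAnywhere -Identity $identity
    New-Object PSObject -Property @{
        Identity     = $oa.Identity
        ExternalHost = $oa.ExternalHostname
        DefaultAuth  = $oa.DefaultAuthenticationMethod   # what Autodiscover hands to Outlook 2007+
        IISAuth      = @($oa.IISAuthenticationMethods)   # what the /rpc virtual directory will accept
    }
}

"Before:"; Get-OaAuthState | Format-List

# Let IIS accept both methods, but keep Basic as the default so existing
# Outlook 2007+ profiles (which follow Autodiscover) keep working unchanged.
Set-OutlookAnywhere -Identity $identity `
    -IISAuthenticationMethods Basic,Ntlm `
    -DefaultAuthenticationMethod Basic

$after = Get-OaAuthState
"After:"; $after | Format-List

# Sanity check: both methods must be present in IIS. NTLM alone would lock out
# the Basic-only clients; Basic alone reproduces the original prompt loop.
$iis = $after.IISAuth | ForEach-Object { "$_" }
if (($iis -contains 'Basic') -and ($iis -contains 'Ntlm')) {
    "OK: /rpc accepts Basic and NTLM; default advertised method is $($after.DefaultAuth)"
} else {
    Write-Warning "IIS authentication methods are: $($iis -join ', ')"
}

# Later, to trial NTLM for the majority (Simon's suggestion), change only the
# default, and revert with -DefaultAuthenticationMethod Basic if prompts return:
#   Set-OutlookAnywhere -Identity $identity -DefaultAuthenticationMethod Ntlm
```

After the change, confirm in IIS Manager that the Rpc virtual directory shows both Basic and Integrated Windows authentication; Exchange writes the setting into IIS for you, but checking there is the quickest way to see that it actually took.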
Author Comment by: TimFarren
ID: 39215021
My goal is to connect non-domain-joined computers (XP Pro, Win 7 Pro, or Vista Business) running Outlook 2003 to Exchange using NTLM, because Basic requires a password to be entered each time Outlook is launched. I'm assuming (again, still haven't been able to test) that the reason Outlook repeatedly requested credentials without acceptance is because IIS wasn't accepting NTLM as an authentication method.
Expert Comment by: Simon Butler (Sembee)
ID: 39215026
There are actually two reasons why you can get authentication prompts from Outlook 2003.
The first one is authentication mismatch - so having NTLM in the client and Basic on the server. It can also occur if NTLM authentication is broken by something en route, such as a firewall.

The second reason is SSL certificate issues. If the client doesn't trust the SSL certificate being used, then it throws up the authentication prompt. It cannot cope with the SSL prompt.

Simon.
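Simon names two causes for the prompt loop: NTLM not being offered end to end (server setting or a firewall stripping it) and a certificate the client does not trust. Both can be checked from an affected client without Outlook. The script below is an added diagnostic, not code from the thread; the host name is a placeholder, and it assumes Outlook Anywhere's RPC proxy is reachable at /rpc/rpcproxy.dll on port 443, which is the standard location.

```powershell
# Added diagnostic, not code from the thread. Run on an affected client, outside
# the LAN, against your own Outlook Anywhere host name (placeholder below).
$hostName = 'mail.example.com'

function Test-OaCertificate {
    param([string]$HostName)
    # Open a TLS session and accept whatever certificate is presented, so that
    # it can be examined here rather than rejected inside the handshake.
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, 443)
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($HostName)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $ssl.Close(); $tcp.Close()

    # Now validate the chain against this client's own trust store. This is the
    # check Outlook performs, and a failure here surfaces as a credential prompt.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $trusted = $chain.Build($cert)
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
           ForEach-Object { $_.Format($false) }
    New-Object PSObject -Property @{
        Subject     = $cert.Subject
        Expires     = $cert.NotAfter
        Trusted     = $trusted
        ChainStatus = (@($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        NameMatches = (($cert.Subject -like "*CN=$HostName*") -or ("$san" -like "*$HostName*"))
    }
}

function Test-OaAuthOffer {
    param([string]$HostName)
    # An unauthenticated GET to the RPC proxy should come back 401 with one
    # WWW-Authenticate header per method IIS offers. If NTLM is enabled on the
    # server but missing here, something between client and server (a firewall
    # or proxy) is stripping it, which matches the prompt-loop symptom.
    $req = [System.Net.HttpWebRequest]::Create("https://$HostName/rpc/rpcproxy.dll")
    $req.Method = 'GET'
    $offered = @()
    try {
        $resp = $req.GetResponse(); $status = [int]$resp.StatusCode; $resp.Close()
    } catch [System.Net.WebException] {
        $ex = $_.Exception
        if ($ex.Status -eq [System.Net.WebExceptionStatus]::TrustFailure) {
            return 'TLS certificate rejected by this client; see Test-OaCertificate for details'
        }
        if ($ex.Response -eq $null) { throw }
        $status  = [int]$ex.Response.StatusCode
        $offered = @($ex.Response.Headers.GetValues('WWW-Authenticate'))
        $ex.Response.Close()
    }
    $hasNtlm  = ($offered | Where-Object { $_ -match '^(NTLM|Negotiate)' }) -ne $null
    $hasBasic = ($offered | Where-Object { $_ -match '^Basic' }) -ne $null
    "HTTP $status; offered: $($offered -join ' | '); Basic=$hasBasic NTLM=$hasNtlm"
}

Test-OaCertificate -HostName $hostName | Format-List
Test-OaAuthOffer   -HostName $hostName
```

Read the two results together: Trusted=False or NameMatches=False is Simon's second cause and needs a certificate fix on the server or the CA installed on the client; a 401 that lists only Basic when the server is configured for both points at the path between them, which was Simon's first cause. Run the same auth check once from inside the LAN for comparison, since a difference between the two runs isolates the firewall.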