Solved

Exchange 2007 - using NTLM and Basic authentication across RPC/HTTP

Posted on 2013-06-01
Last Modified: 2013-09-07
Hello -

Here's my environment:

Exchange 2007
Outlook 2007 and 2003
Outlook clients are offsite, and onsite.

Problem: offsite computers that attempt to use NTLM as the authentication method for Outlook over HTTP are continually prompted for the password, and the server doesn't accept any attempts at entering the password, despite using different conventions (user@domain, domain\user). It just won't accept a password while NTLM is used as the auth method. If Basic is selected, all is well.

In the Exchange 2007 system manager, under the Outlook Anywhere section, the authentication method selected is BASIC. It appears it's an either/or selection, as I can't pick them both. It is a radio box choice, rather than checkboxes for multi-select.

Question: Can I run Basic and NTLM on the same Exchange 2007 server? I am able to select NTLM on the PCs that are on the internal network. That seems to work, but those who are offsite and need access over HTTPS are unsuccessful. I can't really just switch it to NTLM if the folks using Basic will experience issues, because I have many users configured to use their Outlook in Basic auth mode, and they would all experience downtime if I reconfigure for NTLM (assuming it's either/or, and would kill the Basic auth method).

I would like NTLM to work over HTTPS if possible, because I have some folks using Outlook 2003 with XP and they want to be able to save their password. Outlook 2003 won't save passwords in Basic mode, only NTLM - and if someone knows a way I can make it save passwords in Basic auth mode, please let me know.

Help is appreciated!  Thanks!
Question by:TimFarren

Accepted Solution

by:
Simon Butler (Sembee) earned 500 total points
ID: 39214168
You can enable both. You will need to use the Shell to enable it.
However you can only have one as the default, and that is what Outlook 2007 and higher will use.

Repeating prompts for NTLM is usually a sign that the authentication packets are being broken. If the machines are on the domain there is no need to save the password, as it should pass through. The firewall is the usual source of this problem. I know that NTLM will go over the internet as I have been doing so since RPC Over HTTPS on Exchange 2003.

Simon.

Author Comment

by:TimFarren
ID: 39214675
Ok, I noticed that my IIS Authentication method was only basic, along with the default authentication method when I issued get-outlookanywhere, so I ran the following command:

set-outlookanywhere -IISauthentication basic,Ntlm -Identity:'ServerName\Rpc (Default Web Site)'

After that, I noticed it is set to basic by default, but shows it will accept either basic or NTLM.  Is that all I need to do? I haven't tested it as of yet.

 - Tim

Expert Comment

by:Simon Butler (Sembee)
ID: 39214971
That is all that you need to do. Clients that support Autodiscover (so Outlook 2007 or higher) will use Basic Authentication. If you change it, then it will go back.
If the majority of the clients are
a. On the domain (even roaming)
b. Outlook 2007 or higher

Then I would look at setting it to NTLM to test. If that fails then you will have to use basic only.

Simon.

Author Comment

by:TimFarren
ID: 39215021
My goal is to connect non-domain-joined computers (XP Pro, Win 7 Pro, or Vista Business) running Outlook 2003 to Exchange using NTLM, because Basic requires a password be entered each time Outlook is launched. I'm assuming (again, still haven't been able to test) that the reason Outlook repeatedly requested credentials without acceptance is because IIS wasn't accepting NTLM as an authentication method.

Expert Comment

by:Simon Butler (Sembee)
ID: 39215026
There are actually two reasons why you can get authentication prompts from Outlook 2003.
The first one is authentication mismatch - so having NTLM in the client and Basic on the server. It can also occur if NTLM authentication is broken by something en route, such as a firewall.

The second reason is SSL certificate issues. If the client doesn't trust the SSL certificate being used, then it throws up the authentication prompt. It cannot cope with the SSL prompt.

Simon.
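
A client-side check for the two causes described above (authentication mismatch and an untrusted SSL certificate), as an added example that is not part of the original thread. It assumes the RPC proxy is reachable at the standard /rpc/rpcproxy.dll path; the function name and the host mail.example.com are placeholders.

```powershell
# Added example: probes the Outlook Anywhere endpoint without credentials and
# reports which schemes IIS advertises and whether this client trusts the certificate.
function Test-RpcProxyAuth {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,            # external host name (placeholder)
        [ValidateSet('Basic', 'NTLM')][string]$ClientAuth = 'NTLM'   # scheme set in the Outlook profile
    )
    $result = New-Object PSObject -Property @{
        Host = $HostName; CertTrusted = $true; Offered = @(); Finding = ''
    }
    $req = [System.Net.WebRequest]::Create("https://$HostName/rpc/rpcproxy.dll")
    $req.AllowAutoRedirect = $false
    $req.Timeout = 15000
    try {
        $resp = $req.GetResponse()
        $result.Finding = "Unexpected HTTP $([int]$resp.StatusCode) without credentials"
        $resp.Close()
    }
    catch {
        # Unwrap PowerShell's method-invocation wrapper to reach the WebException.
        $e = $_.Exception
        while ($e -and -not ($e -is [System.Net.WebException])) { $e = $e.InnerException }
        if (-not $e) { throw }
        if ($e.Status -eq [System.Net.WebExceptionStatus]::TrustFailure) {
            # Second cause: the certificate could not be validated on this machine.
            $result.CertTrusted = $false
            $result.Finding = 'Client does not trust the SSL certificate'
        }
        elseif ($e.Response -and [int]$e.Response.StatusCode -eq 401) {
            # First cause: compare advertised schemes with the client setting.
            $values = $e.Response.Headers.GetValues('WWW-Authenticate')
            $result.Offered = @($values | Where-Object { $_ } |
                ForEach-Object { ($_.Trim() -split '\s+')[0] })
            if ($result.Offered -contains $ClientAuth) {
                $result.Finding = "Server offers $ClientAuth; a scheme mismatch is not the cause"
            }
            else {
                $result.Finding = "Mismatch: client uses $ClientAuth, server offers " +
                    ($result.Offered -join ', ')
            }
            $e.Response.Close()
        }
        else {
            $result.Finding = "Connection failed: $($e.Status)"
        }
    }
    $result
}

Test-RpcProxyAuth -HostName 'mail.example.com' -ClientAuth NTLM | Format-List
```

Run it from an affected offsite machine; a device between client and server that strips the NTLM header shows up as NTLM missing from Offered even though IIS is configured to accept it.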