Solved

Exchange 2007 - using NTLM and Basic authentication across RPC/HTTP

Posted on 2013-06-01
830 Views
Last Modified: 2013-09-07
Hello -

Here's my environment:

Exchange 2007
Outlook 2007 and 2003
Outlook clients are offsite, and onsite.

Problem:  offsite computers that attempt to use NTLM as the authentication method with Outlook over HTTP are continually prompted for the password, and the server doesn't accept any attempts at entering the password. Despite using different conventions (user@domain, domain\user), it just won't accept a password while NTLM is used as the auth method.  If Basic is selected, all is well.

In the Exchange 2007 System Manager, under the Outlook Anywhere section, the authentication method selected is BASIC.  It appears it's an either/or selection, as I can't pick them both.  It is a radio box choice, rather than checkboxes for multi-select.

Question:  Can I run Basic and NTLM on the same Exchange 2007 server?  I am able to select NTLM on the PCs that are on the internal network.  That seems to work, but those who are offsite and need access over HTTPS are unsuccessful.  I can't really just switch it to NTLM if the folks using Basic will experience issues, because I have many users configured to use their Outlook in Basic auth mode, and they would all experience downtime if I reconfigure for NTLM (assuming it's either/or, and would kill the Basic auth method).

I would like NTLM to work over HTTPS if possible, because I have some folks using Outlook 2003 with XP and they want to be able to save their password.  Outlook 2003 won't save passwords in Basic mode, only NTLM - and if someone knows a way I can make it save passwords in Basic auth mode, please let me know.

Help is appreciated!  Thanks!
0
Question by:TimFarren
5 Comments
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 500 total points
ID: 39214168
You can enable both. You will need to use the Shell to enable it.
However, you can only have one as the default, and that is what Outlook 2007 and higher will use.

Repeating prompts for NTLM is usually a sign that the authentication packets are being broken. If the machines are on the domain there is no need to save the password, as it should pass through. The firewall is the usual source of this problem. I know that NTLM will go over the internet as I have been doing so since RPC Over HTTPS on Exchange 2003.

Simon.
0
 
LVL 2

Author Comment

by:TimFarren
ID: 39214675
OK, I noticed that my IIS authentication method was only Basic, along with the default authentication method, when I issued get-outlookanywhere, so I ran the following command:

set-outlookanywhere -IISauthentication basic,Ntlm -Identity:'ServerName\Rpc (Default Web Site)'

After that, I noticed it is set to basic by default, but shows it will accept either basic or NTLM.  Is that all I need to do? I haven't tested it as of yet.

 - Tim
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39214971
That is all that you need to do. Clients that support Autodiscover (so Outlook 2007 or higher) will use Basic authentication. If you change it, then it will go back.
If the majority of the clients are
a. On the domain (even roaming)
b. Outlook 2007 or higher

Then I would look at setting it to NTLM to test. If that fails then you will have to use basic only.

Simon.
0
 
LVL 2

Author Comment

by:TimFarren
ID: 39215021
My goal is to connect non-domain-joined computers (XP Pro, Win 7 Pro, or Vista Business) running Outlook 2003 to Exchange using NTLM, because Basic requires a password to be entered each time Outlook is launched. I'm assuming (again, still haven't been able to test) that the reason Outlook repeatedly requested credentials without acceptance is because IIS wasn't accepting NTLM as an authentication method.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39215026
There are actually two reasons why you can get authentication prompts from Outlook 2003.
The first one is authentication mismatch - so having NTLM in the client and Basic on the server. It can also occur if NTLM authentication is broken by something en route, such as a firewall.

The second reason is SSL certificate issues. If the client doesn't trust the SSL certificate being used, then it throws up the authentication prompt. It cannot cope with the SSL prompt.

Simon.
0
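The two settings Simon and Tim discuss (the IIS methods the RPC virtual directory accepts versus the single default handed to Outlook 2007+), plus a client-side check for the two prompt causes named in the last comment, as an added example that is not code from the thread. Part 1 is meant for the Exchange Management Shell on the CAS; Part 2 runs from any external client with PowerShell 2.0 or later. 'ServerName' and 'mail.example.com' are placeholders, and the assumption that an anonymous GET to /rpc/rpcproxy.dll returns a 401 listing the enabled schemes is mine, not the thread's.

```powershell
# --- Part 1 (Exchange Management Shell): accept Basic AND NTLM in IIS, keep Basic as the default ---
$server = 'ServerName'   # placeholder: the Exchange 2007 CAS hosting Outlook Anywhere
$oa = Get-OutlookAnywhere -Server $server
"Before: IIS accepts = $($oa.IISAuthenticationMethods); default = $($oa.ClientAuthenticationMethod)"

# IISAuthenticationMethods = what /rpc will negotiate; ClientAuthenticationMethod = the one
# default Autodiscover pushes to Outlook 2007+. Leaving the default on Basic keeps the
# existing Basic users working while manually configured NTLM clients can now succeed.
Set-OutlookAnywhere -Identity $oa.Identity -IISAuthenticationMethods Basic,Ntlm -ClientAuthenticationMethod Basic
$oa = Get-OutlookAnywhere -Server $server
"After:  IIS accepts = $($oa.IISAuthenticationMethods); default = $($oa.ClientAuthenticationMethod)"

# --- Part 2 (external client): test the two causes of repeated prompts ---
function Test-OutlookAnywhereEndpoint {
    param([string]$HostName)   # the ExternalHostname clients use, e.g. mail.example.com (placeholder)

    # Cause 2: certificate trust. AuthenticateAsClient throws AuthenticationException when the
    # chain is untrusted or the name mismatches, the condition Outlook 2003 turns into a prompt.
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, 443)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    try {
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        "Certificate trusted: $($cert.Subject) (expires $($cert.NotAfter))"
    } catch [System.Security.Authentication.AuthenticationException] {
        "CERTIFICATE NOT TRUSTED by this client: $($_.Exception.Message)"
    } finally { $ssl.Close(); $tcp.Close() }

    # Cause 1: method mismatch. An anonymous GET to the RPC proxy should be refused with 401,
    # and the WWW-Authenticate headers show what IIS really offers (expect both NTLM and Basic).
    try {
        $req = [System.Net.WebRequest]::Create("https://$HostName/rpc/rpcproxy.dll")
        $req.Method = 'GET'; $req.Timeout = 10000
        $null = $req.GetResponse()
        "Unexpected: RPC proxy answered without demanding authentication"
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response
        if ($resp -and $resp.StatusCode -eq 'Unauthorized') {
            "IIS offers: $($resp.Headers.GetValues('WWW-Authenticate') -join ' | ')"
        } else { "RPC proxy check failed: $($_.Exception.Message)" }
    }
}
Test-OutlookAnywhereEndpoint -HostName 'mail.example.com'
```

If Part 2 reports the certificate as trusted and the header list contains NTLM but a client still loops on the prompt, the remaining suspect is the device in the path (the firewall Simon mentions) mangling the NTLM exchange.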
