Solved

Exchange 2007 - using NTLM and Basic authentication across RPC/HTTP

Posted on 2013-06-01
Last Modified: 2013-09-07
Hello -

Here's my environment:

Exchange 2007
Outlook 2007 and 2003
Outlook clients are offsite, and onsite.

Problem: offsite computers that attempt to use NTLM as the authentication method with Outlook over HTTP are continually prompted for the password, and the server doesn't accept any attempts at entering the password; despite using different conventions (user@domain, domain\user), it just won't accept a password while NTLM is used as the auth method. If Basic is selected, all is well.

In the Exchange 2007 system manager, under the Outlook Anywhere section, the authentication method selected is Basic. It appears to be an either/or selection, as I can't pick them both. It is a radio button choice, rather than checkboxes for multi-select.

Question: Can I run Basic and NTLM on the same Exchange 2007 server? I am able to select NTLM on the PCs that are on the internal network. That seems to work, but those who are offsite and need access over HTTPS are unsuccessful. I can't really just switch it to NTLM if the folks using Basic will experience issues, because I have many users configured to use their Outlook in Basic auth mode, and they would all experience downtime if I reconfigure for NTLM (assuming it's either/or and would kill the Basic auth method).

I would like NTLM to work over HTTPS if possible, because I have some folks using Outlook 2003 with XP and they want to be able to save their password. Outlook 2003 won't save passwords in Basic mode, only NTLM, and if someone knows a way I can make it save passwords in Basic auth mode, please let me know.

Help is appreciated!  Thanks!
Question by: TimFarren
5 Comments

Accepted Solution by: Simon Butler (Sembee), earned 500 total points
ID: 39214168
You can enable both. You will need to use the Shell to enable it.
However you can only have one as the default, and that is what Outlook 2007 and higher will use.

Repeating prompts for NTLM is usually a sign that the authentication packets are being broken. If the machines are on the domain there is no need to save the password, as it should pass through. The firewall is the usual source of this problem. I know that NTLM will go over the internet as I have been doing so since RPC Over HTTPS on Exchange 2003.

Simon.

Author Comment by: TimFarren
ID: 39214675
Ok, I noticed that my IIS authentication method was only Basic, along with the default authentication method, when I issued Get-OutlookAnywhere, so I ran the following command:

Set-OutlookAnywhere -Identity 'ServerName\Rpc (Default Web Site)' -IISAuthenticationMethods Basic,Ntlm

After that, I noticed it is set to basic by default, but shows it will accept either basic or NTLM.  Is that all I need to do? I haven't tested it as of yet.

 - Tim
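The procedure in the two comments above (check the current settings, let IIS accept both schemes, confirm), written out as an added example for the Exchange Management Shell. This is not code from the thread or from Microsoft: it assumes Exchange 2007 SP1 or later, where Set-OutlookAnywhere exposes ClientAuthenticationMethod and IISAuthenticationMethods as separate settings, SERVERNAME is a placeholder for the Client Access server, and the two appcmd lines assume IIS 7 on Windows Server 2008.

```powershell
# Added example, not code from the thread: inspect and change the Outlook Anywhere
# authentication settings on an Exchange 2007 (SP1 or later) Client Access server
# from the Exchange Management Shell, then confirm the change both on the Exchange
# object and in IIS. "SERVERNAME" is a placeholder for the CAS name.
$identity = "SERVERNAME\Rpc (Default Web Site)"

# Two distinct settings live on this object:
#   ClientAuthenticationMethod  - the single default that Autodiscover hands to
#                                 Outlook 2007 and later; only one value allowed.
#   IISAuthenticationMethods    - what the /Rpc virtual directory will actually
#                                 accept; may list more than one scheme.
$before = Get-OutlookAnywhere -Identity $identity
$before | Format-List Identity, ExternalHostname, ClientAuthenticationMethod, IISAuthenticationMethods

# Let IIS accept NTLM as well as Basic. The default stays Basic, so nothing changes
# for clients already configured that way; manually configured Outlook 2003 clients
# can now choose NTLM. (Set -ClientAuthenticationMethod Ntlm only if you want
# Autodiscover to push NTLM to every Outlook 2007+ client.)
Set-OutlookAnywhere -Identity $identity -IISAuthenticationMethods Basic,Ntlm

# Confirm on the Exchange object. -contains compares case-insensitively, so the
# enum's "Ntlm" spelling matches either way.
$after = Get-OutlookAnywhere -Identity $identity
$accepted = @($after.IISAuthenticationMethods | ForEach-Object { $_.ToString() })
if (($accepted -contains "Basic") -and ($accepted -contains "Ntlm")) {
    "IIS methods: $($accepted -join ', '); default for Autodiscover: $($after.ClientAuthenticationMethod)"
} else {
    Write-Warning "IIS authentication methods are '$($accepted -join ', ')'; expected Basic and Ntlm"
}

# Confirm in IIS itself: Exchange pushes this setting to the /Rpc virtual directory
# rather than the cmdlet editing IIS directly, so the directory may lag the object.
# These two lines assume IIS 7 (Windows Server 2008); on IIS 6 the equivalent check
# is the AuthFlags property of the IIsWebVirtualDir via adsutil.vbs.
$appcmd = Join-Path $env:windir "system32\inetsrv\appcmd.exe"
& $appcmd list config "Default Web Site/Rpc" /section:windowsAuthentication
& $appcmd list config "Default Web Site/Rpc" /section:basicAuthentication
```

The point of the last two lines is that a client's repeated password prompt is decided by what IIS offers on the wire, not by what the Exchange object says; if the cmdlet output shows both schemes but IIS still lists only Basic, wait for the setting to propagate before testing from outside.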
Expert Comment by: Simon Butler (Sembee)
ID: 39214971
That is all that you need to do. Clients that support Autodiscover (so Outlook 2007 or higher) will use Basic Authentication. If you change it, then it will go back.
If the majority of the clients are
a. On the domain (even roaming)
b. Outlook 2007 or higher

Then I would look at setting it to NTLM to test. If that fails then you will have to use basic only.

Simon.

Author Comment by: TimFarren
ID: 39215021
My goal is to connect non-domain joined computers (xp pro, win 7 pro, or vista business) running outlook 2003, to exchange using NTLM because basic requires a password be entered each time outlook is launched. I'm assuming (again still haven't been able to test) that the reason outlook repeatedly requested credentials without acceptance is because IIS wasn't accepting NTLM as an authentication method.

Expert Comment by: Simon Butler (Sembee)
ID: 39215026
There are actually two reasons why you can get authentication prompts from Outlook 2003.
The first one is authentication mismatch - so having NTLM in the client and Basic on the server. It can also occur if NTLM authentication is broken by something en-route, such as a firewall.

The second reason is SSL certificate issues. If the client doesn't trust the SSL certificate being used, then it throws up the authentication prompt. It cannot cope with the SSL prompt.

Simon.
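The two causes Simon lists (an authentication mismatch or a device breaking NTLM on the path, versus a certificate the client does not trust) can be told apart from the client side without involving Outlook. The following is an added example, not part of the thread: a PowerShell probe that sends an anonymous request to the RPC proxy, reads the WWW-Authenticate challenges IIS returns (one per enabled scheme, so a missing NTLM line means IIS, or something in front of it, is not offering NTLM), and separately builds the certificate chain the way the client would. With -Credential it also completes a real NTLM/Negotiate handshake, which is the only way to catch a firewall that passes the first challenge but breaks the later legs. mail.example.com is a placeholder for the Outlook Anywhere external hostname; the certificate-validation override exists only so the 401 can be read from a server with an untrusted certificate and is restored afterwards.

```powershell
# Added example, not code from the thread: probe an Outlook Anywhere (RPC over
# HTTPS) endpoint from a client and report (a) which authentication schemes IIS
# offers on /rpc, (b) whether this client trusts the server certificate, and
# optionally (c) whether a full NTLM/Negotiate handshake completes end to end.
# "mail.example.com" is a placeholder for the ExternalHostname of Outlook Anywhere.
function Test-OutlookAnywhereAuth {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [System.Management.Automation.PSCredential]$Credential
    )
    $url = "https://$HostName/rpc/rpcproxy.dll"

    # Returns the HttpWebResponse even for 401/403, which HttpWebRequest
    # otherwise surfaces as a WebException with the response attached.
    function Get-Probe([string]$u, [System.Net.NetworkCredential]$cred) {
        $req = [System.Net.HttpWebRequest]::Create($u)
        $req.Method = "GET"
        $req.Timeout = 15000
        $req.AllowAutoRedirect = $false
        if ($cred -ne $null) { $req.Credentials = $cred }
        try { return $req.GetResponse() }
        catch [System.Net.WebException] {
            if ($_.Exception.Response -ne $null) { return $_.Exception.Response }
            throw
        }
    }

    # Accept any certificate for the duration of the probe so an untrusted cert
    # still lets the HTTP challenge through. Trust is assessed separately below
    # with X509Chain, and the previous callback is restored in finally.
    $saved = [System.Net.ServicePointManager]::ServerCertificateValidationCallback
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
    try {
        $resp = Get-Probe $url $null
        # IIS answers an anonymous request with 401 and one WWW-Authenticate header
        # per enabled scheme, e.g. "Negotiate", "NTLM", 'Basic realm="..."'.
        $challenges = $resp.Headers.GetValues("WWW-Authenticate")
        if ($challenges -eq $null) { $challenges = @() }
        $schemes = @($challenges | ForEach-Object { ($_ -split '\s+')[0] } | Sort-Object -Unique)
        $resp.Close()

        # The certificate the server actually presented, checked against this
        # machine's trust store (chain, expiry, revocation per local policy).
        $sp = [System.Net.ServicePointManager]::FindServicePoint([Uri]$url)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $sp.Certificate
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $trusted = $chain.Build($cert)
        $dnsName = $cert.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)

        $result = New-Object PSObject -Property @{
            Url                 = $url
            AnonymousStatus     = [int]$resp.StatusCode
            AuthSchemes         = ($schemes -join ", ")
            OffersNtlm          = [bool](($schemes -contains "NTLM") -or ($schemes -contains "Negotiate"))
            OffersBasic         = [bool]($schemes -contains "Basic")
            CertSubject         = $cert.Subject
            CertDnsName         = $dnsName
            NameMatches         = ($dnsName -eq $HostName)   # exact match; a wildcard cert needs a pattern test
            NotAfter            = $cert.NotAfter
            ChainTrusted        = $trusted
            ChainStatus         = (@($chain.ChainStatus | ForEach-Object { $_.Status }) -join ", ")
            AuthenticatedStatus = $null
        }

        # With credentials, HttpWebRequest drives the multi-leg NTLM/Negotiate
        # exchange itself. Anything other than another 401 means the handshake
        # survived whatever sits between this client and IIS.
        if ($Credential -ne $null) {
            $resp2 = Get-Probe $url $Credential.GetNetworkCredential()
            $result.AuthenticatedStatus = [int]$resp2.StatusCode
            $resp2.Close()
        }
        return $result
    } finally {
        [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $saved
    }
}

# Anonymous challenge plus certificate check:
Test-OutlookAnywhereAuth -HostName "mail.example.com" | Format-List
# Add -Credential (Get-Credential "DOMAIN\user") to also exercise the NTLM handshake.
```

Reading the output against the thread: OffersNtlm false with AnonymousStatus 401 is the server-side mismatch Tim fixed with Set-OutlookAnywhere; OffersNtlm true but AuthenticatedStatus still 401 with valid credentials points at the path (firewall or proxy) breaking the later NTLM legs; ChainTrusted false or NameMatches false is the certificate case, which Outlook 2003 reports as a password prompt rather than a certificate warning.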