Solved

Exchange 2013 external access authentication

Posted on 2015-01-27
23
242 Views
Last Modified: 2015-02-11
Hi Experts,

some quick facts about my environment:
Exchange 2013 deployment that has been made accessible from the internet through an IIS ARR server in the DMZ.
The Exchange 2013 system allows RPC over HTTPS and MAPI over HTTPS access.
Clients are Outlook 2013 SP1 and Outlook 2010 (January 2015 update - MAPI enabled).
MAPI virtual directory is configured with https://mail.domain.com/mapi for internalURL and externalURL as well as "Negotiate" for InternalAuthentication, ExternalAuthentication and IISAuthenticationMethods

Question: When clients start Outlook outside the corporate network it prompts them for their password once. After they have supplied the correct password everything works fine until Outlook is restarted. Now my understanding of "Negotiate" would be that Outlook tries to do Kerberos authentication and when it can't reach a KDC it falls back to NTLM, and when falling back to NTLM it takes the user's cached credentials from the Windows sign-in and sends hashes of them to the Exchange server for validation, so the user should not have to input a password.

Is my assumption correct? If no - can someone educate me? If yes - why does Outlook prompt for a password then?

Best regards,
Vazko
0
Comment
Question by:Vasko Oreely
23 Comments
 
LVL 1

Expert Comment

by:hassan afzal
ID: 40572873
is this for all users or selective?
0
 

Author Comment

by:Vasko Oreely
ID: 40572929
All 3 users I tested so far have that "problem". Sniffing the traffic with Wireshark yielded unclear results because everything except DNS and certificate checks is encrypted and can't be read using Wireshark.
0
 
LVL 1

Expert Comment

by:hassan afzal
ID: 40572935
Think you're complicating things too much. Is the Outlook setting set to "always ask for credentials" when opening up?
0
 
LVL 1

Expert Comment

by:hassan afzal
ID: 40572939
are the credentials for the old exch server still on the machines?
0
 

Author Comment

by:Vasko Oreely
ID: 40572955
The checkbox is not checked and there is no "old exchange server". This deployment was born as Exchange 2013 only. I tested it by setting up a new VM, joining it to the domain, configuring Outlook using autodiscover, syncing the mailbox, taking the VM out of the network, opening Outlook -> password prompt
0
 
LVL 1

Expert Comment

by:hassan afzal
ID: 40572986
try changing outlook anywhere  authentication to basic and enable allow ssl offloading on the exchange server
Hassan
0
 

Author Comment

by:Vasko Oreely
ID: 40572999
Will try! Could you please explain your thoughts behind your suggestion so that I can understand the changes?
0
 
LVL 15

Expert Comment

by:Ivan
ID: 40573000
Hi,

If I'm not wrong, Outlook 2010 does not support MAPI over HTTP, only 2013 SP1. Are those clients 2013 SP1 or 2010?

PS: There are no Outlook Anywhere settings if Outlook is using MAPI over HTTP??
0
 
LVL 11

Expert Comment

by:hecgomrec
ID: 40573047
Once the account is created successfully Outlook will ask for credentials. These credentials should be input in the "domainname\username" and password format; select to save the credentials and it should not ask for them again.
0
 

Author Comment

by:Vasko Oreely
ID: 40573130
@spriggan: Outlook 2010 supports Mapi over HTTPS since the December 2014 update. Microsoft pulled that update because of complications and republished it in the January 2015 update. So yes Outlook 2010 supports MAPI over HTTPS now

@hecgomrec: The problem is not the format of the entered credentials, it's the credential pop up in the first place that I want to get rid of - preferably not by "cheating" and saving the credentials in the credential manager (this creates problems with password change policies anyway).
Entering the credentials in form of DOMAIN\User works and always has. On a non domain joined machine this may be an acceptable behavior. But on a domain joined machine it is not.

Our network only has up to date Outlook 2010 and 2013 clients that can all handle Negotiate authentication. So the expected behaviour would be:

Internal:
Autodiscover -> server presents auth: Negotiate -> Outlook tries kerberos -> success

External:
Autodiscover -> server presents auth: Negotiate -> Outlook tries kerberos -> fails -> falls back to NTLM with cached domain credentials -> success

Which brings me back to my initial question: can someone confirm my understanding of the "Negotiate/NTLM" authentication in Exchange 2013, and if I'm wrong, educate me on how they are supposed to work or point out alternatives. Basic is a bad alternative to NTLM and Negotiate. I tried setting everything to NTLM but it still prompts for the password once on startup.

Thank you all for your efforts!
0
 

Author Comment

by:Vasko Oreely
ID: 40574010
Hi guys,

I did some more testing:

SSL offloading and Basic auth did not help.
Setting the MAPI virtual directory IISAuthenticationMethods to NTLM made the password prompt go away (woohoo) and Outlook shows "NTLM" in the connection overview. It is interesting that in the MAPI virtual directory you can't set the internal and external authentication methods. You can only set the IISAuthenticationMethods, which sets the internal/external authentication methods to the exact same value(s), thus disabling Negotiate (and therefore Kerberos) for the internal clients, which is not what I want.
Setting the MAPI virtual directory IISAuthenticationMethods to "NTLM,Negotiate" made the password prompt return because Outlook chooses the strongest auth method offered by autodiscover, which is Negotiate. It doesn't matter if I put NTLM first in the "Windows Authentication" provider list in IIS; Outlook still picks "Negotiate". Which would be good if the NTLM part of the Negotiate provider were working as I expect it to work.

The only conclusion that makes sense for me is that the fallback NTLM - that is part of the Negotiate Provider - works differently from the pure NTLM Provider. Can someone back this theory up?
0
 

Author Comment

by:Vasko Oreely
ID: 40574801
Alright guys - I did some more digging because I really want to crack this:

I've set up Wireshark to be able to decrypt SSL traffic between my client and the server. Unfortunately that only works for web browser traffic because Exchange traffic is TLSv1.2 Diffie-Hellman encrypted, which can only be decrypted by knowing the session keys. Browsers have a technology (google for SSLKEYLOGFILE) to log those session keys and Wireshark can use that logfile and its session keys together with the web cert's private key to decrypt the traffic. So it doesn't work for Outlook traffic because there is no way (that I found) to make Outlook log its session keys.

Anyway since the autodiscover virtual directory also is using Negotiate as the primary provider I started logging with wireshark and set firefox "network.negotiate-auth.trusted-uris" setting in about:config to autodiscover.domain.com. After that I browsed https://autodiscover.domain.com/Autodiscover/Autodiscover.xml and wireshark showed the plain HTTP traffic (yay!).

Unfortunately the traffic just confirms what I have been thinking already: Outlook is f*cking sh*t up! Here is the process:

1. Server and Client do their cipher match and key exchange
2. Browser requests: GET /Autodiscover/Autodiscover.xml
3. Server responds: Anonymous request disallowed and sends www-Authenticate: Negotiate and www-Authenticate: NTLM
4. Browser can't reach a KDC and has no Tickets so he falls back to NTLMSSP_NEGOTIATE (the NEGOTIATE part is the proof that it doesn't use the also offered NTLM provider but the NTLM fallback of the Negotiate provider) and he takes the current logged on Username and sends it to the server (NOT displaying a credential prompt)
5. Server responds with NTLM challenge
6. Browser sends challenge response
7. Server sends 200 OK
8. Browser shows XML

I think this should prove that the server config is fine and Outlook is the one to blame here when even a simple browser can do what he is asked and Outlook can not ;)

Man I have way too much fun in this ...
0
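The eight-step exchange above is easier to reason about when the two headers involved are decoded rather than eyeballed in Wireshark. The following Python is an added example, not code from the thread or from Microsoft: it parses a 401 response for the schemes the server offers (the `WWW-Authenticate: Negotiate` and `WWW-Authenticate: NTLM` pair), then classifies the client's `Authorization` header by what the base64 token actually contains. A token beginning with the `NTLMSSP\0` signature is an NTLM message as defined in MS-NLMP (the NTLMSSP_NEGOTIATE message in step 4), while a token beginning with the ASN.1 application tag `0x60` is a GSS-API/SPNEGO InitialContextToken (what Negotiate sends when Kerberos is available). The sample 401 headers and the type 1 message are constructed here; the flag names and offsets come from MS-NLMP.

```python
import base64
import struct

# NEGOTIATE flag bits from MS-NLMP section 2.2.2.5 (a subset that matters here)
NTLM_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL",
    0x00000200: "NEGOTIATE_NTLM",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x02000000: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128",
    0x40000000: "NEGOTIATE_KEY_EXCH",
    0x80000000: "NEGOTIATE_56",
}


def build_ntlm_negotiate(flags):
    """Construct an NTLM NEGOTIATE_MESSAGE (type 1) with empty DomainName
    and Workstation fields (32-byte fixed header, no Version block)."""
    return (b"NTLMSSP\x00" + struct.pack("<I", 1) + struct.pack("<I", flags)
            + struct.pack("<HHI", 0, 0, 32)    # DomainNameFields: len, maxlen, offset
            + struct.pack("<HHI", 0, 0, 32))   # WorkstationFields: len, maxlen, offset


def offered_schemes(response_headers):
    """Return the auth schemes a 401 response offers, in header order."""
    return [value.split(None, 1)[0]
            for name, value in response_headers
            if name.lower() == "www-authenticate"]


def classify_token(authorization_value):
    """Classify one Authorization header: HTTP scheme used, and whether the
    token is raw NTLMSSP, a SPNEGO/GSS-API token, Basic, or unknown."""
    parts = authorization_value.split(None, 1)
    scheme = parts[0]
    if len(parts) < 2:
        return {"scheme": scheme, "token_kind": "none"}
    if scheme.lower() == "basic":
        return {"scheme": scheme, "token_kind": "basic"}
    raw = base64.b64decode(parts[1])
    if raw.startswith(b"NTLMSSP\x00"):
        msg_type = struct.unpack_from("<I", raw, 8)[0]
        info = {"scheme": scheme, "token_kind": "ntlmssp",
                "ntlm_message_type": msg_type}
        if msg_type == 1:  # only the NEGOTIATE message carries flags at offset 12
            flags = struct.unpack_from("<I", raw, 12)[0]
            info["flags"] = [name for bit, name in sorted(NTLM_FLAGS.items())
                             if flags & bit]
        return info
    if raw[:1] == b"\x60":  # [APPLICATION 0] tag of a GSS-API InitialContextToken
        return {"scheme": scheme, "token_kind": "spnego"}
    return {"scheme": scheme, "token_kind": "unknown"}


def describe_exchange(response_headers, authorization_value):
    """Summarise what the server offered and what path the client took."""
    schemes = offered_schemes(response_headers)
    info = classify_token(authorization_value)
    scheme, kind = info["scheme"].lower(), info["token_kind"]
    if scheme not in [s.lower() for s in schemes]:
        return "client used a scheme the server did not offer"
    if scheme == "negotiate" and kind == "ntlmssp":
        return "NTLM fallback inside the Negotiate provider"
    if scheme == "negotiate" and kind == "spnego":
        return "SPNEGO token via Negotiate (Kerberos or wrapped NTLM)"
    if scheme == "ntlm" and kind == "ntlmssp":
        return "raw NTLM provider"
    if kind == "basic":
        return "Basic (credentials only protected by TLS)"
    return "unrecognised exchange"


# Constructed sample: a 401 that offers both providers, as the thread describes
SAMPLE_401 = [
    ("Content-Length", "0"),
    ("WWW-Authenticate", "Negotiate"),
    ("WWW-Authenticate", "NTLM"),
]
# Constructed type 1 message with flags typical of a Windows client
SAMPLE_FLAGS = 0xE0088217
SAMPLE_AUTHZ_FALLBACK = "Negotiate " + base64.b64encode(
    build_ntlm_negotiate(SAMPLE_FLAGS)).decode()
# Constructed minimal SPNEGO header: APPLICATION 0 tag + OID 1.3.6.1.5.5.2 only
SAMPLE_AUTHZ_SPNEGO = "Negotiate " + base64.b64encode(
    b"\x60\x08\x06\x06\x2b\x06\x01\x05\x05\x02").decode()

if __name__ == "__main__":
    print(offered_schemes(SAMPLE_401))
    print(classify_token(SAMPLE_AUTHZ_FALLBACK))
    print(describe_exchange(SAMPLE_401, SAMPLE_AUTHZ_FALLBACK))
    print(describe_exchange(SAMPLE_401, SAMPLE_AUTHZ_SPNEGO))
```

Run against headers copied from a decrypted capture, `describe_exchange` tells you which of the thread's cases you are looking at: an `Authorization: Negotiate` header carrying a bare `NTLMSSP` message is the Negotiate-provider fallback described in step 4, whereas `Authorization: NTLM` with the same payload is the separate NTLM provider. The flag list from the type 1 message is also worth a look on the defending side, since a client that does not set `NEGOTIATE_EXTENDED_SESSIONSECURITY` or `NEGOTIATE_SIGN` is negotiating a weaker NTLM session than the server may expect.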
 

Author Comment

by:Vasko Oreely
ID: 40575050
Just for verification I did the same test for https://mail.domain.com/mapi/nspi/?MailboxId=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx@domain.com and it turns out that when you have only Negotiate enabled in the MAPI virtual directory even the browsers can't fall back to NTLM, so enabling NTLM and Negotiate on the MAPI virtual directory made the process work like it did with autodiscover.
Nevertheless Outlook is still bitching around and prompting for credentials, which the browsers are not.
0
 
LVL 1

Expert Comment

by:hassan afzal
ID: 40575054
maybe try switching to rpc config ?
0
 

Author Comment

by:Vasko Oreely
ID: 40575133
RPC has the same phenomenon ... NTLM works without prompt (non-interactive) and Negotiate always gives the prompt (interactive)
0
 
LVL 1

Expert Comment

by:hassan afzal
ID: 40575451
Ah sorry Vasko, didn't read the part where you said it's working! Been a long day :(
0
 

Author Comment

by:Vasko Oreely
ID: 40575463
Well, the only thing that works is setting everything to NTLM, which is neither what I want nor what Microsoft recommends ... it's still the question whether Outlook has a special behavior when using Negotiate which makes it prompt for passwords instead of using Windows session credentials. Maybe there is a registry setting or GPO or something that I missed.

I hoped that someone here could either confirm this as a bug or as working as intended with the corresponding sources.
0
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 500 total points
ID: 40602654
This has been a problem since Exchange 2003 and the first version of RPC over HTTPS.
The only cause I have found is the firewall. Nothing to do with Exchange, as I have it working elsewhere exactly as designed. Switching the firewall for another one as a test, the problem went away.

Basic authentication always works, because that is in effect plain text (even over SSL). The others have different kinds of encryption which firewalls seem to break.

If it works correctly internally, then that points the finger at the firewall.

Simon.
0
 

Author Comment

by:Vasko Oreely
ID: 40602657
Hi Simon,

that sounds promising. Do you have resources on this? Are we talking about the corporate firewall or the clients windows firewall?

Thanks and regards,
Vasko
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 40602671
Not the Windows firewall. The physical firewall/router you have on your network. I haven't turned off the Windows firewall on any system I have managed since Windows 2008 was released.

I have nothing to share other than my experience with numerous clients. The more sophisticated the firewall (so something that does more than just port blocking) the bigger the problem is.

Simon.
0
 

Author Comment

by:Vasko Oreely
ID: 40602675
Well this leaves room for a lot of testing but anyway thanks for sharing your experience.
0
