Marc Kean

February 6, 2009

Exchange 2007 SP1 Outlook Anywhere NTLM authentication for domain based and workgroup based computers

Filed under: Computers and Internet,Uncategorized — marckean @ 3:14 pm

At the University in Sydney they have Exchange Server 2007 installed on Windows Server 2003 servers. They needed a solution for people to use Outlook Anywhere from laptops joined to the domain with logged-on domain user accounts, and also from laptops that weren't on the domain, using local user accounts. However, they didn't want the password dialog box popping up all the time, primarily for the domain-based users; for users on local accounts it was OK for the password dialog box to pop up when logging into Outlook.

At first, when I tried to switch the Outlook Anywhere publishing rule in ISA 2006 and the CAS Outlook Anywhere setting to NTLM, users logged on with local computer accounts couldn't log into Outlook: the credentials dialog box kept popping up. For users logged on with a domain-based account the credentials passed through perfectly with NTLM, and no credentials dialog box popped up.

Back end

First I had to edit the Outlook Anywhere publishing rule in ISA 2006, changing it to NTLM authentication.

[Screenshot: ISA 2006 Outlook Anywhere publishing rule set to NTLM authentication]

Then I had to change the Outlook Anywhere setting of the two Exchange Client Access servers to NTLM.

[Screenshot: Outlook Anywhere setting on the Exchange Client Access servers set to NTLM]

 

Client side

The way we fixed it was quite simple: we made sure the two "connect using HTTP first" options were unchecked on the client side. So in essence the clients will connect using TCP/IP.

[Screenshot: Outlook Exchange Proxy Settings with both "connect using HTTP first" options unchecked]

 

Windows Server 2008

If your CAS runs Windows Server 2008 you will need to install the RPC over HTTP IIS components if they don't already exist. Type this into the command prompt on your Exchange 2007 CAS server:

ServerManagerCmd -i RPC-over-HTTP-proxy

You will then need to enable Outlook Anywhere using the Exchange Management Console.

[Screenshot: Enable Outlook Anywhere in the Exchange Management Console]

Then you will need to check the IISAuthenticationMethods value by running get-outlookanywhere | fl in the Exchange Management Shell.

[Screenshot: get-outlookanywhere | fl output showing IISAuthenticationMethods]

If it shows only NTLM rather than "Basic, NTLM", run these commands in the Exchange Management Shell:

# IISAuthenticationMethods is multivalued: offer both Basic (for the non-domain laptops) and NTLM (for domain-joined ones)
get-outlookanywhere | set-outlookanywhere -IISAuthenticationMethods Basic,Ntlm
# ClientAuthenticationMethod takes a single value; the post's intent is NTLM for the Outlook clients
get-outlookanywhere | set-outlookanywhere -ClientAuthenticationMethod Ntlm

 

When an Outlook client using Outlook Anywhere tries to connect to Exchange 2007 running on Windows Server 2008, the client receives repeated prompts to enter their credentials and can’t connect.

This is because Internet Information Services (IIS) 7.0, the Web server role in Windows Server 2008, has kernel mode authentication enabled by default for Integrated Windows authentication. Disable it and restart the site:

%systemroot%\system32\inetsrv\AppCmd.exe set config /section:system.webServer/security/authentication/windowsAuthentication /useKernelMode:false

appcmd.exe Stop Site "Default Web Site"

appcmd.exe Start Site "Default Web Site"

 

When Exchange 2007 is run under Windows Server 2008, clients who use Exchange 2007 may be repeatedly prompted for their credentials during Outlook Anywhere sessions. This issue occurs when NTLM Authentication is selected as the authentication method in the Exchange Proxy Settings dialog box for the Outlook profile on the client computer. This issue does not occur if Basic Authentication is selected as the authentication method in the Exchange Proxy Settings dialog box. By default, Kernel Mode Authentication is enabled in Internet Information Services (IIS) 7.0 on the Client Access server. To resolve this issue, disable Kernel Mode Authentication for Client Access servers that are running Windows Server 2008.
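As an added check that is not part of the original post: this PowerShell script, run in the Exchange Management Shell on the CAS, reports whether the settings the steps above change are actually in place (Outlook Anywhere enabled, Basic and NTLM offered by IIS, NTLM as the client method, and kernel mode authentication off). It assumes appcmd.exe lives in its default inetsrv folder; it changes nothing.

```powershell
# Added verification script (not from the original post). Assumes the Exchange
# Management Shell on the CAS and appcmd.exe in %SystemRoot%\system32\inetsrv.
$ErrorActionPreference = 'Stop'
$problems = @()

# 1. Outlook Anywhere must be enabled on this CAS with the expected methods.
$oa = Get-OutlookAnywhere | Where-Object { "$($_.Server)" -eq $env:COMPUTERNAME }
if (-not $oa) {
    $problems += "Outlook Anywhere is not enabled on $env:COMPUTERNAME"
} else {
    $iis = @($oa.IISAuthenticationMethods | ForEach-Object { "$_" })
    if ($iis -notcontains 'Ntlm') {
        $problems += "IISAuthenticationMethods lacks Ntlm (domain laptops will be prompted): $($iis -join ',')"
    }
    if ($iis -notcontains 'Basic') {
        $problems += "IISAuthenticationMethods lacks Basic (non-domain laptops cannot log in): $($iis -join ',')"
    }
    if ("$($oa.ClientAuthenticationMethod)" -ne 'Ntlm') {
        $problems += "ClientAuthenticationMethod is '$($oa.ClientAuthenticationMethod)', expected Ntlm"
    }
}

# 2. On IIS 7.0 kernel mode Windows authentication must be off for the site
#    hosting /rpc, otherwise NTLM clients are prompted repeatedly.
$appcmd = Join-Path $env:SystemRoot 'system32\inetsrv\appcmd.exe'
if (Test-Path $appcmd) {
    $cfg = & $appcmd list config 'Default Web Site' `
        /section:system.webServer/security/authentication/windowsAuthentication
    $text = ($cfg | Out-String)
    # The attribute is omitted when it still holds the IIS 7.0 default (true).
    $kernelMode = 'true'
    if ($text -match 'useKernelMode="(true|false)"') { $kernelMode = $matches[1] }
    if ($kernelMode -ne 'false') {
        $problems += "useKernelMode is $kernelMode on Default Web Site; set it to false and restart the site"
    }
    if ($text -notmatch 'enabled="true"') {
        $problems += "Windows authentication is not enabled on Default Web Site"
    }
} else {
    $problems += "appcmd.exe not found; skipping the IIS 7.0 kernel mode check"
}

if ($problems.Count -eq 0) {
    Write-Host 'Outlook Anywhere NTLM configuration looks correct.'
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```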

3 Comments »

  1. Sorry to see your post has been spammed. Please see this thread regarding this topic. Your Clientauthentication switch does not have the result you think. http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/21867578-e623-4756-b483-dfb31162a665

    Comment by Mike — May 26, 2010 @ 4:29 am | Reply

  2. [...] bell. Perhaps something to do with NTLM authentication and outlook anywhere. This should fix it: Exchange 2007 SP1 Outlook Anywhere NTLM authentication for domain based and workgroup based computer… Reply With [...]

    Pingback by Exchange 2010 Login Prompt — January 10, 2012 @ 1:19 am | Reply

  3. Hello,
    does your howto work for Exchange 2010 too?! We want to use NTLM for our notebook clients.

    Comment by Daniel — October 15, 2012 @ 7:47 am | Reply
