3

Environment:

Windows 2008R2 and 2003 DCs Exchange 2007 two servers, one client access/hub server, one mailbox server. Outlook Anywhere is configured. Windows Vista, Windows 7 Clients, Mix of Outlook 2007/2010.

Here's what's happening:

On the LAN: Clients occasionally get prompted for password, never fails to authenticate.

From the Outside: Clients almost always get prompted for password, it will either work, or prompt for password over and over and over.

I see three places for me to make adjustments here:

  1. The client and choose NTLM or Basic authentication, since this is over HTTPS, I have no preference.

  2. The directories in IIS on the OWA server have authentication properties you can set, I've ticked a few of these on and off to no avail (basic, windows integrated, etc).

  3. From Exchange Management Console, you can choose basic or NTLM.

I imagine these all need to align, but what's the RIGHT way to set this up? I've tried to find some authoritative Microsoft articles, but I'm banging my head on the table here.

Kyle Brandt
  • 82,107
  • 71
  • 302
  • 444
SpacemanSpiff
  • 8,733
  • 1
  • 23
  • 35

1 Answers1

1

I'm hoping this is the solution. For some reason my google-fu never found this. I had to read through every document on technet to get here:

When Exchange 2007 is run under Windows Server 2008, clients who use Exchange 2007 may be repeatedly prompted for their credentials during Outlook Anywhere sessions. This issue occurs when NTLM Authentication is selected as the authentication method in the Exchange Proxy Settings dialog box for the Outlook profile on the client computer. This issue does not occur if Basic Authentication is selected as the authentication method in the Exchange Proxy Settings dialog box. By default, Kernel Mode Authentication is enabled in Internet Information Services (IIS) 7.0 on Client Access servers that are running Windows Server 2008 with versions of Exchange 2007 that are earlier than Exchange Server 2007 Update Rollup 8. This issue does not occur with the following versions of Exchange 2007:

Exchange Server 2007 Service Pack 1 (SP1) with Update Rollup 8 Exchange Server 2007 Service Pack 2 (SP2) To resolve this issue, disable Kernel Mode Authentication for Client Access servers that are running Windows Server 2008.

To disable Kernel Mode Authentication for Client Access servers that are running Windows Server 2008 At a command prompt, type the following command, and then press ENTER:

%systemroot%\system32\inetsrv\AppCmd.exe set config /section:system.webServer/security/authentication/windowsAuthentication /useKernelMode:false

SpacemanSpiff
  • 8,733
  • 1
  • 23
  • 35
  • wow, many thakns for returning back to us here, however "This issue does not occur if Basic Authentication is selected as the authentication method in the Exchange Proxy Settings dialog box' --> is that OK since we are using TMG 2010 ? – Senior Systems Engineer Feb 24 '11 at 03:44
  • No idea... still on 2007 here. I have observed also that the issue seems persistent when both when both exchange and the user are behind NAT's to the similarly addressed private networks. Example: I'm at home using 192.168.1.0/24 behind my router, and so is my office behind theirs. I haven't had time to figure this one out :) – SpacemanSpiff Feb 24 '11 at 04:06
  • ahh. ok, I'll post something else then. thanks forgetting back to me. – Senior Systems Engineer Feb 25 '11 at 06:19