Set-ActiveSyncVirtualDirectory missing WindowsAuthEnabled parameter

    Question

  • Hello,

    Why is the Set-ActiveSyncVirtualDirectory cmdlet in Exchange 2010 missing the WindowsAuthEnabled parameter? It was present in the Exchange 2007 command set, but disappeared. The Get- version of the cmdlet (Get-ActiveSyncVirtualDirectory) actually displays this property, but it cannot be handled by the Set- cmdlet, while BasicAuthEnabled is still available. I wanted to enable WindowsAuth and disable BasicAuth, so I just did it by using the BasicAuthEnabled $false, but to enable the Windows Integrated, I must have gone into the IIS to enable it. After enabling the WindowsAuth in IIS console, the Get- cmdlet correctly displays the setting well.

    So what is the reason the WindowsAuthEnabled disappeared? Is it supported to have Windows Internal Authentication enabled on Microsoft-Server-ActiveSync virtual directory? Is it supported to configure this manually by using the IIS console or do I need to consider anything else when doing so?

    thank you very much

    ondrej.

     

    Friday, December 10, 2010 9:28 AM

Answers

  • This parameter has gone in Exchange 2010 SP1. There’s no official explanation for this change.

    It is being investigated to see if the parameter can be brought back in a future update patch.


    Monday, December 13, 2010 5:02 AM

All replies

  • Hi

    Is there a hotfix for this yet, or do you know of any workaround? We've published ActiveSync with a TMG server using Kerberos Constrained Delegation as Authentication Delegation, but after the Exchange SP1 upgrade it doesn't work anymore. As mentioned, it seems to be since the WindowsAuthEnabled parameter has been removed. Is there a reason why this feature was removed, and when can we expect it back?

    Mattias

    Tuesday, March 08, 2011 2:21 PM
  • Hello, in my case manually changing the authentication settings on the IIS virtual folder worked well. The problem with the updates is that they sometimes reset the settings to what was originally configured with the cmdlet.

    ondrej.

    Tuesday, March 08, 2011 2:32 PM
  • Hi,

    I've tried to enable Windows Authentication on the IIS virtual directory for Microsoft-Server-ActiveSync, and when testing the publish rule in the TMG it reports that everything is fine. I'm also able to browse to https://server.domain.com/Microsoft-Server-ActiveSync, log in with my credentials and get the expected 501 Not Implemented. However, when I set up ActiveSync on my smartphone, the authentication is successful and I get to select what to synchronize, but then it fails. When changing to Basic it works, however that is not possible in this scenario. It used to work before the SP1 upgrade. When running Get-ActiveSyncVirtualDirectory | fl it says that WindowsAuthEnabled is True, but when running

    Set-ActiveSyncVirtualDirectory -Identity "EAS (Default Web Site)" -WindowsAuthEnabled:$true

    it still tells me that the parameter cannot be found.

    Were you ever able to use ActiveSync with Kerberos Constrained Delegation?

    Mattias

    Tuesday, March 08, 2011 3:12 PM
  • Yes, no problem with the Kerberos Protocol Transition (this is your case, you are not doing just the Constrained Delegation, you are switching auth. methods over, just a terminology note, don't bother :-)). Go into the IIS and check whether the Windows Integrated auth has the Negotiate provider enabled. If there is only the NTLM provider, add the Negotiate as well.

    ondrej.

    Tuesday, March 08, 2011 3:15 PM
  • ... and add it as the first one.

    Also check whether Get-ActiveSyncVirtualDirectory displays the correct URLs for both internal and external access.

    ondrej.

    Tuesday, March 08, 2011 3:16 PM
  • Hi

    I need to use Kerberos Constrained Delegation. The publish in the TMG is set to use Kerberos Constrained Delegation, not Negotiate Kerberos/NTLM.
    Both Negotiate and NTLM are in the providers tab for the WindowsAuthentication and Negotiate is the first one. I still get the same results when trying from a smartphone.

    Mattias

    Tuesday, March 08, 2011 3:37 PM
  • Hi,

    I finally got it to work. What seemed to do the trick was adding the Kerberos:negotiate provider. Perhaps I misunderstood you before; there are 3 providers to choose from: Negotiate, NTLM and Negotiate:Kerberos. Adding the last one did the trick for me. Thanks a lot for the help.

    Mattias

    Tuesday, March 08, 2011 5:06 PM
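
Because the thread reports that updates can reset authentication settings changed by hand in IIS, a read-only audit of the virtual directory is useful after each update. The following is an added example, not code from any poster or from Microsoft; the function name `Test-EasAuthState` is hypothetical, the site name is assumed to be "Default Web Site", and the target state (Basic off, Windows on, Negotiate first, Negotiate:Kerberos listed) is the one the posters describe.

```powershell
# Added example: read-only check of the IIS authentication state discussed in this thread.
# Assumptions: run elevated on the Client Access server with the WebAdministration module
# available; site name and function name are illustrative, not taken from Exchange.
Import-Module WebAdministration

function Test-EasAuthState {
    param(
        [string]$Site = 'Default Web Site',
        [string]$VDir = 'Microsoft-Server-ActiveSync'
    )
    $location = "$Site/$VDir"
    $root     = 'system.webServer/security/authentication'

    # Read one property from the location-scoped section in applicationHost.config
    $get = {
        param($section, $name)
        Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $location `
            -Filter "$root/$section" -Name $name
    }

    $basic   = (& $get 'basicAuthentication'   'enabled').Value
    $windows = (& $get 'windowsAuthentication' 'enabled').Value
    # Providers are an ordered collection; the thread's fix depended on both the
    # order (Negotiate first) and on Negotiate:Kerberos being present.
    $providers = @((& $get 'windowsAuthentication/providers' '.').Collection |
                   ForEach-Object { $_.Value })

    $findings = @()
    if ($basic)        { $findings += 'Basic authentication is enabled' }
    if (-not $windows) { $findings += 'Windows authentication is disabled' }
    if ($providers.Count -eq 0 -or $providers[0] -notlike 'Negotiate*') {
        $findings += 'Negotiate is not the first provider'
    }
    if ($providers -notcontains 'Negotiate:Kerberos') {
        $findings += 'Negotiate:Kerberos provider is not listed'
    }

    New-Object PSObject -Property @{
        Location    = $location
        BasicAuth   = $basic
        WindowsAuth = $windows
        Providers   = ($providers -join ', ')
        Compliant   = ($findings.Count -eq 0)
        Findings    = ($findings -join '; ')
    }
}

Test-EasAuthState | Format-List
```

The function changes nothing; a non-empty `Findings` value after an update indicates the manual IIS settings were reverted and need to be reapplied.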