NTLM AND Basic Authentication for Outlook Anywhere (both)

    Question

  • In Exchange 2007 SP1, allowing both NTLM and Basic authentication on the /rpc virtual directory was deemed a security vulnerability.

    In Exchange 2010 you are given radio buttons to select NTLM OR Basic authentication, but not both.  Listed here are the pros and cons of NTLM and Basic.

    At first glance one might think you can just go into IIS and set whatever you want.  While this is true, IIS will read the Exchange data from AD every 15 minutes and reconfigure itself.  This means a manual IIS setting will not stick.  The configuration must be made “in Exchange”.

    I was looking around and found this unofficial article:

    http://cid-a19e3265de255fbb.spaces.live.com/blog/cns!A19E3265DE255FBB!2221.entry

    UPDATE - THE 2ND COMMAND IN THIS LINK DOES NOT WORK.  SEE "ANSWER" HERE FOR EXPLANATION.

    &

    http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/3e4bb79d-b31b-423a-b49d-628dd66db6a3

    It looks like, while the GUI only allows for one selection, you can use a comma to specify both NTLM and Basic authentication via this command:

    get-outlookanywhere | set-outlookanywhere -IISauthentication basic,Ntlm

    When you look at the official TechNet article on get-outlookanywhere, you are not told commas are supported; however, after running the command, you can verify it accepted both values (get-outlookanywhere).

    I have the following questions:

    1.       Is this “supported”?

    2.       If both values are supplied (both above commands run), what authentication method does autodiscover populate the clients with?

    3.       How is this “supposed” to be done?  I don’t want my users typing credentials each time they connect (Basic Auth), and Outlook 2003/7 requires extra client-side work to get it to remember passwords.  But NTLM authentication re-prompts the login box over and over from some off-campus locations.



    Mike Crowley
    Check out My Blog!

    Monday, 17 May 2010 15:13
    Moderator

All replies

  • Hi Mike,

    That is not supported for the Client Authentication even though you can run the command in EMS. You can set both in IIS, for the IIS Auth Method, but you can’t set both for the Client Auth Method.

    Thanks

    Allen

    Monday, 24 May 2010 02:40
    Moderator
  • Only one set-outlookanywhere -Clientauthentication method is supported. If you select both basic and NTLM, Exchange will use NTLM and NTLM only. Not sure why the parameter allows for multiple values, but only one will work.


    Casper Pieterse, Principle Consultant - UC, Dimension Data South Africa, Microsoft Certified Master: Exchange 2007
    Monday, 24 May 2010 04:09
  • Where are you getting your facts from?

    As you'll see here, http://blogs.appriver.com/blog/is-it-monday-yet/0/0/auto-login-outlook-when-using-apprivers-hosted-exchange-2007  not only does this setting work, it is recommended by some Exchange hosting providers.



    Mike Crowley
    Check out My Blog!

    Monday, 24 May 2010 12:23
    Moderator
  • Allen, thanks for your comment.  Why do you say it is not supported?  Are you just interpreting the documentation, or do you have some additional knowledge on this subject?  If the former, I'd disagree.  I do not believe this is how the documentation reads.  For example:

    "Although not recommended, you can also choose to allow both Basic and Integrated Windows authentication."

    ref: http://technet.microsoft.com/en-us/library/aa997703(EXCHG.80).aspx

    This is referring to Exchange 2007 SP1, but unless you can show otherwise, I'd have to assume the phrase applies to 2010 as well.  And that comment means it IS supported.

    Finally, I am less looking for a YES or NO answer, but an explanation.

    ------

    Also, see this text:

    "This parameter must be specified if you don't use the DefaultAuthenticationMethod parameter. When you use this parameter without specifying the IISAuthenticationMethods parameter, IISAuthenticationMethods parameter is set to both NTLM and Basic."

    ref: http://technet.microsoft.com/en-us/library/bb124993.aspx


    Mike Crowley
    Check out My Blog!

    Monday, 24 May 2010 12:26
    Moderator
  • You need to differentiate between IIS and ClientAuth methods. Exchange only supports one method, although you can set two in IIS. (Thus the radio button and not checkboxes when enabling OA)

    Although IISAuthenticationMethod supports multiple values, multiple values are not supported for clientAuthentication. If you set Basic+NTLM, it will be set to NTLM. Autodiscover will return EXPR values with NTLM as the authentication method. Trying to log in using OA with a client set to Basic might however work, as the login allowed is dictated by the IISAuthentication method. However, Outlook 2007+ will probably override the Basic setting and change it to NTLM as returned through Autodiscover.


    Casper Pieterse, Principle Consultant - UC, Dimension Data South Africa, Microsoft Certified Master: Exchange 2007

    Tuesday, 25 May 2010 05:41
  • Casper your comments clear this up for me.  I was mistakenly thinking both switches accepted the dual-input. 

    Only “get-outlookanywhere | set-outlookanywhere -IISauthentication basic,Ntlm” actually sets both values.

    “get-outlookanywhere | set-outlookanywhere -Clientauthentication basic,Ntlm” does not return an error but does not set both values.

    And you’re also right about Autodiscover.  Per this article, it reads from Clientauthentication not IISauthentication.

    I suppose the user could set to basic and disallow Autodiscover to reconfigure their profile, but since users click “yes” to just about everything it seems like such a choice would be asking for trouble.

    This is clearer now, however it still leaves me wondering what the “right” answer is.

    NTLM offers more capabilities but looks like it might not work because “some” firewalls prevent it.  Whereas Basic has significant shortcomings especially for users joined to AD already leveraging the single sign on experience.



    Mike Crowley
    Check out My Blog!

    Tuesday, 25 May 2010 18:03
    Moderator
  • Hi Mike,

    As I stated, the IIS Auth method can support multiple values, but the ClientAuthentication only supports one value at the same time, even though you can set more than one authentication method in the command for the Client Authentication (Set-OutlookAnywhere -ClientAuthentication Basic, NTLM).

    I got this answer from our senior program manager when sending this question to our internal discussion group. To help you understand this issue more closely, I post the reply:

    (You can set both in IIS, for the IIS Auth Method, but you can’t set both for the Client Auth Method. Look closer at the output after you run that command. They are different. One tells IIS what auth to enable, the other tells AutoDiscover what auth to tell the client to use.)

    Thanks

    Allen

    Wednesday, 26 May 2010 00:40
    Moderator
  • Yep, you're 100% correct.  That blog I linked to suggested both commands took dual input.  I tested with one and assumed for the other.  Thank you for your help.

    I do still wonder what the "best" configuration is.  Both options seem to have significant drawbacks.  Especially migrating from a 2003 environment where both were possible.



    Mike Crowley
    Check out My Blog!

    Wednesday, 26 May 2010 03:03
    Moderator
  • Since Autodiscover will screw up your config if you have both enabled, I would say use either NTLM or Basic, but not both. NTLM is the better option, but it is obviously more complex to configure. Whichever one you choose, just make sure the IISAuthentication and ClientAuthentication settings are the same, or use the DefaultAuthenticationMethod parameter instead.


    Casper Pieterse, Principle Consultant - UC, Dimension Data South Africa, Microsoft Certified Master: Exchange 2007
    Wednesday, 26 May 2010 03:57
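One way to audit the alignment Casper recommends across every CAS, as an added example that is not part of this thread or of any Exchange tooling. It assumes an Exchange Management Shell session (only Get-OutlookAnywhere is called); the function name Test-OutlookAnywhereAuth and the result wording are my own.

```powershell
# Added example, not from the thread: flag Outlook Anywhere directories where what IIS
# accepts (IISAuthenticationMethods, multi-valued) and what Autodiscover tells Outlook
# to use (ClientAuthenticationMethod, single-valued) disagree. Function name is hypothetical.
function Test-OutlookAnywhereAuth {
    param(
        [Parameter(ValueFromPipeline = $true)]
        $VDir   # one object as returned by Get-OutlookAnywhere
    )
    process {
        $iis    = @($VDir.IISAuthenticationMethods | ForEach-Object { "$_".ToLower() })
        $client = "$($VDir.ClientAuthenticationMethod)".ToLower()

        $problems = @()
        # "Negotiate Ex" (enum value NegoEx) is reserved; the thread's TechNet quote says it makes auth fail.
        if (@('negoex', 'negotiateex') -contains $client) {
            $problems += 'ClientAuthenticationMethod is Negotiate Ex, which is reserved and will break logon'
        }
        if ($iis -notcontains $client) {
            $problems += "Autodiscover hands clients '$client' but IIS does not accept it"
        }
        if ($iis.Count -gt 1) {
            # The "set both" case from the thread: IIS accepts more than Autodiscover advertises,
            # so a profile manually set to Basic is flipped back to $client on the next Autodiscover run.
            $problems += "IIS accepts {$($iis -join ',')} but clients are only told '$client'"
        }

        if ($problems.Count -eq 0) { $result = 'OK: IIS and client settings aligned' }
        else                       { $result = $problems -join '; ' }

        New-Object PSObject -Property @{
            Identity   = $VDir.Identity
            IISMethods = ($iis -join ',')
            Client     = $client
            Result     = $result
        }
    }
}

# Audit the whole org; remediate a mismatch with one method on both sides, e.g.
# Set-OutlookAnywhere -DefaultAuthenticationMethod Ntlm, as Casper advises above.
Get-OutlookAnywhere | Test-OutlookAnywhereAuth | Format-Table Identity, IISMethods, Client, Result -AutoSize
```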
  • I am indeed leaning toward NTLM, but per one of the above links "NTLM may not work with firewalls that examine and modify traffic".  Is this referring to the users' firewalls, or just my customer's?

    Mike Crowley
    Check out My Blog!

    Wednesday, 26 May 2010 14:40
    Moderator
  • The only case I can think of where it is true is in a reverse proxy environment where pre-authentication takes place, i.e. TMG/ISA. Normally it takes a bit more configuration as you need to set up Kerberos Constrained Delegation to make it work, but even that isn't too hard.

    In non reverse proxy configurations, I have never seen any issues with Cisco ASAs etc. where this becomes an issue.


    Casper Pieterse, Principle Consultant - UC, Dimension Data South Africa, Microsoft Certified Master: Exchange 2007
    Thursday, 27 May 2010 07:08
  • Look!! You can set it to "Negotiate" in SP1!!!!! 

    Set-OutlookAnywhere -IISAuthenticationMethods 'MaxValidValue' -ClientAuthenticationMethod 'MaxValidValue' -Identity 'EXCHANGE-A\Rpc (Default Web Site)'



    Mike Crowley
    Check out My Blog!

    Monday, 7 June 2010 18:10
    Moderator
  • Could you clarify here ? is this setting available in exchange 2010 ? or are you saying I should be able to choose negotiate in exchange 2007 SP1 and later ? I don't have this setting. Also is it any better, or if you tell me exchange 2007 can't do both, will it work if I create one exchange front end to do ntlm, and the other to do basic ? I have a load balanced pair of cas servers set to basic now, and am thinking about trying to add another stand alone cas server set to ntlm ? (that was my current thinking before finding this article.  ?)
    Friday, 9 July 2010 16:25
  • This is a screenshot from Exchange 2010 SP1 Beta, but the PS command works in RTM.

    Mike Crowley
    Check out My Blog!

    Friday, 9 July 2010 21:07
    Moderator
  • Set-OutlookAnywhere -IISAuthenticationMethods 'Basic,NTLM' -ClientAuthenticationMethod 'Basic,NTLM' -Identity 'Server01\Rpc (Default Web Site)'

    change server01 with the CAS

    Notice only windows authentication will be set to enabled on IIS

    but both are working.

    Monday, 25 October 2010 19:58
  • One instructs the client (autodiscover) and the other configures the server.

    Mike Crowley
    Check out My Blog!

    Tuesday, 26 October 2010 04:47
    Moderator
  • I think it's worth noting here that according to http://technet.microsoft.com/en-us/library/bb124503.aspx Negotiate Ex authentication should not be used.

    "Negotiate Ex authentication   Do not click this button. Negotiate Ex authentication is an authentication type reserved for future Microsoft use and shouldn't be used. Use of this setting will cause authentication to fail."

    Wednesday, 6 April 2011 17:55
  • Interesting.  This explains why I never got that working.  I'll ask why there is a "do not click" button in the UI...

    Mike Crowley | MVP
    My Blog -- Planet Technologies

    Saturday, 30 April 2011 01:24
    Moderator
  • Let me ask this then: Why is it that I have an Exchange 2010 SP1 environment, both my IISAuthentication and my ClientAuthentication are set to NTLM, but it seems that I am constantly having to reconfigure my Exchange Proxy Settings in Outlook 2010 (and 2007) back to NTLM auth???

    ClientAuthenticationMethod      : Ntlm

    IISAuthenticationMethods        : {Ntlm}

    Thanks!

    Wednesday, 14 September 2011 01:55
  • MrBFette,

    Did you ever get this figured out?

    We are having problems with our TMG and Exchange 2010 (coexistence with 2007 right now) where if we set all to NTLM on both Exchange and TMG, it fails saying only Basic is allowed. Basic on both sides works fine, but we want NTLM of course.

    Wednesday, 4 April 2012 06:51