Wednesday 02 May 2012 13:58
I've had this problem for a while and found some "solutions" to it; I even have a thread about it. Our customers get prompted for a password every time they start their Outlook. I found out that one reason could be that in a CAS Array setup, the hostname that everyone is using is "mail.hosted.com" and the hostnames of the servers in the array are "cas1.hosted.com, cas2.hosted.com", so when Outlook sees that it doesn't have the hostname specified it breaks the trust and asks for a password.
However I recently read that "Basic Authentication" will ask the user for password every time it connects because it's not encrypted, thus not secure.
And in /hosting the only option is to use Basic Authentication. The users aren't joined to the /hosting domain so they can't use NTLM and there aren't any other options to choose from.
So how do we get a secure connection from Outlook to the /hosting servers? Are there any other configurations that I've missed completely?
How does everyone else with /hosting manage this? Do you tell your customers that for security reasons the password prompt will pop up every time they start Outlook? Do you tell them they have to add "*.hosted.com" to their "Windows logon credentials"?
Is it not possible to get an encrypted session with /hosting?
Monday 14 May 2012 12:40
The connection between Outlook and the CAS server (or SSL terminator) is secure with SSL. The traffic that passes through the SSL connection is un-encrypted.
A CAS array object performs no load balancing. It's an Active Directory object used to automate some functions within Exchange and that's all.
The primary reason, and perhaps the only reason, a CAS array object exists is to automatically populate the RpcClientAccessServer attribute of any new Exchange 2010 mailbox database created in the same Active Directory site (as the CAS array object).
The RpcClientAccessServer attribute is used to tell Outlook clients during the profile creation process what server name should be in the profile.
Patrick de Rover
Monday 14 May 2012 16:36
So a couple of corrections:
You can do NTLM despite not being a member of the domain. NTLM only differs from Basic in that the creds themselves are not passed over the wire; it's a challenge/response. But however it works, non-domain members can do NTLM, though they are as likely to get credential pop-ups as those using Basic if they are not members of the domain.
The RPC traffic inside the HTTPS tunnel IS encrypted by default.
Question for you - is the certificate principal name (the value that ends up on the client in the msstd: OA settings box) the actual subject name of your certificate? Did you do any monkeying around with certificates in that way?
And another question: is the name configured for the RPC Client Access Array the same as the Outlook Anywhere hostname? Clients should not be able to resolve the RPC CA name, only the Outlook Anywhere hostname. Check that.
If neither help, the only solution you really have is Outlook 2010 - which does a much better job at saving credentials, and to use the Windows cred store.
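The checks the two replies ask for (does the CAS array object actually populate RpcClientAccessServer on every database, does the Outlook Anywhere hostname match the certificate and the msstd: principal name, and is the internal array name resolvable from outside) can be run read-only from the Exchange 2010 Management Shell. This is an added example, not code from the thread or from Microsoft; it assumes an Exchange 2010 organisation, and "mail.hosted.com" and the resolver address are placeholders to replace with your own values.

```powershell
# Added example (not from the thread). Read-only checks from the Exchange 2010
# Management Shell. All hostnames and the resolver address are placeholders.

$OutlookAnywhereHost = "mail.hosted.com"   # assumed public Outlook Anywhere name
$ExternalResolver    = "8.8.8.8"           # any resolver that sees only public DNS

function Get-CasArrayMismatch {
    # Every Exchange 2010 mailbox database carries an RpcClientAccessServer attribute
    # that the CAS array object pre-populates at creation time. A database created
    # before the array existed, or in another AD site, still names a single CAS, so
    # profiles built against it get cas1/cas2 instead of the array name.
    $arrayFqdns = @(Get-ClientAccessArray | ForEach-Object { $_.Fqdn.ToLower() })
    Get-MailboxDatabase | ForEach-Object {
        $rpc = $_.RpcClientAccessServer.ToString().ToLower()
        New-Object PSObject -Property @{
            Database              = $_.Name
            RpcClientAccessServer = $rpc
            PointsAtArray         = ($arrayFqdns -contains $rpc)
        }
    }
}

function Get-OutlookAnywhereCertCheck {
    # The certificate bound to IIS must list the public Outlook Anywhere hostname,
    # and the EXPR provider's CertPrincipalName (what Outlook stores as msstd:...)
    # must agree with it; otherwise Outlook treats the session as untrusted.
    $oa        = Get-OutlookAnywhere | Select-Object -First 1
    $principal = (Get-OutlookProvider EXPR).CertPrincipalName
    $cert      = Get-ExchangeCertificate |
                 Where-Object { $_.Services.ToString() -match "IIS" } |
                 Select-Object -First 1
    $names     = @($cert.CertificateDomains | ForEach-Object { $_.ToLower() })
    $external  = $oa.ExternalHostname.ToString().ToLower()
    New-Object PSObject -Property @{
        ExternalHostname         = $external
        ClientAuthentication     = $oa.ClientAuthenticationMethod
        CertPrincipalName        = $principal
        CertificateSubject       = $cert.Subject
        HostnameOnCertificate    = ($names -contains $external)
        PrincipalMatchesHostname = ([string]::IsNullOrEmpty($principal) -or
                                    $principal.ToLower() -eq "msstd:$external")
    }
}

function Test-ExternalResolution($Name, $Resolver) {
    # nslookup prints a line beginning with *** when the name does not exist
    # at the queried resolver; anything else means it resolved.
    $out = & nslookup $Name $Resolver 2>&1 | Out-String
    return ($out -notmatch '\*\*\*')
}

Get-CasArrayMismatch | Format-Table Database, RpcClientAccessServer, PointsAtArray -AutoSize
Get-OutlookAnywhereCertCheck | Format-List

# The internal RPC CA array name should NOT resolve from the public internet;
# only the Outlook Anywhere hostname should.
foreach ($fqdn in (Get-ClientAccessArray | ForEach-Object { $_.Fqdn })) {
    "{0} resolvable externally: {1}" -f $fqdn, (Test-ExternalResolution $fqdn $ExternalResolver)
}
"{0} resolvable externally: {1}" -f $OutlookAnywhereHost,
    (Test-ExternalResolution $OutlookAnywhereHost $ExternalResolver)
```

A database showing PointsAtArray = False, a hostname missing from CertificateDomains, or an internal array FQDN that resolves from the outside are each enough on their own to produce the re-prompt the original post describes. The nslookup step only tells you what the public resolver returns from where the script runs; a split-brain internal DNS will answer differently, so repeat that one query from a non-domain workstation if the result looks wrong.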