locked
Outlook Anywhere - Enable both NTLM and Basic Authentication RRS feed

  • Question

  • Any one know if this is possible:

    Set-OutlookAnywhere -Identity:'servername\Rpc (Default Web Site)' -ClientAuthenticationMethod:basic,Ntlm

    When you run the command after enabling both, get-OutlookAnywhere, the server only shows one authentication method enabled.

    Would like to enable both authentication methods, as we have a number of users with Outlook anywhere enabled using basic authentication, and don't want to force everyone to update their settings.

    Thanks

     

     

     

     

    Saturday, May 1, 2010 2:23 PM

Answers

  • This is incorrect.  Making a change on a local Client Access Server's IIS settings (through IIS Manager or the registry) will be overwritten by the settings on the object's AD attributes.  This is only untrue when RpcHttpConfigurator is set to 0.  But even that wouldn't apply here.

    The long and short is, in Exchange 2010 you cannot set the Autodiscover service to supply both values.  To configure IIS to accept both you can run:

    get-outlookanywhere | set-outlookanywhere -IISauthentication basic,Ntlm

    but this will not affect what is supplied to the client. 

    See here for more.  I just learned about this myself:

    http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/21867578-e623-4756-b483-dfb31162a665



    Mike Crowley
    Check out My Blog!

    • Proposed as answer by Mike Crowley Tuesday, May 25, 2010 6:32 PM
    • Marked as answer by Mike Crowley Monday, May 21, 2012 8:30 PM
    Tuesday, May 25, 2010 6:32 PM

All replies

  • the client authentication method sets the authentication provided to users in autodiscover, but doesn't affect the IIS directory, you will have to use the following PS:

    Set-OutlookAnywhere -Identity:'servername\Rpc (Default Web Site)' -DefaultAuthenticationMethod :basic,Ntlm

     


    Regards, Mahmoud Magdy http://busbar.blogspot.com http://ingazat.wordpress.com
    Sunday, May 2, 2010 6:05 PM
  • I just posted a similiar thread

    http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/21867578-e623-4756-b483-dfb31162a665

    before realizing you had one too.  I've included this thread on my post as well.



    Mike Crowley
    Check out My Blog!

    Monday, May 17, 2010 3:14 PM
  • You would need to do the following registry

    http://msexchangeteam.com/archive/2008/06/20/449053.aspx

    Monday, May 17, 2010 8:44 PM
  • You would need to do the following registry

    http://msexchangeteam.com/archive/2008/06/20/449053.aspx


    What?  Do what to the registry?

    Mike Crowley
    Check out My Blog!

    Monday, May 17, 2010 11:14 PM
  • If he wants to have both ntlm and basic auth for outlook anwyhere set at the same time
    Wednesday, May 19, 2010 6:30 PM
  • This is incorrect.  Making a change on a local Client Access Server's IIS settings (through IIS Manager or the registry) will be overwritten by the settings on the object's AD attributes.  This is only untrue when RpcHttpConfigurator is set to 0.  But even that wouldn't apply here.

    The long and short is, in Exchange 2010 you cannot set the Autodiscover service to supply both values.  To configure IIS to accept both you can run:

    get-outlookanywhere | set-outlookanywhere -IISauthentication basic,Ntlm

    but this will not affect what is supplied to the client. 

    See here for more.  I just learned about this myself:

    http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/21867578-e623-4756-b483-dfb31162a665



    Mike Crowley
    Check out My Blog!

    • Proposed as answer by Mike Crowley Tuesday, May 25, 2010 6:32 PM
    • Marked as answer by Mike Crowley Monday, May 21, 2012 8:30 PM
    Tuesday, May 25, 2010 6:32 PM
  • the client authentication method sets the authentication provided to users in autodiscover, but doesn't affect the IIS directory, you will have to use the following PS:

    Set-OutlookAnywhere -Identity:'servername\Rpc (Default Web Site)' -DefaultAuthenticationMethod :basic,Ntlm

     


    Regards, Mahmoud Magdy http://busbar.blogspot.com http://ingazat.wordpress.com

    Busbar, this does not work.  See here:

    [PS] C:\>Get-OutlookAnywhere | Set-OutlookAnywhere -DefaultAuthenticationMethod basic, ntlm

    [PS] C:\>Get-OutlookAnywhere | fl *auth*

     

     

    ClientAuthenticationMethod : Ntlm

    IISAuthenticationMethods   : {Ntlm}

     



    Mike Crowley
    Check out My Blog!

    Tuesday, May 25, 2010 6:38 PM
  • Thanks Mike!  The command you provided [    get-outlookanywhere | set-outlookanywhere -IISauthentication basic,Ntlm    ] allowed me to enable NTLM as well.

    While everything was working fine with Basic authentication, Outlook 2007 clients could not save their password. By enabling NTLM and manually changing the setting on the Outlook 2007 clients, those users were no longer asked for their passwords.

     

    Wednesday, December 1, 2010 9:04 PM