SFB 2016 authentication prompt for EWS RRS feed

  • Question

  • Hello

    I have an Exchange 2010 environment with the latest service pack and patches. Also I have an SFB 2015 environment with the latest patches. I am using TMG and Kemp to publish and load balance Exchange services for outside. My Exchange is using NTLM for EWS services, and TMG is publishing the EWS services for Exchange; also TMG is just passing the request to Exchange, it is not doing any FBA.

    So the issue is that when a domain-joined machine starts Skype 2016 (with the latest patches), it logs in automatically and asks for credentials for the EWS connection with this prompt: "Exchange needs your credentials. Until then you might see outdated info in Skype for Business." Once I put in the username and password it works, and it never asks again unless I delete the cache from the Skype client.

    My question is, is this normal behavior? My understanding was that since I am using NTLM it should use my logged-in credentials, since the machine is part of the domain, and should not ask for a username and password in the first place; EWS should just connect automatically, just like Outlook Anywhere. Outlook Anywhere never asks for any credentials, it just connects automatically. Also my IE is set up correctly without any proxy info but with the AutoDetect connection.


    • Edited by mod 13 Sunday, July 9, 2017 11:42 PM
    Sunday, July 9, 2017 11:41 PM

All replies

  • Are the clients on the LAN? If so, they shouldn't be going through the reverse proxy anyway. Is there an autodiscover record put in internally to access EWS? As long as TMG is configured for pass-through authentication, it should work.


    http://thamaraw.com


    Monday, July 10, 2017 12:38 AM
  • Just to clarify, these clients are not on the corporate LAN or VPN, but outside without VPN. Also autodiscover works fine; there is no issue with autodiscover. On the corporate LAN or VPN everything works fine. Also, if I put in the username/password once it never asks me again, unless I delete the cache from the Skype client. My question is whether it is even normal for it to ask once. My understanding was it should never ask for a password on a corporate-joined laptop since I am using NTLM for authentication for EWS, just like Outlook Anywhere.
    • Edited by mod 13 Monday, July 10, 2017 1:06 AM
    Monday, July 10, 2017 1:05 AM
  • It shouldn't be asking for credentials. Auth should pass through over the reverse proxy. I reckon the reverse proxy is not doing the pass-through authentication for the Skype for Business virtual directories.

    http://thamaraw.com

    Monday, July 10, 2017 1:27 AM
  • I am using TMG for the reverse proxy and my listener has FBA turned off; under the rule's authentication delegation I have selected no authentication, so TMG (reverse proxy) is definitely bypassing the authentication. I have three Exchange CAS, and they are behind a Kemp load balancer where I am doing SSL offloading. So after TMG it lands on Kemp and then it passes to Exchange.

    As per this article, it seems like it's normal to have a first prompt, but then afterwards you will get a prompt. So it is expected to get the first prompt, but then it's not NTLM, since NTLM was supposed to use the logged-in credentials of the domain-joined machine.

    http://troubleshootinglync.blogspot.com/2012/11/ews-not-working-externally.html

    So in this case I should not get any prompt (when I am outside and not on VPN) in Skype if the machine is domain joined. I may have to look at my Kemp load balancer and TMG combination.


    • Edited by mod 13 Monday, July 10, 2017 4:47 AM
    Monday, July 10, 2017 3:48 AM
  • Try bypassing the load balancer, just to isolate the issue. Then you'd know if TMG is doing what it's supposed to.

    http://thamaraw.com


    Monday, July 10, 2017 6:35 AM
  • When you try to open the EWS URL in Internet Explorer, does it ask for credentials? This should be tested from IE only. If it is asking for credentials, please disable Windows Integrated Authentication in IE and check. Now it should go through.

    If the above test is a success, then it's a problem of Kerberos authentication, and the fallback is asking for credentials.

    Also make sure that TMG's authentication mechanism is configured to direct.


    Jayakumar K

    Monday, July 10, 2017 9:12 AM
  • I tried bypassing the load balancer and going directly to Exchange, but the issue still exists, so I think the issue is on Exchange. I can get to the EWS URL from outside without a prompt, so I know that's working. I also checked that the EWS virtual directory under IIS has NTLM as the first authentication. But when I checked the logs on Exchange for EWS, I see that the user is trying to negotiate.

    One thing I noticed is that my EWS is not configured for SSL with a cert, so basically I am doing SSL offloading on my Kemp LB.

    • Edited by mod 13 Saturday, July 15, 2017 11:29 PM
    Saturday, July 15, 2017 11:05 PM
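    The posts above turn on what the EWS server sends back in its 401 (which authentication providers IIS offers, and in which order), which is exactly what a Fiddler trace shows in the WWW-Authenticate headers. The script below is an added example, not code from any poster in this thread: it parses a constructed 401 response in the shape Fiddler displays, lists the offered schemes in server order, and summarises what that order means for a domain-joined client. The `probe_live` helper is an assumption about how one would run the same check against a real URL; the host name in its docstring is a placeholder.

```python
"""Inspect the authentication challenge an EWS endpoint returns on 401.

Added example for this thread. SAMPLE_401 is a constructed response in the
form Fiddler shows for a GET against an EWS virtual directory; it is not a
capture from any poster's environment.
"""
from typing import List
import urllib.error
import urllib.request

# Constructed sample: IIS with Negotiate and NTLM enabled (Negotiate first).
SAMPLE_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Server: Microsoft-IIS/7.5\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: NTLM\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "Date: Sat, 15 Jul 2017 22:00:00 GMT\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def schemes_from_values(values: List[str]) -> List[str]:
    """Extract scheme names from WWW-Authenticate header values, in order.

    A single header may carry several comma-separated challenges; the scheme
    is the first token of each ("Negotiate", "NTLM", 'Basic realm="x"').
    """
    schemes = []
    for value in values:
        for challenge in value.split(","):
            token = challenge.strip().split(" ", 1)[0]
            if token:
                schemes.append(token)
    return schemes


def parse_challenges(raw_response: str) -> List[str]:
    """Return the auth schemes a raw HTTP response offers (empty unless 401)."""
    head, _, _ = raw_response.partition("\r\n\r\n")
    status_line, _, header_block = head.partition("\r\n")
    if " 401 " not in status_line:
        return []  # only a 401 carries a challenge worth reading
    values = []
    for line in header_block.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() == "www-authenticate":
            values.append(value.strip())
    return schemes_from_values(values)


def assess(schemes: List[str]) -> str:
    """Summarise what the challenge implies for a domain-joined client.

    Windows clients take the first scheme they support. Negotiate ahead of
    NTLM means a Kerberos attempt first; off the corporate network no KDC
    is reachable, so SPNEGO falls back to NTLM within the same exchange.
    Any Basic challenge is a point where a plaintext prompt can appear.
    """
    if not schemes:
        return "no challenge: not a 401 or WWW-Authenticate missing"
    if "Negotiate" in schemes and "NTLM" in schemes:
        return f"integrated auth offered, {schemes[0]} first"
    if "NTLM" in schemes:
        return "NTLM only"
    if "Negotiate" in schemes:
        return "Negotiate only"
    return "no integrated auth offered: " + ", ".join(schemes)


def probe_live(url: str, timeout: float = 10.0) -> List[str]:
    """Send one unauthenticated GET and return the challenge schemes.

    Assumed usage (not run here): probe_live("https://mail.example.invalid/EWS/Exchange.asmx")
    The host name is a placeholder, not a value from the thread.
    """
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout):
            return []  # served without a challenge
    except urllib.error.HTTPError as err:
        if err.code != 401:
            return []
        return schemes_from_values(err.headers.get_all("WWW-Authenticate", []))


if __name__ == "__main__":
    offered = parse_challenges(SAMPLE_401)
    print("offered:", offered)
    print("assessment:", assess(offered))
```

    Run against a saved Fiddler response, the output tells you whether the server is offering Negotiate before NTLM (the "user is trying to negotiate" seen in the EWS logs above) or whether a Basic challenge is in the mix, without having to read the headers by eye.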
  • Hi mod 13,

    Does it work on a non-domain joined machine?

    Due to limited resources, we are unable to test and reproduce this issue. We found an issue similar to yours; it seems like a normal behavior.


    https://social.technet.microsoft.com/Forums/en-US/cbdfde5c-d78c-4c32-8037-16878cd492db/exchange-needs-your-credentials?forum=sfbfr


    Would you please help check what response you got for the 401 in your Fiddler trace?


    Best Regards,

    Molly Wu
    TechNet Community Support


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.




    Wednesday, July 19, 2017 10:40 AM
  • Hello Molly

    I get "401 Unauthorized" in the Fiddler trace. We don't have any non-domain-joined machine. Our issue is mainly around domain-joined machines off the network without VPN.

    Also, the issue you mentioned is for the F5 load balancer; we are using a Kemp load balancer.


    • Edited by mod 13 Wednesday, July 19, 2017 3:24 PM
    Wednesday, July 19, 2017 3:23 PM
  • Hi,

    Can you confirm if the account has the same UPN, SIP and SMTP?

    To me, it seems like they are not the same.

    Neither TMG nor KEMP should do any authentication, just bypass it.


    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you. Thank you! Off2work

    Thursday, July 20, 2017 8:38 AM
  • Hi mod 13,

    Kleutd's issue is similar to yours, and it is not related to the F5 load balancer.

    Would you please share a detailed screenshot of the 401 error in your Fiddler trace?


    Best Regards,

    Molly Wu
    TechNet Community Support



    Friday, July 21, 2017 12:40 PM
  • Hello:

    UPN, SMTP and SIP match, and Kemp and TMG are just bypassing the traffic, so there is no issue on that side. Here is the screenshot of the 401 Unauthorized.

    Friday, July 21, 2017 2:55 PM
  • Hi mod 13,

    Thanks for your screenshot; indeed, EWS is asking for credentials.

    May I know whether you had connected to Exchange via Outlook on the same machine when you started Skype for Business 2016 on the external domain-joined machine?

    If not, please help to test and see if it still asks for credentials for the EWS connection.


    Best Regards,

    Molly Wu
    TechNet Community Support



    Tuesday, July 25, 2017 11:36 AM