Outlook Anywhere Basic Authentication and LAN Manager Authentication Level

  • Question

  • The server is Exchange 2010 SP1 running on Windows 2008 R2 SP1. The client is Outlook 2010 running on Windows XP SP3. The client is not joined to the domain.

    I manually configured a profile to use Outlook Anywhere. I believe everything is configured correctly. However, Outlook repeatedly prompted for a password when I launched it. I changed the local security policy on the XP machine. The LAN Manager authentication level was raised from 0 (default for WinXP) to 3. After that everything works perfectly.

    I tried running Outlook 2010 on another Windows 2008 R2 machine and hit the same issue. If the LAN Manager authentication level on the client is set to 3, it works. If it's set to 0, it keeps asking for a password.

    Is there any whitepaper from Microsoft documenting this behavior? I need it to convince my customer to change the client setting so that it can use Outlook Anywhere.

    Thanks in advance.

     

    Wednesday, December 28, 2011 3:48 PM

All replies

  • What authentication is Outlook Anywhere configured to use?

    Run:

    Get-OutlookAnywhere | Format-List
    

    and look at the ClientAuthenticationMethod and IisAuthenticationMethods properties.  Are they set the way you want them for your environment?


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Wednesday, December 28, 2011 6:25 PM
  • Why not use the Plain Password setting and enable only the HTTPS protocol? In this case the password would be encrypted.

    You will find an overview of the different authentication levels under: http://technet.microsoft.com/en-us/library/cc738867(WS.10).aspx

    Please remember that LM and NTLM authentication is not nearly secure enough. But if you use SSL for the data transport then the data is transferred encrypted between the server and the client.

    It is not recommended to configure Windows Server 2008 R2 for LM or NTLM authentication for security reasons.

    If you need some support in the security discussion you will find this article http://technet.microsoft.com/en-us/library/cc512606.aspx helpful.

     


    regards Thomas Paetzold visit my blog on: http://sus42.wordpress.com
    Wednesday, December 28, 2011 6:33 PM
  • What authentication is Outlook Anywhere configured to use?

    Run:

    Get-OutlookAnywhere | Format-List
    

    and look at the ClientAuthenticationMethod and IisAuthenticationMethods properties.  Are they set the way you want them for your environment?


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

    Basic authentication
    Thursday, December 29, 2011 1:51 AM
  • Why not use the Plain Password setting and enable only the HTTPS protocol? In this case the password would be encrypted.

    You will find an overview of the different authentication levels under: http://technet.microsoft.com/en-us/library/cc738867(WS.10).aspx

    Please remember that LM and NTLM authentication is not nearly secure enough. But if you use SSL for the data transport then the data is transferred encrypted between the server and the client.

    It is not recommended to configure Windows Server 2008 R2 for LM or NTLM authentication for security reasons.

    If you need some support in the security discussion you will find this article http://technet.microsoft.com/en-us/library/cc512606.aspx helpful.

     


    regards Thomas Paetzold visit my blog on: http://sus42.wordpress.com


    Yes, I did use basic authentication (which I believe is plain text password) plus HTTPS. This is actually the default setting of Exchange 2010 OA. Strange thing is, it's still affected by lmcompatibilitylevel.

    I don't intend to use LM or NTLM on my server. I tried to enable NTLMv2 on the client. The problem is, since a lot of PCs are affected, my customer asked for an official whitepaper from Microsoft to endorse the change request.

    Thursday, December 29, 2011 1:57 AM
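
To see which client PCs would need the change discussed above, the LAN Manager authentication level can be read from each machine's registry. This is an added example, not part of the original thread; it assumes PowerShell 2.0 or later, administrative rights, and the Remote Registry service on remote targets, and the function name Get-LmCompatibilityLevel is hypothetical.

```powershell
# Added example. Names as shown for the policy
# "Network security: LAN Manager authentication level".
$LevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    foreach ($computer in $ComputerName) {
        $row = New-Object PSObject -Property @{
            ComputerName = $computer; Level = $null; Setting = $null; Error = $null
        }
        # An empty machine name makes OpenRemoteBaseKey open the local hive.
        $target = if ($computer -eq $env:COMPUTERNAME) { '' } else { $computer }
        $hklm = $null
        try {
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $target)
            $lsa = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
            $value = $lsa.GetValue('LmCompatibilityLevel', $null)
            if ($null -eq $value) {
                # Value absent: the operating system's built-in default is in effect.
                $row.Setting = 'Not configured (OS default applies)'
            } else {
                $row.Level = [int]$value
                $row.Setting = $LevelNames[[int]$value]
            }
        } catch {
            # Unreachable host, access denied, Remote Registry stopped, etc.
            $row.Error = $_.Exception.Message
        } finally {
            if ($hklm) { $hklm.Close() }
        }
        $row
    }
}

# Local machine; pass -ComputerName with your own host list for a fleet.
Get-LmCompatibilityLevel | Select-Object ComputerName, Level, Setting, Error
```

Machines that report a level below 3, the value at which the prompts stopped in the question, are the ones the change request would cover.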
  • Hi,

    I don't think that there is such a whitepaper. During a conference, Microsoft stated that it is not recommended to use LM or NTLM because of the security risk. But at the same session they said that it is difficult to disable such outdated authentication mechanisms because of application incompatibility with the new ones.

    So it is difficult to publish a whitepaper with the recommendation of using NTLMv2 because there are a lot of applications in the field which require the old authentication mechanisms.

     


    regards Thomas Paetzold visit my blog on: http://sus42.wordpress.com
    • Marked as answer by Li Zhen Sunday, January 1, 2012 3:37 PM
    Thursday, December 29, 2011 8:19 AM
  • Maybe you are looking for this document: http://technet.microsoft.com/en-us/library/cc738867(WS.10).aspx.


    Fiona Liao

    TechNet Community Support

    Thursday, December 29, 2011 9:57 AM
    Moderator
  • I would suggest you verify the default domain controller policy. To do this:

    1. Click Start, point to Programs, and then click Administrative Tools.
    2. In the Domain Controller Security policy, expand Security Settings\Local Policies.
    3. Click Security Options.
    4. Network: LAN Manager authentication level.
    5. Change it to "Send LM & NTLM responses".
    6. Run gpupdate /force

    Hope it is helpful.


    Fiona Liao

    TechNet Community Support

    Thursday, December 29, 2011 10:26 AM
    Moderator
  • I asked for the values of two properties.
    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Thursday, December 29, 2011 5:16 PM
  • Hi,

    I don't think that there is such a whitepaper. During a conference, Microsoft stated that it is not recommended to use LM or NTLM because of the security risk. But at the same session they said that it is difficult to disable such outdated authentication mechanisms because of application incompatibility with the new ones.

    So it is difficult to publish a whitepaper with the recommendation of using NTLMv2 because there are a lot of applications in the field which require the old authentication mechanisms.

     


    regards Thomas Paetzold visit my blog on: http://sus42.wordpress.com

    Thank you, Thomas.
    Sunday, January 1, 2012 3:35 PM
  • I asked for the values of two properties.
    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

    I meant both of them are basic authentication.
    Sunday, January 1, 2012 3:39 PM