Outlook Anywhere proxy changed from Basic to NTLM for external users

  • Question

  • I have an Exchange 2013 environment that is also running Exchange 2010 coexistence (migrating). What is happening is autodiscover is handing out NTLM for the proxy settings and not Basic. However when it is using NTLM we seem to get the password prompt over and over. If I manually changed it to Basic then it works fine, but when autodiscover goes again it changes back to NTLM and prompts that the Administrator made a change and you need to restart Outlook.

    I checked Outlook Anywhere and all my servers have Basic set for external users and NTLM set for internal.

    I only have a few mailboxes on 2013 and 2010 mailboxes seem not to have a problem.

    Here is an output for Outlook Anywhere on all six servers:



    Identity                           : CAS01\Rpc (Default Web Site)
    ExchangeVersion                    : 0.10 (14.0.100.0)
    ExternalClientAuthenticationMethod : Basic
    InternalClientAuthenticationMethod : Ntlm
    IISAuthenticationMethods           : {Basic, Ntlm}

    Identity                           : CAS02\Rpc (Default Web Site)
    ExchangeVersion                    : 0.10 (14.0.100.0)
    ExternalClientAuthenticationMethod : Basic
    InternalClientAuthenticationMethod : Ntlm
    IISAuthenticationMethods           : {Basic, Ntlm}

    Identity                           : CAS03\Rpc (Default Web Site)
    ExchangeVersion                    : 0.10 (14.0.100.0)
    ExternalClientAuthenticationMethod : Basic
    InternalClientAuthenticationMethod : Ntlm
    IISAuthenticationMethods           : {Basic, Ntlm}

    Identity                           : EXCH2K13-01\Rpc (Default Web Site)
    ExchangeVersion                    : 0.20 (15.0.0.0)
    ExternalClientAuthenticationMethod : Basic
    InternalClientAuthenticationMethod : Ntlm
    IISAuthenticationMethods           : {Basic, Ntlm, Negotiate}

    Identity                           : EXCH2K13-02\Rpc (Default Web Site)
    ExchangeVersion                    : 0.20 (15.0.0.0)
    ExternalClientAuthenticationMethod : Basic
    InternalClientAuthenticationMethod : Ntlm
    IISAuthenticationMethods           : {Basic, Ntlm, Negotiate}

    Identity                           : EXCH2K13-03\Rpc (Default Web Site)
    ExchangeVersion                    : 0.20 (15.0.0.0)
    ExternalClientAuthenticationMethod : Basic
    InternalClientAuthenticationMethod : Ntlm
    IISAuthenticationMethods           : {Basic, Ntlm, Negotiate}



    Friday, March 27, 2015 12:40 AM

All replies

  • What is the internalhostname and externalhostname set to on the 2013 servers?


    Twitter!: Please Note: My Posts are provided “AS IS” without warranty of any kind, either expressed or implied.

    Friday, March 27, 2015 12:48 AM
  • This is the output. I changed my domain to just domain.com and internal is cloud.local:



    Identity         : CAS01\Rpc (Default Web Site)
    ExchangeVersion  : 0.10 (14.0.100.0)
    InternalHostname : 
    ExternalHostname : mail.domain.com

    Identity         : CAS02\Rpc (Default Web Site)
    ExchangeVersion  : 0.10 (14.0.100.0)
    InternalHostname : 
    ExternalHostname : mail.domain.com

    Identity         : CAS03\Rpc (Default Web Site)
    ExchangeVersion  : 0.10 (14.0.100.0)
    InternalHostname : 
    ExternalHostname : mail.domain.com

    Identity         : EXCH2K13-01\Rpc (Default Web Site)
    ExchangeVersion  : 0.20 (15.0.0.0)
    InternalHostname : mail.domain.com
    ExternalHostname : mail.domain.com

    Identity         : EXCH2K13-02\Rpc (Default Web Site)
    ExchangeVersion  : 0.20 (15.0.0.0)
    InternalHostname : mail.domain.com
    ExternalHostname : mail.domain.com

    Identity         : EXCH2K13-03\Rpc (Default Web Site)
    ExchangeVersion  : 0.20 (15.0.0.0)
    InternalHostname : mail.domain.com
    ExternalHostname : mail.domain.com


    Friday, March 27, 2015 12:52 AM
  • Is it because it can't tell if the user is external or internal since I have the internal and external hostname the same? The issue is I need internally everyone to point to mail.domain.com also because of the SSL prompts.

    I have a zone for domain.com internally that points it to the load balancer IP internally (which is Citrix Netscaler)

    Friday, March 27, 2015 12:54 AM
  • Is it because it can't tell if the user is external or internal since I have the internal and external hostname the same? The issue is I need internally everyone to point to mail.domain.com also because of the SSL prompts.

    I have a zone for domain.com internally that points it to the load balancer IP internally (which is Citrix Netscaler)

    If the internal and external match, then it uses the internalhostname and the internal auth, yes


    Friday, March 27, 2015 1:06 AM
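
The condition described in the reply above (matching internal and external hostnames, so the internal authentication method is the one handed out) can be checked across all servers at once. This is an added example, not part of the original thread: `Find-OutlookAnywhereAuthAmbiguity` is a hypothetical helper name, and the sample objects are constructed from the output posted earlier.

```powershell
# Added example (not from the thread). Find-OutlookAnywhereAuthAmbiguity is a
# hypothetical helper name; property names are those shown in the posted output.
function Find-OutlookAnywhereAuthAmbiguity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$VirtualDirectory
    )
    process {
        $intHost = [string]$VirtualDirectory.InternalHostname
        $extHost = [string]$VirtualDirectory.ExternalHostname
        $intAuth = [string]$VirtualDirectory.InternalClientAuthenticationMethod
        $extAuth = [string]$VirtualDirectory.ExternalClientAuthenticationMethod

        # The Exchange 2010 entries in the thread have an empty InternalHostname,
        # so there is nothing to compare on those servers.
        if ([string]::IsNullOrWhiteSpace($intHost)) { return }

        [pscustomobject]@{
            Identity     = [string]$VirtualDirectory.Identity
            Hostname     = $intHost
            InternalAuth = $intAuth
            ExternalAuth = $extAuth
            # Same name on both sides (-eq is case-insensitive for strings) with
            # different auth methods is the combination discussed in the reply.
            Ambiguous    = ($intHost -eq $extHost) -and ($intAuth -ne $extAuth)
        }
    }
}

# Constructed sample objects mirroring two of the servers in the posted output.
$sample = @(
    [pscustomobject]@{
        Identity = 'CAS01\Rpc (Default Web Site)'
        InternalHostname = ''; ExternalHostname = 'mail.domain.com'
        InternalClientAuthenticationMethod = 'Ntlm'
        ExternalClientAuthenticationMethod = 'Basic'
    },
    [pscustomobject]@{
        Identity = 'EXCH2K13-01\Rpc (Default Web Site)'
        InternalHostname = 'mail.domain.com'; ExternalHostname = 'mail.domain.com'
        InternalClientAuthenticationMethod = 'Ntlm'
        ExternalClientAuthenticationMethod = 'Basic'
    }
)
$sample | Find-OutlookAnywhereAuthAmbiguity | Where-Object { $_.Ambiguous }

# Against a live organization, from the Exchange Management Shell:
# Get-OutlookAnywhere | Find-OutlookAnywhereAuthAmbiguity
```
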
  • Awesome let me change internal auth to Basic and try that.
    Friday, March 27, 2015 1:10 AM
  • Awesome let me change internal auth to Basic and try that.

    That will cause password prompts and if you are using legacy Public Folders it should be set to NTLM.

    Don't know why external is getting prompted for NTLM unless you are doing some reverse proxy or something.


    Friday, March 27, 2015 1:13 AM
  • I'm not using a reverse proxy.

    Uhm... So I have internal and external users but my SSL is a wildcard for *.domain.com. I'm trying to get it to work both internally and externally without SSL prompts. The devices connecting internally will never go outside of the internal network and the devices connecting externally will never come inside the network.

    I do not have any internal users using legacy public folders but I do have external users using them.

    Friday, March 27, 2015 1:20 AM
  • Hi,

    Please refer to the following KB to set the Outlook Anywhere settings on Exchange Server 2013 Client Access servers:

    http://support.microsoft.com/en-us/kb/2834139

    If it doesn’t work with the resolution above, please check the following in ADSI Edit:

    1. In ADSI Edit, expand Configuration -> CN=Services -> CN=Microsoft Exchange -> CN=domain -> CN=Administrative Groups -> CN=Exchange Administrative Group -> CN=Databases.

    2. Right-click the listed database > Properties.

    3. Check whether the msExchHomePublicMDB value is set to an available value. Please change the value to <not set>.

    4. Click OK.

    Then check whether the issue persists.

    Regards,


    Winnie Liang
    TechNet Community Support

    Monday, March 30, 2015 3:21 AM