Changing Exchange 2010 Outlook Anywhere from Basic to NTLM authentication

  • Question

  • We have Exchange 2010 OA published through Forefront TMG.

    This was set up with Basic authentication and is causing many annoying credential popups for our users.
    From researching this, it seems changing to NTLM would solve this issue.

    http://blogs.technet.com/b/exchange/archive/2011/01/17/using-ntlm-outlook-anywhere-authentication-through-forefront-tmg-and-uag.aspx

    http://anewmessagehasarrived.blogspot.co.uk/2011/07/outlook-authentication-popup-when.html

    I have found many articles / white papers (see below) detailing setup from scratch, but not on changing the mechanism on a deployed system and clients.
    http://www.microsoft.com/en-us/download/details.aspx?id=22723

    Has anyone done this change on a live system and can advise on the steps and whether there are any potential issues?
    Thanks
    Chris

    Wednesday, May 23, 2012 10:23 PM

Answers

  • Hi Chris,

    To get rid of credential prompts, we may enable NTLM authentication only if the clients are domain-joined machines and the Windows profile is working fine. It is easy to change the authentication settings for Outlook Anywhere in EMC. Remember to run IISreset /noforce to apply it and adjust TMG rules to allow Outlook Anywhere.

    However, the clients might still be prompted for credentials, based on my experience: some because of a corrupted Windows profile which fails to provide credentials; some because of Exchange web-based service related configuration. Your understanding would be appreciated.


    Fiona Liao

    TechNet Community Support

    Friday, May 25, 2012 9:26 AM
    Moderator
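    The change the answer above describes (switch Outlook Anywhere to NTLM, then IISreset /noforce), as an added example that is not part of the original answer or of Microsoft's documentation. It is meant to be run from the Exchange 2010 Management Shell and assumes: the account has rights to run Set-OutlookAnywhere and to restart IIS remotely on each Client Access Server; the backup path and the parameter defaults are placeholders chosen here; and the TMG side (publishing rule authentication and, for NTLM through TMG, the Kerberos constrained delegation setup in the blog linked in the question) is done separately and is not scripted here. Test-OutlookConnectivity is used only as a post-change check and relies on the Exchange test mailbox already existing.

```powershell
# Added example (editorial): move Exchange 2010 Outlook Anywhere from Basic to NTLM
# on every Client Access Server, keeping a backup of the previous settings and
# verifying the result before restarting IIS. Run from the Exchange Management Shell.
# Server names come from Get-OutlookAnywhere; the backup path is a placeholder.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Where to save the pre-change settings so the change can be rolled back.
    [string]$BackupPath = "$env:TEMP\OutlookAnywhere-before.csv",
    # Authentication Outlook clients are told to use (advertised via Autodiscover).
    [ValidateSet('Basic', 'Ntlm')]
    [string]$ClientAuth = 'Ntlm',
    # Authentication the /rpc virtual directory in IIS accepts. Whatever TMG presents
    # to the CAS after its own authentication must be in this list.
    [string[]]$IisAuth = @('Ntlm')
)

# Normalise a list of authentication methods (enum values or strings) so that two
# lists can be compared regardless of order or case.
function Get-AuthSet([object[]]$Methods) {
    ($Methods | ForEach-Object { "$_".ToLower() } | Sort-Object) -join ','
}

# 1. Record the current settings before touching anything.
$before = Get-OutlookAnywhere |
    Select-Object Server, Identity, ExternalHostname, ClientAuthenticationMethod,
        @{ n = 'IISAuthenticationMethods'; e = { Get-AuthSet $_.IISAuthenticationMethods } }
$before | Export-Csv -Path $BackupPath -NoTypeInformation
Write-Host "Backed up $(@($before).Count) Outlook Anywhere entries to $BackupPath"

# 2. Apply the new client and IIS authentication methods on each CAS.
foreach ($oa in Get-OutlookAnywhere) {
    $target = "$($oa.Server) ($($oa.Identity))"
    $action = "Set ClientAuthenticationMethod=$ClientAuth IISAuthenticationMethods=$($IisAuth -join ',')"
    if ($PSCmdlet.ShouldProcess($target, $action)) {
        Set-OutlookAnywhere -Identity $oa.Identity `
            -ClientAuthenticationMethod $ClientAuth `
            -IISAuthenticationMethods $IisAuth
    }
}

# 3. Verify that every CAS now reports the requested settings; stop before the
#    IIS restart if any server did not take the change.
$mismatch = Get-OutlookAnywhere | Where-Object {
    ("$($_.ClientAuthenticationMethod)" -ne $ClientAuth) -or
    ((Get-AuthSet $_.IISAuthenticationMethods) -ne (Get-AuthSet $IisAuth))
}
if ($mismatch) {
    $mismatch | Format-Table Server, ClientAuthenticationMethod, IISAuthenticationMethods -AutoSize
    throw "One or more CAS did not take the new settings; previous values are in $BackupPath."
}

# 4. Graceful IIS restart on each CAS so the new /rpc authentication is active.
#    /noforce lets running requests finish instead of killing worker processes.
#    Assumes remote iisreset is permitted from the management workstation.
foreach ($server in ($before | Select-Object -ExpandProperty Server -Unique)) {
    if ($PSCmdlet.ShouldProcess("$server", 'iisreset /noforce')) {
        iisreset "$server" /noforce
    }
}

# 5. Confirm an RPC-over-HTTP logon still succeeds with the test mailbox.
#    Treated as a check to read, not as a gate on the change.
try {
    Test-OutlookConnectivity -Protocol HTTP -TrustAnySSLCertificate | Format-Table -AutoSize
} catch {
    Write-Warning "Test-OutlookConnectivity failed: $_"
}
```

    Run it first with -WhatIf to see which servers would be touched, then without. Keeping a CSV of the old values matters because ClientAuthenticationMethod is what Autodiscover hands to Outlook: if non-domain clients that can only do Basic still need to connect through TMG, the rollback is to restore these values and the TMG rule, not to edit client profiles one by one.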

All replies

  • I have never changed it on the UAG side; I was about to 2 months ago but changed my mind. Our issue is similar: because of Outlook and the setting "on slow networks, connect using HTTP first", internal Outlook clients periodically connect back outside through the UAG, causing the auth prompts because it's set to use Basic auth to Exchange.

    There is no option to get this unchecked via registry, GPO or Exchange without using a convoluted script that would have to be run routinely in order to catch new profiles that are being created. The funny thing is Exchange has the option to set the "on fast networks…" setting via PowerShell, but there is no setting to configure the "on slow networks…" one, which I find strange.

    From my understanding when I did the analysis back then, you will have to reconfigure the UAG and split out Outlook Anywhere and ActiveSync (AS must use Basic) into their own published apps, export a Kerberos delegation file and import it into AD, reconfigure the authentication on Exchange to use Basic, then configure Exchange to push out NTLM in the Outlook Anywhere settings.


    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

    Friday, May 25, 2012 2:05 PM