NTLM Authentication in the Outlook Anywhere

  • Question

  • I use Exchange Server 2007 SP1 Rollup 6 installed on Windows Server 2008. I need to use Outlook Anywhere from non-domain computers. I tested Outlook Anywhere with Basic and NTLM authentication and everything works fine. But when I use NTLM authentication, Outlook prompts for user credentials every time it starts, even though "remember password" was checked. The login and password are remembered in the user's network passwords, but Outlook prompts for the password again and again when it starts. Exchange is published on port 443 directly (without any listeners)!

    When I connect by VPN and use a TCP/IP connection to the server, Outlook remembers the password without any problems and does not ask for the password again.

    get-OutlookAnywhere:

    ServerName                 : SRVEXCH2
    SSLOffloading              : False
    ExternalHostname           : mail.my_domain.ru
    ClientAuthenticationMethod : Ntlm
    IISAuthenticationMethods   : {Ntlm}
    MetabasePath               : IIS://srvexch2.net.local/W3SVC/1/ROOT/Rpc
    Path                       : C:\Windows\System32\RpcProxy
    Server                     : SRVEXCH2
    AdminDisplayName           :
    ExchangeVersion            : 0.1 (8.0.535.0)
    Name                       : srvexch2
    DistinguishedName          : CN=srvexch2,CN=HTTP,CN=Protocols,CN=SRVEXCH2,CN=Servers,CN=Exchange Administrative Group (
                                 FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=S
                                 ervices,CN=Configuration,DC=net,DC=local
    Identity                   : SRVEXCH2\srvexch2
    Guid                       : 2c24f11b-852c-4948-b236-3f37d071d500
    ObjectCategory             : net.local/Configuration/Schema/ms-Exch-Rpc-Http-Virtual-Directory
    ObjectClass                : {top, msExchVirtualDirectory, msExchRpcHttpVirtualDirectory}
    WhenChanged                : 18.02.2009 14:17:55
    WhenCreated                : 17.02.2009 14:53:36
    OriginatingServer          : dc1.net.local
    IsValid                    : True


    I have tried these cases, but they have not helped with this issue:
    1) Disable kernel mode authentication with this command: %systemroot%\system32\inetsrv\AppCmd.exe set config /section:system.webServer/security/authentication/windowsAuthentication /useKernelMode:false. I also unchecked Kernel mode authentication in the properties of Windows Authentication for the Default Web Site, \Rpc and \Autodiscovery virtual directories.
    2) Modify this registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa lmcompatibilitylevel=3 and 2.
    3) Set NTLM instead of Kerberos on the security tab in the properties of Outlook.
    4) Install domain controller and global catalog roles on the Exchange Server.

    Does anybody have a solution for this issue? Maybe Outlook Anywhere and NTLM do not work at all?

    Friday, February 20, 2009 8:25 PM
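The post above lists an appcmd change to the Windows Authentication section of three IIS paths and an Outlook Anywhere configuration with IISAuthenticationMethods = {Ntlm}. The script below is an added example, not code from the original post, that reads back the effective Windows Authentication settings of those paths on the server so the result of such a change can be verified rather than assumed. It assumes an elevated PowerShell session on the IIS 7 server hosting the RPC proxy, the site name "Default Web Site", appcmd.exe at its default location, and the virtual directory name "Autodiscover" (the post spells it "Autodiscovery"); the IIS defaults used as fallbacks (enabled=false, useKernelMode=true, providers Negotiate,NTLM) are the IIS 7 schema defaults.

```powershell
# Added example (not from the original post): report the effective Windows
# Authentication settings of the IIS paths that Outlook Anywhere depends on.
# Assumptions: run elevated on the RPC proxy / CAS, site is "Default Web Site",
# appcmd.exe lives in %SystemRoot%\System32\inetsrv (its default location).

$AppCmd  = Join-Path $env:SystemRoot 'System32\inetsrv\appcmd.exe'
$Section = 'system.webServer/security/authentication/windowsAuthentication'

function Get-WindowsAuthConfig {
    # Returns enabled / useKernelMode / providers for one IIS path, e.g. 'Default Web Site/Rpc'.
    param([Parameter(Mandatory=$true)][string]$Path)

    # "appcmd list config <path> /section:<section>" prints the effective
    # (inherited + local) configuration of that section as an XML fragment.
    $xmlText = & $AppCmd list config "$Path" "/section:$Section" 2>&1
    if ($LASTEXITCODE -ne 0) { throw "appcmd failed for '$Path': $($xmlText -join ' ')" }

    $auth = ([xml]($xmlText -join "`n")).'system.webServer'.security.authentication.windowsAuthentication

    # appcmd only emits attributes that are set somewhere in the configuration
    # hierarchy; anything missing takes the IIS 7 schema default.
    $enabled    = if ($null -eq $auth.enabled)       { $false } else { [bool]::Parse($auth.enabled) }
    $kernelMode = if ($null -eq $auth.useKernelMode) { $true  } else { [bool]::Parse($auth.useKernelMode) }
    $providers  = if ($null -eq $auth.providers)     { @('Negotiate', 'NTLM') }
                  else { @($auth.providers.add | ForEach-Object { $_.value }) }

    New-Object PSObject -Property @{
        Path          = $Path
        Enabled       = $enabled
        UseKernelMode = $kernelMode       # $false is what the appcmd command in the post sets
        Providers     = ($providers -join ',')   # expect 'NTLM' on /Rpc when IISAuthenticationMethods is {Ntlm}
    }
}

# The three paths the post says were changed (Autodiscover name assumed).
'Default Web Site', 'Default Web Site/Rpc', 'Default Web Site/Autodiscover' |
    ForEach-Object { Get-WindowsAuthConfig -Path $_ } |
    Format-Table Path, Enabled, UseKernelMode, Providers -AutoSize
```

Compare the Providers column for /Rpc against IISAuthenticationMethods from Get-OutlookAnywhere: Exchange writes that setting into the /Rpc web.config, so a later appcmd or IIS Manager edit of the same section can silently diverge from what Exchange reports.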

All replies

  • Hi Sergey Erin,

    A few weeks ago I had the same problem. You must do the following:


    DSProxy and IPv6

    If you're in a multi-server scenario where the RPCProxy is not on the same server as the Mailbox, then you need to do the following:

    1. Unselect IPv6 from the properties of your NIC (on the RPC-over-HTTP Proxy machine); that will force the RPC-over-HTTP Proxy to use IPv4 to talk to Exchange and everything will be fine. In most cases, this step suffices. If it does not, continue with steps 2 and 3.
    2. Under the regkey HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters, add a 32 bit DWORD with the name DisabledComponents and value 0xFF
    3. Reboot the machine

    If you're in a single-server scenario where the RPCProxy and Mailbox are on the same machine, then the above does not work since the loopback interface still uses IPv6. In this case, you need to make the following changes in the system32\drivers\etc\hosts file:

    1. Comment out the line "::1    localhost"
    2. Add the following two lines:
         <IPv4 address>    <hostname of the computer>
         <IPv4 address>    <FQDN of the computer>

     For more information, this is the link: http://msexchangeteam.com/archive/2008/06/20/449053.aspx

    Hope this helps.

    Regards.

    Jose Osorio R.

    Friday, February 20, 2009 11:18 PM
  • I know about the problem with IPv6 and DSProxy. I disabled IPv6 a long time ago (RPCPING responds on ports 6001, 6002 and 6004 without any problem). Outlook Anywhere works with Basic and with NTLM authentication. I have only one problem: Outlook asks for the password when it starts, even though I use NTLM authentication with the "save password" option checked.

    Jose Osorio R., have you tuned Exchange so that Outlook Anywhere does not ask for the password when it starts from non-domain computers? I am interested whether somebody has done this.

    Saturday, February 21, 2009 9:18 AM
  • Is autodiscover.yourdomain.ru configured properly? I saw this once with a customer that had a wildcard cert in DNS. We hadn't yet configured autodiscover, but it was still pointing to the server.

    "For non domain joined clients or clients that are not able to directly access the domain, Outlook is hard coded to find the Autodiscover end point by looking up either https://company.com/Autodiscover/Autodiscover.xml or https://Autodiscover.company.com/Autodiscover/Autodiscover.xml (where company.com is the portion of the users SMTP address following the @ sign)."

    http://msexchangeteam.com/archive/2007/04/30/438249.aspx
    Tuesday, March 3, 2009 12:49 AM
  • Hi,

    I suggest that we save passwords by using following method on the client:

    1. Run control userpasswords2
    2. Under Advanced tab, click Manage Passwords
    3. Please add following entry:

    Log on to: *.domainname (such as *.microsoft.com)
    Username: domain\username
    Password: password

    Then, please restart the client to check whether we still need to provide the password when logging on to Outlook.

    Thanks

    Allen

    Tuesday, March 3, 2009 8:37 AM
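The steps above add a stored credential through the "Stored User Names and Passwords" dialog. As an added example that is not part of the reply or of any Microsoft documentation, the script below does the same from PowerShell with cmdkey.exe, the command-line front end to the same credential store, and checks for an existing entry first. It assumes the client runs a Windows version that ships cmdkey.exe, that cmdkey accepts the same "*.domain" wildcard target the dialog accepts, and that the target and user name shown are placeholders for the poster's mail.my_domain.ru and DOMAIN\username.

```powershell
# Added example (not from the original reply): store the Outlook Anywhere
# credential for a non-domain client with cmdkey, the command-line counterpart
# of "control userpasswords2 > Advanced > Manage Passwords".
# Assumptions: cmdkey.exe is present, it accepts the wildcard target the GUI
# accepts, and the values below are placeholders for the real ones.

param(
    [string]$Target   = '*.my_domain.ru',   # covers mail.my_domain.ru and autodiscover.my_domain.ru
    [string]$UserName = 'NET\username'      # DOMAIN\username, as the reply specifies
)

function Test-StoredCredential {
    # $true when Credential Manager already holds an entry for $Target.
    # "cmdkey /list:<target>" prints "Target: Domain:target=<target>" on a hit
    # and "* NONE *" when nothing matches.
    param([Parameter(Mandatory=$true)][string]$Target)
    $listing = & cmdkey.exe /list:$Target 2>&1
    return (@($listing -match 'Target:').Count -gt 0)
}

function Add-StoredCredential {
    param(
        [Parameter(Mandatory=$true)][string]$Target,
        [Parameter(Mandatory=$true)][string]$UserName
    )
    if (Test-StoredCredential -Target $Target) {
        Write-Host "Replacing the existing entry for $Target"
        & cmdkey.exe /delete:$Target | Out-Null
    }
    # "/pass" with no value makes cmdkey prompt for the password interactively,
    # so it never lands in the command line, the shell history or this script.
    & cmdkey.exe /add:$Target /user:$UserName /pass
    if ($LASTEXITCODE -ne 0) { throw "cmdkey /add failed with exit code $LASTEXITCODE" }

    if (-not (Test-StoredCredential -Target $Target)) {
        throw "cmdkey returned success but no entry for $Target is listed"
    }
    Write-Host "Stored credential for $Target as $UserName. Restart Outlook to test."
}

Add-StoredCredential -Target $Target -UserName $UserName
& cmdkey.exe /list:$Target      # show what was stored, without the password
```

Two points worth keeping in mind when using this: the entry is protected with the user's DPAPI key, so any code running as that Windows user can use it, and a wildcard target applies to every host under that DNS suffix, so scope it to the narrowest pattern that still matches the Outlook Anywhere and Autodiscover names.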
  • Have you also seen this:

    You must provide Windows account credentials when you connect to Exchange Server 2003 by using the Outlook 2003 RPC over HTTP feature

    http://support.microsoft.com/kb/820281

    1. Click Start, click Run, type regedit in the Open box, and then press ENTER.
    2. Locate and then click the following registry subkey:
       HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\
    3. In the right pane, double-click lmcompatibilitylevel.
    4. In the Value data box, type a value of 2 or 3 that is appropriate for your environment, and then click OK.
    5. Quit Registry Editor.
    6. Restart your computer.

    LmCompatibilityLevel settings

    The LmCompatibilityLevel registry entry can be configured with the following values:

    LmCompatibilityLevel value of 0: Send LAN Manager (LM) response and NTLM response; never use NTLM version 2 (NTLMv2) session security. Clients use LM and NTLM authentication, and never use NTLMv2 session security; domain controllers accept LM, NTLM, and NTLMv2 authentication.

    LmCompatibilityLevel value of 1: Use NTLMv2 session security, if negotiated. Clients use LM and NTLM authentication, and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.

    LmCompatibilityLevel value of 2: Send NTLM response only. Clients use only NTLM authentication, and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.

    LmCompatibilityLevel value of 3: Send NTLMv2 response only. Clients use NTLMv2 authentication, and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.

    LmCompatibilityLevel value of 4: (Server Only) - Domain controllers refuse LM responses. Clients use NTLM authentication, and use NTLMv2 session security if the server supports it; domain controllers refuse LM authentication, and accept NTLM and NTLMv2 authentication.

    LmCompatibilityLevel value of 5: (Server Only) - Domain controllers refuse LM and NTLM responses, and accept only NTLMv2 responses. Clients use NTLMv2 authentication, use NTLMv2 session security if the server supports it; domain controllers refuse NTLM and LM authentication, and accept only NTLMv2 authentication.



    Mike Crowley: MCT, MCSE, MCTS, MCITP: Enterprise Administrator / Messaging Administrator
    Thursday, March 5, 2009 2:29 PM
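The reply above gives the registry steps and the meaning of each LmCompatibilityLevel value. The script below is an added example, not code from the reply or from KB 820281, that reads the current value on the client, reports what it means using the descriptions quoted above, and sets a new one while refusing the levels that still send the LM response. It assumes an elevated PowerShell session on the client; when the value is absent, the OS default applies (0 on Windows XP, 3 on Windows Vista and later), which the script reports as "not set" rather than guessing.

```powershell
# Added example (not from the reply or KB 820281): audit and change
# LmCompatibilityLevel on an Outlook client.
# Assumptions: run elevated; an absent value means the OS default applies
# (0 on Windows XP, 3 on Vista and later) and is reported as $null.

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Name   = 'LmCompatibilityLevel'

# Client-side meaning of each level, condensed from the KB text quoted above.
$Levels = @{
    0 = 'Send LM and NTLM responses; never use NTLMv2 session security'
    1 = 'Send LM and NTLM responses; NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 only; domain controllers refuse LM'
    5 = 'Send NTLMv2 only; domain controllers refuse LM and NTLM'
}

function Get-LmCompatibilityLevel {
    $item  = Get-ItemProperty -Path $LsaKey -Name $Name -ErrorAction SilentlyContinue
    $value = if ($null -eq $item) { $null } else { [int]$item.$Name }
    $text  = if ($null -eq $value) { 'not set; OS default applies' } else { $Levels[$value] }
    New-Object PSObject -Property @{ Level = $value; Meaning = $text }
}

function Set-LmCompatibilityLevel {
    param([Parameter(Mandatory=$true)][ValidateRange(0,5)][int]$Level)

    # Levels 0 and 1 also put the LM response on the wire. Its DES-based hash
    # is recoverable offline quickly, so refuse them even though the KB lists them.
    if ($Level -lt 2) { throw "Refusing LmCompatibilityLevel $Level; use 2 or, preferably, 3." }

    $before = Get-LmCompatibilityLevel
    Set-ItemProperty -Path $LsaKey -Name $Name -Value $Level -Type DWord
    $after  = Get-LmCompatibilityLevel
    "{0}: {1} -> {2} ({3}). Restart the computer for LSA to apply it." -f `
        $Name, $before.Level, $after.Level, $after.Meaning
}

Get-LmCompatibilityLevel                # audit first
# Set-LmCompatibilityLevel -Level 3     # NTLMv2 only; fall back to 2 only if 3 still prompts
```

Level 2 still answers with an NTLMv1 response, so if the RPC proxy and domain controllers accept level 3 there is no reason to go lower; the change is a client-side fix for the prompt, and the server side (IISAuthenticationMethods, Windows Authentication providers) should be checked before weakening it.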
  • After all other options mentioned here failed, setting the LmCompatibilityLevel to 2 solved it for me. XP SP3 with Outlook 2007 clients, SBS 2008 server.
    Tuesday, July 15, 2014 7:07 AM