Outlook Anywhere keeps reverting from Basic to NTLM after every restart

  • Question

  • Hi all,

    We are in the middle of a transition from Exchange 2010 SP3 to Exchange 2013 CU8 and everything works fine except external Outlook Anywhere. We are publishing the Exchange services through TMG 2010 and we are using Basic for external clients, which worked great for Exchange 2010. Now, using the same rules, Outlook (2013) clients fail to authenticate to Exchange from external (internet) connections.

    The current settings:

    Get-OutlookAnywhere | FL ServerName, *auth*

    ServerName                         : 2010
    ExternalClientAuthenticationMethod : Basic
    InternalClientAuthenticationMethod : Ntlm
    IISAuthenticationMethods           : {Basic, Ntlm}

    ServerName                         : 2013
    ExternalClientAuthenticationMethod : Basic
    InternalClientAuthenticationMethod : Ntlm
    IISAuthenticationMethods           : {Basic, Ntlm, Negotiate}

    For clients that are still on 2010 everything works perfectly, both internal and external connections. For clients migrated to or newly created on 2013, it works from internal but keeps asking for the password from external. If I manually change the Authentication for Exchange proxy settings from NTLM to Basic then it works OK from external as well - BUT this setting is changed back to NTLM after every restart of the Outlook client. It seems that Autodiscover is pushing the wrong settings, even though the settings are correct. Here is the XML:

    <?xml version="1.0" encoding="utf-8"?>
    <Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
      <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
        <User>
          <DisplayName>XXXXXXXXXXXXXXXXXXXXXX</DisplayName>
          <LegacyDN>XXXXXXXXXXXXXXXXXXXXXX</LegacyDN>
          <AutoDiscoverSMTPAddress>XXXXXXXXXXXXXXXXXXXXXX</AutoDiscoverSMTPAddress>
          <DeploymentId>XXXXXXXXXXXXXXXXXXXXXX</DeploymentId>
        </User>
        <Account>
          <AccountType>email</AccountType>
          <Action>settings</Action>
          <MicrosoftOnline>False</MicrosoftOnline>
          <Protocol>
            <Type>EXCH</Type>
            <Server>XXXXXXXXXXXXXXXXXXXXXX</Server>
            <ServerDN>XXXXXXXXXXXXXXXXXXXXXX</ServerDN>
            <ServerVersion>73C08434</ServerVersion>
            <MdbDN>XXXXXXXXXXXXXXXXXXXXXX</MdbDN>
            <PublicFolderServer>webmail.nspyre.nl</PublicFolderServer>
            <AD>XXXXXXXXXXXXXXXXXXXXXX</AD>
            <ASUrl>https://webmail.nspyre.nl/EWS/Exchange.asmx</ASUrl>
            <EwsUrl>https://webmail.nspyre.nl/EWS/Exchange.asmx</EwsUrl>
            <EmwsUrl>https://webmail.nspyre.nl/EWS/Exchange.asmx</EmwsUrl>
            <EcpUrl>https://webmail.nspyre.nl/ecp/</EcpUrl>
            <EcpUrl-um>?rfr=olk&amp;p=customize/voicemail.aspx&amp;exsvurl=1&amp;realm=nspyre.nl</EcpUrl-um>
            <EcpUrl-aggr>?rfr=olk&amp;p=personalsettings/EmailSubscriptions.slab&amp;exsvurl=1&amp;realm=nspyre.nl</EcpUrl-aggr>
            <EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?rfr=olk&amp;exsvurl=1&amp;IsOWA=&lt;IsOWA&gt;&amp;MsgID=&lt;MsgID&gt;&amp;Mbx=&lt;Mbx&gt;&amp;realm=nspyre.nl</EcpUrl-mt>
            <EcpUrl-ret>?rfr=olk&amp;p=organize/retentionpolicytags.slab&amp;exsvurl=1&amp;realm=nspyre.nl</EcpUrl-ret>
            <EcpUrl-sms>?rfr=olk&amp;p=sms/textmessaging.slab&amp;exsvurl=1&amp;realm=nspyre.nl</EcpUrl-sms>
            <EcpUrl-photo>PersonalSettings/EditAccount.aspx?rfr=olk&amp;chgPhoto=1&amp;exsvurl=1&amp;realm=nspyre.nl</EcpUrl-photo>
            <EcpUrl-tm>?rfr=olk&amp;ftr=TeamMailbox&amp;exsvurl=1&amp;realm=nspyre.nl</EcpUrl-tm>
            <EcpUrl-tmCreating>?rfr=olk&amp;ftr=TeamMailboxCreating&amp;SPUrl=&lt;SPUrl&gt;&amp;Title=&lt;Title&gt;&amp;SPTMAppUrl=&lt;SPTMAppUrl&gt;&amp;exsvurl=1&amp;realm=nspyre.nl</EcpUrl-tmCreating>
            <EcpUrl-tmEditing>?rfr=olk&amp;ftr=TeamMailboxEditing&amp;Id=&lt;Id&gt;&amp;exsvurl=1&amp;realm=nspyre.nl</EcpUrl-tmEditing>
            <EcpUrl-extinstall>Extension/InstalledExtensions.slab?rfr=olk&amp;exsvurl=1&amp;realm=nspyre.nl</EcpUrl-extinstall>
            <OOFUrl>https://webmail.nspyre.nl/EWS/Exchange.asmx</OOFUrl>
            <UMUrl>https://webmail.nspyre.nl/EWS/UM2007Legacy.asmx</UMUrl>
            <OABUrl>https://webmail.nspyre.nl/OAB/3cde2ebe-e722-44e5-849d-7f6cd94b51fa/</OABUrl>
            <ServerExclusiveConnect>off</ServerExclusiveConnect>
            <CertPrincipalName>msstd:*.nspyre.nl</CertPrincipalName>
          </Protocol>
          <Protocol>
            <Type>EXPR</Type>
            <Server>webmail.nspyre.nl</Server>
            <SSL>On</SSL>
            <AuthPackage>Basic</AuthPackage>
            <ASUrl>https://webmail.nspyre.nl/EWS/Exchange.asmx</ASUrl>
            <EwsUrl>https://webmail.nspyre.nl/EWS/Exchange.asmx</EwsUrl>
            <EmwsUrl>https://webmail.nspyre.nl/EWS/Exchange.asmx</EmwsUrl>
            <OOFUrl>https://webmail.nspyre.nl/EWS/Exchange.asmx</OOFUrl>
            <UMUrl>https://webmail.nspyre.nl/EWS/UM2007Legacy.asmx</UMUrl>
            <OABUrl>https://webmail.nspyre.nl/OAB/3cde2ebe-e722-44e5-849d-7f6cd94b51fa/</OABUrl>
            <ServerExclusiveConnect>on</ServerExclusiveConnect>
            <CertPrincipalName>msstd:*.nspyre.nl</CertPrincipalName>
            <EwsPartnerUrl>https://webmail.nspyre.nl/EWS/Exchange.asmx</EwsPartnerUrl>
            <GroupingInformation>DataCenters</GroupingInformation>
          </Protocol>
          <Protocol>
            <Type>WEB</Type>
            <Internal>
              <OWAUrl AuthenticationMethod="Ntlm, WindowsIntegrated">https://webmail.nspyre.nl/owa/</OWAUrl>
              <Protocol>
                <Type>EXCH</Type>
                <ASUrl>https://webmail.nspyre.nl/EWS/Exchange.asmx</ASUrl>
              </Protocol>
            </Internal>
          </Protocol>
          <Protocol>
            <Type>EXHTTP</Type>
            <Server>webmail.nspyre.nl</Server>
            <SSL>On</SSL>
            <AuthPackage>Ntlm</AuthPackage>
            <ASUrl>https://webmail.nspyre.nl/EWS/Exchange.asmx</ASUrl>
            <EwsUrl>https://webmail.nspyre.nl/EWS/Exchange.asmx</EwsUrl>
            <EmwsUrl>https://webmail.nspyre.nl/EWS/Exchange.asmx</EmwsUrl>
            <EcpUrl>https://webmail.nspyre.nl/ecp/</EcpUrl>
            <EcpUrl-um>?rfr=olk&amp;p=customize/voicemail.aspx&amp;exsvurl=1&amp;realm=nspyre.nl</EcpUrl-um>
            <EcpUrl-aggr>?rfr=olk&amp;p=personalsettings/EmailSubscriptions.slab&amp;exsvurl=1&amp;realm=nspyre.nl</EcpUrl-aggr>
            <EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?rfr=olk&amp;exsvurl=1&amp;IsOWA=&lt;IsOWA&gt;&amp;MsgID=&lt;MsgID&gt;&amp;Mbx=&lt;Mbx&gt;&amp;realm=nspyre.nl</EcpUrl-mt>
            <EcpUrl-ret>?rfr=olk&amp;p=organize/retentionpolicytags.slab&amp;exsvurl=1&amp;realm=nspyre.nl</EcpUrl-ret>
            <EcpUrl-sms>?rfr=olk&amp;p=sms/textmessaging.slab&amp;exsvurl=1&amp;realm=nspyre.nl</EcpUrl-sms>
            <EcpUrl-photo>PersonalSettings/EditAccount.aspx?rfr=olk&amp;chgPhoto=1&amp;exsvurl=1&amp;realm=nspyre.nl</EcpUrl-photo>
            <EcpUrl-tm>?rfr=olk&amp;ftr=TeamMailbox&amp;exsvurl=1&amp;realm=nspyre.nl</EcpUrl-tm>
            <EcpUrl-tmCreating>?rfr=olk&amp;ftr=TeamMailboxCreating&amp;SPUrl=&lt;SPUrl&gt;&amp;Title=&lt;Title&gt;&amp;SPTMAppUrl=&lt;SPTMAppUrl&gt;&amp;exsvurl=1&amp;realm=nspyre.nl</EcpUrl-tmCreating>
            <EcpUrl-tmEditing>?rfr=olk&amp;ftr=TeamMailboxEditing&amp;Id=&lt;Id&gt;&amp;exsvurl=1&amp;realm=nspyre.nl</EcpUrl-tmEditing>
            <EcpUrl-extinstall>Extension/InstalledExtensions.slab?rfr=olk&amp;exsvurl=1&amp;realm=nspyre.nl</EcpUrl-extinstall>
            <OOFUrl>https://webmail.nspyre.nl/EWS/Exchange.asmx</OOFUrl>
            <UMUrl>https://webmail.nspyre.nl/EWS/UM2007Legacy.asmx</UMUrl>
            <OABUrl>https://webmail.nspyre.nl/OAB/3cde2ebe-e722-44e5-849d-7f6cd94b51fa/</OABUrl>
            <ServerExclusiveConnect>On</ServerExclusiveConnect>
            <CertPrincipalName>msstd:*.nspyre.nl</CertPrincipalName>
          </Protocol>
          <Protocol>
            <Type>EXHTTP</Type>
            <Server>webmail.nspyre.nl</Server>
            <SSL>On</SSL>
            <AuthPackage>Basic</AuthPackage>
            <ASUrl>https://webmail.nspyre.nl/EWS/Exchange.asmx</ASUrl>
            <EwsUrl>https://webmail.nspyre.nl/EWS/Exchange.asmx</EwsUrl>
            <EmwsUrl>https://webmail.nspyre.nl/EWS/Exchange.asmx</EmwsUrl>
            <OOFUrl>https://webmail.nspyre.nl/EWS/Exchange.asmx</OOFUrl>
            <UMUrl>https://webmail.nspyre.nl/EWS/UM2007Legacy.asmx</UMUrl>
            <OABUrl>https://webmail.nspyre.nl/OAB/3cde2ebe-e722-44e5-849d-7f6cd94b51fa/</OABUrl>
            <ServerExclusiveConnect>On</ServerExclusiveConnect>
            <CertPrincipalName>msstd:*.nspyre.nl</CertPrincipalName>
          </Protocol>
        </Account>
      </Response>
    </Autodiscover>

    How can I force Outlook clients (domain joined and workgroup) to get Basic authentication from Autodiscover? Any help will be greatly appreciated as I have already spent a huge amount of time and neurons on this issue.

    Thank you so very much for your help.

    Marian Vulpe


    Marian VULPE

    Wednesday, June 10, 2015 5:21 PM

Answers

  • Hi Julien,

    Thank you very much for your help. Unfortunately there is no GPO for Outlook 2010 - I can use the same Outlook (2013) and get both successful connection and repeated password prompts on the same workstation, just by changing between user accounts hosted on the 2 different servers (2010 and 2013). Besides we have quite a lot of workstations that are not joined to the domain, so GPO will help only for a little bit.

    The problem is somehow related to the autodiscover that is pushing the wrong settings. I am restarting the 2013 server tonight and will see the results (though I'm not too optimistic).

    Do you know a way to force refresh the autodiscover settings that are being sent to clients?

    Thanks again,

    Marian Vulpe


    Marian VULPE

    What are the OutlookAnywhere hostnames set to?

    If they are the same and the internal name is resolvable on the internet, then what you are seeing is expected. Outlook will use the internal hostname and auth.

    Also: Did you follow:

    http://blogs.technet.com/b/exchange/archive/2012/11/21/publishing-exchange-server-2013-using-tmg.aspx


    Twitter!: Please Note: My Posts are provided “AS IS” without warranty of any kind, either expressed or implied.

    Wednesday, June 10, 2015 10:31 PM
  • Hi Andy,

    "If they are the same and the internal name is resolvable on the internet, then what you are seeing is expected. Outlook will use the internal hostname and auth."

    THANK YOU for your answer. Indeed the internal and external host names were identical (split DNS). BUT, according to the documentation I've read so far, Outlook will by default display the Exchange Proxy Settings as the internal server. It's the first mention I get about the authentication as well, and also that it is not only "displayed" but also "applied". Quite different things I would say.
    So, in short, we have removed the internal host name and configured InternalClientsRequireSsl to false and voila, everything now works as expected.

    The complete command was:

    Set-OutlookAnywhere -Identity "2013\Rpc (Default Web Site)" -InternalHostName "" -InternalClientsRequireSsl $False -ExternalHostName "webmail.nspyre.nl" -ExternalClientsRequireSsl $True -InternalClientAuthenticationMethod NTLM -IISAuthenticationMethods Basic, NTLM, Negotiate -ExternalClientAuthenticationMethod Basic

    This was a wild ride - too bad the documentation doesn't more clearly explain this not so uncommon scenario.

    Again, thanks a lot :).
    Marian Vulpe



    Marian VULPE

    • Marked as answer by Marian Vulpe Thursday, June 11, 2015 12:34 PM
    Thursday, June 11, 2015 12:34 PM
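To make Andy's explanation concrete, here is an added example (not code from this thread, from Microsoft, or from the poster): a small Python script that parses an Autodiscover response in the schema shown in the question and reports the Outlook Anywhere (EXPR/EXHTTP) entries. The two sample responses are constructed and trimmed to the elements that matter; the hostname follows the thread, and the `internal-guid-placeholder` server name is a placeholder. When two EXHTTP entries share one hostname (split DNS) but carry different AuthPackage values, the script flags the collision and shows that the internal entry, NTLM here, is the one Outlook applies, which is why the Basic setting kept reverting. The "after" sample assumes that clearing InternalHostName removes the internal EXHTTP entry from the response, as the thread's outcome suggests. The script also flags any entry that advertises Basic without SSL, since that would send credentials in the clear.

```python
import xml.etree.ElementTree as ET

# Namespaces taken from the Autodiscover response in the question.
RESP_NS = "http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a"
AUTO_NS = "http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006"


def _tag(name):
    return "{%s}%s" % (RESP_NS, name)


def _exhttp(server, ssl, auth):
    return ("<Protocol><Type>EXHTTP</Type><Server>%s</Server><SSL>%s</SSL>"
            "<AuthPackage>%s</AuthPackage></Protocol>" % (server, ssl, auth))


def _sample(exhttp_blocks):
    # Constructed response, trimmed to the elements that matter for Outlook Anywhere.
    return (
        '<Autodiscover xmlns="%s"><Response xmlns="%s"><Account>'
        "<AccountType>email</AccountType><Action>settings</Action>"
        "<Protocol><Type>EXCH</Type><Server>internal-guid-placeholder</Server></Protocol>"
        "<Protocol><Type>EXPR</Type><Server>webmail.nspyre.nl</Server>"
        "<SSL>On</SSL><AuthPackage>Basic</AuthPackage></Protocol>"
        "%s</Account></Response></Autodiscover>" % (AUTO_NS, RESP_NS, exhttp_blocks)
    )


# Before the fix: internal (Ntlm) and external (Basic) entries with the same hostname.
SAMPLE_BEFORE = _sample(_exhttp("webmail.nspyre.nl", "On", "Ntlm") +
                        _exhttp("webmail.nspyre.nl", "On", "Basic"))
# After the fix (assumption: an empty InternalHostName drops the internal EXHTTP entry).
SAMPLE_AFTER = _sample(_exhttp("webmail.nspyre.nl", "On", "Basic"))


def outlook_anywhere_entries(xml_text):
    """Return EXPR/EXHTTP protocol entries as dicts (type, server, ssl, auth), in document order."""
    root = ET.fromstring(xml_text)
    entries = []
    for proto in root.iter(_tag("Protocol")):
        ptype = proto.findtext(_tag("Type"), default="")
        if ptype not in ("EXPR", "EXHTTP"):
            continue
        entries.append({
            "type": ptype,
            "server": proto.findtext(_tag("Server"), default="").lower(),
            "ssl": proto.findtext(_tag("SSL"), default="").lower(),
            "auth": proto.findtext(_tag("AuthPackage"), default="").lower(),
        })
    return entries


def hostname_collisions(entries):
    """Hostnames advertised by more than one EXHTTP entry with different AuthPackage values."""
    seen = {}
    for e in entries:
        if e["type"] == "EXHTTP":
            seen.setdefault(e["server"], []).append(e["auth"])
    return {host: auths for host, auths in seen.items() if len(set(auths)) > 1}


def applied_auth(entries):
    """AuthPackage Outlook ends up applying: the first EXHTTP entry, the internal one when present (per the thread)."""
    for e in entries:
        if e["type"] == "EXHTTP":
            return e["auth"]
    return None


def insecure_entries(entries):
    """Entries advertising Basic without SSL, i.e. credentials that would travel in the clear."""
    return [e for e in entries if e["auth"] == "basic" and e["ssl"] != "on"]


def report(xml_text):
    """Human-readable audit lines for one Autodiscover response."""
    entries = outlook_anywhere_entries(xml_text)
    lines = ["%-7s %-22s ssl=%-3s auth=%s" % (e["type"], e["server"], e["ssl"], e["auth"])
             for e in entries]
    for host, auths in hostname_collisions(entries).items():
        lines.append("COLLISION: %s advertised with %s; Outlook applies %s"
                     % (host, "/".join(auths), applied_auth(entries)))
    for e in insecure_entries(entries):
        lines.append("WARNING: Basic without SSL on %s" % e["server"])
    return lines


if __name__ == "__main__":
    for label, xml_text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print("== %s ==" % label)
        print("\n".join(report(xml_text)))
```

Run against a real response (Outlook's "Test E-mail AutoConfiguration" XML tab gives one), `report()` lists every Outlook Anywhere entry and prints a COLLISION line when the internal and external hostnames coincide with differing auth; with the internal hostname removed the collision disappears and only the Basic entry remains.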

All replies

  • Hi Marian,

    We use a GPO to force this setting (Outlook 2010) on the workstations - http://www.bictt.com/blogs/bictt.php/2011/01/09/outlook-anywhere-automatically-changes-proxy-settings .

    Maybe you also have a specific GPO that applies to Outlook 2010 (that's why it works fine) but you don't have this GPO for Outlook 2013?

    Julien

    Wednesday, June 10, 2015 9:45 PM
  • Hi Julien,

    Thank you very much for your help. Unfortunately there is no GPO for Outlook 2010 - I can use the same Outlook (2013) and get both successful connection and repeated password prompts on the same workstation, just by changing between user accounts hosted on the 2 different servers (2010 and 2013). Besides we have quite a lot of workstations that are not joined to the domain, so GPO will help only for a little bit.

    The problem is somehow related to the autodiscover that is pushing the wrong settings. I am restarting the 2013 server tonight and will see the results (though I'm not too optimistic).

    Do you know a way to force refresh the autodiscover settings that are being sent to clients?

    Thanks again,

    Marian Vulpe


    Marian VULPE

    Wednesday, June 10, 2015 9:58 PM
  • Hi,

    In Exchange 2013, it is by design that the internal host name (the same as external host name in your environment with webmail.nspyre.nl) of Outlook Anywhere is always displayed as the proxy server for Exchange in the Microsoft Exchange Proxy Settings dialog box in Microsoft Outlook. Additionally, the Internal Authentication settings (NTLM) are always displayed in the Exchange Proxy Settings dialog box.

    Therefore, when you restart your Outlook, the authentication setting shown is the internal authentication setting, which is NTLM in your environment, every time. For more information about this, please refer to:

    https://support.microsoft.com/en-us/kb/2754898

    As for your credential prompted issue, please confirm if the issue happens to all users or specific users. Please press and hold Ctrl, and then right-click the Outlook icon in the notification area, click Connection Status to check the status (please collect the Server name, status, protocol, Authentication, and Type information) when the issue occurs.

    If the issue happens to specific users, please clear the credential manager in Control Panel to have a try.

    Regards,


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Winnie Liang
    TechNet Community Support

    Thursday, June 11, 2015 8:23 AM