Ex2010 > Ex2013 - Outlook Anywhere client authentication

  • Question

  • Hi,

    I have an Exchange 2010 server with all roles installed and users mailboxes on it. Most users are domain-joined, but some are external 'home' users and connect via Outlook Anywhere.

    I also have an Exchange 2013 server (again, all roles) which is mostly set-up and is in co-existence with Ex2010. I have moved one test mailbox onto this server. One issue is accessing Public Folders, which are still on the Ex2010 mailbox user. I get a password prompt (which doesn't accept my password) and if I click cancel, I get an error "Cannot expand the folder. The set of folders cannot be opened. Microsoft Exchange is not available, etc, etc"

    Other info
    -My servers are fully patched and up-to-date and I'm using the latest Office service packs on Windows 7
    -I have a split DNS (webmail.domain.co.uk points to Ex2013)
    -I have no TMG

    As I understand it, the problem may well be the difference between authentication methods on Ex2010 and Ex2013. I understand I need to use the same authentication method but herein lies my problem.

    Get-OutlookAnywhere on Ex2010

    ExternalHostName: webmail.domain.co.uk
    ClientAuthenticationMethod: Basic
    IISAuthenticationMethod: {Basic, NTLM}

    Get-OutlookAnywhere on Ex2013

    ExternalHostName: webmail.domain.co.uk
    InternalHostName: webmail.domain.co.uk
    ExternalClientAuthenticationMethod: Basic
    InternalClientAuthenticationMethod: NTLM
    IISAuthenticationMethods: {Basic, NTLM, Negotiate}

    If I change Ex2010 to NTLM (to match Ex2013) then it will break my home users.
    If I change Ex2013 to Basic (to match Ex2010) then it will annoy my domain-joined users as they will constantly need to enter credentials.

    So, I need to use NTLM internally, but Basic for external 'home' users.

    Although currently domain-joined Outlook users on Ex2010 are configured for Outlook Anywhere, they connect over RPC, not HTTP, therefore the Basic setting on Ex2010 is not affecting them. However, I cannot migrate them to Ex2013 as the Public Folder issue is a problem.

    Comments and suggestions gladly welcome
    Thanks.
    Wednesday, August 13, 2014 2:58 PM

Answers

  • How long ago did you make the changes? You should be able to access legacy PFs on 2010 from a 2013 Mailbox with NTLM set. Give it some time for autodiscover to kick in and the changes to propagate on the server side, or try creating a new Outlook profile.

    If you use split DNS and the internal and external hostnames are the same, then no. Outlook will actually only use the internalhostname and its auth - even if it's external.


    Thursday, August 14, 2014 12:16 PM
  • Try this..

    On the 2010 servers, go to IIS > RPC vdir > Authentication > Windows Authentication and choose "Providers" in the Actions pane. Make sure NTLM is first on the list here.

    Thursday, August 14, 2014 12:32 PM

All replies

  • You should use NTLM for Exchange 2010 OutlookAnywhere for the coexistence. For your home users, if NTLM fails or is unavailable (non-domain-joined computers), they will fall back to basic auth.

    Thursday, August 14, 2014 12:26 AM
  • Thanks. I had tried this previously but it prevented all my 'home' users logging in. They would get a login box repeatedly.

    I have set this again and tested from outside the network and it prompts once for login then lets me in. The only thing I may have changed in between is setting the IISAuthenticationMethods to be both {Basic, NTLM}.

    So, my home users are ok, but I still cannot open the Public Folders when using Outlook as an Ex2013 mailbox user. I get the same error as before.

    A lot of advice suggests checking the Account Options in Outlook on the 'Security' tab, specifically the 'Logon Network Security' setting. The advice is that this should not be 'Anonymous Authentication'. Mine is currently set to 'Negotiate Authentication'. The same setting appears for users still on Ex2010.

    Is there anything else I should be looking at?

    Thanks.

    Thursday, August 14, 2014 8:51 AM
  • IISAuthenticationMethods is just what method IIS accepts.

    So, you want to make ExternalClientAuthenticationMethod and InternalClientAuthenticationMethod Ntlm for both 2013 and 2010 servers.

    Has this been done?

    Thursday, August 14, 2014 11:44 AM
  • Thanks

    To answer your question, yes this has been done and my values are now

    (from Get-OutlookAnywhere on Ex2013)

    ServerName: Ex2010
    ExternalHostName: webmail.domain.co.uk
    InternalHostName: {empty}
    ExternalClientAuthenticationMethod: NTLM
    InternalClientAuthenticationMethod: NTLM
    IISAuthenticationMethods: {Basic, NTLM}

    ServerName: Ex2013
    ExternalHostName: webmail.domain.co.uk
    InternalHostName: webmail.domain.co.uk
    ExternalClientAuthenticationMethod: NTLM
    InternalClientAuthenticationMethod: NTLM
    IISAuthenticationMethods: {Basic, NTLM, Negotiate}

    What this has fixed is now when I test Outlook Anywhere, to a mailbox on Ex2010, from outside my domain, I can login successfully on the first attempt. Great.

    What still doesn't work is accessing Public Folders which are on Ex2010 whilst using Outlook as a user with a mailbox on Ex2013. When I click on the Public Folder tree, I get a password prompt. Cancelling that, I get an error as described in my first post.

    May I ask, is there a difference between ExternalClientAuthenticationMethod and InternalClientAuthenticationMethod if I use split DNS?

    Thanks.

    Thursday, August 14, 2014 12:04 PM
  • Bingo!

    Moving NTLM up to top in the list fixed this for me. Thanks Brenle. Public Folders are now opening from the Ex2013 mailbox user.

    I'm surprised how difficult Ex2010 > Ex2013 has been. The move from Ex2003 > Ex2010 was a piece of cake in comparison.

    One side point I have to mention (which I'm happy to open a new thread for), is about the Outlook setting 'On fast networks, connect using HTTP first, then connect using TCP/IP'.

    With this ticked, and accessing a mailbox on either Ex2010 or 2013, Outlook takes a few seconds longer to open.

    For example, connecting via TCP, the Outlook 2010 splash screen shows for around 1 second (you briefly see the words 'Starting' then 'Loading Profile' before Outlook opens). However, connecting via HTTPS the splash screen takes around 5-6 seconds. I appreciate this is a small issue, but I noticed it and so will my users. We are a small company of 60 users. Both Exchange servers have been sized correctly.

    Can anything be done to speed this up? I have read about using Kerberos, but this was only suggested for very large firms to avoid bottlenecks. Does Kerberos even work with HTTPS?

    Thanks all for your comments.

    Thursday, August 14, 2014 2:42 PM
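    The two fixes the thread converged on (set NTLM as the client authentication method on both servers, then put NTLM ahead of Negotiate in the Rpc vdir's Windows Authentication providers) as one added PowerShell example; this is not code from the thread or from Microsoft. It assumes the Exchange 2013 Management Shell for the Set-OutlookAnywhere part (the 2013 cmdlet exposes the Internal/External parameters for the 2010 server too, as the poster's Get-OutlookAnywhere output shows) and the IIS WebAdministration module, run locally on each server, for the provider-order part; the server names Ex2010/Ex2013 come from the thread.

```powershell
# Added example, not from the thread. Part 1 (Exchange 2013 Management Shell):
# align client auth on both servers. NTLM for Outlook; Basic stays enabled at the
# IIS layer so non-domain-joined 'home' users can still fall back to it.
$Servers = 'Ex2010', 'Ex2013'   # names taken from the thread

foreach ($s in $Servers) {
    Set-OutlookAnywhere -Identity "$s\Rpc (Default Web Site)" `
        -ExternalClientAuthenticationMethod Ntlm `
        -InternalClientAuthenticationMethod Ntlm `
        -IISAuthenticationMethods Basic, Ntlm
}

# Side-by-side check: a mismatch between servers is what produces the credential
# prompt loop when a 2013 mailbox reaches back to 2010 public folders.
Get-OutlookAnywhere | Format-Table ServerName, ExternalHostname, InternalHostname,
    ExternalClientAuthenticationMethod, InternalClientAuthenticationMethod,
    IISAuthenticationMethods -AutoSize

# Part 2 (run on each Exchange server): make NTLM the first Windows
# Authentication provider on the Rpc virtual directory (the "Providers" dialog
# in IIS Manager edits this same collection).
Import-Module WebAdministration
$rpcVdir = 'IIS:\Sites\Default Web Site\Rpc'
$winAuth = 'system.webServer/security/authentication/windowsAuthentication'

$providers = (Get-WebConfigurationProperty -PSPath $rpcVdir `
                -Filter "$winAuth/providers" -Name '.').Collection |
             Select-Object -ExpandProperty value
Write-Host "Current provider order on $env:COMPUTERNAME : $($providers -join ', ')"

if ($providers.Count -eq 0 -or $providers[0] -ne 'NTLM') {
    # Remove NTLM from wherever it sits (no error if absent), then re-add it at
    # index 0 so it is offered before Negotiate.
    if ($providers -contains 'NTLM') {
        Remove-WebConfigurationProperty -PSPath $rpcVdir -Filter $winAuth `
            -Name providers -AtElement @{ value = 'NTLM' }
    }
    Add-WebConfigurationProperty -PSPath $rpcVdir -Filter $winAuth `
        -Name providers -AtIndex 0 -Value @{ value = 'NTLM' }
    Write-Host 'NTLM moved to the top of the provider list.'
}
else {
    Write-Host 'NTLM is already first; nothing to change.'
}
```

    Re-run the Get-OutlookAnywhere table after the change and compare it with the values the poster listed above; the provider-order part has to be repeated on every server hosting the Rpc vdir.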
  • No problem! Glad you got it working.

    As far as the Outlook startup issue - this is more of an Outlook question - but are you using Outlook in Cached or Online mode? In cached mode, typically the actual connectivity to Exchange occurs after the splash screen is gone and the application is open (you can see "connecting to Exchange" in the bottom right corner). Have you tried a brand new profile?

    Friday, August 15, 2014 2:45 AM
  • Hi,

    Thanks. We are not using cached, but Outlook online. I have created numerous new profiles and tested and retested. The speed at which Outlook starts is directly linked to whether it connects over HTTP or RPC. When set to RPC it is very quick. HTTP takes noticeably longer. Again, this is with mailboxes on both Ex2010 and Ex2013.

    Friday, August 15, 2014 2:55 PM
  • Try with cached mode. I would expect that to load up quicker.
    Friday, August 15, 2014 3:26 PM
  • Cached isn't an option here. Users have huge mailboxes (15-20 GB is not uncommon). But that's another discussion altogether.

    The size of the mailbox doesn't seem to be related to the speed at which Outlook loads. I have a user with a small mailbox on 2013 (600 MB) and it takes the same amount of time to open as a 15 GB user.

    Friday, August 15, 2014 4:15 PM
  • Alright, I would recommend opening a new thread under Outlook for this question then.
    Friday, August 15, 2014 4:36 PM