Exchange Integration on Communicator - Supported Authentication Methods

  • Question

  • We've got a customer that's always had the infamous Exchange Integration error on Communicator (2007 R2) when connected externally (internally it's all sweet). It's only now that they're migrating to Lync that they have decided it is time to do something about it... I've read all (well... most... well... a bunch) of the forum posts, blogs and Technet articles that talk about this, but I can't seem to find the one that fits this particular issue.

    OWA, EWS, autodiscover, etc. are all published externally via TMG. Authentication on the listener is set to FBA; delegation is Basic for all rules, and all external virtual directories are enabled for Basic authentication. TMG is not domain-joined! (I know, I know... We've argued this one until blue in the face but they won't have a bar of it - workgroup it is and workgroup it will stay!)

    So what we're seeing is Communicator hitting autodiscover.customer.domain with the usual GET/POST requests and TMG responding with a 401 challenge. However, when we enter the correct credentials in the resulting authentication pop-up on the client, we just get another challenge. This continues indefinitely as long as Communicator continues trying to discover the Exchange services.

    If I understand correctly, that was just a Basic authentication challenge (fallback for FBA)... Does Communicator not like this? If not, what alternatives will it support? We can live with a single pop-up upon login, though we would prefer it were transparent. I don't understand enough about publishing through TMG and authentication to put my finger on what's happening here, or what our options are. Any help with this would be greatly appreciated!

    Strangely, it seems that the Lync client quite happily responds to the Basic challenge when connected externally, without so much as a pop-up in sight. We're a long way off getting all the clients migrated across, however, so really need to fix this for Communicator clients.

    Friday, June 15, 2012 2:06 AM

Answers

  • Lync does not support pre-authentication for any Exchange web services; the external Lync client needs to use pass-through authentication to the CAS and will use NTLM.

    There are multiple ways you could get this working:

    Say, for example, you have a certificate on the CAS which already has autodiscover.domain.com in the SAN and you are using a certificate on the TMG which also has autodiscover.domain.com in the SAN.

    You can then use a different public IP and publish the autodiscover.domain.com record in the public DNS to use the new IP.

    Configure a listener on the TMG for this new public IP and configure No authentication and the correct certificate.

    Create a new rule on the TMG which would have public name autodiscover.domain.com, use the new listener and use /* for paths.

    On the CAS you can change the externalURL of Exchange Web Services to https://autodiscover.domain.com/ews/exchange.asmx using the Exchange cmdlet Set-WebServicesVirtualDirectory on the internet-facing CAS server.

    You can refer to http://www.isaserver.org/tutorials/web-listeners-web-publishing-rules.html for more understanding

    • Marked as answer by LS81 Wednesday, July 11, 2012 5:30 AM
    Saturday, June 23, 2012 7:45 AM
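    As an added example (not code from the thread or from Microsoft), a PowerShell check run from outside the network that reports what authentication challenge the reverse proxy actually returns for the published autodiscover and EWS paths, so you can tell a pass-through NTLM/Negotiate challenge from TMG pre-authentication (Basic-only 401 or a redirect to the FBA logon form). The hostname `autodiscover.domain.com` is the placeholder used in the answer above and the function name is hypothetical.

    ```powershell
    # Added example: probe published Exchange/UC endpoints from outside and report
    # the authentication challenge the reverse proxy (TMG) returns.
    $PublishedHost = 'autodiscover.domain.com'   # placeholder, replace with the real published name
    $Paths = @('/autodiscover/autodiscover.xml', '/ews/exchange.asmx')

    function Get-PublishedAuthChallenge {
        param([Parameter(Mandatory)][string]$Url)
        $req = [System.Net.WebRequest]::Create($Url)
        $req.Method = 'GET'
        $req.AllowAutoRedirect = $false      # an FBA listener answers with a 302 to its logon form
        $req.UserAgent = 'AuthProbe/1.0'
        try   { $resp = $req.GetResponse() }
        catch [System.Net.WebException] {
            if (-not $_.Exception.Response) { throw }   # DNS/TLS/connection failure, not an HTTP answer
            $resp = $_.Exception.Response               # 401/302 etc. still carry the headers we need
        }
        $schemes = @()
        $hdr = $resp.Headers.GetValues('WWW-Authenticate')
        if ($hdr) { $schemes = $hdr | ForEach-Object { ($_ -split '\s+')[0] } | Sort-Object -Unique }
        $status = [int]$resp.StatusCode
        $location = $resp.Headers['Location']
        $resp.Close()

        # Interpretation, following the thread: the UC clients need pass-through to the CAS,
        # i.e. a 401 that offers NTLM/Negotiate. A Basic-only 401 or a redirect to a logon
        # form means TMG is pre-authenticating, which is the unsupported case.
        $verdict = if ($status -eq 401 -and ($schemes -contains 'NTLM' -or $schemes -contains 'Negotiate')) {
                       'pass-through (NTLM/Negotiate offered)'
                   } elseif ($status -eq 401) {
                       'pre-authentication: Basic-only challenge'
                   } elseif ($status -in 302, 303) {
                       "pre-authentication: redirect to logon form (FBA) -> $location"
                   } else {
                       "unexpected status $status"
                   }
        [pscustomobject]@{ Url = $Url; Status = $status; Schemes = ($schemes -join ','); Verdict = $verdict }
    }

    $Paths | ForEach-Object { Get-PublishedAuthChallenge -Url "https://$PublishedHost$_" } | Format-Table -AutoSize
    ```

    Run it once against the existing FBA/Basic listener and again after the new No-authentication listener and rule are in place; the second run should show a 401 offering NTLM for both paths.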

All replies

  • Hi,

    I hope the following links can give you some useful information:

    http://www.proexchange.be/blogs/exchange2010/archive/2012/03/09/enabling-kerberos-authentication-on-a-cas-array.aspx

    http://www.microsoft.com/en-us/download/details.aspx?id=15668


    Regards,

    Kent Huang

    TechNet Community Support

    • Edited by Kent-Huang Monday, June 18, 2012 5:41 AM
    Monday, June 18, 2012 5:41 AM
  • Thanks for the info, Kent.

    Unfortunately, the first link you sent does not apply as the TMG in this scenario is not domain-joined, so Kerberos is out of the question.

    Regardless, I'm pretty sure the issue we're having is with authentication to TMG, not delegation to the CAS. Having said that, I re-read the second article you forwarded and something I must have skimmed over before in the "Reverse Proxy Pre-Authentication" section (page 20) caught my eye:

    Requests involving the following web services may fail when pre-authentication is enabled for external UC clients and devices:

    • Exchange Autodiscover service
    • Exchange Web Services
    • Lync WebTicket service
    • Lync Certificate Provisioning Web service
    • Lync Server Address Book Download Web service
    • Lync Server Address Book Web Query service
    • Lync Device Update Web service

    Is this saying that the publishing rules for the above services must be set up on TMG to not do pre-authentication? This is contrary to anything I've read about publishing Exchange through TMG. It also defeats the main point of putting things behind TMG in the first place. Surely this means to say "... may fail when pre-authentication is enabled, depending on the authentication method used on the TMG listener...".

    Can anyone confirm whether I've understood correctly? Again, is there a list of authentication methods Lync/Communicator do/don't support for web service requests?

    Monday, June 18, 2012 6:21 AM
  • Sure enough - I ended up raising this with Microsoft support to get clarification on the below statement from the Understanding and Troubleshooting Microsoft Exchange Server Integration document:

    Requests involving the following web services may fail when pre-authentication is enabled for external UC clients and devices

    Their response was that pre-authentication is not supported by UC clients.

    Strangely, for us Exchange integration works fine for external Lync clients, but not for Communicator clients. We're using FBA on the listener and Basic delegation towards the CAS. I'm guessing this is one of those "it'll work, but it's not supported" scenarios.

    Wednesday, July 11, 2012 5:30 AM