Does Outlook Anywhere Support Kerberos RPC Auth?


  • I have a simple lab setup in which my requirement is to get Outlook Anywhere traffic using Kerberos authentication for the RPC auth.  HTTP (proxy) auth level can be either Basic or NTLM, doesn't matter.  I'm trying to figure out if this deployment is even possible, as it doesn't appear to be from my testing.

    • Regardless of my Proxy Auth settings (Basic or NTLM) or my RPC Auth settings (Kerberos, Negotiate), I'm ALWAYS seeing NTLM Authentication used for RPC.
    • If I just use standard TCP rather than HTTP, Kerberos works fine.  So Kerberos is at least possible.
    • I see LDAP traffic, and even some requests to get krbtgt tickets, which implies it should be possible at least for an internal client like mine.

    This technet blog implies that OA doesn't do Kerberos ever:  http://blogs.technet.com/b/exchange/archive/2011/04/15/recommendation-enabling-kerberos-authentication-for-mapi-clients.aspx

    But if you try to enable it, Outlook comes up with this message (which implies that you can inside a firewall, I have no firewall):  “Kerberos has been specified as the protocol for network authentication.  When connection to your Microsoft Exchange mailbox using HTTP, Kerberos authentication can only be used if you are connecting inside a firewall.  If you connect from outside a firewall, NTLM authentication will be used.”

    Can Outlook Anywhere do Kerberos RPC Auth and if it can, what is required to get it working?  It seems many people on here have had problems with this giving multiple password prompt and they just changed the setting to use NTLM RPC Auth instead of Kerberos.  This isn't acceptable for me as my requirement is using Kerberos for RPC.

    Thanks for any help.

    Monday, May 23, 2011 10:11 PM


All replies