Outlook Anywhere (2007) + TMG 2010 NTLM Issue
Question
-
Hi All,
I've had a nagging issue for a while that I've only gotten round to looking at.
I've published OutlookAnywhere through TMG as described in an article over at isaserver.org using Basic Authentication (http://www.isaserver.org/tutorials/Publishing-Exchange-2007-OWA-Exchange-ActiveSync-RPCHTTP-using-2006-ISA-Firewall-Part1.html). It's all working fine, Outlook 2010 clients can connect to it outside of the LAN fine but as soon as they connect to our VPN or in fact come inside the network, it seems to change back to NTLM on the last setting. Here is what's listed in the Outlook Anywhere settings on the client:
Connect Using SSL only: YES
Only connect to proxy servers that have this principal name: msstd:mail.blah.com
On fast networks, connect using HTTP first, then connect using TCP/IP: YES
On slow networks, connect using HTTP first, then connect using TCP/IP: YES
Proxy authentication settings: Basic
From what I've been searching, it sounds as if it may have something to do with the AutoConfiguration that Exchange hands out when the PC is on the LAN/VPN which would explain it, but I'm unsure as to what settings would need changed.
We have various Android/iPhone/iPad clients all connecting to this, so would be great if I can keep them all happy while still having OutlookAnywhere running for the PC users.
Thanks,
Wednesday, May 4, 2011 5:15 AM
All replies
-
Hi,
Do you want to restrict both the internal and external users to use Outlook Anywhere with the Basic authentication method? You need to change the authentication method of Outlook Anywhere to Basic on your CAS server:
1. Open EMC. In the console tree, navigate to Server Configuration > Client Access.
2. In the action pane, right-click your CAS server and choose Properties.
3. In the Outlook Anywhere tab, change the authentication method to Basic.
4. Restart IIS.
The internal users (VPN users are also treated as internal users) will connect to autodiscover to retrieve the authentication method of outlook anywhere. So if your CAS server is configured to use NTLM authentication for outlook anywhere, the internal users will not perform basic authentication.
Gen Lin
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb@microsoft.com
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. Thanks
Gen Lin-MSFT
Thursday, May 5, 2011 9:12 AM
-
Thanks, I'll give that a try. I think I may have done that in the past but then it just kept prompting LAN/VPN users constantly for their Mailbox password.
Friday, May 6, 2011 2:21 AM
-
Hi,
When enabling Basic authentication in Outlook Anywhere, please make sure that SSL offloading is unchecked.
Gen Lin-MSFT
Friday, May 6, 2011 7:32 AM
-
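The EMC steps and the SSL offloading check from the replies above, as an Exchange Management Shell equivalent. This is an added example, not part of the original thread; the server name `CAS01` is a placeholder.

```powershell
# Run in the Exchange Management Shell.
$cas = 'CAS01'   # placeholder: replace with your Client Access server name

# Current Outlook Anywhere settings. Internal and VPN clients receive
# ClientAuthenticationMethod through Autodiscover.
$oa = Get-OutlookAnywhere -Server $cas
if (-not $oa) {
    Write-Warning "Outlook Anywhere is not enabled on $cas."
    return
}
$oa | Format-List Identity, ExternalHostname, ClientAuthenticationMethod, SSLOffloading

# Change only what differs from the settings suggested in the thread:
# Basic authentication with SSL offloading turned off.
if ($oa.ClientAuthenticationMethod -ne 'Basic' -or $oa.SSLOffloading) {
    $oa | Set-OutlookAnywhere -ClientAuthenticationMethod Basic -SSLOffloading $false
}

# Confirm the stored values, then restart IIS (step 4 of the EMC procedure).
Get-OutlookAnywhere -Server $cas |
    Format-List Identity, ClientAuthenticationMethod, SSLOffloading
iisreset /noforce
```

With Basic authentication the mailbox password is protected only by the TLS session, so keep "Connect using SSL only" enabled on the clients.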
Hi,
How are things going?
Gen Lin-MSFT
Wednesday, May 11, 2011 7:08 AM
-
Sorry, I've been overseas. So just catching up on some work...
Sunday, May 15, 2011 8:51 PM
-
Ok so I finally got round to trying this, enabled Basic authentication on Exchange and clients on LAN are working as they should, external aren't connecting now though unless on VPN, must be a setting on TMG?
Authentication on the HTTPS Listener is set to HTML Form Authentication with AD and the 'Authentication Delegation' tab in the TMG rule is set to NTLM (I tried this on basic with no change).
I must surely be missing something simple? I've run through the isaserver.org document several times.
Thursday, June 9, 2011 7:33 AM
-
Just an update, after around 20 minutes it started working, typical TMG :)
Thanks for the help.
Sunday, June 12, 2011 10:40 PM