Outlook Anywhere (2007) + TMG 2010 NTLM Issue

  • Question

  • Hi All,

    I've had a nagging issue for a while that I've only gotten round to looking at.

    I've published Outlook Anywhere through TMG as described in an article over at isaserver.org using Basic Authentication (http://www.isaserver.org/tutorials/Publishing-Exchange-2007-OWA-Exchange-ActiveSync-RPCHTTP-using-2006-ISA-Firewall-Part1.html). It's all working fine; Outlook 2010 clients can connect to it from outside of the LAN fine, but as soon as they connect to our VPN or in fact come inside the network, it seems to change back to NTLM on the last setting. Here is what's listed in the Outlook Anywhere settings on the client:

     

    URL: https://mail.blah.com

    Connect Using SSL only: YES

    Only connect to proxy servers that have this principal name: msstd:mail.blah.com

    On fast networks, connect using HTTP first, then connect using TCP/IP: YES

    On slow networks, connect using HTTP first, then connect using TCP/IP: YES

    Proxy authentication settings: Basic

     

    From what I've been searching, it sounds as if it may have something to do with the AutoConfiguration that Exchange hands out when the PC is on the LAN/VPN which would explain it, but I'm unsure as to what settings would need changed.

     

    We have various Android/iPhone/iPad clients all connecting to this, so it would be great if I can keep them all happy while still having Outlook Anywhere running for the PC users.

     

    Thanks,

    Wednesday, May 4, 2011 5:15 AM

All replies

  • Hi,


    Do you want to restrict both internal and external users to using Outlook Anywhere with the Basic authentication method?

    You need to change the authentication method of Outlook Anywhere to Basic on your CAS server:

    1. Open EMC. In the console tree, navigate to Server Configuration > Client Access.
    2. In the action pane, right-click your CAS server and choose Properties.

    3. In the Outlook Anywhere tab, change the authentication method to Basic.

    4. Restart IIS.

    The internal users (VPN users are also treated as internal users) will connect to Autodiscover to retrieve the authentication method of Outlook Anywhere. So if your CAS server is configured to use NTLM authentication for Outlook Anywhere, the internal users will not perform Basic authentication.


    Gen Lin

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfb@microsoft.com 

     


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. Thanks Gen Lin-MSFT
    • Marked as answer by Gen Lin Friday, May 13, 2011 2:20 AM
    • Unmarked as answer by DaveR_NZ Thursday, June 9, 2011 7:33 AM
    Thursday, May 5, 2011 9:12 AM
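
The reply above says internal and VPN clients take the Outlook Anywhere authentication method from Autodiscover; in the Autodiscover response that is the `AuthPackage` value of the `EXPR` protocol block. The following is an added example, not part of the original thread: the response XML is constructed (the `cas01.corp.example` name is hypothetical) and the function names are this example's own.

```python
# Added example: SAMPLE_RESPONSE is constructed, not a captured response.
import xml.etree.ElementTree as ET

NS = {"o": "http://schemas.microsoft.com/exchange/autodiscover/"
           "outlook/responseschema/2006a"}

SAMPLE_RESPONSE = """\
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <Account>
      <Protocol><Type>EXCH</Type><Server>cas01.corp.example</Server></Protocol>
      <Protocol>
        <Type>EXPR</Type>
        <Server>mail.blah.com</Server>
        <SSL>On</SSL>
        <AuthPackage>Ntlm</AuthPackage>
        <CertPrincipalName>msstd:mail.blah.com</CertPrincipalName>
      </Protocol>
    </Account>
  </Response>
</Autodiscover>"""


def outlook_anywhere_settings(xml_text):
    """Return the EXPR (Outlook Anywhere) fields as a dict, or None."""
    root = ET.fromstring(xml_text)
    for proto in root.iterfind(".//o:Protocol", NS):
        if proto.findtext("o:Type", "", NS).strip().upper() == "EXPR":
            return {key: proto.findtext("o:" + tag, "", NS).strip()
                    for key, tag in (("server", "Server"), ("ssl", "SSL"),
                                     ("auth_package", "AuthPackage"),
                                     ("principal", "CertPrincipalName"))}
    return None


def check_auth(xml_text, expected="Basic"):
    """List mismatches between the advertised settings and the expected ones."""
    s = outlook_anywhere_settings(xml_text)
    if s is None:
        return ["no EXPR block: Outlook Anywhere is not advertised"]
    findings = []
    if s["auth_package"].lower() != expected.lower():
        findings.append(f"AuthPackage is {s['auth_package'] or 'absent'}, expected {expected}")
    if expected.lower() == "basic" and s["ssl"].lower() == "off":
        findings.append("Basic advertised with SSL Off: credentials would be sent in clear")
    return findings


if __name__ == "__main__":
    print(outlook_anywhere_settings(SAMPLE_RESPONSE))
    print(check_auth(SAMPLE_RESPONSE) or "advertised settings match")
```
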
  • Thanks, I'll give that a try. I think I may have done that in the past but then it just kept prompting LAN/VPN users constantly for their mailbox password.
    Friday, May 6, 2011 2:21 AM
  • Hi,

    When enabling Basic authentication in Outlook Anywhere, please make sure that SSL offloading is unchecked.


    Friday, May 6, 2011 7:32 AM
  • Hi,

    How are things going?


    Wednesday, May 11, 2011 7:08 AM
  • Sorry, I've been overseas. So just catching up on some work...
    Sunday, May 15, 2011 8:51 PM
  • Ok, so I finally got round to trying this: enabled Basic authentication on Exchange, and clients on the LAN are working as they should. External clients aren't connecting now though unless on VPN; must be a setting on TMG?

    Authentication on the HTTPS Listener is set to HTML Form Authentication with AD and the 'Authentication Delegation' tab in the TMG rule is set to NTLM (I tried this on Basic with no change).

     

    I must surely be missing something simple? I've run through the isaserver.org document several times.

     


    Thursday, June 9, 2011 7:33 AM
  • Just an update, after around 20 minutes it started working, typical TMG :)

     

    Thanks for the help.

    Sunday, June 12, 2011 10:40 PM