Does Outlook Anywhere Support Kerberos RPC Auth?
I have a simple lab setup in which my requirement is to get Outlook Anywhere traffic using Kerberos authentication for the RPC auth. HTTP (proxy) auth level can be either Basic or NTLM, doesn't matter. I'm trying to figure out if this deployment
is even possible, as it doesn't appear to be from my testing.
Regardless of my Proxy Auth settings (Basic or NTLM) or my RPC Auth settings (Kerberos, Negotiate), I'm ALWAYS seeing NTLM Authentication used for RPC.
If I just use standard TCP rather than HTTP, Kerberos works fine. So Kerberos is at least possible.
I see LDAP traffic, and even some requests to get krbtgt tickets, which implies it should be possible at least for an internal client like mine.
This technet blog implies that OA doesn't do Kerberos ever:
http://blogs.technet.com/b/exchange/archive/2011/04/15/recommendation-enabling-kerberos-authentication-for-mapi-clients.aspx
But if you try to enable it, Outlook comes up with this message (which implies that you can inside a firewall, I have no firewall): “Kerberos has been specified as the protocol for network authentication. When connection to your Microsoft
Exchange mailbox using HTTP, Kerberos authentication can only be used if you are connecting inside a firewall. If you connect from outside a firewall, NTLM authentication will be used.”
Can Outlook Anywhere do Kerberos RPC Auth and if it can, what is required to get it working? It seems many people on here have had problems with this giving multiple password prompt and they just changed the setting to use NTLM RPC Auth instead of
Kerberos. This isn't acceptable for me as my requirement is using Kerberos for RPC.
Thanks for any help.
May 23rd, 2011 6:11pm
The answer is YES, But read the article before you opt for it.
http://technet.microsoft.com/en-us/library/bb331973.aspx
http://blogs.technet.com/b/exchange/archive/2011/04/15/recommendation-enabling-kerberos-authentication-for-mapi-clients.aspx
Cheers,
Gulab | MCTS-MCITP Messaging: 2010 | MCTS-MCITP Messaging: 2007 | MCC 2011 | Skype: Gulab.Mallah | Blog: www.ExchangeRanger.blogspot.com
Free Windows Admin Tool Kit Click here and download it now
May 24th, 2011 6:18am
Hey Gulab,
Thanks for the response, but I don't see what in those articles indicates it's possible to use Kerberos Auth for the RPC channel of RPC-over-HTTP. The first article addresses the HTTP auth level of RPC-over-HTTP (Basic, NTLM), but not the RPC auth.
The blog indicates no, but is not diffinitive.
Again, I'm not concerned with the HTTP auth, just the RPC auth.
Thanks,
Lee
June 7th, 2011 12:23pm
Check this article by Henrik, its so amazing and awesome, you should read it
http://www.msexchange.org/articles_tutorials/exchange-server-2010/management-administration/enabling-kerberos-authentication-mapi-clients-connecting-exchange-2010-sp1.html Gulab | MCITP: Exchange 2010-2007 | Skype: Gulab.Mallah | Blog: www.ExchangeRanger.blogspot.com
Free Windows Admin Tool Kit Click here and download it now
June 7th, 2011 1:04pm
The answer is YES, But read the article before you opt for it.
http://technet.microsoft.com/en-us/library/bb331973.aspx
http://blogs.technet.com/b/exchange/archive/2011/04/15/recommendation-enabling-kerberos-authentication-for-mapi-clients.aspx
Cheers,
Gulab | MCTS-MCITP Messaging: 2010 | MCTS-MCITP Messaging: 2007 | MCC 2011 | Skype: Gulab.Mallah | Blog: www.ExchangeRanger.blogspot.com
I'm not sure why this is marked as the answer. Per the article linked:
External or Internet-based clients that use Outlook Anywhere wont use Kerberos authentication as they cannot directly contact
a KDC.
Mike Crowley | MVP
My Blog --
Planet Technologies
April 20th, 2012 11:05am