Exch 2007 -> 2013  Outlook Anywhere Authentication settings
I'm wondering if anyone can help me out or offer advice.  I'm in the midst of an Exchange 2007->2013 migration and am at the point where I need to change my 2007 Exchange URLs to "legacy" and then flip "autodiscover" and "mail" DNS to point to Exchange 2013. 

My existing Exchange 2007 environment did NOT have Outlook Anywhere enabled, so I have done that and tested internally and it works fine.  Externally it doesn't work, but I think that may be because my ExternalClientAuthenticationMethod is set to NTLM (?).  Unless this affects the migration I'm not concerned about having it working externally - we never had it before so don't need it now.

What I'm not sure about is the authentication methods needed for each server.  I will have 2 Exchange 2013 MBX/CAS servers behind an F5 load balancer.  The 3rd server shown is my 2007 HUB/CAS.


Server                             : EXCH13_1
InternalClientAuthenticationMethod : Ntlm
ExternalClientAuthenticationMethod : Ntlm
ExternalClientsRequireSsl          : True
InternalClientsRequireSsl          : True
IISAuthenticationMethods           : {Basic, Ntlm, Negotiate}

Server                             : EXCH13_2
InternalClientAuthenticationMethod : Ntlm
ExternalClientAuthenticationMethod : Ntlm
ExternalClientsRequireSsl          : True
InternalClientsRequireSsl          : True
IISAuthenticationMethods           : {Basic, Ntlm, Negotiate}

Server                             : Exch07
InternalClientAuthenticationMethod : Ntlm
ExternalClientAuthenticationMethod : Ntlm
ExternalClientsRequireSsl          : True
InternalClientsRequireSsl          : False
IISAuthenticationMethods           : {Ntlm}


Given the information shown above, is everything set correctly for me to go ahead and set "legacy" and flip DNS?  Obviously I want this to go as seamlessly as possible :)


Thanks
June 12th, 2015 9:35am

Your config seems perfectly fine. You can flip the DNS  and it should work perfectly fine.
June 12th, 2015 11:38am

Thanks for the reply.   I think I've figured out what InternalClientAuthenticationMethod  and ExternalClientAuthenticationMethod  are used for, but it does raise a few questions:

1 -  if ExternalClientAuthenticationMethod  is left empty, does that disable Outlook Anywhere for external users?

2 - my ExternalClientAuthenticationMethod  is set to NTLM,  would it have to be set to "basic" for it to work outside?  

Also,  what is IISAuthenticationMethods  used for?   How is it different than Internal/External Authentication methods?

Thanks again

June 12th, 2015 12:02pm

Hi,

Please run the commands below to set up Outlook Anywhere:

Set-OutlookAnywhere -Identity "E15-01\Rpc (Default Web Site)" -InternalHostname mail.contoso.com -ExternalHostname mail.contoso.com -InternalClientAuthenticationMethod Ntlm -ExternalClientAuthenticationMethod Basic -ExternalClientsRequireSsl $True -InternalClientsRequireSsl $true

Set-OutlookAnywhere -Identity "E12-01\Rpc (Default Web Site)" -IISAuthenticationMethods Basic,Ntlm

Also, I have found some useful information in the official article below: https://technet.microsoft.com/en-us/library/bb123741(v=exchg.150).aspx

In a coexistence scenario that still has 2007 or 2010 Client Access Servers, you need to enable Outlook Anywhere on each legacy Client Access Server.

Make sure that when you enable Outlook Anywhere on the Client Access Server, choose NTLM for IIS authentication.

You can refer to the below links to understand the authentication:

https://technet.microsoft.com/en-us/library/bb123545.aspx   

For more information about the migration, you can refer to the blog below:

http://blogs.technet.com/b/meamcs/archive/2013/07/25/part-1-step-by-step-exchange-2007-to-2013-migration.aspx

Best Regards,

David 

June 17th, 2015 6:05am
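
Added example, not part of the original thread and not Microsoft's code: a PowerShell consistency check over the three Outlook Anywhere configurations posted in the question, applying the points raised in the replies (the legacy CAS must offer NTLM in IIS, and a client authentication method only works if IIS accepts it) plus a check that Basic is never used without SSL. The function names `New-OaConfig` and `Test-OutlookAnywhereConfig`, the `Legacy` field and the "what-if" row are assumptions made for illustration.

```powershell
# Constructed sample: the values posted in the question, shaped like
# Get-OutlookAnywhere output. 'Legacy' is an added field marking the 2007 CAS.
function New-OaConfig($Server, $Legacy, $Int, $Ext, $ExtSsl, $IntSsl, $Iis) {
    [pscustomobject]@{
        Server = $Server; Legacy = $Legacy
        InternalClientAuthenticationMethod = $Int
        ExternalClientAuthenticationMethod = $Ext
        ExternalClientsRequireSsl = $ExtSsl; InternalClientsRequireSsl = $IntSsl
        IISAuthenticationMethods = $Iis
    }
}
$configs = @(
    New-OaConfig 'EXCH13_1' $false 'Ntlm' 'Ntlm' $true $true  @('Basic','Ntlm','Negotiate')
    New-OaConfig 'EXCH13_2' $false 'Ntlm' 'Ntlm' $true $true  @('Basic','Ntlm','Negotiate')
    New-OaConfig 'Exch07'   $true  'Ntlm' 'Ntlm' $true $false @('Ntlm')
    # Hypothetical variant, not from the thread: Basic advertised externally
    # on the 2007 CAS while its IIS list is still Ntlm only.
    New-OaConfig 'Exch07 (what-if)' $true 'Ntlm' 'Basic' $true $false @('Ntlm')
)

function Test-OutlookAnywhereConfig {
    param([Parameter(Mandatory, ValueFromPipeline)] $Config)
    process {
        $findings = @()
        foreach ($scope in 'Internal', 'External') {
            $method = $Config."${scope}ClientAuthenticationMethod"
            $ssl    = $Config."${scope}ClientsRequireSsl"
            if (-not $method) { continue }   # nothing advertised for this scope
            # The method handed to Outlook must be one the /rpc directory accepts.
            if ($Config.IISAuthenticationMethods -notcontains $method) {
                $findings += "$scope clients are told to use $method, which IIS does not accept"
            }
            # Basic sends a recoverable password, so it must only travel over SSL.
            if ($method -eq 'Basic' -and -not $ssl) {
                $findings += "$scope clients use Basic but SSL is not required"
            }
        }
        # Coexistence point from the reply above: legacy CAS needs NTLM in IIS.
        if ($Config.Legacy -and $Config.IISAuthenticationMethods -notcontains 'Ntlm') {
            $findings += 'Legacy CAS does not offer NTLM in IISAuthenticationMethods'
        }
        [pscustomobject]@{ Server = $Config.Server; Ok = ($findings.Count -eq 0)
                           Findings = ($findings -join '; ') }
    }
}

$configs | Test-OutlookAnywhereConfig | Format-Table -AutoSize -Wrap
```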

Just following up to say that everything went well.   We had one minor issue with a cert not being installed correctly on our F5 load balancer which made some activesync devices complain, but once we got that fixed up everything is good :)

Thanks again to those who replied

June 17th, 2015 7:20am

Hi SuperNintendoChalmer,

It's also worth verifying the EWS and Autodiscover virtual directories in IIS on the Exchange servers:

In the VDs - pick up Authentication - Windows - Providers, move up NTLM on top over Negotiate.

June 17th, 2015 7:47am

I would also suggest that you check the Autodiscover configuration. The command Get-ClientAccessServer | FL Name, AutoDiscoverServiceInternalUri will list the Autodiscover URLs for domain-joined PCs (Outlook starts autoconfiguration by going to this URL). I always configure this URL like: https://autodiscover.MyDomain.com/Autodiscover/Autodiscover.xml. autodiscover.MyDomain.com has to point to the newest servers in the Exchange infrastructure, so that all clients will be configured correctly (Exchange 2007 can NOT configure clients migrated to Exchange 2013). Good luck!
June 17th, 2015 10:32am

Thank you all for the input.  

My autodiscover is in good shape :)

I'll keep an eye for the IIS Authentication settings.   I'll be flipping the URLs/DNS tonight so hopefully it all goes well

June 17th, 2015 3:48pm

This topic is archived. No further replies will be accepted.
