How CAS authenticates users

Hello,

I wanted to know in depth how CAS 2013 authenticates/verifies users' credentials when they connect via Outlook Anywhere, OWA or EAS.

Can anybody refer me to a good article available on the Internet, or a website where I can get this information in detail?

Thanks a lot in advance.

May 23rd, 2015 11:53pm

You have an excellent write-up from our senior-most MVP, Mr. Ratish, and going through this article would be a piece of cake for you.

 http://msexchangeguru.com/2013/03/18/e2013-architecture/

May 24th, 2015 12:37am

Hi Sathish,

Thank you for the response.

I have gone through the article; it's a good article.

However, it does not have the information I am looking for.

How does the CAS server verify Outlook user authentication, and how does it interact with Active Directory / the Mailbox server?

May 24th, 2015 10:28pm

Dear Raghu,

The Client Access server in Exchange 2013 functions much like a front door, admitting all client requests and routing them to the correct active Mailbox database.

For further understanding, please read these TechNet articles thoroughly:

https://technet.microsoft.com/en-us/library/dd298114%28v=exchg.150%29.aspx?f=255&MSPPError=-2147217396

http://blogs.technet.com/b/exchange/archive/2013/01/25/exchange-2013-client-access-server-role.aspx

May 25th, 2015 12:20am

Hi Ram,

Thank you for your question.

Based on your statement, I will give you the following explanation:

  1.        First of all, Outlook connects to the Exchange CAS server.
  2.        When the request arrives at the Exchange CAS server, if the request comes from internal, Exchange will use Windows identity authentication (the account we log on to Windows with) via NTLM; if the request comes from external, Outlook will prompt for a username and password, and after we type the username and password, they will be delivered to the domain controller for authentication through the Exchange CAS server.
  3.        If the authentication passes, the domain controller will return the mailbox location, i.e. which server stores the user's mailbox.
  4.        Then the Exchange CAS server will connect to the Mailbox server and return the user's mailbox data.

OWA is similar to Outlook; the username and password are typed in via the web.

If there are any questions regarding this issue, please feel free to let me know.

Best Regards,

Jim

May 25th, 2015 2:57am

Hi Ram,

From Exchange 2013 there is no direct RPC connectivity.

So basically there are only 2 types:

1) RPC over HTTP (Outlook Anywhere)

2) MAPI over HTTP

Below is the scenario of an Outlook 2013 SP1 client connecting to Exchange Server 2013 SP1 after MAPI/HTTP has been enabled.

The Outlook client begins with an Autodiscover POST request. In this request Outlook includes a new attribute that advertises the client is MAPI/HTTP capable with the attribute X-MapiHTTPCapability = 1.
The Exchange server sees the request is coming from a MAPI/HTTP capable client and responds with the MAPI/HTTP information including the settings on how to connect to the mailbox using MAPI/HTTP. This assumes the MAPI/HTTP has been configured and enabled on the server.
The Outlook client detects the new connection path and prompts the user to restart Outlook to switch to use the new connection. While the restart is pending Outlook will continue using Outlook Anywhere. We recommend you deploy the latest Office client updates to provide the best user experience. The updates remove the prompt and clients are allowed to make the transition at the next unprompted restart of Outlook.
After the restart, Outlook now uses MAPI/HTTP to communicate with Exchange.

For Outlook Anywhere:

Exchange 2013 will essentially require you to utilize Autodiscover and Outlook Anywhere to actually get your Outlook client to connect both internally and externally.

For the authentication method for Outlook Anywhere, you can have either NTLM or Basic,NTLM.

May 25th, 2015 5:45am
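
The replies above name NTLM and Basic as the Outlook Anywhere authentication methods and describe MAPI/HTTP as the alternative transport. The following is an added example, not code from any poster in this thread: it lists what each Client Access server is configured to accept and notes where Basic is offered, since with Basic the CAS receives the password itself and only TLS protects it in transit. It assumes the Exchange Management Shell on Exchange 2013 SP1 or later; `Get-AuthNote` is a hypothetical helper name.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell.
# Lists the authentication methods each Client Access server accepts for
# Outlook Anywhere and MAPI/HTTP, and notes where Basic is offered.

function Get-AuthNote {   # hypothetical helper, defined only for this example
    param([string[]]$Methods, [bool]$RequireSsl)
    if ($Methods -notcontains 'Basic') { return 'Basic not offered' }
    if ($RequireSsl) { return 'Basic offered, SSL required' }
    return 'REVIEW: Basic offered without required SSL'
}

$rows = @()

foreach ($oa in Get-OutlookAnywhere) {
    # Client-facing method advertised through Autodiscover, per namespace.
    $ext = "$($oa.ExternalClientAuthenticationMethod)"
    $int = "$($oa.InternalClientAuthenticationMethod)"
    $rows += [pscustomobject]@{
        Server = "$($oa.Server)"; Endpoint = 'Outlook Anywhere (external)'
        Methods = $ext
        Note = Get-AuthNote -Methods $ext -RequireSsl ([bool]$oa.ExternalClientsRequireSsl)
    }
    $rows += [pscustomobject]@{
        Server = "$($oa.Server)"; Endpoint = 'Outlook Anywhere (internal)'
        Methods = $int
        Note = Get-AuthNote -Methods $int -RequireSsl ([bool]$oa.InternalClientsRequireSsl)
    }
    # Methods the /rpc virtual directory in IIS will actually accept.
    $iis = @($oa.IISAuthenticationMethods | ForEach-Object { "$_" })
    $rows += [pscustomobject]@{
        Server = "$($oa.Server)"; Endpoint = 'Outlook Anywhere (IIS /rpc)'
        Methods = $iis -join ','
        Note = if ($iis -contains 'Basic') { 'Basic accepted by IIS' } else { 'Basic not offered' }
    }
}

foreach ($vd in Get-MapiVirtualDirectory) {
    $iis = @($vd.IISAuthenticationMethods | ForEach-Object { "$_" })
    $rows += [pscustomobject]@{
        Server = "$($vd.Server)"; Endpoint = 'MAPI/HTTP (IIS /mapi)'
        Methods = $iis -join ','
        Note = if ($iis -contains 'Basic') { 'Basic accepted by IIS' } else { 'Basic not offered' }
    }
}

# Organization-wide switch that decides whether clients are offered MAPI/HTTP.
"MapiHttpEnabled: $((Get-OrganizationConfig).MapiHttpEnabled)"
$rows | Sort-Object Server, Endpoint | Format-Table -AutoSize
```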

This topic is archived. No further replies will be accepted.
