NTLM Authentication in the Outlook Anywhere
I use Exchange Server 2007 SP1 Rollup 6 installed on Windows Server 2008. I need to use Outlook Anywhere from non-domain computers. I tested Outlook Anywhere with Basic and NTLM authentication and everything works fine. But when I use NTLM authentication, Outlook prompts for user credentials every time it starts, even when "remember password" is checked. The login and password are remembered in the user's network passwords, but Outlook prompts for the password again and again when it starts. Exchange is published on port 443 directly (without any listeners)! When I connect by VPN and use a TCP/IP connection to the server, Outlook remembers the password without any problems and does not ask for the password again.
get-OutlookAnywhere:
ServerName : SRVEXCH2
SSLOffloading : False
ExternalHostname : mail.my_domain.ru
ClientAuthenticationMethod : Ntlm
IISAuthenticationMethods : {Ntlm}
MetabasePath : IIS://srvexch2.net.local/W3SVC/1/ROOT/Rpc
Path : C:\Windows\System32\RpcProxy
Server : SRVEXCH2
AdminDisplayName :
ExchangeVersion : 0.1 (8.0.535.0)
Name : srvexch2
DistinguishedName : CN=srvexch2,CN=HTTP,CN=Protocols,CN=SRVEXCH2,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=net,DC=local
Identity : SRVEXCH2\srvexch2
Guid : 2c24f11b-852c-4948-b236-3f37d071d500
ObjectCategory : net.local/Configuration/Schema/ms-Exch-Rpc-Http-Virtual-Directory
ObjectClass : {top, msExchVirtualDirectory, msExchRpcHttpVirtualDirectory}
WhenChanged : 18.02.2009 14:17:55
WhenCreated : 17.02.2009 14:53:36
OriginatingServer : dc1.net.local
IsValid : True

I have tried these approaches, but they have not helped with this issue:
1) Disable kernel mode authentication with this command: %systemroot%\system32\inetsrv\AppCmd.exe set config /section:system.webServer/security/authentication/windowsAuthentication /useKernelMode:false. I have also unchecked Kernel mode authentication in the properties of Windows Authentication for the Default Web Site and the \Rpc and \Autodiscovery virtual directories.
2) Modify this registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa lmcompatibilitylevel=3 and 2.
3) Set NTLM instead of Kerberos on the Security tab in the properties of Outlook.
4) Install the domain controller and global catalog roles on the Exchange Server.
Does somebody have a solution for this issue? Maybe Outlook Anywhere and NTLM do not work at all?
February 20th, 2009 11:25pm
Hi Sergey Erin,
A few weeks ago I had the same problem. You must do the following:

DSProxy and IPv6
If you're in a multi-server scenario where the RPCProxy is not on the same server as the Mailbox, then you need to do the following:
1. Unselect IPv6 from the properties of your NIC (on the RPC-over-HTTP Proxy machine); that will force the RPC-over-HTTP Proxy to use IPv4 to talk to Exchange and everything will be fine. In most cases, this step suffices. If it does not, continue with steps 2 and 3.
2. Under the regkey HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters, add a 32 bit DWORD with the name DisabledComponents and value 0xFF
3. Reboot the machine
If you're in a single-server scenario where the RPCProxy and Mailbox are on the same machine, then the above does not work since the loopback interface still uses IPv6. In this case, you need to make the following changes in the system32\drivers\etc\hosts file:
1. Comment out the line ":::1 localhost"
2. Add the following two lines:
<IPv4 address> <hostname of the computer>
<IPv4 address> <FQDN of the computer>
For more information, this is the link: http://msexchangeteam.com/archive/2008/06/20/449053.aspx
Hope this helps.
Regards.
Jose Osorio R.
February 21st, 2009 2:18am
I know about the problem with IPv6 and DsProxy. I disabled IPv6 a long time ago (RPCPING responds on ports 6001, 6002 and 6004 without any problem). Outlook Anywhere works with Basic and with NTLM authentication. I have only one problem: Outlook asks for the password when it starts, even when I use NTLM authentication with the "save password" option checked.
Jose Osorio R., have you tuned Exchange so that Outlook Anywhere does not ask for the password when it starts on non-domain computers? I am interested, has somebody done this?
February 21st, 2009 12:18pm
Is autodiscover.yourdomain.ru configured properly? I saw this once with a customer that had a wildcard cert in DNS. We hadn't yet configured autodiscover but it was still pointing to the server?

"For non domain joined clients or clients that are not able to directly access the domain, Outlook is hard coded to find the Autodiscover end point by looking up either https://company.com/Autodiscover/Autodiscover.xml or https://Autodiscover.company.com/Autodiscover/Autodiscover.xml (where company.com is the portion of the users SMTP address following the @ sign)."
http://msexchangeteam.com/archive/2007/04/30/438249.aspx
March 3rd, 2009 3:49am
Hi,
I suggest that we save passwords by using the following method on the client:
1. Run control userpasswords2
2. Under the Advanced tab, click Manage Passwords
3. Please add the following entry:
Log on to: *.domainname (such as *.microsoft.com)
Username: domain\username
Password: password
Then, please restart the client to check whether we still need to provide the password when logging on to Outlook.
Thanks
Allen
March 3rd, 2009 11:37am
Have you also seen this:
You must provide Windows account credentials when you connect to Exchange Server 2003 by using the Outlook 2003 RPC over HTTP feature
http://support.microsoft.com/kb/820281

1. Click Start, click Run, type regedit in the Open box, and then press ENTER.
2. Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\
3. In the right pane, double-click lmcompatibilitylevel.
4. In the Value data box, type a value of 2 or 3 that is appropriate for your environment, and then click OK.
5. Quit Registry Editor.
6. Restart your computer.

LmCompatibilityLevel settings
The LmCompatibilityLevel registry entry can be configured with the following values:

LmCompatibilityLevel value of 0: Send LAN Manager (LM) response and NTLM response; never use NTLM version 2 (NTLMv2) session security. Clients use LM and NTLM authentication, and never use NTLMv2 session security; domain controllers accept LM, NTLM, and NTLMv2 authentication.

LmCompatibilityLevel value of 1: Use NTLMv2 session security, if negotiated. Clients use LM and NTLM authentication, and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.

LmCompatibilityLevel value of 2: Send NTLM response only. Clients use only NTLM authentication, and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.

LmCompatibilityLevel value of 3: Send NTLMv2 response only. Clients use NTLMv2 authentication, and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.

LmCompatibilityLevel value of 4: (Server Only) - Domain controllers refuse LM responses. Clients use NTLM authentication, and use NTLMv2 session security if the server supports it; domain controllers refuse LM authentication, and accept NTLM and NTLMv2 authentication.

LmCompatibilityLevel value of 5: (Server Only) - Domain controllers refuse LM and NTLM responses, and accept only NTLMv2 responses. Clients use NTLMv2 authentication, use NTLMv2 session security if the server supports it; domain controllers refuse NTLM and LM authentication, and accept only NTLMv2 authentication.

Mike Crowley: MCT, MCSE, MCTS, MCITP: Enterprise Administrator / Messaging Administrator
March 5th, 2009 5:29pm
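
A read-only check of the settings the posts above ask you to change (LmCompatibilityLevel, the Tcpip6 DisabledComponents value and the hosts file loopback entry), written as an added example and not code from any poster in this thread. The function name Get-OutlookAnywhereNtlmSettings is hypothetical, and the hosts check assumes the standard ::1 form of the IPv6 loopback address.

```powershell
# Added example (not from the thread): report the local settings discussed above.
# Get-OutlookAnywhereNtlmSettings is a hypothetical helper name.
function Get-OutlookAnywhereNtlmSettings {
    param([string]$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts")

    # Meaning of each LmCompatibilityLevel value, taken from the KB text quoted above.
    $meaning = @{
        0 = 'Send LM and NTLM responses; never use NTLMv2 session security'
        1 = 'Send LM and NTLM responses; use NTLMv2 session security if negotiated'
        2 = 'Send NTLM response only'
        3 = 'Send NTLMv2 response only'
        4 = 'Server only: domain controllers refuse LM responses'
        5 = 'Server only: domain controllers refuse LM and NTLM responses'
    }

    # The value may be absent; the operating system then applies its built-in default.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name 'LmCompatibilityLevel' -ErrorAction SilentlyContinue
    if ($lsa) {
        $level = [int]$lsa.LmCompatibilityLevel
        $levelText = $meaning[$level]
    } else {
        $level = $null
        $levelText = 'Value not set (operating system default applies)'
    }

    # DisabledComponents under Tcpip6\Parameters; the thread sets it to 0xFF.
    $ip6 = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters' `
        -Name 'DisabledComponents' -ErrorAction SilentlyContinue
    if ($ip6) { $ip6Text = '0x{0:X}' -f $ip6.DisabledComponents } else { $ip6Text = 'not set' }

    # Uncommented hosts entries that still map the IPv6 loopback to localhost.
    $active = @(Get-Content -Path $HostsPath -ErrorAction SilentlyContinue |
        Where-Object { $_ -match '^\s*::1\s+localhost\b' })

    New-Object PSObject -Property @{
        LmCompatibilityLevel     = $level
        LmCompatibilityMeaning   = $levelText
        ClientSendsLmOrNtlmV1    = ($level -ne $null -and $level -lt 3)
        Tcpip6DisabledComponents = $ip6Text
        Ipv6LocalhostInHosts     = ($active.Count -gt 0)
    }
}

Get-OutlookAnywhereNtlmSettings | Format-List
```

Run it on the client for the LmCompatibilityLevel result and on the RPC proxy server for the two IPv6 results; it changes nothing on either machine.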
This solution helped me: http://social.technet.microsoft.com/Forums/en-US/exchangesvrclients/thread/bc67310e-8133-4b77-be3b-380f0b0b4184
March 7th, 2009 10:24pm