Hello, on Exchange Server 2010 what does the Outlook Anywhere Authentication be set to, NTLM or Basic. Can I set both the client and the server to NTLM only and if yes will a machine which is not a domain member connect ? Thanks

Hello Enable Outlook Anywhere wizard in the EMC you can select the authentication method that you want to use for Microsoft Office Outlook 2007 Authentication method is automatically provided to the client by the Autodiscover service, If you want to use NTLM or basic you can configured it accordingly but if you clients are using outlook anywhere it is recommend to use basic authentication for security purpose Basic authentication is requires a user and password in plain text format you required SSL to secure the connection between outlook client and exchange server. Similar post you can also refer http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/21867578-e623-4756-b483-dfb31162a665/ Thanks Mhussain

While the GUI only allows one or the other, you can configure both using PowerShell. With Basic authentication, the client will usually get a prompt, everytime they start Outlook when it is connecting with Outlook Anywhere. Doesn't matter whether their machine is on the domain or not. With NTLM, they will get no authentication prompt if the machine is a member of the domain and their username/password is good (so the account is disabled). From a security point of view, the above poster is incorrect - there is no difference and I have never seen a recommendation to use basic for security reasons. Both go over the SSL session, so they are as secure as each other. The only difference is that with NTLM you are dependant on Windows providing the login control, with basic it is Outlook. Therefore if most of your users are using domain members, I would suggest that you enable NTLM to begin with - otherwise you will have users complaining, and seeking out methods to store passwords in other ways rather than entering it over and over again. NTLM can also be broken by some firewalls, so if you enable NTLM and find that things don't work correctly you may have to use basic authentication. Simon. Simon Butler, Exchange MVP Blog | Exchange Resources

When setting Outlook Anywhere authentication settings why is it that I have to both set the settings from EMC and IIS. for example to make sure that users who are using domain joined machines do not need a password I have to set to NTLM ( is EMC enough or do I need to check also IIS ? ) for machines not joined to the domain I will require authentication to be prompted

Hello When you change the authentication in EMC it will automatically changes in IIS Yes users who are already in domain need not required password but you need to make sure in outlook configuration that you have set NTLM authentication. Those users who are not joined in domain configured them as a basic authentication in outlook settings.Thanks Mhussain

The GUI doesn't allow you to select both authentication types. You need to use the command line for that. You should remember that EVERYTHING in the GUI has a command line equivalent. Therefore you are simply duplicating work by doing things in the GUI and the command line. You should not change IIS manually, let Exchange do it, so that everything is updated correctly inside Exchange as well. For machines that are not on the domain they will get a prompt no matter what, because they aren't members of the domain. The only reason for using NTLM is so that domain members do NOT get a prompt. If you enabled BASIC then everyone, domain members or not, gets a prompt. Simon.Simon Butler, Exchange MVP Blog | Exchange Resources | In the UK? Hire Me.