Welcome to ISAserver.org


Outlook Anywhere NTLM Auth & ISA 06EE

Outlook Anywhere NTLM Auth & ISA 06EE - 27.Mar.2007 5:24:50 PM   
muflon_

 

Hi,
I used this guide to set up Exchange 07 with ISA06:
http://www.microsoft.com/technet/isa/2006/deployment/exchange.mspx
Everything works fine except Outlook Anywhere authentication.
When I use NTLM, the Outlook client always prompts for the password and doesn't connect to the Exchange server (Basic auth is working fine).
Any solutions?

TX
Post #: 1
RE: Outlook Anywhere NTLM Auth & ISA 06EE - 2.Apr.2007 3:49:58 PM   
tshinder

 

You must use basic.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to muflon_)
Post #: 2
RE: Outlook Anywhere NTLM Auth & ISA 06EE - 9.May2007 11:10:40 PM   
tempus

 

Hi Tom,

Is there any reason why we have to use Basic in the Outlook client, since NTLM is used when Outlook Anywhere is enabled on Exch 2007?

Is there any article from Microsoft stating that? If so, then we'll have a reason to say that this is a design decision by Microsoft.

Thanks..

(in reply to tshinder)
Post #: 3
RE: Outlook Anywhere NTLM Auth & ISA 06EE - 11.May2007 11:00:03 AM   
tshinder

 

Are you using a single listener or multiple listeners? Is the OWA FBA rule using the same listener as the RPC/HTTP rule?

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to tempus)
Post #: 4
RE: Outlook Anywhere NTLM Auth & ISA 06EE - 11.May2007 1:46:58 PM   
tempus

 

I'm using a single web listener for both OWA and Outlook Anywhere.

(in reply to tshinder)
Post #: 5
RE: Outlook Anywhere NTLM Auth & ISA 06EE - 12.May2007 12:00:02 PM   
tshinder

 

OK, that won't work if you want to use integrated for RPC/HTTP. You'll have to create two listeners.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to tempus)
Post #: 6
RE: Outlook Anywhere NTLM Auth & ISA 06EE - 13.May2007 10:36:54 AM   
tempus

 

So you mean I should use another web listener for RPC/HTTP with the option to use integrated authentication? In that case, should I use Basic authentication for the access rule for RPC/HTTP, or what?

Seems kinda confusing :)

(in reply to tshinder)
Post #: 7
RE: Outlook Anywhere NTLM Auth & ISA 06EE - 13.May2007 12:31:12 PM   
tshinder

 

The reason is that the FBA fallback is to Basic. So, if you want to use FBA on the same listener, you have to have RPC/HTTP fall back to Basic.

If you create a second listener, you configure it to use Integrated so that the fallback mechanism isn't required.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to tempus)
Post #: 8
RE: Outlook Anywhere NTLM Auth & ISA 06EE - 18.May2007 4:31:54 PM   
uzimmermann

 

Hi Tom

You can also use the same FBA web listener when you create a second web publishing rule for Anywhere above the OWA rule

and set the authentication delegation option to "No authentication, but client can authenticate directly". I know it then goes directly to Exchange, but this way NTLM will work in the Outlook client on the same listener (single IP) :)

If you can deal with the option to allow RPC in a company, I think you can also deal with this.

Regards
uzimmermann

(in reply to muflon_)
Post #: 9
RE: Outlook Anywhere NTLM Auth & ISA 06EE - 19.May2007 2:46:42 PM   
tshinder

 

Hi UZ,

Does that actually work? I would think that the FBA enabled Web listener would block direct authentication from the RPC/HTTP client.

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to uzimmermann)
Post #: 10
RE: Outlook Anywhere NTLM Auth & ISA 06EE - 19.May2007 8:03:42 PM   
uzimmermann

 

Hi Tom

Yes, actually this is working for E2k7 and ISA 2006.
I use one rule for OWA and ActiveSync with NTLM delegation and an FBA-enabled listener, and I
created a second rule above the OWA rule with only the RPC virtual directory.

This rule I configured to use delegation "No delegation, but client can directly
authenticate", and it's working with the same FBA-enabled listener (single IP publishing).

The RPC client (Outlook 2003 & 2007) will still work with Basic & NTLM settings...

I tested only in a single-server E2k7 scenario, but I think it's also working with a separate CAS, because it changes nothing about the idea.

But I will also do more tests next week.


kind Regards
uzimmermann

(in reply to muflon_)
Post #: 11
RE: Outlook Anywhere NTLM Auth & ISA 06EE - 19.May2007 8:13:52 PM   
uzimmermann

 

Sorry, EAS isn't in the NTLM-delegated rule, only OWA :)

Regards
uzimmermann

(in reply to muflon_)
Post #: 12
RE: Outlook Anywhere NTLM Auth & ISA 06EE - 20.May2007 11:24:41 AM   
uzimmermann

 

Hi Tom

I have more feedback for the scenario with MSRPC and NTLM.

So I had an interesting conversation with some experts about
why this is working with a single FBA listener:

because the MSRPC user agent ignores FBA by default.
You can check this by using a script to read the current user agent configs for FBA.

So when I use authentication delegation "No delegation, but client can directly authenticate" on my upper rule, I can use NTLM, but it also goes directly to Exchange, so the security isn't really strong.

I think when you use HTTPS/SSL to publish this scenario, which is the best practice, it makes no real difference (from the security side) whether you use only Basic or also NTLM auth with MSRPC.

kind Regards
uzimmermann

(in reply to uzimmermann)
Post #: 13
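uz's point above, that under HTTPS it matters little whether Outlook offers Basic or NTLM, is worth making concrete, because without TLS the two expose very different things to anyone reading the wire. The following is an added example written for this page, not code from the thread, from ISA or from Exchange: it parses a Basic Authorization header and an NTLM Type 3 (AUTHENTICATE) header of the kind Outlook sends on its RPC_IN_DATA/RPC_OUT_DATA requests and reports what a sniffer recovers from each. The sample credentials, workstation name and NTLMv2 response bytes are constructed placeholders, not values derived from a real password.

```python
"""What a passive observer of an unencrypted Outlook Anywhere session can read
from the HTTP Authorization header under Basic versus NTLM.

Added example, not from the thread, ISA or Exchange. The headers are
constructed; the NTLM Type 3 (AUTHENTICATE) message is assembled from invented
field values, and its NTLMv2 response bytes are placeholders rather than a
value computed from a real password.
"""
import base64
import struct

NTLMSSP = b"NTLMSSP\x00"
# NTLM Type 3 fixed header: signature(8) + type(4) + six 8-byte field
# descriptors (LM response, NT response, domain, user, workstation,
# session key) + negotiate flags(4). Version and MIC are omitted here.
HEADER_LEN = 8 + 4 + 6 * 8 + 4
STRING_FIELDS = ("domain", "user", "workstation")
FIELD_ORDER = ("lm_response", "nt_response", "domain", "user", "workstation", "session_key")
NEGOTIATE_UNICODE, NEGOTIATE_NTLM, NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x1, 0x200, 0x80000


def build_type3(domain, user, workstation, lm_response, nt_response):
    """Assemble an NTLM AUTHENTICATE_MESSAGE with Unicode (UTF-16LE) strings."""
    values = {"lm_response": lm_response, "nt_response": nt_response,
              "domain": domain.encode("utf-16-le"), "user": user.encode("utf-16-le"),
              "workstation": workstation.encode("utf-16-le"), "session_key": b""}
    descriptors, payload, offset = b"", b"", HEADER_LEN
    for name in FIELD_ORDER:
        data = values[name]
        descriptors += struct.pack("<HHI", len(data), len(data), offset)  # Len, MaxLen, Offset
        payload += data
        offset += len(data)
    flags = NEGOTIATE_UNICODE | NEGOTIATE_NTLM | NEGOTIATE_EXTENDED_SESSIONSECURITY
    return NTLMSSP + struct.pack("<I", 3) + descriptors + struct.pack("<I", flags) + payload


def parse_type3(msg):
    """Pull every field a sniffer can read out of a Type 3 message."""
    if msg[:8] != NTLMSSP or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLM Type 3 message")
    out = {}
    for i, name in enumerate(FIELD_ORDER):
        length, _, offset = struct.unpack_from("<HHI", msg, 12 + 8 * i)
        data = msg[offset:offset + length]
        out[name] = data.decode("utf-16-le") if name in STRING_FIELDS else data
    out["flags"] = struct.unpack_from("<I", msg, 12 + 8 * len(FIELD_ORDER))[0]
    return out


def observe(authorization):
    """What one Authorization header value gives away to someone reading the wire."""
    scheme, _, token = authorization.partition(" ")
    raw = base64.b64decode(token)
    if scheme == "Basic":
        user, _, password = raw.decode().partition(":")
        return {"scheme": "Basic", "user": user, "password": password}
    if scheme == "NTLM":
        t3 = parse_type3(raw)
        return {"scheme": "NTLM", "user": f"{t3['domain']}\\{t3['user']}",
                "workstation": t3["workstation"], "password": None,
                # Recoverable and crackable offline against the server challenge,
                # but it is not the password itself.
                "nt_response": t3["nt_response"].hex()}
    raise ValueError(f"unsupported scheme: {scheme}")


# Constructed sample headers (credentials and response bytes are invented).
BASIC_HEADER = "Basic " + base64.b64encode(b"CONTOSO\\alice:Summer2007!").decode()
SAMPLE_TYPE3 = build_type3("CONTOSO", "alice", "ALICE-PC", lm_response=bytes(24),
                           nt_response=bytes.fromhex("11" * 16) + b"\x01\x01" + bytes(6))
NTLM_HEADER = "NTLM " + base64.b64encode(SAMPLE_TYPE3).decode()

if __name__ == "__main__":
    for header in (BASIC_HEADER, NTLM_HEADER):
        print(observe(header))
```

Basic hands over the password itself (and in the delegation configurations discussed in this thread, ISA holds it in clear as well). NTLM reveals user, domain and workstation plus a challenge/response pair that can be attacked offline but does not contain the password. TLS on the published listener, which both posters treat as the baseline, is what keeps either header from being read at all, which is the sense in which the choice matters less under HTTPS.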
RE: Outlook Anywhere NTLM Auth & ISA 06EE - 21.May2007 10:58:51 AM   
tshinder

 

Hi UZ,

Well, this is very interesting, because I thought the mechanism was to fall back to basic when the form is presented to the client.

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to uzimmermann)
Post #: 14
RE: Outlook Anywhere NTLM Auth & ISA 06EE - 22.May2007 5:31:31 AM   
uzimmermann

 

Hi Tom

Yes it is, and I also thought that for MSRPC before this solution.
I hope you can test this too and give some feedback.

Thank you

kind Regards
UZ

(in reply to muflon_)
Post #: 15
RE: Outlook Anywhere NTLM Auth & ISA 06EE - 22.May2007 8:10:09 AM   
tshinder

 

Hi UZ,

I will need to get a new computer to test this. I tried to work with the 32-bit trial version of Exchange 2007, but the SMTP "service" failed to work correctly and there were other problems. I have a Pentium D series 820 dual core machine, but it's not VT enabled, so I can't run 64-bit guests. So I'm likely going to have to wait a few months before I can test Exchange 2007 scenarios.

Tom

< Message edited by tshinder -- 22.May2007 8:53:20 AM >


_____________________________

Thomas W Shinder, M.D.

(in reply to uzimmermann)
Post #: 16
RE: Outlook Anywhere NTLM Auth & ISA 06EE - 6.Jun.2007 11:12:42 PM   
L663

 

"You can also use the same FBA web listener when you create a second web publishing rule for Anywhere above the OWA rule

and set the authentication delegation option to "No authentication, but client can authenticate directly". I know it then goes directly to Exchange, but this way NTLM will work in the Outlook client on the same listener (single IP) :)

If you can deal with the option to allow RPC in a company, I think you can also deal with this."

Uzimmermann,

Can you post some more details on the rules you use to get NTLM to work externally? I've tried a second rule on the same listener, but can't get NTLM to work through ISA 2006. Basic works fine internally and externally, or NTLM will work internally. I can't get NTLM to work externally.

Thanks!

(in reply to muflon_)
Post #: 17
RE: Outlook Anywhere NTLM Auth & ISA 06EE - 8.Jun.2007 1:19:04 AM   
tempus

 

Phew... finally got mine to work. What I did was to recreate the certificate from the Exchange server to also include the hostname of the ISA server, using an alternative domain name, which allows multiple domain names in one certificate.

After that, Outlook configured with NTLM works internally from the LAN and also when outside of the LAN.

(in reply to L663)
Post #: 18
RE: Outlook Anywhere NTLM Auth & ISA 06EE - 8.Jun.2007 9:00:01 AM   
tshinder

 

Hi Tempus,

How did you recreate the certificate? One gotcha I found when using the dreaded PowerHell to request the certificate is that you cannot export the certificate from the CAS with its private key -- so I had to create a new certificate using the Web enrollment site for the ISA Firewall to get OWA and ActiveSync to work -- still don't have Outlook 2007 RPC/HTTP working yet. The Microsoft doc on how to publish Exchange 2007 is not much help in this area.

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to tempus)
Post #: 19
RE: Outlook Anywhere NTLM Auth & ISA 06EE - 10.Jun.2007 12:14:08 AM   
adenhaan

 

I found that the only way to get Outlook Anywhere to work with NTLM while using an FBA listener is as uz described. Here are some more details, as requested:

Use a separate web publishing rule for the /rpc path.
Allow it for "All users" (not "All authenticated users") and make sure to uncheck "Require all users to authenticate". Together these will effectively prevent ISA from doing any authentication, so also not the fallback Basic auth challenge of the FBA listener.
Finally, set authentication delegation to "No delegation, but client can directly authenticate" and enable integrated auth on the rpc directory on the Exchange server.

Note: Using this method the RPC users are NOT authenticated by ISA, but only and directly on the Exchange server, as they pass anonymously through the FBA listener and this rpc rule.

< Message edited by adenhaan -- 10.Jun.2007 12:28:33 AM >

(in reply to tshinder)
Post #: 20
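The configurations argued over in this thread (one FBA listener carrying the wizard's rule; a second listener set to Integrated; the anonymous /rpc rule placed above the OWA rule) can be compared side by side in a small model of ISA's ordered rule evaluation. This is an added example written for this page, not ISA Server code and not anything the posters supplied. It encodes only the behaviour described above: an FBA listener falls back to a Basic challenge for the MSRPC user agent, and an "All users" rule with "no delegation, but client can directly authenticate" forwards the request without ISA authenticating it. The listener, rule and request names and the `Mozilla` browser-detection heuristic are the example's own assumptions.

```python
"""Model of how an ISA 2006 web listener and its ordered publishing rules treat
an Outlook Anywhere (RPC over HTTP) request, following the thread above.

Added example: not ISA Server code and not from any poster. Scenario names,
listener names and the browser-detection heuristic are assumptions.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

BROWSER_MARKER = "Mozilla"  # assumption: agents without it are treated as non-browser


@dataclass(frozen=True)
class Listener:
    name: str
    auth: str  # "fba" (forms-based), "integrated" (NTLM), or "basic"


@dataclass(frozen=True)
class Rule:
    name: str
    paths: Tuple[str, ...]  # ISA-style published paths, e.g. "/rpc/*"
    listener: Listener
    users: str              # "all_users" or "all_authenticated_users"
    require_auth: bool      # "Require all users to authenticate"
    delegation: str         # "basic", "ntlm", or "none_client_direct"


@dataclass(frozen=True)
class Request:
    path: str
    user_agent: str     # Outlook's RPC over HTTP client identifies itself as "MSRPC"
    client_auth: str    # what the client can answer: "basic", "ntlm", or "form"
    listener: Listener  # the listener (IP/port) the request arrived on


@dataclass(frozen=True)
class Outcome:
    rule: Optional[str]
    result: str                      # "ok", "prompt_loop", or "denied"
    authenticated_by: Optional[str]  # "isa", "exchange", or None


def path_matches(rule: Rule, path: str) -> bool:
    return any(path.lower().startswith(p.rstrip("*").lower()) for p in rule.paths)


def challenge_for(listener: Listener, req: Request) -> str:
    """Challenge ISA issues to an unauthenticated client on this listener.
    Per the thread, an FBA listener shows the logon form to browsers and falls
    back to a Basic challenge for non-browser agents such as MSRPC."""
    if listener.auth == "fba":
        return "form" if BROWSER_MARKER in req.user_agent else "basic"
    return listener.auth


# Which client capability can answer which challenge.
ACCEPTS = {"basic": {"basic"}, "integrated": {"ntlm"}, "form": {"form"}}


def evaluate(rules, req: Request) -> Outcome:
    """First matching rule wins, as in ISA's ordered rule base."""
    for rule in rules:
        if rule.listener != req.listener or not path_matches(rule, req.path):
            continue
        isa_authenticates = rule.users != "all_users" or rule.require_auth
        if not isa_authenticates and rule.delegation == "none_client_direct":
            # ISA forwards the request anonymously; IIS on the Exchange CAS
            # challenges the client itself, so NTLM works end to end.
            return Outcome(rule.name, "ok", "exchange")
        challenge = challenge_for(rule.listener, req)
        if req.client_auth not in ACCEPTS[challenge]:
            # Outlook cannot answer this challenge and keeps prompting the user.
            return Outcome(rule.name, "prompt_loop", None)
        return Outcome(rule.name, "ok", "isa")
    return Outcome(None, "denied", None)


# Constructed configurations (names are the example's own).
FBA = Listener("Exchange-FBA", "fba")
INTEGRATED = Listener("RPC-Integrated", "integrated")  # second listener on a second IP

WIZARD = Rule("Exchange (wizard)", ("/owa/*", "/rpc/*", "/Microsoft-Server-ActiveSync/*"),
              FBA, "all_authenticated_users", True, "basic")
RPC_PASSTHROUGH = Rule("RPC passthrough", ("/rpc/*",), FBA, "all_users", False, "none_client_direct")
RPC_INTEGRATED = Rule("RPC integrated", ("/rpc/*",), INTEGRATED, "all_authenticated_users", True, "ntlm")

OUTLOOK_NTLM = Request("/rpc/rpcproxy.dll", "MSRPC", "ntlm", FBA)
OUTLOOK_BASIC = Request("/rpc/rpcproxy.dll", "MSRPC", "basic", FBA)
OUTLOOK_NTLM_2ND = Request("/rpc/rpcproxy.dll", "MSRPC", "ntlm", INTEGRATED)
BROWSER = Request("/owa/", "Mozilla/4.0 (compatible; MSIE 7.0)", "form", FBA)

SCENARIOS = {
    "single FBA listener, Outlook set to NTLM": evaluate([WIZARD], OUTLOOK_NTLM),
    "single FBA listener, Outlook set to Basic": evaluate([WIZARD], OUTLOOK_BASIC),
    "second Integrated listener, Outlook set to NTLM": evaluate([RPC_INTEGRATED, WIZARD], OUTLOOK_NTLM_2ND),
    "pass-through /rpc rule above the wizard rule": evaluate([RPC_PASSTHROUGH, WIZARD], OUTLOOK_NTLM),
    "pass-through /rpc rule below the wizard rule": evaluate([WIZARD, RPC_PASSTHROUGH], OUTLOOK_NTLM),
    "browser to OWA on the same listener": evaluate([RPC_PASSTHROUGH, WIZARD], BROWSER),
}

if __name__ == "__main__":
    for name, outcome in SCENARIOS.items():
        print(f"{name}: {outcome.result}, rule={outcome.rule}, authenticated by {outcome.authenticated_by}")
```

Running the script prints the outcome of each scenario. The first reproduces the original poster's symptom (ISA answers the MSRPC agent with a Basic challenge, Outlook set to NTLM cannot satisfy it, and the password prompt repeats); the last two show that the pass-through rule only helps when it sits above the wizard's rule on the shared listener, and that under it ISA performs no authentication at all for /rpc, which is the trade-off adenhaan's note calls out.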

Page: [1] 2 3   next >