RE: Outlook Anywhere NTLM Auth & ISA 06EE

RE: Outlook Anywhere NTLM Auth & ISA 06EE - 10.Jun.2007 2:00:19 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Well, I finally got Outlook Anywhere to work for both internal and external clients. However, I do require pre-authentication at the ISA Firewall, otherwise we allow anonymous connections to the /rpc directory, which is not something I really want to do for security reasons.

I'll write the paper up next week showing the procedures from start to finish. I'll tell you PowerHell really earned its moniker!

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to adenhaan)
Post #: 21
RE: Outlook Anywhere NTLM Auth & ISA 06EE - 28.Jun.2007 2:45:51 PM   
itadmin

 

Posts: 30
Joined: 21.Jul.2006
Status: offline
Is this Outlook Anywhere paper written up yet? :) 

I have a situation where I am installing Exchange 2007 to my network.  We are moving from Communigate Pro and this has been a mission.  If anyone needs some pointers on moving from Communigate to Exchange, let me know.  This has been quite the learning experience.

My problems... 

I can not get Outlook Anywhere to work correctly.
Because of Active Sync, I don't think I will be able to use SSO with Exchange and Sharepoint.  (This problem will be tackled later, but if someone has some advice, let me know.) 
Also, because Active Sync requires basic authentication, I don't think I can use forms based authentication with OWA.  Anyone have those two working together?

(in reply to tshinder)
Post #: 22
RE: Outlook Anywhere NTLM Auth & ISA 06EE - 29.Jun.2007 10:42:08 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
The paper is 90% done and is about 200 pages (I screenshot each step and included Exchange Server configuration, that's what makes it so long).

It will be done this weekend and will be published probably in four parts. If you need the entire doc ASAP, send me a note to tshinder@isaserver.org and I'll forward you my "pre-release" version.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to itadmin)
Post #: 23
RE: Outlook Anywhere NTLM Auth & ISA 06EE - 2.Jul.2007 6:04:12 PM   
itadmin

 

Posts: 30
Joined: 21.Jul.2006
Status: offline
In case my email gets shredded by your spam filter, please shoot that paper my way.  itadmin at federalprotection dot com.  Thank you.

(in reply to tshinder)
Post #: 24
RE: Outlook Anywhere NTLM Auth & ISA 06EE - 4.Jul.2007 11:47:36 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
You got it!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to itadmin)
Post #: 25
RE: Outlook Anywhere NTLM Auth & ISA 06EE - 8.Jul.2007 5:58:36 PM   
itadmin

 

Posts: 30
Joined: 21.Jul.2006
Status: offline
Ok... The article did give me some good stuff, but still couldn't get Outlook Anywhere to work until this weekend.  The only problem is that I can't seem to get the ISA to pass NTLM authentication.  It works fine with basic and watching ISA logging I can see the https traffic.   When I switch to NTLM, nothing is sent to the internal IP of my Exchange Server.  Any tips would be great. 

One thing I noticed.  When you enable Outlook Anywhere on the Exchange box, you have to select whether you will be using NTLM or basic.  Mine has been set at NTLM the whole time, but has worked with basic authentication.  I guess it just disregards that.

Question about forms based authentication.  If my listener is set up for forms based, I know it will drop down to basic if necessary.  Does it only do FBA or basic?  Might my listener be the problem?  I tried switching my listener, but it didn't help much.

(in reply to tshinder)
Post #: 26
RE: Outlook Anywhere NTLM Auth & ISA 06EE - 8.Jul.2007 7:04:31 PM   
itadmin

 

Posts: 30
Joined: 21.Jul.2006
Status: offline
Wow.  I just re-read this whole thread and answered most of my questions.  I still would like to have a more secure option than bypassing the ISA.  Anyone who has that working should shout it out with pride!

(in reply to itadmin)
Post #: 27
RE: Outlook Anywhere NTLM Auth & ISA 06EE - 11.Jul.2007 10:32:33 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
When FBA is installed on the listener, it will automatically fall back to basic for RPC/HTTP clients. You can then delegate that as NTLM to the RPC/HTTP site.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to itadmin)
Post #: 28
RE: Outlook Anywhere NTLM Auth & ISA 06EE - 17.Jul.2008 4:47:05 AM   
Levwinski

 

Posts: 35
Joined: 11.Dec.2007
From: Turkey
Status: offline
I too am using NTLM via straight pass through (method described in earlier posts) to the Exchange server.

Also, we make extensive use of SharePoint lists in Outlook and Microsoft, by design apparently, requires a separate login for each list. To prevent users having to log in a dozen or so times, we have also had to remove FBA for the SharePoint rule and use the same passthrough authentication.

Given the precedence MS gives to reminding us of the fact that ISA is the best way to publish Outlook and SharePoint, it would be great if they could find some way of allowing us to benefit from these features without the unworkable scenario of several logins each time Outlook Anywhere with SharePoint lists is fired up.

I am a big fan of ISA and would love to be able to take full advantage. I will wait and hope for a flexible FBA fallback configuration, if this is in any way possible.

(in reply to adenhaan)
Post #: 29
RE: Outlook Anywhere NTLM Auth & ISA 06EE - 17.Jul.2008 9:33:55 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Hi All,

As Tom knows, I am still trying to write some of this stuff up on my blog, as I have a lot of this working in my own production network and for some customers...

My plan was to explain a lot of the concepts behind the scenes (like certs and the necessary Exchange setup to prepare for correct ISA publishing) but this is just taking too long and quite difficult!!! Hence I may just release a few blogs that cover the "key" elements that you need in place for publishing Exchange 2007 advanced features with nice-to-haves like NTLM auth for Outlook Anywhere and full OWA document access with NTLM.

My original plan was to produce blog entries for the following:

         Publishing Exchange 2007 Services with ISA Server 2006 Part 1: Things You Need to Know about Exchange 2007
         Publishing Exchange 2007 Services with ISA Server 2006 Part 2: Things You Need to Know about Certificates
         Publishing Exchange 2007 Services with ISA Server 2006 Part 3: Preparing the Exchange 2007 Environment
         Publishing Exchange 2007 Services with ISA Server 2006 Part 4: Creating the Publishing Rules for OWA with the Document Access Feature
         Publishing Exchange 2007 Services with ISA Server 2006 Part 5: Creating the Publishing Rules for ActiveSync
         Publishing Exchange 2007 Services with ISA Server 2006 Part 6: Creating the Publishing Rules for Outlook Anywhere with Transparent Windows Authentication
         Publishing Exchange 2007 Services with ISA Server 2006 Part 7: Creating the Publishing Rules for Exchange 2003/2007 Coexistence



However, I am thinking of just skipping to parts 4-7 to get something out there...but I am not sure how well it will hang together without the introduction parts


I've done most of the screen captures, but just need to wrap the text around it which, as ever, is taking the time...I also have a life too!


I will keep you posted!


Cheers

JJ


_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to Levwinski)
Post #: 30
RE: Outlook Anywhere NTLM Auth & ISA 06EE - 18.Jul.2008 9:45:47 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jason,

If you can get the blog posts up, I could piece them together and include the 4-7 information and create a BIG article for ISAserver.org that ties them all together and includes all the step by steps, even for the simple stuff that you don't need to waste time on when writing it up on your blog.

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Jason Jones)
Post #: 31
RE: Outlook Anywhere NTLM Auth & ISA 06EE - 18.Jul.2008 6:50:58 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Hi Tom,

Should be able to get something in place next week...hopefully

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to tshinder)
Post #: 32
RE: Outlook Anywhere NTLM Auth & ISA 06EE - 28.Sep.2010 6:16:56 PM   
freeze12341

 

Posts: 5
Joined: 28.Sep.2010
Status: offline
Hi Jason,

I am pretty much in the same situation as itadmin is in this thread

"The only problem is that I can't seem to get the ISA to pass NTLM authentication.  It works fine with basic and watching ISA logging I can see the https traffic.   When I switch to NTLM, nothing is sent to the internal IP of my Exchange Server.  Any tips would be great. 

One thing I noticed.  When you enable Outlook Anywhere on the Exchange box, you have to select whether you will be using NTLM or basic.  Mine has been set at NTLM the whole time, but has worked with basic authentication.  I guess it just disregards that.

Question about forms based authentication.  If my listener is set up for forms based, I know it will drop down to basic if necessary.  Does it only do FBA or basic?  Might my listener be the problem?"

I am not sure if you have updated your blog or if you can point me to the solution for this problem that would be great!!!!  And as a future reference I would really love to have a look at the 200-page document that has been created. I am kind of held up with getting NTLM to work.

Thanks

(in reply to Jason Jones)
Post #: 33
RE: Outlook Anywhere NTLM Auth & ISA 06EE - 28.Sep.2010 7:55:21 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Hi Freeze,

Did you follow my article? http://blog.msfirewall.org.uk/2008/07/publishing-exchange-2007-services-with.html

An FBA listener can only fall back to basic; hence you will need to use two web listeners for the best user experience...

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to freeze12341)
Post #: 34
RE: Outlook Anywhere NTLM Auth & ISA 06EE - 29.Sep.2010 3:23:04 AM   
freeze12341

 

Posts: 5
Joined: 28.Sep.2010
Status: offline
quote:

ORIGINAL: Jason Jones

Hi Freeze,

Did you follow my article? http://blog.msfirewall.org.uk/2008/07/publishing-exchange-2007-services-with.html

An FBA listener can only fall back to basic; hence you will need to use two web listeners for the best user experience...

Cheers

JJ


Jason

I appreciate your prompt and quick response

Just wondering if you ever got a chance to finish the document about configuring ISA as mentioned in http://forums.isaserver.org/m_2002041377/mpage_2/tm.htm and if you are done I would really appreciate if you could forward me the doc as I am having a problem configuring Outlook Anywhere to communicate over ISA using NTLM. The current setting is

1. Exchange is set to use NTLM and IIS (RPC virtual directory is set to Integrated Windows Authentication)
2. ISA Weblistener is set to HTTP integrated and the Published Rule is set to use NTLM
3. The Outlook client is set to use NTLM and I have no clue why it's not working, but with the exact same setting if I change the Outlook client to Basic everything works fine (provided I type in the username and password)

Please advise what I am doing incorrectly and any help is highly appreciated

Thanks

(in reply to Jason Jones)
Post #: 35
RE: Outlook Anywhere NTLM Auth & ISA 06EE - 29.Sep.2010 3:30:27 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
That article covers most of what you need from the ISA/TMG end, but I never got time to expand the series...

What is the article missing?

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to freeze12341)
Post #: 36
RE: Outlook Anywhere NTLM Auth & ISA 06EE - 29.Sep.2010 9:36:22 AM   
freeze12341

 

Posts: 5
Joined: 28.Sep.2010
Status: offline
quote:

ORIGINAL: Jason Jones

That article covers most of what you need from the ISA/TMG end, but I never got time to expand the series...

What is the article missing?

Cheers

JJ


Hi JJ

None of the articles are missing but I thought you might have a pdf version of the same article. Can you tell me what is going wrong in the way everything is set up on my end. I have created 2 weblisteners (one for OWA and other for Outlook Anywhere) and OWA works fine but I wanted Outlook Anywhere to work with NTLM authentication

I am having a problem configuring Outlook Anywhere to communicate over ISA using NTLM. The current setting is
1. Exchange is set to use NTLM and IIS (RPC virtual directory is set to Integrated Windows Authentication)
2. ISA Weblistener is set to HTTP integrated and the Published Rule is set to use NTLM
3. The Outlook client is set to use NTLM and I have no clue why it's not working, but with the exact same setting if I change the Outlook client to Basic everything works fine (provided I type in the username and password)

Thank you

(in reply to Jason Jones)
Post #: 37
RE: Outlook Anywhere NTLM Auth & ISA 06EE - 29.Sep.2010 10:31:54 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
You need to use KCD not NTLM delegation...are you sure you have read that article???

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to freeze12341)
Post #: 38
RE: Outlook Anywhere NTLM Auth & ISA 06EE - 29.Sep.2010 5:01:15 PM   
freeze12341

 

Posts: 5
Joined: 28.Sep.2010
Status: offline
Hi JJ

I have read your entire article and it's pretty informative and tried to do a KCD instead of NTLM but your article says:

" Active Directory will need to be running at Windows 2003 native functional level (or greater) in order to see the Delegation tab. Also, both computer objects will need to be in the same Active Directory domain for KCD to function (even with ISA Server 2006 SP1)."

In the setup that I have these two objects (ISA and CAS) are in two different domains and I am not sure how I would deal with this situation. Let me know if you have any thoughts

Thanks!!!!
Freeze12341

(in reply to Jason Jones)
Post #: 39
RE: Outlook Anywhere NTLM Auth & ISA 06EE - 29.Sep.2010 6:19:49 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Ah, ok....the best you can get is basic delegation then

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to freeze12341)
Post #: 40
