Outlook Anywhere NTLM Auth & ISA 06EE (Full Version)

All Forums >> [ISA 2006 Publishing] >> Exchange Publishing





muflon_ -> Outlook Anywhere NTLM Auth & ISA 06EE (27.Mar.2007 5:24:50 PM)

Hi,
I used this guide to set up Exchange 07 with ISA06:
http://www.microsoft.com/technet/isa/2006/deployment/exchange.mspx
Everything works fine except Outlook Anywhere authentication.
When I use NTLM, the Outlook client always prompts for a password and doesn't connect to the Exchange Server (Basic auth is working fine).
Any solutions?

TX




tshinder -> RE: Outlook Anywhere NTLM Auth & ISA 06EE (2.Apr.2007 3:49:58 PM)

You must use basic.

HTH,
Tom




tempus -> RE: Outlook Anywhere NTLM Auth & ISA 06EE (9.May2007 11:10:40 PM)

Hi Tom,

Is there any reason why we have to use Basic in the Outlook client, since NTLM is used when Outlook Anywhere is enabled on Exch 2007?

Is there any article from Microsoft stating that? If so, then we'll have a reason to say that this is by design from Microsoft.

Thanks..




tshinder -> RE: Outlook Anywhere NTLM Auth & ISA 06EE (11.May2007 11:00:03 AM)

Are you using a single listener or multiple listeners? Is the OWA FBA rule using the same listener as the RPC/HTTP rule?

Tom




tempus -> RE: Outlook Anywhere NTLM Auth & ISA 06EE (11.May2007 1:46:58 PM)

I'm using a single web listener for both OWA and Outlook Anywhere.




tshinder -> RE: Outlook Anywhere NTLM Auth & ISA 06EE (12.May2007 12:00:02 PM)

OK, that won't work if you want to use integrated for RPC/HTTP. You'll have to create two listeners.

HTH,
Tom




tempus -> RE: Outlook Anywhere NTLM Auth & ISA 06EE (13.May2007 10:36:54 AM)

So you mean I should use another web listener for RPC/HTTP with the option to use integrated authentication? In that case, should I use Basic Authentication for the access rule for RPC/HTTP, or what?

Seems kinda confusing :)




tshinder -> RE: Outlook Anywhere NTLM Auth & ISA 06EE (13.May2007 12:31:12 PM)

The reason is that FBA fallback is to basic. So, if you want to use FBA on the same listener, you have to have RPC/HTTP fall back to basic.

If you create a second listener, you configure it to use integrated so that the fallback mechanism isn't required.

HTH,
Tom




uzimmermann -> RE: Outlook Anywhere NTLM Auth & ISA 06EE (18.May2007 4:31:54 PM)

Hi Tom

You can also use the same FBA web listener when you create a 2nd web publishing rule for Anywhere above the OWA rule

and set the Authentication Delegation option to "no authentication but client can authenticate directly". I know it then goes directly to Exchange, but this way NTLM works in the Outlook client on the same listener with a single IP :)

If you can deal with the option to allow RPC in a company, I think you can also deal with this.

Regards
uzimmermann




tshinder -> RE: Outlook Anywhere NTLM Auth & ISA 06EE (19.May2007 2:46:42 PM)

Hi UZ,

Does that actually work? I would think that the FBA enabled Web listener would block direct authentication from the RPC/HTTP client.

Tom




uzimmermann -> RE: Outlook Anywhere NTLM Auth & ISA 06EE (19.May2007 8:03:42 PM)

Hi Tom

Yes, actually this is working for E2k7 and ISA 2006.
I use one rule for OWA and ActiveSync with NTLM delegation and an FBA-enabled listener, and I
created a 2nd rule above the OWA rule with only the RPC virtual directory.

This rule I configured to use delegation: "no delegation but client can directly
authenticate", and it's working with the same FBA-enabled listener (single IP publishing).

The RPC client (Outlook 2003 & 2007) will still work with Basic & NTLM settings...

I tested only in a single E2k7 scenario, but I think it's also working with a separate CAS, because it changes nothing about the idea.

But I will also make more tests next week.


kind Regards
uzimmermann




uzimmermann -> RE: Outlook Anywhere NTLM Auth & ISA 06EE (19.May2007 8:13:52 PM)

Sorry, EAS isn't in the NTLM delegated rule, only OWA :)

Regards
uzimmermann




uzimmermann -> RE: Outlook Anywhere NTLM Auth & ISA 06EE (20.May2007 11:24:41 AM)

Hi Tom

I have more feedback for the scenario with MSRPC and NTLM.

So I had an interesting conversation with some experts about
why this is working with a single FBA listener:

Because the MSRPC user agent ignores FBA by default.
You can check this by using a script to read the current user agent configs for FBA.

So when I use Authentication Delegation "no delegation but client can directly authenticate" on my upper rule, I can use NTLM, but it also goes direct to Exchange, so the security isn't really strong.

I think when you use HTTPS/SSL to publish this scenario, which is the best practice, it makes no real difference whether you use only Basic or also NTLM auth with MSRPC (from the security side).

kind Regards
uzimmermann




tshinder -> RE: Outlook Anywhere NTLM Auth & ISA 06EE (21.May2007 10:58:51 AM)

Hi UZ,

Well, this is very interesting, because I thought the mechanism was to fall back to basic when the form is presented to the client.

Thanks!
Tom




uzimmermann -> RE: Outlook Anywhere NTLM Auth & ISA 06EE (22.May2007 5:31:31 AM)

Hi Tom

Yes it is, and I also thought so for MSRPC before this solution.
I hope you can test this too and give some feedback.

Thank you

kind Regards
UZ




tshinder -> RE: Outlook Anywhere NTLM Auth & ISA 06EE (22.May2007 8:10:09 AM)

Hi UZ,

I will need to get a new computer to test this. I tried to work with the 32bit trial version of Exchange 2007, but the SMTP "service" failed to work correctly and there were other problems. I have a Pentium D series 820 dual core machine, but it's not VT enabled, so I can't run 64 bit guests. So I'm likely going to have to wait a few months before I can test Exchange 2007 scenarios.

Tom




L663 -> RE: Outlook Anywhere NTLM Auth & ISA 06EE (6.Jun.2007 11:12:42 PM)

"You can also use the same FBA web listener when you create a 2nd web publishing rule for Anywhere above the OWA rule

and set the Authentication Delegation option to "no authentication but client can authenticate directly". I know it then goes directly to Exchange, but this way NTLM works in the Outlook client on the same listener with a single IP :)

If you can deal with the option to allow RPC in a company, I think you can also deal with this."

Uzimmermann,

Can you post some more detail on the rules you use to get NTLM to work externally? I've tried a 2nd rule for the same listener, but can't get NTLM to work through ISA 2006. Basic works fine internally and externally, or NTLM will work internally. I can't get NTLM to work externally.

Thanks!




tempus -> RE: Outlook Anywhere NTLM Auth & ISA 06EE (8.Jun.2007 1:19:04 AM)

Phew... finally got mine to work. What I did was to recreate the certificate from the Exchange server to also include the hostname of the ISA server, using an alternative domain name, which allows multiple domain names in one certificate.

After that, Outlook configured with NTLM works internally from the LAN and also when outside of the LAN.

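The fix tempus describes comes down to one property of the certificate: every hostname a client connects to (the public name on the ISA listener and the internal Exchange name ISA bridges to) has to be present in its Subject Alternative Name list. The following Go program is an added illustration, not code from the thread or from Microsoft; it builds two throwaway self-signed certificates with constructed hostnames (exch01.corp.example and mail.example.com are hypothetical) and checks which names a TLS client would accept. Note that Go's matcher only consults SAN DNS names and ignores the subject CN entirely, which is stricter than Windows clients of the 2007 era but matches what current clients require.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NewTestCert builds a throwaway self-signed certificate (constructed test
// data, not a real Exchange or ISA certificate). cn is the subject common
// name; sans are the DNS names placed in the Subject Alternative Name
// extension.
func NewTestCert(cn string, sans []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     sans,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NameCovered reports whether a TLS client connecting to host would accept
// cert for that name, using the same matching rules as Go's TLS client
// (SAN DNS names only; a name that lives only in the CN is not accepted).
func NameCovered(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

// MissingNames returns every hostname in hosts that cert does not cover.
// For a published Exchange this should be empty for both the public name
// Outlook connects to (the ISA listener) and the internal name ISA bridges to.
func MissingNames(cert *x509.Certificate, hosts []string) []string {
	var missing []string
	for _, h := range hosts {
		if !NameCovered(cert, h) {
			missing = append(missing, h)
		}
	}
	return missing
}

func main() {
	// Hypothetical names: the internal CAS and the public name on the ISA listener.
	internal := "exch01.corp.example"
	public := "mail.example.com"
	wanted := []string{internal, public}

	// Certificate as originally issued: only the internal name is listed.
	before, err := NewTestCert(internal, []string{internal})
	if err != nil {
		panic(err)
	}
	// Certificate reissued with both names as alternative names.
	after, err := NewTestCert(internal, wanted)
	if err != nil {
		panic(err)
	}
	fmt.Println("missing before reissue:", MissingNames(before, wanted))
	fmt.Println("missing after reissue: ", MissingNames(after, wanted))
}
```

Run against a real deployment, the same check is what the client performs at TLS handshake time: a name missing from the list produces the certificate warning or silent connection failure that shows up as Outlook repeatedly prompting for credentials.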



tshinder -> RE: Outlook Anywhere NTLM Auth & ISA 06EE (8.Jun.2007 9:00:01 AM)

Hi Tempus,

How did you recreate the certificate? One gotcha I found when using the dreaded PowerHell to request the certificate is that you cannot export the certificate from the CAS with its private key -- so I had to create a new certificate using the Web enrollment site for the ISA Firewall to get OWA and ActiveSync to work -- still don't have Outlook 2007 RPC/HTTP working yet. The Microsoft doc on how to publish Exchange 2007 is not much help in this area.

Tom




adenhaan -> RE: Outlook Anywhere NTLM Auth & ISA 06EE (10.Jun.2007 12:14:08 AM)

I found that the only way to get Outlook Anywhere to work with NTLM while using an FBA listener is like uz described. Here are some more details as requested:

Use a separate web publishing rule for /rpc path.
Allow it for "All users" (not "All authenticated users") and make sure to uncheck the "require all users to authenticate". These together will effectively prevent ISA from doing any authentication, so also not the Fallback Basic auth challenge of the FBA listener.
Finally set authentication delegation to "no delegation but client can directly authenticate" and enable integrated auth on the rpc directory on the exchange server.

Note: Using this method the RPC users are NOT authenticated by ISA, but only and directly on Exchange server, as they pass anonymously through the FBA listener and this rpc rule.



