Exchange 2007 SP1 Outlook Anywhere NTLM authentication for domain based and workgroup based computers

At the University in Sydney they have Exchange Server 2007 installed on Windows Server 2003 servers. They needed Outlook Anywhere to work for two kinds of laptop: domain-joined laptops where the user logs on with a domain account, and laptops that weren't on the domain where the user logs on with a local account. For the domain-based users they didn't want the password dialog box popping up all the time; for users with local accounts it was acceptable for the password dialog box to appear when they logged into Outlook.

At first, when I tried to switch the Outlook Anywhere publishing rule in ISA 2006 and the CAS Outlook Anywhere setting to NTLM, users logged on with local computer accounts couldn't log into Outlook; the credentials dialog box kept popping up. For users logged on with a domain account the credentials passed through perfectly with NTLM, and no credentials dialog box popped up.

Back end

First I had to edit the Outlook Anywhere publishing rule in ISA 2006, changing it to NTLM authentication.


Then I had to change the Outlook Anywhere setting of the two Exchange Client Access servers to NTLM.



Client side

The way we fixed it was quite simple: on the client side we made sure the two Exchange Proxy Settings options about connecting using HTTP first ("On fast networks, connect using HTTP first, then connect using TCP/IP" and the matching "On slow networks" option) were unchecked. So in essence the clients will connect using TCP/IP.



Windows Server 2008

If your CAS runs Windows Server 2008 you will need to install the RPC over HTTP proxy IIS component if it isn't already present. Type this at the command prompt on your Exchange 2007 CAS server:

ServerManagerCmd -i RPC-over-HTTP-proxy

You will also need to enable Outlook Anywhere using the Exchange Management Console.


Then check the IISAuthenticationMethods value by running Get-OutlookAnywhere | fl in PowerShell (the Exchange Management Shell).


If it shows only NTLM rather than "Basic, NTLM", run these commands in PowerShell:

Get-OutlookAnywhere | Set-OutlookAnywhere -IISAuthenticationMethods Basic,Ntlm
Get-OutlookAnywhere | Set-OutlookAnywhere -ClientAuthenticationMethod Basic,Ntlm


When an Outlook client using Outlook Anywhere tries to connect to Exchange 2007 running on Windows Server 2008, the client receives repeated prompts to enter their credentials and can’t connect.

This is because Internet Information Services (IIS) 7.0, the Web server role in Windows Server 2008, has kernel-mode authentication enabled by default for Integrated Windows authentication. Disable it and then restart the Default Web Site:

%systemroot%\system32\inetsrv\AppCmd.exe set config /section:system.webServer/security/authentication/windowsAuthentication /useKernelMode:false

appcmd.exe Stop Site "Default Web Site"

appcmd.exe Start Site "Default Web Site"


When Exchange 2007 is run under Windows Server 2008, clients who use Exchange 2007 may be repeatedly prompted for their credentials during Outlook Anywhere sessions. This issue occurs when NTLM Authentication is selected as the authentication method in the Exchange Proxy Settings dialog box for the Outlook profile on the client computer. This issue does not occur if Basic Authentication is selected as the authentication method in the Exchange Proxy Settings dialog box. By default, Kernel Mode Authentication is enabled in Internet Information Services (IIS) 7.0 on the Client Access server. To resolve this issue, disable Kernel Mode Authentication for Client Access servers that are running Windows Server 2008.
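The Windows Server 2008 steps above can be checked and applied in one pass. The script below is an added example, not part of the original post: it assumes it runs in the Exchange Management Shell on the CAS, that appcmd.exe is at its default path, and that the Outlook Anywhere virtual directory lives under the Default Web Site. It only changes a setting when the current value differs from what the post requires.

```powershell
# Added example (not from the original post). Assumes the Exchange Management
# Shell on a Windows Server 2008 CAS and appcmd.exe in its default location.
$appcmd = "$env:SystemRoot\System32\inetsrv\appcmd.exe"
$wanted = @('Basic', 'Ntlm')

# 1. IIS authentication methods on the Outlook Anywhere (/rpc) virtual directory.
#    Both Basic and NTLM must be listed; NTLM alone leaves Basic-profile clients
#    stuck in the credential prompt loop described in the post.
foreach ($oa in Get-OutlookAnywhere) {
    $current = @($oa.IISAuthenticationMethods | ForEach-Object { "$_" })
    $missing = $wanted | Where-Object { $current -notcontains $_ }
    if ($missing) {
        Write-Host "$($oa.Identity): IIS auth is [$($current -join ',')]; setting Basic,Ntlm"
        Set-OutlookAnywhere -Identity $oa.Identity -IISAuthenticationMethods Basic,Ntlm
    } else {
        Write-Host "$($oa.Identity): IIS auth already [$($current -join ',')]"
    }
}

# 2. Kernel-mode Windows authentication. IIS 7.0 defaults this to true, and
#    NTLM against /rpc then re-prompts for credentials until it is false.
#    If the attribute is absent from the output the default (true) applies,
#    so anything other than an explicit "false" is treated as enabled.
$section = 'system.webServer/security/authentication/windowsAuthentication'
$config  = & $appcmd list config "/section:$section"
if (($config -join "`n") -notmatch 'useKernelMode="false"') {
    Write-Host 'Kernel-mode authentication is enabled; disabling it and restarting the site'
    & $appcmd set config "/section:$section" /useKernelMode:false
    & $appcmd stop site 'Default Web Site'
    & $appcmd start site 'Default Web Site'
} else {
    Write-Host 'Kernel-mode authentication already disabled; nothing to do'
}
```

Run it once per Client Access server; the Set-OutlookAnywhere call and the appcmd change are both safe to repeat because each branch only fires when the value is not already what the post calls for.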

4 Comments

  1. Sorry to see your post has been spammed. Please see this thread regarding this topic. Your Clientauthentication switch does not have the result you think. http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/21867578-e623-4756-b483-dfb31162a665

  2. […] bell. Perhaps something to do with NTLM authentication and outlook anywhere. This should fix it: Exchange 2007 SP1 Outlook Anywhere NTLM authentication for domain based and workgroup based computer… Reply With […]

  3. Hello,
    Does your howto work for Exchange 2010 too? We want to use NTLM for our notebook clients.

  4. Everyone loves what you guys tend to be up too. This kind of clever work and exposure!
    Keep up the very good works guys I’ve included you guys to our blogroll.
