Pro-Exchange,Lync & Office 365

Basic authentication vs NTLM authentication


Hi,

I've set up 2 Exchange 2010 servers, both providing CAS/HUB/MBX service (MBX database in a DAG).
This works pretty well on the LAN. All clients can connect via NTLM authentication.

To provide Outlook Anywhere (RPC over HTTPS), I installed Squid on our firewall to proxy it all to Exchange. This works, but only with Basic authentication. NTLM seems to be unsupported (due to the fact that NTLM authenticates with the first hop it finds, thus the firewall and not the Exchange server).

So for the local desktops there is no problem.
For the remote laptops there is also no problem.

But the problems start when the laptops are in the LAN. Outlook 2007 tries to authenticate via NTLM, but fails (as it passes the proxy). No idea why it tries NTLM, as Outlook is configured to use Basic.

If I turn off NTLM on the Exchange, all the desktop users start to complain that they have to enter a password.
If I turn off Basic on Exchange, all laptop users are locked out.

Does anybody have an idea how to fix this? Disabling NTLM in Outlook is not an option, as it is used by a plugin to authenticate to another server.

Thanks.


ISA Server 2006, TMG or UAG will help you with that problem.

ISA Server can do NTLM and proxy it to the backend, or even do Basic and proxy it as NTLM or Kerberos to the backend. You see, there are lots of options:
http://technet.microsoft.com/en-us/forefront/edgesecurity/bb734854.aspx

I don't think you will have any other way, because the limiting factor is the Squid firewall.


Hi,

Why are your laptop clients in the LAN connecting through the proxy to Outlook Anywhere?

First, the LAN clients should have a TCP connection available to the Exchange Server so Outlook Anywhere is not used, and should you have configured the Outlook checkbox to use HTTPS first before anything else, then I would add a proxy exception on the client (IE) for the URL you are using. If you put in an exception, the laptop will resolve the OA URL and connect directly without passing your firewall.

Sincerely,
Tonino Bruno
Tonino@btconsulting.be | ICT Consultant | B.T. Consulting bvba

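The proxy exception Tonino suggests can be scripted rather than clicked through in the IE dialog. This is an added example, not code from the thread or from Tonino: it appends the Outlook Anywhere hostname (the `mail.example.com` value is an assumption, replace it with your own OA host) to the per-user `ProxyOverride` bypass list that IE and WinHTTP read, so a LAN laptop resolves the OA URL directly instead of sending it through Squid.

```powershell
# Added example, not from the original thread.
# Adds a hostname to the current user's proxy bypass list (IE / WinHTTP),
# which is what the IE "Exceptions" box writes to under the hood.
# ASSUMPTION: replace with the external Outlook Anywhere host from your profile.
$oaHost = 'mail.example.com'
$regPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Add-ProxyBypassEntry {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [Parameter(Mandatory)] [string] $RegistryPath
    )

    # ProxyOverride is a single REG_SZ with entries separated by ';'
    # (e.g. "*.corp.local;<local>"). It may not exist yet.
    $current = (Get-ItemProperty -Path $RegistryPath -Name ProxyOverride `
                    -ErrorAction SilentlyContinue).ProxyOverride

    $entries = @()
    if ($current) {
        $entries = $current -split ';' | Where-Object { $_.Trim() -ne '' }
    }

    # Idempotent: do not duplicate an entry that is already present.
    if ($entries -contains $HostName) {
        return $current
    }

    $entries += $HostName
    $new = $entries -join ';'
    Set-ItemProperty -Path $RegistryPath -Name ProxyOverride -Value $new
    return $new
}

$result = Add-ProxyBypassEntry -HostName $oaHost -RegistryPath $regPath
Write-Output "ProxyOverride is now: $result"
```

Outlook picks the change up on its next connection attempt; restart Outlook if a session is already open. For domain-joined laptops the same value is normally pushed centrally via Group Policy rather than edited per machine.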