United States - English
Home
Online
2010
2007
2003
Library
Forums
Partners
EHLO Blog
6 out of 13 rated this helpful Rate this topic

How to Configure Authentication for Outlook Anywhere

Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007

Topic Last Modified: 2008-08-13

This topic explains how to use the Exchange Management Console and the Exchange Management Shell to configure authentication for Outlook Anywhere.

The first time that you run the Enable Outlook Anywhere wizard in the Exchange Management Console, you can select the authentication method that you want to use for Microsoft Office Outlook 2007 or Outlook 2003 clients. However, if you want to configure authentication and you have already run the Enable Outlook Anywhere wizard, you can use the Set-OutlookAnywhere cmdlet in the Exchange Management Shell.

Bb124149.note(en-us,EXCHG.80).gifNote:
When you specify authentication for Outlook Anywhere, you provide the authentication method that will be used by the Outlook client. This authentication method is automatically provided to the client by the Autodiscover service. This authentication method is separate from the authentication method on the /rpc virtual directory that is located on your Exchange 2007 Client Access servers. The /rpc virtual directory is enabled for Basic and Integrated Windows authentication and cannot be modified.

By default, in the original release (RTM) version of Exchange 2007, the /rpc virtual directory was enabled for both Basic authentication and Integrated Windows authentication and could not be modified. Even if you were only using one authentication method, both authentication methods were always enabled for the /rpc virtual directory. Because using a single authentication method will help you reduce attack surface area, in Exchange 2007 SP1, you can now choose to use only one authentication method on the /rpc virtual directory. However, you can still also choose to allow both Basic and Integrated Windows authentication.

For new installations of Exchange 2007 SP1, by default, the authentication method on the /rpc virtual directory will be the same as the authentication method that you choose when you enable Outlook Anywhere by using the Enable Outlook Anywhere wizard. The default authentication method for Internet Information Services (IIS) can be modified by using the Set-OutlookAnywhere cmdlet to be either Integrated Windows authentication or Basic authentication or both. As an alternative to using the Enable Outlook Anywhere wizard, the Enable-OutlookAnywhere cmdlet can be used to configure Outlook Anywhere.

Important   After you upgrade from the RTM version of Exchange 2007 to Exchange 2007 SP1, we recommend that you manually restrict the IIS authentication methods to include only the ones that you need to enable for your environment by using the Set-OutlookAnywhere cmdlet.

If you deploy a firewall server that performs authentication delegation, you must change the authentication method on the /rpc virtual directory to a method different from the authentication method that is used by the client. For example, if you deploy a firewall server that performs authentication delegation, the firewall server authenticates to the Client Access server by using NTLM authentication. The client, however, uses Basic authentication. In this example, the firewall server is responsible for delegating the user’s authentication. This is why you configure the /rpc virtual directory in IIS to use NTLM authentication.

Although not recommended, in Exchange 2007 SP1 you can configure the /rpc virtual directory in IIS to use both NTLM and Basic authentication. A common situation in which both authentication methods might be used is when additional services for RPC over HTTP are proxied to the same Client Access server that provides Outlook Anywhere access. In this example, each service requires both authentication methods. To configure the /rpc virtual directory in IIS to use both NTLM and Basic authentication, run the following command:

Set-OutlookAnywhere -Name Server01 -IISAuthenticationMethod Basic,NTLM

To perform the following procedures, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server.

For more information about permissions, delegating roles, and the rights that are required to administer Exchange 2007, see Permission Considerations.

  • Run the following command:

    Copy 
    Set-OutlookAnywhere -Name Server01 -DefaultAuthenticationMethod <Basic or NTLM>

  • To enable only Basic authentication for Outlook Anywhere on your IIS virtual directory, run the following command:

    Copy 
    Set-OutlookAnywhere -Name Server01 -IISAuthenticationMethod Basic

  • To enable only NTLM authentication for Outlook Anywhere on your IIS virtual directory, run the following command:

    Copy 
    Set-OutlookAnywhere -Name Server01 -IISAuthenticationMethod NTLM

  • To enable both Basic and NTLM authentication for Outlook Anywhere on your IIS virtual directory, run the following command:

    Copy 
    Set-OutlookAnywhere -Name Server01 -IISAuthenticationMethod Basic,NTLM

  • To enable only Basic authentication for Outlook 2007 clients that are using Outlook Anywhere, run the following command:

    Copy 
    Set-OutlookAnywhere -Name Server01 -ClientAuthenticationMethod Basic

  • To enable only NTLM authentication for Outlook 2007 clients that are using Outlook Anywhere, run the following command:

    Copy 
    Set-OutlookAnywhere -Name Server01 -ClientAuthenticationMethod NTLM

  • To use Basic authentication for Outlook Anywhere, run the following command:

    Copy 
    Set-OutlookAnywhere -Name Server01 -ExternalAuthenticationMethod Basic

  • To use NTLM authentication for Outlook Anywhere, run the following command:

    Copy 
    Set-OutlookAnywhere -Name Server01 -ExternalAuthenticationMethod NTLM

For more information about syntax and parameters, see Set-OutlookAnywhere.

For more information about how to configure security for Outlook Anywhere, see Managing Outlook Anywhere Security.

Did you find this helpful?
(1500 characters remaining)
Community Content Add
Annotations FAQ
Order of the Name parameter

Using a 2007 lab on the Microsoft site (not SP1) having the -Name parameter before the Identity parameter produced an error:

The opreation could not be performed because 'SMBEX01\Rpc (Default Web Site) could not be found on SMBEX01.nwtraders.com.



The command was:

Set-OutlookAnywhere -Name SMBEX01 -Identity "SMBEX01\Rpc (Default Web Site)" -ExternalAuthenticationMethod ntlm


It seems the -Name parameter actually changed the name because subsequent issuance of the command

Get-OutlookAnywhere | fl Identity



Produced

Identity : SMBEX01\SMBEX01



To change the name back I actually had to issue the command

Set-OutlookAnywhere -Identity SMBEX01\SMBEX01 -Name "Rpc (Default Web Site)"


which changed the Identity back. Odd behavior. I recommend not using the Name parameter at all, just use Identity. In the documentation for Set-OutlookAnywhere, the Name parameter even has a weird description:

Use the name parameter to specify name of the user.

What the heck does that mean?
History
The IISAuthentication commands are missing the -identity parameter
The IISAuthentication commands are missing the -identity parameter, which should be the virtual directory in IIS. The appropriate value can be obtained from running the powershell command "get-outlookanywhere" and noting the value.

So for example the command to enable both basic and nltlm authentication would be:


Set-OutlookAnywhere -Name server01 -identity "server01\Rpc (Default Web Site)" -IISAuthenticationMethod Basic,NTLM
-Keith Schneider
http://keithschneider.blogspot.com/
History