
How to Configure Authentication for Outlook Anywhere

 

Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007

Topic Last Modified: 2008-08-13

This topic explains how to use the Exchange Management Console and the Exchange Management Shell to configure authentication for Outlook Anywhere.

The first time that you run the Enable Outlook Anywhere wizard in the Exchange Management Console, you can select the authentication method that you want to use for Microsoft Office Outlook 2007 or Outlook 2003 clients. However, if you want to configure authentication and you have already run the Enable Outlook Anywhere wizard, you can use the Set-OutlookAnywhere cmdlet in the Exchange Management Shell.

Note:
When you specify authentication for Outlook Anywhere, you provide the authentication method that will be used by the Outlook client. This authentication method is automatically provided to the client by the Autodiscover service. This authentication method is separate from the authentication method on the /rpc virtual directory that is located on your Exchange 2007 Client Access servers. The /rpc virtual directory is enabled for Basic and Integrated Windows authentication and cannot be modified.

By default, in the original release (RTM) version of Exchange 2007, the /rpc virtual directory was enabled for both Basic authentication and Integrated Windows authentication and could not be modified. Even if you were only using one authentication method, both authentication methods were always enabled for the /rpc virtual directory. Because using a single authentication method will help you reduce attack surface area, in Exchange 2007 SP1, you can now choose to use only one authentication method on the /rpc virtual directory. However, you can still also choose to allow both Basic and Integrated Windows authentication.

For new installations of Exchange 2007 SP1, by default, the authentication method on the /rpc virtual directory will be the same as the authentication method that you choose when you enable Outlook Anywhere by using the Enable Outlook Anywhere wizard. The default authentication method for Internet Information Services (IIS) can be modified by using the Set-OutlookAnywhere cmdlet to be either Integrated Windows authentication or Basic authentication or both. As an alternative to using the Enable Outlook Anywhere wizard, the Enable-OutlookAnywhere cmdlet can be used to configure Outlook Anywhere.

Important: After you upgrade from the RTM version of Exchange 2007 to Exchange 2007 SP1, we recommend that you manually restrict the IIS authentication methods to include only the ones that you need to enable for your environment by using the Set-OutlookAnywhere cmdlet.

If you deploy a firewall server that performs authentication delegation, you must change the authentication method on the /rpc virtual directory to a method different from the authentication method that is used by the client. For example, if you deploy a firewall server that performs authentication delegation, the firewall server authenticates to the Client Access server by using NTLM authentication. The client, however, uses Basic authentication. In this example, the firewall server is responsible for delegating the user’s authentication. This is why you configure the /rpc virtual directory in IIS to use NTLM authentication.

Although not recommended, in Exchange 2007 SP1 you can configure the /rpc virtual directory in IIS to use both NTLM and Basic authentication. A common situation in which both authentication methods might be used is when additional services for RPC over HTTP are proxied to the same Client Access server that provides Outlook Anywhere access. In this example, each service requires both authentication methods. To configure the /rpc virtual directory in IIS to use both NTLM and Basic authentication, run the following command:

    Set-OutlookAnywhere -Name Server01 -IISAuthenticationMethod Basic,NTLM

To perform the following procedures, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server.

For more information about permissions, delegating roles, and the rights that are required to administer Exchange 2007, see Permission Considerations.

  • Run the following command:

    Set-OutlookAnywhere -Name Server01 -DefaultAuthenticationMethod <Basic or NTLM>
    
  • To enable only Basic authentication for Outlook Anywhere on your IIS virtual directory, run the following command:

    Set-OutlookAnywhere -Name Server01 -IISAuthenticationMethod Basic
    
  • To enable only NTLM authentication for Outlook Anywhere on your IIS virtual directory, run the following command:

    Set-OutlookAnywhere -Name Server01 -IISAuthenticationMethod NTLM
    
  • To enable both Basic and NTLM authentication for Outlook Anywhere on your IIS virtual directory, run the following command:

    Set-OutlookAnywhere -Name Server01 -IISAuthenticationMethod Basic,NTLM
    
  • To enable only Basic authentication for Outlook 2007 clients that are using Outlook Anywhere, run the following command:

    Set-OutlookAnywhere -Name Server01 -ClientAuthenticationMethod Basic
    
  • To enable only NTLM authentication for Outlook 2007 clients that are using Outlook Anywhere, run the following command:

    Set-OutlookAnywhere -Name Server01 -ClientAuthenticationMethod NTLM
    
  • To use Basic authentication for Outlook Anywhere, run the following command:

    Set-OutlookAnywhere -Name Server01 -ExternalAuthenticationMethod Basic
    
  • To use NTLM authentication for Outlook Anywhere, run the following command:

    Set-OutlookAnywhere -Name Server01 -ExternalAuthenticationMethod NTLM
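
To find Client Access servers that still need the restriction recommended after an upgrade to SP1, the following added example (not part of the original topic) reads the current settings and flags any /rpc virtual directory that accepts both methods, or whose IIS method differs from the client method. It assumes that Get-OutlookAnywhere returns the ServerName, ClientAuthenticationMethod and IISAuthenticationMethods properties; the function name Get-OutlookAnywhereAuthFinding is hypothetical.

```powershell
# Added example: run in the Exchange Management Shell on Exchange 2007 SP1 or later.
# Assumption: Get-OutlookAnywhere exposes ServerName, ClientAuthenticationMethod and
# IISAuthenticationMethods. Confirm with:  Get-OutlookAnywhere | Format-List *

function Get-OutlookAnywhereAuthFinding {
    param($Config)   # one object returned by Get-OutlookAnywhere

    # Normalize the multi-valued IIS setting to an array of strings.
    $iis = @($Config.IISAuthenticationMethods |
             Where-Object { $_ -ne $null } |
             ForEach-Object { "$_" })
    $client = "$($Config.ClientAuthenticationMethod)"
    $iisText = [string]::Join(',', $iis)

    if ($iis.Count -eq 0) {
        return "Review: no IIS authentication methods reported"
    }
    if ($iis.Count -gt 1) {
        # Both methods on /rpc: possible in SP1, but not recommended.
        return "Review: /rpc accepts $iisText"
    }
    if ($iis -notcontains $client) {
        # Expected only when a firewall server performs authentication delegation.
        return "Review: client uses $client but /rpc accepts $iisText"
    }
    return "OK"
}

# Report every Outlook Anywhere configuration in the organization.
Get-OutlookAnywhere | ForEach-Object {
    $finding = Get-OutlookAnywhereAuthFinding $_
    $_ | Select-Object ServerName, ClientAuthenticationMethod, IISAuthenticationMethods,
        @{Name = 'Finding'; Expression = { $finding }}
} | Format-Table -AutoSize

# After reviewing a finding, restrict /rpc to the single method you need, for example:
# Set-OutlookAnywhere -Name Server01 -IISAuthenticationMethod NTLM
```

A "client uses ... but /rpc accepts ..." finding is the intended state when a firewall server delegates authentication, so confirm the deployment before changing it.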
    

For more information about syntax and parameters, see Set-OutlookAnywhere.

For more information about how to configure security for Outlook Anywhere, see Managing Outlook Anywhere Security.

To ensure that you are reading the most up-to-date information and to find additional Exchange Server 2007 documentation, visit the Exchange Server TechCenter.
© 2014 Microsoft. All rights reserved.