Does Outlook Anywhere Support Kerberos RPC Auth?
I have a simple lab setup in which my requirement is to get Outlook Anywhere traffic using Kerberos authentication for the RPC auth. HTTP (proxy) auth level can be either Basic or NTLM, doesn't matter. I'm trying to figure out if this deployment is even possible, as it doesn't appear to be from my testing. Regardless of my Proxy Auth settings (Basic or NTLM) or my RPC Auth settings (Kerberos, Negotiate), I'm ALWAYS seeing NTLM Authentication used for RPC. If I just use standard TCP rather than HTTP, Kerberos works fine. So Kerberos is at least possible. I see LDAP traffic, and even some requests to get krbtgt tickets, which implies it should be possible at least for an internal client like mine. This technet blog implies that OA doesn't do Kerberos ever: http://blogs.technet.com/b/exchange/archive/2011/04/15/recommendation-enabling-kerberos-authentication-for-mapi-clients.aspx But if you try to enable it, Outlook comes up with this message (which implies that you can inside a firewall, I have no firewall): “Kerberos has been specified as the protocol for network authentication. When connection to your Microsoft Exchange mailbox using HTTP, Kerberos authentication can only be used if you are connecting inside a firewall. If you connect from outside a firewall, NTLM authentication will be used.” Can Outlook Anywhere do Kerberos RPC Auth and if it can, what is required to get it working? It seems many people on here have had problems with this giving multiple password prompt and they just changed the setting to use NTLM RPC Auth instead of Kerberos. This isn't acceptable for me as my requirement is using Kerberos for RPC. Thanks for any help.
May 23rd, 2011 10:11pm
The answer is YES, But read the article before you opt for it. http://technet.microsoft.com/en-us/library/bb331973.aspx http://blogs.technet.com/b/exchange/archive/2011/04/15/recommendation-enabling-kerberos-authentication-for-mapi-clients.aspx Cheers, Gulab | MCTS-MCITP Messaging: 2010 | MCTS-MCITP Messaging: 2007 | MCC 2011 | Skype: Gulab.Mallah | Blog: www.ExchangeRanger.blogspot.com
May 24th, 2011 10:18am
Hey Gulab, Thanks for the response, but I don't see what in those articles indicates it's possible to use Kerberos Auth for the RPC channel of RPC-over-HTTP. The first article addresses the HTTP auth level of RPC-over-HTTP (Basic, NTLM), but not the RPC auth. The blog indicates no, but is not diffinitive. Again, I'm not concerned with the HTTP auth, just the RPC auth. Thanks, Lee
June 7th, 2011 4:23pm
Check this article by Henrik, its so amazing and awesome, you should read it http://www.msexchange.org/articles_tutorials/exchange-server-2010/management-administration/enabling-kerberos-authentication-mapi-clients-connecting-exchange-2010-sp1.html Gulab | MCITP: Exchange 2010-2007 | Skype: Gulab.Mallah | Blog: www.ExchangeRanger.blogspot.com
June 7th, 2011 5:04pm