Outlook 2013 - Exchange 2013 - Prompts for username and password when EWS basic authentication is enabled

So we have an Exchange 2013 environment, and a CRM solution that requires basic authentication to EWS internally.  Problem is, after a reboot of our Exchange server, all of our Outlook clients begin prompting for username and password (which nothing works) which also starts locking users' AD accounts out due to failed login attempts (somehow).  If I disabled basic authentication on EWS, Outlook authenticates as normal using NTLM and there are no issues.  Once Outlook has authenticated, I can turn back on basic authentication, and Outlook will be fine until the next time the Exchange server is rebooted.

Any ideas?

March 23rd, 2015 12:06pm

Hi,

According to your description, I understand that the Outlook client prompts for a username and password when the Exchange server restarts and basic authentication is enabled for EWS.
If I misunderstand your concern, please do not hesitate to let me know.

It's normal. This is caused by the difference between basic authentication and NTLM authentication:
Basic, with any version of Outlook prior to 2010, results in a pop up dialog asking for creds. Outlook 2010 makes the 'save this password' actually work, so in an Outlook 2010 or later world, Basic can mean no need to authenticate every time you open/reconnect, but in all earlier versions, you will have to enter creds every time.
NTLM, when used by a client that is domain joined and logged in with cached creds, results in the client simply sending the cached creds to the server, resulting in what looks like a pretty seamless single sign on experience. However, if you want to do pre-authentication at something like TMG, and not let the traffic go all the way to CAS, you need to configure TMG for this.

Thanks

March 23rd, 2015 10:29pm

Hey Allen, 

We are using NTLM with Outlook 2013, and normally Outlook will open without issue.  Our CRM application needs to have basic authentication enabled in order for synchronization to function fully.  Problem being when the Exchange server is rebooted, this somehow flags the Outlook clients to re-authenticate, and when EWS basic authentication is on, Outlook seems to be trying that first rather than using NTLM.

I guess my question is, is there a way to force Outlook to only use NTLM, while still having EWS basic authentication on on the IIS side.

I would have thought having the "Proxy Authentication Settings" set to NTLM Authentication, would do this.  But it is not...

March 24th, 2015 9:50am
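
With Windows and Basic authentication both enabled on the EWS virtual directory, the server advertises every enabled scheme in the `WWW-Authenticate` headers of its 401 response and the client picks one. The following is an added example, not code from the thread: it parses a captured 401 and reports which schemes were offered and in what order. The sample response, hostname and realm are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample: a 401 from an EWS endpoint that has Windows and Basic
# authentication enabled at the same time (realm is a placeholder).
SAMPLE_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: NTLM\r\n"
    'WWW-Authenticate: Basic realm="mail.example.test"\r\n'
    "Content-Length: 0\r\n"
    "\r\n"
)

# Split on commas that are not inside a quoted string.
_SPLIT = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')


def parse_challenges(raw_response):
    """Return [(scheme, params)] in the order the server offered them."""
    challenges = []
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() != "www-authenticate":
            continue
        for part in _SPLIT.split(value):
            part = part.strip()
            if not part:
                continue
            first = part.split(None, 1)[0]
            if "=" in first and challenges:
                # key=value continues the previous challenge's parameters
                scheme, params = challenges[-1]
                challenges[-1] = (scheme, (params + ", " + part).strip(", "))
            else:
                scheme, _, rest = part.partition(" ")
                challenges.append((scheme, rest.strip()))
    return challenges


def summarize(raw_response):
    """Report offered schemes and whether integrated and Basic auth coexist."""
    schemes = [s.lower() for s, _ in parse_challenges(raw_response)]
    return {
        "offered": schemes,
        "integrated": any(s in ("negotiate", "ntlm") for s in schemes),
        "basic": "basic" in schemes,
    }
```

A result with both `integrated` and `basic` set to true confirms the endpoint is offering the client a choice, which is the configuration the posts above describe.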

I guess my question is, is there a way to force Outlook to only use NTLM, while still having EWS basic authentication on on the IIS side.

I would have thought having the "Proxy Authentication Settings" set to NTLM Authentication, would do this.  But it is not...

bump

May 4th, 2015 3:56pm
