Outlook Anywhere keeps reverting from Basic to NTLM after every restart

Hi all,

We are in the middle of a transition from Exchange 2010 SP3 to Exchange 2013 CU8 and everything works fine except external Outlook Anywhere. We are publishing the Exchange services through TMG 2010 and we are using Basic for external clients, which worked great for Exchange 2010. Now, using the same rules, Outlook (2013) clients fail to authenticate to Exchange from external (internet) connections.

The current settings:

Get-OutlookAnywhere | FL ServerName, *auth*

ServerName                         : 2010
ExternalClientAuthenticationMethod : Basic
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods           : {Basic, Ntlm}

ServerName                         : 2013
ExternalClientAuthenticationMethod : Basic
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods           : {Basic, Ntlm, Negotiate}

For clients that are still on 2010 everything works perfectly, both internal and external connections. For clients migrated or newly created on 2013, it works from internal but keeps on asking for a password from external. If I manually change the Authentication for Exchange proxy settings from NTLM to Basic then it works OK from external as well - BUT this setting is changed back to NTLM after every restart of the Outlook client. It seems that Autodiscover is pushing the wrong settings, even though the settings are correct. Here is the XML:

<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <User>
      <DisplayName>XXXXXXXXXXXXXXXXXXXXXX</DisplayName>
      <LegacyDN>XXXXXXXXXXXXXXXXXXXXXX</LegacyDN>
      <AutoDiscoverSMTPAddress>XXXXXXXXXXXXXXXXXXXXXX</AutoDiscoverSMTPAddress>
      <DeploymentId>XXXXXXXXXXXXXXXXXXXXXX</DeploymentId>
    </User>
    <Account>
      <AccountType>email</AccountType>
      <Action>settings</Action>
      <MicrosoftOnline>False</MicrosoftOnline>
      <Protocol>
        <Type>EXCH</Type>
        <Server>XXXXXXXXXXXXXXXXXXXXXX</Server>
        <ServerDN>XXXXXXXXXXXXXXXXXXXXXX</ServerDN>
        <ServerVersion>73C08434</ServerVersion>
        <MdbDN>XXXXXXXXXXXXXXXXXXXXXX</MdbDN>
        <PublicFolderServer>webmail.nspyre.nl</PublicFolderServer>
        <AD>XXXXXXXXXXXXXXXXXXXXXX</AD>
        <ASUrl>https://webmail.nspyre.nl/EWS/Exchange.asmx</ASUrl>
        <EwsUrl>https://webmail.nspyre.nl/EWS/Exchange.asmx</EwsUrl>
        <EmwsUrl>https://webmail.nspyre.nl/EWS/Exchange.asmx</EmwsUrl>
        <EcpUrl>https://webmail.nspyre.nl/ecp/</EcpUrl>
        <EcpUrl-um>?rfr=olk&amp;p=customize/voicemail.aspx&amp;exsvurl=1&amp;realm=nspyre.nl</EcpUrl-um>
        <EcpUrl-aggr>?rfr=olk&amp;p=personalsettings/EmailSubscriptions.slab&amp;exsvurl=1&amp;realm=nspyre.nl</EcpUrl-aggr>
        <EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?rfr=olk&amp;exsvurl=1&amp;IsOWA=&lt;IsOWA&gt;&amp;MsgID=&lt;MsgID&gt;&amp;Mbx=&lt;Mbx&gt;&amp;realm=nspyre.nl</EcpUrl-mt>
        <EcpUrl-ret>?rfr=olk&amp;p=organize/retentionpolicytags.slab&amp;exsvurl=1&amp;realm=nspyre.nl</EcpUrl-ret>
        <EcpUrl-sms>?rfr=olk&amp;p=sms/textmessaging.slab&amp;exsvurl=1&amp;realm=nspyre.nl</EcpUrl-sms>
        <EcpUrl-photo>PersonalSettings/EditAccount.aspx?rfr=olk&amp;chgPhoto=1&amp;exsvurl=1&amp;realm=nspyre.nl</EcpUrl-photo>
        <EcpUrl-tm>?rfr=olk&amp;ftr=TeamMailbox&amp;exsvurl=1&amp;realm=nspyre.nl</EcpUrl-tm>
        <EcpUrl-tmCreating>?rfr=olk&amp;ftr=TeamMailboxCreating&amp;SPUrl=&lt;SPUrl&gt;&amp;Title=&lt;Title&gt;&amp;SPTMAppUrl=&lt;SPTMAppUrl&gt;&amp;exsvurl=1&amp;realm=nspyre.nl</EcpUrl-tmCreating>
        <EcpUrl-tmEditing>?rfr=olk&amp;ftr=TeamMailboxEditing&amp;Id=&lt;Id&gt;&amp;exsvurl=1&amp;realm=nspyre.nl</EcpUrl-tmEditing>
        <EcpUrl-extinstall>Extension/InstalledExtensions.slab?rfr=olk&amp;exsvurl=1&amp;realm=nspyre.nl</EcpUrl-extinstall>
        <OOFUrl>https://webmail.nspyre.nl/EWS/Exchange.asmx</OOFUrl>
        <UMUrl>https://webmail.nspyre.nl/EWS/UM2007Legacy.asmx</UMUrl>
        <OABUrl>https://webmail.nspyre.nl/OAB/3cde2ebe-e722-44e5-849d-7f6cd94b51fa/</OABUrl>
        <ServerExclusiveConnect>off</ServerExclusiveConnect>
        <CertPrincipalName>msstd:*.nspyre.nl</CertPrincipalName>
      </Protocol>
      <Protocol>
        <Type>EXPR</Type>
        <Server>webmail.nspyre.nl</Server>
        <SSL>On</SSL>
        <AuthPackage>Basic</AuthPackage>
        <ASUrl>https://webmail.nspyre.nl/EWS/Exchange.asmx</ASUrl>
        <EwsUrl>https://webmail.nspyre.nl/EWS/Exchange.asmx</EwsUrl>
        <EmwsUrl>https://webmail.nspyre.nl/EWS/Exchange.asmx</EmwsUrl>
        <OOFUrl>https://webmail.nspyre.nl/EWS/Exchange.asmx</OOFUrl>
        <UMUrl>https://webmail.nspyre.nl/EWS/UM2007Legacy.asmx</UMUrl>
        <OABUrl>https://webmail.nspyre.nl/OAB/3cde2ebe-e722-44e5-849d-7f6cd94b51fa/</OABUrl>
        <ServerExclusiveConnect>on</ServerExclusiveConnect>
        <CertPrincipalName>msstd:*.nspyre.nl</CertPrincipalName>
        <EwsPartnerUrl>https://webmail.nspyre.nl/EWS/Exchange.asmx</EwsPartnerUrl>
        <GroupingInformation>DataCenters</GroupingInformation>
      </Protocol>
      <Protocol>
        <Type>WEB</Type>
        <Internal>
          <OWAUrl AuthenticationMethod="Ntlm, WindowsIntegrated">https://webmail.nspyre.nl/owa/</OWAUrl>
          <Protocol>
            <Type>EXCH</Type>
            <ASUrl>https://webmail.nspyre.nl/EWS/Exchange.asmx</ASUrl>
          </Protocol>
        </Internal>
      </Protocol>
      <Protocol>
        <Type>EXHTTP</Type>
        <Server>webmail.nspyre.nl</Server>
        <SSL>On</SSL>
        <AuthPackage>Ntlm</AuthPackage>
        <ASUrl>https://webmail.nspyre.nl/EWS/Exchange.asmx</ASUrl>
        <EwsUrl>https://webmail.nspyre.nl/EWS/Exchange.asmx</EwsUrl>
        <EmwsUrl>https://webmail.nspyre.nl/EWS/Exchange.asmx</EmwsUrl>
        <EcpUrl>https://webmail.nspyre.nl/ecp/</EcpUrl>
        <EcpUrl-um>?rfr=olk&amp;p=customize/voicemail.aspx&amp;exsvurl=1&amp;realm=nspyre.nl</EcpUrl-um>
        <EcpUrl-aggr>?rfr=olk&amp;p=personalsettings/EmailSubscriptions.slab&amp;exsvurl=1&amp;realm=nspyre.nl</EcpUrl-aggr>
        <EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?rfr=olk&amp;exsvurl=1&amp;IsOWA=&lt;IsOWA&gt;&amp;MsgID=&lt;MsgID&gt;&amp;Mbx=&lt;Mbx&gt;&amp;realm=nspyre.nl</EcpUrl-mt>
        <EcpUrl-ret>?rfr=olk&amp;p=organize/retentionpolicytags.slab&amp;exsvurl=1&amp;realm=nspyre.nl</EcpUrl-ret>
        <EcpUrl-sms>?rfr=olk&amp;p=sms/textmessaging.slab&amp;exsvurl=1&amp;realm=nspyre.nl</EcpUrl-sms>
        <EcpUrl-photo>PersonalSettings/EditAccount.aspx?rfr=olk&amp;chgPhoto=1&amp;exsvurl=1&amp;realm=nspyre.nl</EcpUrl-photo>
        <EcpUrl-tm>?rfr=olk&amp;ftr=TeamMailbox&amp;exsvurl=1&amp;realm=nspyre.nl</EcpUrl-tm>
        <EcpUrl-tmCreating>?rfr=olk&amp;ftr=TeamMailboxCreating&amp;SPUrl=&lt;SPUrl&gt;&amp;Title=&lt;Title&gt;&amp;SPTMAppUrl=&lt;SPTMAppUrl&gt;&amp;exsvurl=1&amp;realm=nspyre.nl</EcpUrl-tmCreating>
        <EcpUrl-tmEditing>?rfr=olk&amp;ftr=TeamMailboxEditing&amp;Id=&lt;Id&gt;&amp;exsvurl=1&amp;realm=nspyre.nl</EcpUrl-tmEditing>
        <EcpUrl-extinstall>Extension/InstalledExtensions.slab?rfr=olk&amp;exsvurl=1&amp;realm=nspyre.nl</EcpUrl-extinstall>
        <OOFUrl>https://webmail.nspyre.nl/EWS/Exchange.asmx</OOFUrl>
        <UMUrl>https://webmail.nspyre.nl/EWS/UM2007Legacy.asmx</UMUrl>
        <OABUrl>https://webmail.nspyre.nl/OAB/3cde2ebe-e722-44e5-849d-7f6cd94b51fa/</OABUrl>
        <ServerExclusiveConnect>On</ServerExclusiveConnect>
        <CertPrincipalName>msstd:*.nspyre.nl</CertPrincipalName>
      </Protocol>
      <Protocol>
        <Type>EXHTTP</Type>
        <Server>webmail.nspyre.nl</Server>
        <SSL>On</SSL>
        <AuthPackage>Basic</AuthPackage>
        <ASUrl>https://webmail.nspyre.nl/EWS/Exchange.asmx</ASUrl>
        <EwsUrl>https://webmail.nspyre.nl/EWS/Exchange.asmx</EwsUrl>
        <EmwsUrl>https://webmail.nspyre.nl/EWS/Exchange.asmx</EmwsUrl>
        <OOFUrl>https://webmail.nspyre.nl/EWS/Exchange.asmx</OOFUrl>
        <UMUrl>https://webmail.nspyre.nl/EWS/UM2007Legacy.asmx</UMUrl>
        <OABUrl>https://webmail.nspyre.nl/OAB/3cde2ebe-e722-44e5-849d-7f6cd94b51fa/</OABUrl>
        <ServerExclusiveConnect>On</ServerExclusiveConnect>
        <CertPrincipalName>msstd:*.nspyre.nl</CertPrincipalName>
      </Protocol>
    </Account>
  </Response>
</Autodiscover>

How can I force Outlook clients (domain joined and workgroup) to get Basic authentication from Autodiscover? Any help will be greatly appreciated as I have already spent a huge amount of time and neurons on this issue.

Thank you so very much for your help.

Marian

June 10th, 2015 1:24pm

Hi Marian,

We use a GPO to force this setting (Outlook 2010) on the workstations - http://www.bictt.com/blogs/bictt.php/2011/01/09/outlook-anywhere-automatically-changes-proxy-settings .

Maybe you also have a specific GPO that applies to Outlook 2010 (that's why it works fine) but you don't have this GPO for Outlook 2013?

Julien

June 10th, 2015 5:48pm

Hi Julien,

Thank you very much for your help. Unfortunately there is no GPO for Outlook 2010 - I can use the same Outlook (2013) and get both successful connection and repeated password prompts on the same workstation, just by changing between user accounts hosted on the 2 different servers (2010 and 2013). Besides we have quite a lot of workstations that are not joined to the domain, so GPO will help only for a little bit.

The problem is somehow related to the autodiscover that is pushing the wrong settings. I am restarting the 2013 server tonight and will see the results (though I'm not too optimistic).

Do you know a way to force refresh the autodiscover settings that are being sent to clients?

Thanks again,

Marian Vulpe

June 10th, 2015 6:01pm

Hi,

In Exchange 2013, it is by design that the internal host name (the same as external host name in your environment with webmail.nspyre.nl) of Outlook Anywhere is always displayed as the proxy server for Exchange in the Microsoft Exchange Proxy Settings dialog box in Microsoft Outlook. Additionally, the Internal Authentication settings (NTLM) are always displayed in the Exchange Proxy Settings dialog box.

Therefore, when you restart your Outlook, the authentication setting shown is the internal authentication setting, which is NTLM in your environment, every time. For more information about this, please refer to:

https://support.microsoft.com/en-us/kb/2754898

As for your credential prompted issue, please confirm if the issue happens to all users or specific users. Please press and hold Ctrl, and then right-click the Outlook icon in the notification area, click Connection Status to check the status (please collect the Server name, status, protocol, Authentication, and Type information) when the issue occurs.

If the issue happens to specific users, please clear the credential manager in Control Panel to have a try.

Regards,

June 11th, 2015 4:24am

Hi Andy,

"If they are the same and the internal name is resolvable on the internet, then what you are seeing is expected. Outlook will use the internal hostname and auth."

THANK YOU for your answer. Indeed the internal and external host names were identical (split DNS). BUT, according to the documentation I've read so far, Outlook will by default display the Exchange Proxy Settings as the internal server. It's the first mention I get about the authentication as well, and also that it is not only "displayed" but also "applied". Quite different things I would say.
So, for short, we have removed the internal host name and configured InternalClientsRequireSsl to false and voila, everything now works as expected.

The complete command was:

Set-OutlookAnywhere -Identity "2013\Rpc (Default Web Site)" -InternalHostName "" -InternalClientsRequireSsl $False -ExternalHostName "webmail.nspyre.nl" -ExternalClientsRequireSsl $True -InternalClientAuthenticationMethod NTLM -IISAuthenticationMethods Basic, NTLM, Negotiate -ExternalClientAuthenticationMethod Basic

This was a wild ride - too bad the documentation doesn't more clearly explain this not so uncommon scenario.

Again, thanks a lot :).
Marian Vulpe


June 11th, 2015 8:35am
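
The Autodiscover response posted at the top of the thread contains two EXHTTP blocks with the same Server but different AuthPackage values, which is the situation the last post resolves. As an added example (not code from any poster in this thread; the helper names and the example.com sample are constructed, and it assumes the response has been saved as XML), this PowerShell lists the HTTP-proxy blocks in document order and flags that conflict, as well as any block offering Basic without SSL:

```powershell
# Constructed sample: trimmed response with the same Protocol layout as the one in the thread.
$sample = @'
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <Account>
      <Protocol><Type>EXCH</Type><Server>mbx01.example.local</Server></Protocol>
      <Protocol><Type>EXPR</Type><Server>webmail.example.com</Server><SSL>On</SSL><AuthPackage>Basic</AuthPackage></Protocol>
      <Protocol><Type>EXHTTP</Type><Server>webmail.example.com</Server><SSL>On</SSL><AuthPackage>Ntlm</AuthPackage></Protocol>
      <Protocol><Type>EXHTTP</Type><Server>webmail.example.com</Server><SSL>On</SSL><AuthPackage>Basic</AuthPackage></Protocol>
    </Account>
  </Response>
</Autodiscover>
'@

# Hypothetical helper: list the EXPR/EXHTTP Protocol blocks in document order.
function Get-AutodiscoverHttpAuth {
    param([Parameter(Mandatory)][string]$Xml)
    $order = 0
    foreach ($p in ([xml]$Xml).Autodiscover.Response.Account.Protocol) {
        if ($p.Type -notin 'EXPR', 'EXHTTP') { continue }   # skip EXCH and WEB blocks
        $order++
        [pscustomobject]@{
            Order = $order; Type = $p.Type; Server = $p.Server
            SSL = $p.SSL; AuthPackage = $p.AuthPackage
        }
    }
}

# Hypothetical helper: report conflicting auth packages and Basic offered without SSL.
function Test-AutodiscoverAuth {
    param([Parameter(Mandatory)][string]$Xml)
    $blocks = @(Get-AutodiscoverHttpAuth -Xml $Xml)
    foreach ($g in ($blocks | Group-Object Type, Server)) {
        $packages = @($g.Group.AuthPackage | Select-Object -Unique)
        if ($packages.Count -gt 1) {
            $first = $g.Group[0].AuthPackage   # Group-Object keeps document order
            '{0}: same host offered with {1}; the first block in the response is {2}' -f $g.Name, ($packages -join ' and '), $first
        }
    }
    foreach ($b in $blocks) {
        if ($b.AuthPackage -eq 'Basic' -and $b.SSL -ne 'On') {
            '{0} block {1}: Basic offered without SSL, credentials are not protected in transit' -f $b.Type, $b.Order
        }
    }
}

Get-AutodiscoverHttpAuth -Xml $sample | Format-Table -AutoSize
Test-AutodiscoverAuth -Xml $sample
```

On the constructed sample the second function reports one finding, for the EXHTTP host that is offered with both Ntlm and Basic.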
