Hello Everyone, This is information about my scenario: I have Exchange Server 2013 installed on Windows Server 2012. I have 2 x Mailbox Servers configured with one DAG, the 2 members are member of this DAG and only one DB has a copy on the second server. I have 2 CAS Servers configured with NLB on Windows Server 2012. The Exchange 2013 is configured with Outlook Anywhere with Basic authentication on the 2 load balanced CAS servers. The internal outlook clients connect to Exchange Server 2013 using HTTPS without any issue. OWA for Exchange 2013 is published on TMG 2010 and OWA is working fine for internal and external computers. The used certificate is issued from AD CS, it is imported to all the 4 Exchange Server and to TMG and it has all the required SANs. The Root CA certificate and CRL files are imported to user/computer store for external computers. The Outlook anywhere is published as well on TMG 2010 and use the same web listener configured with OWA Publishing rule. For OWA Publishing Rule I use FBA authentication in the listener and Basic authentication in the Authentication Delegation For Outlook Anywhere Publishing rule I use FBA authentication in the listener (cuz it uses the same OWA publishing rule's listener) and Basic authentication for authentication delegation. Now my issue is: On external machine not joined to domain with Windows 8 and Outlook 2013 I am trying to connect using Outlook Anywhere but it keeps asking me to type the username and password. I have checked many things but still can't log-in, so can you help me in solving this issue?!! Regards,

Hi Anas, Did you pusblish the Exchange server as the following blog said? Publishing Exchange Server 2013 using TMG http://blogs.technet.com/b/exchange/archive/2012/11/21/publishing-exchange-server-2013-using-tmg.aspx If you have any feedback on our support, please click here Frank Wang TechNet Community Support

Have you configured AutoDiscoverServiceInternalUri on your Client Access Servers? Check your virtual directories authentication settings. I suspect there's a difference somewhere. If you have users connecting to the TMG for normal operations and connecting to a local server for autodiscover you might experience similar problems.stefan@xperta

Hi Anas, Any updates?Frank Wang TechNet Community Support

Hello again everyone, This issue will make my hair white, I tried everything possible and change many things but still can't log-in. So my issue is not solved yet. @Stefan: I tried to change the AutoDiscoverServiceInternalUri but with no luck. @Frank: I read that MS article but no luck. Regards,

This external client that is not joined to the domain, is that connected to your local network or comes in through the internet or a firewall? Could you check your connections on your outlook when trying to log on? Which server is it trying to connect to. Right-click the outlook taskbar icon by the clock while holding the ctrl key.stefan@xperta

have you configured proxy settings on outlook for external users. do connectivity check to know the exact problem . https://www.testexchangeconnectivity.com/ http://technet.microsoft.com/en-in/library/dd638082%28v=exchg.150%29.aspx http://technet.microsoft.com/en-in/library/ee633453%28v=exchg.150%29.aspxDon't forget to mark helpful or answer connect me :- http://in.linkedin.com/in/satya11 http://facebook.com/satya.1000

@Stefan: the external client in in DMZ. The internal clients connected to my CAS Servers NLB FQDN. @Satya11: I configured the proxy settings for external users. Regards,

Hi, is Your OWA is working from outside, you have to check Exchange (outlook any where) reverse proxy, rule which allow authenticated users to access. to verify open to TMG console and under firewall, see if the Outlook any where condition is set that all authenticated users, which should be

I have had the same issue for the last several days. Absolutely the same setup as you. The prompts are coming from TMG as you have Basic Auth in the publishing rule for Outlook Anywhere and, I suspect, your CAS is setup for NTLM Auth. We have disabled TMG Pre-Auth and let CAS server do the authentication by changing Outlook Anywhere publishing Authentication Delegation tab to "No delegation, but client may authenticate directly" and Users tab to "All Users" which basically disables authentication on TMG and pushes back to CAS.