2 X 2010 CAS', Load balanced pool

4X 2013 Mutilrole (will take the place of the 2010's in the load balanced pool)

Currently we use TMG to publish owa externally.  From TMG, the traffic goes to a load balancer, and to the 2010 CAS's from there.  TMG is doing pre authentication.

However, if I take the 2010 CAS' out of the load balanced pool and enable the 2013 in the load balanced pool, users start getting dual prompts - one at the TMG, and then the 2013 OWA login (no mailboxes on 2013 yet, so have only tested with mailbox still on 2010).

I have been through both of the following articles - however, basic auth. is not an option on the exchange side, as then internal users get prompted for windows credentials.  Has anyone in coexistence been able to get this working without basic auth (currently use Basic, Windows Auth, and NTLM)?

http://blogs.technet.com/b/exchange/archive/2012/11/21/publishing-exchange-server-2013-using-tmg.aspx

http://www.isaserver.org/articles-tutorials/configuration-general/publishing-exchange-2013-outlook-web-app-forefront-threat-management-gateway-tmg-201