Web proxy NTLM authentication problems
I'm a consultant working onsite at my customer. My computer (running Win7 Enterprise, SP1, 32-bit) is part of my company domain, and I use an account from the customer's domain to access their web proxy server. The proxy server is using NTLM authentication. IE9 on Win7 works fine; the customer domain credentials are saved, so I only have to enter the password if it has changed. But accessing my company's Exchange server using Outlook 2003 RPC over HTTPS through the proxy does not work, I just get a "403 Forbidden, Access Denied" response from the proxy. Accessing it from home works fine. My old computer with WinXP SP3 and Outlook 2003 has no problems accessing the Exchange server through the proxy. The Outlook settings are identical on the two computers, using Basic authentication over SSL. I have changed "Network security: LAN Manager authentication level" from the Win7 default "Send NTLMv2 response only" to the WinXP default "Send LM & NTLM responses" as suggested in another thread, but still get access denied.

Running rpcping (from http://support.microsoft.com/kb/831051) and sniffing the traffic with WireShark, I have found some differences between the WinXP and Win7 installations. I use rpcping with the following parameters:

> rpcping -t ncacn_http -o RpcProxy=mail.mycompany.com -P "myuser,mycompany,*" -H 1 -u 10 -a connect -F 3 -v 3 -E -R customer-proxy:8080

RPCPing v2.12. Copyright (C) Microsoft Corporation, 2002
OS Version is: 6.1, Service Pack 1
Enter password for RPC/HTTP proxy:
RPCPinging proxy server mail.mycompany.com with Echo Request Packet
Sending ping to server
Response from server received: 403
Ping failed.

Running the same command in WinXP results in a "Ping successful" message.
The data sent from WinXP uses HTTP/1.0 and sends a cookie set by the proxy server:

CONNECT mail.mycompany.com:443 HTTP/1.0
User-Agent: RPCPing
Host: mail.mycompany.com
Content-Length: 0
Proxy-Connection: Keep-Alive
Cookie: BCSI-CS-70c76d823e93ac89=2
Proxy-Authorization: Negotiate [Binary NTLM data]

HTTP/1.1 407 Proxy Authentication Required
Proxy-Authenticate: NEGOTIATE [Binary NTLM data]
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Proxy-Connection: Keep-Alive
Set-Cookie: BCSI-CS-70c76d823e93ac89=2; Path=/
Connection: Keep-Alive
Content-Length: 1112

<HTML><HEAD>
<TITLE>Access Denied</TITLE>
</HEAD>
<BODY>
[...]
Your credentials could not be authenticated: "Another round of authentication required.". You will not be permitted access until your credentials can be verified.
[...]
</BODY></HTML>

CONNECT mail.mycompany.com:443 HTTP/1.0
User-Agent: RPCPing
Host: mail.mycompany.com
Content-Length: 0
Proxy-Connection: Keep-Alive
Cookie: BCSI-CS-70c76d823e93ac89=2
Proxy-Authorization: Negotiate [Binary NTLM data]

HTTP/1.1 200 Connection established

When running rpcping on Win7, it uses HTTP/1.1, does not send the cookie and omits the User-Agent, Content-Length and Proxy-Connection headers. Also, the SSL port 443 is specified in the Host header. Some of these differences are probably due to using HTTP/1.1.

CONNECT mail.mycompany.com:443 HTTP/1.1
Host: mail.mycompany.com:443
Proxy-Authorization: Negotiate [Binary NTLM data]

HTTP/1.1 407 Proxy Authentication Required
Proxy-Authenticate: NEGOTIATE [Binary NTLM data]
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Proxy-Connection: Keep-Alive
Set-Cookie: BCSI-CS-70c76d823e93ac89=2; Path=/
Connection: Keep-Alive
Content-Length: 1112

<HTML><HEAD>
<TITLE>Access Denied</TITLE>
</HEAD>
<BODY>
[...]
Your credentials could not be authenticated: "Another round of authentication required.". You will not be permitted access until your credentials can be verified.
[...]
</BODY></HTML>

CONNECT mail.mycompany.com:443 HTTP/1.1
Host: mail.mycompany.com:443
Proxy-Authorization: Negotiate [Binary NTLM data]

HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Proxy-Connection: Keep-Alive
Connection: Keep-Alive
Content-Length: 888

<HTML><HEAD>
<TITLE>Access Denied</TITLE>
</HEAD>
<BODY>
[...]
Access Denied
[...]
</BODY></HTML>

As you can see, the request from Win7 ends in a "403 Forbidden" instead of "200 Connection established". Examining the binary NTLM data in WireShark, the only differences I have found are:

NTLMSSP_NEGOTIATE                        XP               Win7
=======================================  ===============  ===============
Flags Negotiate Key Exchange             0                1
Flags Negotiate Lan Manager Key          0                1
Flags Negotiate Sign                     0                1
Version                                  5.1              6.1
Build                                    2600             7601

NTLMSSP_AUTH                             XP               Win7
=======================================  ===============  ===============
Session Key                              "Empty"          b99f15...
Flags Negotiate Key Exchange             0                1
Flags Negotiate Sign                     0                1
Version                                  5.1              6.1
Build                                    2600             7601
MIC                                      Missing          755107...

I'm not sure if these differences might cause the problems, but they are prime suspects. The real question is what I need to change to make the Win7 request identical to the WinXP one. I'm starting to lose my hair over this... :-)
/Andreas
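The flag comparison above was done by hand in WireShark. The script below is an added example (not from this thread) that decodes the NegotiateFlags and Version fields of an NTLMSSP NEGOTIATE_MESSAGE straight from a Proxy-Authorization header and diffs two of them; the layout and bit values follow MS-NLMP, and the two sample messages are constructed to carry the same flag and version differences as the NTLMSSP_NEGOTIATE table (the AUTHENTICATE message, with its session key and MIC, is not parsed here).

```python
"""
Decode and diff NTLMSSP NEGOTIATE_MESSAGE flags and version fields.

Added example, not code from the thread. Message layout and flag bits
follow MS-NLMP; the two sample messages are CONSTRUCTED to reproduce the
flag/version differences in the thread's table, not captured traffic.
"""
import base64
import struct

# NegotiateFlags bits (MS-NLMP 2.2.2.5), the subset a proxy trace usually shows.
NEGOTIATE_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL",
    0x00000080: "NEGOTIATE_LM_KEY",
    0x00000200: "NEGOTIATE_NTLM",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x02000000: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128",
    0x40000000: "NEGOTIATE_KEY_EXCH",
    0x80000000: "NEGOTIATE_56",
}
NEGOTIATE_VERSION_BIT = 0x02000000
SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_MESSAGE = 1


def build_negotiate(flags, major, minor, build):
    """Construct a minimal NEGOTIATE_MESSAGE (no domain/workstation) carrying a Version field."""
    flags |= NEGOTIATE_VERSION_BIT
    # DomainNameFields / WorkstationFields: Len=0, MaxLen=0, Offset=40 (end of the fixed part)
    empty_field = struct.pack("<HHI", 0, 0, 40)
    version = struct.pack("<BBH3sB", major, minor, build, b"\x00\x00\x00", 0x0F)
    return SIGNATURE + struct.pack("<II", NEGOTIATE_MESSAGE, flags) + empty_field * 2 + version


def parse_negotiate(raw):
    """Return flag names, raw flag word and (major, minor, build) for a NEGOTIATE_MESSAGE."""
    if raw[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    msg_type, flags = struct.unpack_from("<II", raw, 8)
    if msg_type != NEGOTIATE_MESSAGE:
        raise ValueError("expected NEGOTIATE_MESSAGE (type 1), got type %d" % msg_type)
    names = {name for bit, name in NEGOTIATE_FLAGS.items() if flags & bit}
    version = None
    if flags & NEGOTIATE_VERSION_BIT and len(raw) >= 40:
        major, minor, build = struct.unpack_from("<BBH", raw, 32)  # Version sits at offset 32
        version = (major, minor, build)
    return {"flags": names, "raw_flags": flags, "version": version}


def parse_proxy_authorization(header_value):
    """Decode the base64 token of 'Proxy-Authorization: Negotiate <token>' (or 'NTLM <token>')."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        raise ValueError("unsupported scheme %r" % scheme)
    return parse_negotiate(base64.b64decode(token))


def diff_negotiate(a, b):
    """Flags set in only one of two parsed messages, plus a version row if it differs."""
    out = [(name, int(name in a["flags"]), int(name in b["flags"]))
           for name in sorted(a["flags"] ^ b["flags"])]
    if a["version"] != b["version"]:
        out.append(("version", a["version"], b["version"]))
    return out


# Constructed samples: a common client flag set, plus the extra bits the Win7 column shows.
BASE = 0x00000001 | 0x00000004 | 0x00000200 | 0x00008000 | 0x00080000 | 0x20000000 | 0x80000000
XP_SAMPLE = build_negotiate(BASE, 5, 1, 2600)
WIN7_SAMPLE = build_negotiate(BASE | 0x00000010 | 0x00000080 | 0x40000000, 6, 1, 7601)


def demo():
    """Diff the two constructed messages as they would appear in the proxy trace."""
    xp = parse_proxy_authorization("Negotiate " + base64.b64encode(XP_SAMPLE).decode())
    w7 = parse_proxy_authorization("Negotiate " + base64.b64encode(WIN7_SAMPLE).decode())
    return diff_negotiate(xp, w7)


if __name__ == "__main__":
    for field, xp_val, w7_val in demo():
        print("%-40s XP=%-16s Win7=%s" % (field, xp_val, w7_val))
```

Feeding a real token from a capture into parse_proxy_authorization() gives the same rows WireShark shows, which makes it easy to script the comparison across many clients instead of reading one packet at a time.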
March 20th, 2012 8:57am

Hi, since your problematic computer is part of the company domain, please test with a Windows 7 computer that is not in this domain. Here is one related article that can be referred to: How to troubleshoot client RPC over HTTP connection issues in Outlook 2003, http://support.microsoft.com/kb/827330/en-us. And I think you may redirect this thread to the Exchange forum for further assistance: http://social.technet.microsoft.com/Forums/en-US/category/exchangeserver
March 22nd, 2012 3:54am

Just want to clarify one thing. Is the proxy the same for both the XP and Win7 machines?
March 22nd, 2012 5:17am

The old computer running WinXP is also part of my company domain, and that works fine. I don't have any other Win7 machines available that I can test on either. Running the test suite on https://www.testexchangeconnectivity.com succeeds without errors, so the Exchange server is accessible from the internet. It is just when accessing it through the customer's proxy that I have these problems. And yes, WinXP and Win7 use the same proxy server.

I have actually found out some more details since my last post. It might not be the NTLM authentication that causes the problems after all. When running from WinXP, the following request is sent:

CONNECT mail.mycompany.com:443 HTTP/1.0
User-Agent: RPCPing
Host: mail.mycompany.com
Content-Length: 0
Proxy-Connection: Keep-Alive
Cookie: BCSI-CS-70c76d823e93ac89=2
Proxy-Authorization: Negotiate [Binary NTLM data]

When running from Win7, only the following headers are sent in the request:

CONNECT mail.mycompany.com:443 HTTP/1.1
Host: mail.mycompany.com:443
Proxy-Authorization: Negotiate [Binary NTLM data]

I ran Chrome (which works fine) first through a proxy on localhost and then through the customer's proxy, and filtered one header field at a time at the local proxy. It turns out that I can remove all the extra header fields used in WinXP, except User-Agent. So if I inject a User-Agent field in the Win7 request like:

CONNECT mail.mycompany.com:443 HTTP/1.1
User-Agent: RPCPing
Host: mail.mycompany.com:443
Proxy-Authorization: Negotiate [Binary NTLM data]

I then get a "200 Connection established" instead of "403 Forbidden" from the customer's proxy. It seems like the proxy uses this field for some extra access control, even though the HTTP standard specifies that the User-Agent field is optional (but recommended). So now the question is: how can I make Outlook on Win7 send the User-Agent header field? Is it possible to make Outlook use HTTP/1.0 instead; maybe it will then send the User-Agent like it does on WinXP?
/Andreas
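The "remove one header field at a time" experiment above can be automated. The following is an added example, not code from this thread: it starts from the working WinXP CONNECT request, drops one header at a time and keeps a header only when the proxy stops accepting the request without it. The proxy it runs against is a constructed in-process stand-in that, like the customer's proxy described above, answers 403 when User-Agent is missing; probe_over_socket() is the same check against a real proxy and is not called offline. The header values are the ones from the post, with a placeholder standing in for the binary NTLM token.

```python
"""
Find the minimal set of request headers a proxy needs on a CONNECT request.

Added example, not code from the thread. simulated_proxy() is a CONSTRUCTED
stand-in for the proxy described in the thread (403 without User-Agent);
probe_over_socket() talks to a real proxy and is provided for live use.
"""
import socket

# The working WinXP CONNECT request from the thread, as an ordered header list.
XP_HEADERS = [
    ("User-Agent", "RPCPing"),
    ("Host", "mail.mycompany.com"),
    ("Content-Length", "0"),
    ("Proxy-Connection", "Keep-Alive"),
    ("Cookie", "BCSI-CS-70c76d823e93ac89=2"),
    ("Proxy-Authorization", "Negotiate <token>"),  # placeholder for the binary NTLM data
]


def build_connect(target, headers, version="HTTP/1.1"):
    """Serialise a CONNECT request with exactly the given headers, order preserved."""
    lines = ["CONNECT %s %s" % (target, version)]
    lines += ["%s: %s" % (k, v) for k, v in headers]
    return "\r\n".join(lines) + "\r\n\r\n"


def simulated_proxy(request_text):
    """Constructed stand-in for the customer's proxy: 407 without credentials, 403 without User-Agent."""
    header_lines = request_text.split("\r\n")[1:]
    names = {line.split(":", 1)[0].strip().lower() for line in header_lines if ":" in line}
    if "proxy-authorization" not in names:
        return 407
    if "user-agent" not in names:
        return 403
    return 200


def probe_over_socket(proxy_host, proxy_port, request_text, timeout=10):
    """Send the raw request to a real proxy and return the numeric status code (live use only)."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(request_text.encode("ascii"))
        status_line = s.recv(4096).split(b"\r\n", 1)[0]
    return int(status_line.split()[1])


def minimal_required_headers(target, headers, probe, version="HTTP/1.1"):
    """
    Greedy one-at-a-time elimination: send the request without each header in turn;
    if the proxy still returns 200, that header is not required and stays removed.
    Returns the headers the proxy insists on.
    """
    if probe(build_connect(target, headers, version)) != 200:
        raise RuntimeError("starting request must succeed before elimination")
    required = list(headers)
    for name, _value in headers:
        candidate = [h for h in required if h[0] != name]
        if probe(build_connect(target, candidate, version)) == 200:
            required = candidate
    return required


def demo():
    """Run the elimination against the constructed proxy and re-check the two Win7 variants."""
    target = "mail.mycompany.com:443"
    required = minimal_required_headers(target, XP_HEADERS, simulated_proxy)
    win7_style = [("Host", target), ("Proxy-Authorization", "Negotiate <token>")]
    return {
        "required": [name for name, _ in required],
        "win7_without_ua": simulated_proxy(build_connect(target, win7_style)),
        "win7_with_ua": simulated_proxy(build_connect(target, [("User-Agent", "RPCPing")] + win7_style)),
    }


if __name__ == "__main__":
    print(demo())
```

Against a real proxy, pass a lambda that calls probe_over_socket() with the proxy address as the probe argument; because the NTLM token is only valid for one round of the handshake, each probe against a real proxy has to carry a freshly negotiated token rather than the placeholder used here.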
March 22nd, 2012 7:07am

Loading rpcping.exe into Dependency Walker, it's clear that it uses WinHttp.dll instead of WinInet.dll. Hmm, what would happen if I copied the WinHttp.dll from Windows XP SP3 into C:\Program Files\Microsoft Office\Office11 where Outlook.exe is located? I can't believe that actually worked; now Outlook sends HTTP/1.0 requests with User-Agent and all the other header fields just like it did on my old computer.

Existing version on Windows 7 SP1: 6.1.7601.17514
Copied version from Windows XP SP3: 5.1.2600.6175

It's not the cleanest solution, but it will have to do for now. If anyone has a better idea, I'm all ears...
/Andreas
March 22nd, 2012 1:06pm

