Publishing Exchange 2013 / 2007 Coexistense with TMG and Kerberos Contrained Delegation for Outlook Anywhere

Question

We are in the process to migrate from Exchange 2007 CCR Cluster to Exchange 2013 DAG. We publish OWA, EAS and Outlook Anywhere and use a TMG for that purpose.

Now we would like to publish Outlook anywhere (OA) with Ntlm and Kerberos Constrained Delegation on the TMG, where we do a Preauthentication. This works fine for Mailboxes on EX13, but not for EX07 MBX.

Is there any way that we can do that, I mean publishing OA with NTLM (Kerberos Constrained Delegation) on the TMG for Mailboxes on EX13 and on EX07.

Basic Authenticaton works in this OA coexistence szenario but not NTLM with Kerberos.

Any advice would be appreciated.

Best regards - Bueschu

---

Bueschu

Answer 1

Hi Bueschu, this should work. Is Outlook Anywhere enabled on the 2007 machines? It needs to be, with NTLM auth.

Can you provide a little more info about what is configured and where?

Thanks

Greg

Answer 2

And the other question I should have asked is, do you see any errors on the 2013 server that indicate the failed proxy attempt?

Answer 3

Thanks for the reply.

If we test with https://testconnectivity.microsoft.com/ we get a message, that the authentication ist NTLM but that Basic Authentication is required. This happens only with ex07 MBX's

The Authentication for Outlook Anywhere on EX07 should be like this (Exchange Serve Deployment Assistant / Enable and configure Outlook Anywhere)

- ClientAuthentication:Basic
- IISAuthenticationMethods: NTLM,Basic

The Authentication for Outlook Anywhere on EX13 is NTLM

I don't see any Errors in LogFiles on EX013 concerning this issue

Best Regards - Bueschu

---

Bueschu

Answer 4

If you want the Outlook client to use NTLM to TMG you need to set -ClientAuthentication:NTLM on 2007. The client is being told to use Basic the way it is set now.