none
Publishing Exchange 2013 / 2007 Coexistense with TMG and Kerberos Contrained Delegation for Outlook Anywhere RRS feed

  • Question

  • We are in the process to migrate from Exchange 2007 CCR Cluster to Exchange 2013 DAG. We publish OWA, EAS and Outlook Anywhere and use a TMG for that purpose.

    Now we would like to publish Outlook anywhere (OA) with Ntlm and Kerberos Constrained Delegation on the TMG, where we do a Preauthentication. This works fine for Mailboxes on EX13, but not for EX07 MBX.

    Is there any way that we can do that, I mean publishing OA with NTLM (Kerberos Constrained Delegation) on the TMG for Mailboxes on EX13 and on EX07.

    Basic Authenticaton works in this OA coexistence szenario but not NTLM with Kerberos.

    Any advice would be appreciated.

    Best regards - Bueschu


    Bueschu

    Monday, November 24, 2014 6:15 AM

All replies

  • Hi Bueschu, this should work. Is Outlook Anywhere enabled on the 2007 machines? It needs to be, with NTLM auth.

    Can you provide a little more info about what is configured and where?

    Thanks

    Greg

    Tuesday, November 25, 2014 8:08 PM
  • And the other question I should have asked is, do you see any errors on the 2013 server that indicate the failed proxy attempt?
    Tuesday, November 25, 2014 11:57 PM
  • Thanks for the reply.

    If we test with https://testconnectivity.microsoft.com/ we get a message, that the authentication ist NTLM but that Basic Authentication is required. This happens only with ex07 MBX's

    The Authentication for Outlook Anywhere on EX07 should be like this (Exchange Serve Deployment Assistant / Enable and configure Outlook Anywhere)

    - ClientAuthentication:Basic
    - IISAuthenticationMethods: NTLM,Basic

    The Authentication for Outlook Anywhere on EX13 is NTLM

    I don't see any Errors in LogFiles on EX013 concerning this issue

    Best Regards - Bueschu


    Bueschu

    Wednesday, November 26, 2014 6:27 AM
  • If you want the Outlook client to use NTLM to TMG you need to set -ClientAuthentication:NTLM on 2007. The client is being told to use Basic the way it is set now.
    Wednesday, November 26, 2014 3:48 PM