Friday, July 15, 2011

Outlook Anywhere NTLM Authentication by TMG 2010

This MS White Paper provides nice step-by-step instructions on how to use TMG or UAG to publish Outlook Anywhere with NTLM authentication. However, there are still some "gotchas" that the article does not cover.

1. The TMG server must be domain-joined.

2. If your Web Listener uses FBA (in most cases it does) to publish OWA\ActiveSync\Autodiscover\EWS\OAB, you can't use the same listener to publish Outlook Anywhere. The reason is that the nice "FBA Fallback to Basic" feature does not apply to NTLM. As the name implies, it only falls back to Basic, not to NTLM. If you try to use the same Listener for Outlook Anywhere with NTLM, the Outlook client will prompt endlessly for credentials. So if you want to keep FBA for OWA, you'll have to create a separate Listener for Outlook Anywhere that uses HTTP authentication with Integrated (NTLM) enabled.


So what's the big deal? Well, a separate Listener means the following:
  • a new public URL\DNS name for Outlook Anywhere
  • a new cert that has that URL\DNS name as the common name (or a SAN certificate that covers it; see point 3 for the catch)
  • a new external IP address for the URL\DNS name
  • a new internal IP on the TMG server
  • firewall rule changes
So you'll end up having something like this:

  IP Address           URL\DNS                    Description
  -------------------  -------------------------  ---------------------------
  131.107.155.10       owa.contoso.com            OWA\ActiveSync
  131.107.155.11       outlook.contoso.com        Outlook Anywhere\EWS\OAB
  131.107.155.10 or .11  autodiscover.contoso.com   Can be on either .10 or .11

3. So you change the ExternalHostName for Outlook Anywhere to outlook.contoso.com, and instead of buying a new certificate you just add outlook.contoso.com to the existing certificate, since it's a SAN certificate. Let's say the common name of the SAN certificate is owa.contoso.com. When you run the Exchange Remote Connectivity Analyzer against Outlook Anywhere you will get the error below:

The certificate common name owa.contoso.com doesn’t validate against the mutual authentication string that was provided: msstd:outlook.contoso.com

As the error indicates, the msstd: name must match the common name (subject CN) on the certificate, not just one of the SAN entries. When the EXPR Outlook provider has no CertPrincipalName set, Autodiscover hands the client msstd:<ExternalHostName>, i.e. msstd:outlook.contoso.com, and since outlook.contoso.com is not the common name on the certificate, the mutual authentication check fails. To fix it, point the EXPR provider (the one used for Outlook Anywhere) at the common name with the following cmdlet:

Set-OutlookProvider EXPR -CertPrincipalName "msstd:owa.contoso.com"

These are the things I've run into so far. Depending on your scenario you may not need all of them.
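The checks behind points 2 and 3, as an added example (this is not code from the original post or from the Microsoft white paper). It runs in the Exchange 2010 Management Shell on the Client Access server and assumes the server name CAS01, the three published names used above, and the Exchange 2010 property names (ExternalHostname and ClientAuthenticationMethod on Get-OutlookAnywhere); it pulls the IIS certificate, verifies that every name published through TMG is in its SAN list, and then makes the EXPR CertPrincipalName agree with the certificate's subject CN rather than with the ExternalHostname.

```powershell
# Added example, not from the original post. Assumptions: server name CAS01,
# the published names listed in the post, Exchange 2010 cmdlet/property names.
$casServer      = "CAS01"
$publishedNames = @("owa.contoso.com", "outlook.contoso.com", "autodiscover.contoso.com")

# 1. The certificate bound to IIS on the CAS (the one TMG bridges to).
$cert = Get-ExchangeCertificate -Server $casServer |
        Where-Object { $_.Services -match "IIS" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with the IIS service enabled on $casServer" }

# Subject CN: this is the value the msstd: string is compared against.
$subjectCN = $cert.GetNameInfo(
    [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
$sanNames  = @($cert.CertificateDomains | ForEach-Object { $_.ToString() })
Write-Host "Certificate CN : $subjectCN"
Write-Host "SAN entries    : $($sanNames -join ', ')"

# 2. Every name published through the TMG listeners must be in the SAN list,
#    otherwise the client gets a name-mismatch error for that listener.
foreach ($name in $publishedNames) {
    if ($sanNames -notcontains $name) {
        Write-Warning "$name is not covered by certificate $($cert.Thumbprint)"
    }
}

# 3. Outlook Anywhere settings the clients are handed via Autodiscover.
$oa = Get-OutlookAnywhere -Server $casServer
Write-Host "ExternalHostname           : $($oa.ExternalHostname)"
Write-Host "ClientAuthenticationMethod : $($oa.ClientAuthenticationMethod)"

# 4. The EXPR provider carries the mutual-auth string. If it is blank, Outlook
#    uses msstd:<ExternalHostname>, which fails when that name is only a SAN entry.
$expr     = Get-OutlookProvider EXPR
$current  = "$($expr.CertPrincipalName)"
$expected = "msstd:$subjectCN"
if ($current -ne $expected) {
    Write-Warning "EXPR CertPrincipalName is '$current'; certificate CN is '$subjectCN'"
    Set-OutlookProvider EXPR -CertPrincipalName $expected
    Write-Host "Set EXPR CertPrincipalName to $expected"
} else {
    Write-Host "EXPR CertPrincipalName already matches the certificate CN"
}
```

Outlook only picks up the new msstd: value on its next Autodiscover refresh, so restart the client (or wait for the periodic refresh) before re-running the Remote Connectivity Analyzer. If you later replace the SAN certificate with one whose CN is outlook.contoso.com, re-run the script: the CertPrincipalName has to follow the CN, not the other way around.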

For those of you who want to know the difference between Basic and NTLM authentication, here are some quick notes based on Microsoft's documentation.


Basic authentication
  • Basic authentication sends the user name and password in clear text (Base64-encoded, not encrypted). This doesn't mean the connection is not secure; the HTTP exchange is still encrypted by the SSL layer, which is why Basic must only be published over HTTPS.
  • Basic authentication also requires the user to enter their domain, user name, and password every time they connect to the Client Access server.

NTLM authentication
  • NTLM is one of the protocols behind Integrated Windows authentication (the other being Kerberos). With NTLM the user's password is never sent over the network; instead the server sends a challenge and the client answers with a response computed from a hash of the password, so only the challenge and the response cross the wire.
  • NTLM can also use the current Microsoft Windows operating system logon information, so a domain-joined client does not have to prompt for credentials at all.
