Outlook/Exchange 2007 in a domain using Kerberos Realm authenticat

[Simon Collier]

Hi,

I have been asked to cross-post into the Outlook group as the lines are a
bit blurry as to where the problem lies.

The full thread can be found here:
http://www.microsoft.com/technet/co...etup&mid=493d3f18-0dd2-4076-90db-3533bb1f0dc7

We have an Exchange 2007 server in a single-server configuration (CAS,
Mailbox, Hub Transport) within an AD domain. The AD domain user accounts are
mapped to a central campus Kerberos Realm that provides authentication
services. This is used for logging on to Windows, and this allows seamless
integration with Windows shares, internal IIS sites such as SharePoint, and
Exchange 2007.

When using Outlook 2007 to connect to Exchange 2007 the user is prompted for
credentials. This appears to be happening when Outlook 2007 is attempting to
connect to the Autodiscover URL provided by Active Directory.

The username is required in the form KERBREALM.CA\username. If the prompt is
cancelled then email and calendaring works, but Free/Busy information and the
OAB download fails.

My questions are:
1. Does anybody know how to make this configuration work? It's fine with
Outlook 2003.
2. As it works with Outlook 2003, is there a way to set Outlook 2007 to
avoid using autodiscovery at all? Some sort of legacy mode? For example I
found this, which would be a start:
http://www.awomantoldme.com/women/how-to/29667472/can-outlook-2007-be-confi.aspx

Thanks for any help or advice!
Simon

 

[Emily Lin]

Hi Simon,

We are unable to set Outlook 2007 to avoid using auto-discovery. It is a by design feature in Outlook 2007. By default, we don't need to always
type in the credentials to access the autodiscovery. Please perform the following steps and let me know the result.

Test E-mail AutoConfiguration
=======================
1. In Outlook 2007, hold Ctrl key and right click the Outlook icon in the system tray.
2. Select Test E-mail AutoConfiguration.
3. Only select Use AutoDiscover and click Test.
What is the result? Is Autoconfiguration successful?

If it fails, the issue is with Autodiscover. Please ignore the following steps and offer the following information for my further research:

1. Are the users in domain or out of domain?
2. Do they use Outlook Anywhere or normal RPC connection to access the Exchange 2007 server?
3. What is your Exchange environment? Is it a pure Exchange 2007 environment or a mixed environment?

If it is successful, please check the Results tab to determine what the Availbility Service url is. There are two sections: one for Protocol
Exchange RPC, and one for Protocol Exchange HTTP if you enable Outlook anywhere on the Exchange 2007 server. Please take notes of the url.

In addition, please take a screen shot of the Results tab, save it as a .jpg file and send to (e-mail address removed) for research.

Also, refer to the following steps to see if it works.

- On the exchange server under the local security policy gave the "authenticated users" the "access this computer from the network" right.
- check the EWS virtual directory on the exchange server. This is the virtual directory that manages free/busy time and Out of Office time.
Change the authentication to Integrated authentication (not anonymous).
- On the client machine under control panel>user accounts>advanced>manage password, check if there is any stored password. If so, remove it.
And then reopen Outlook 2007 to test the issue.

If anything is unclear or if you have any other concerns, please don't hesitate to contact me.

Regards,

Emily Lin

Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
====================================================
When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.


--------------------

 

[Emily Lin]

Hi Simon,

I am just writing to see how everything is going. If you have any updates or need any further assistance on this issue, please feel free to let me
know. I am glad to be of assistance.

Sincerely,

Emily Lin,
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security

======================================================
When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.


--------------------

 

[Simon Collier]

Hi Emily,

Sorry for the delay in getting back to you until now.

Autoconfiguration is not successful until the username/password is entered
again, either in the form DOMAIN\username or REALM\username.

1. Users are in the domain.
2. They are using regular RPC connections (i.e. not Outlook Anywhere).
3. The environment is Exchange 2007 coexisting with Exchange 2003 during a
transition. Exchange 2003 will be retired once this works!
4. Authenticated users have "access this computer from the network" rights.
5. EWS directory is already set to "Integrated Authentication".
6. I removed managed passwords from the User Accounts console.

The above steps did not change the behaviour of Outlook 2007 accessing
Exchange 2007 using Kerberos Realm credentials.

Thanks for your support so far!

Simon

 

[Emily Lin]

Hi Simon,

Please also disabled Basic Authentication and enabled Integrated Windows Authentication on the /oab virtual directories in IIS on the CAS server.

Test the issue again. What is the result?

If anything is unclear or if you have any other concerns, please don't hesitate to contact me.

Sincerely,

Emily Lin,
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security

======================================================
When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.





--------------------

Thread-Topic: Outlook/Exchange 2007 in a domain using Kerberos Realm authent
thread-index: AcjKUtEPMgSPUy7oS52vvio6pWjWeQ==
X-WBNR-Posting-Host: 207.46.192.207
From: =?Utf-8?B?U2ltb24gQ29sbGllcg==?= <[email protected]>
References: <[email protected]> <[email protected]>

 

[Simon Collier]

Hi Emily,

Thanks for your follow-up suggestion. I have done as you asked but this did
not result in any change in behavour.

Anything else you can think of to try?

Thanks!
Simon

 

[Emily Lin]

Hi Simon,

As you said before, this issue may be caused when OL2007 access the AutoDisconver service. Based on my further research, Integrated
Authentication is required on Auto Discovery Virtual Directory in IIS.

Please also check the settings on the Auto Discovery Virtual Directory in IIS. Enable Integrated Authentication on Auto Discovery Virtual
Directory on IIS on E2K7. What is the result?

If anything is unclear or if you have any other concerns, please don't hesitate to contact me.

Sincerely,

Emily Lin,
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security
======================================================
When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.




--------------------

Thread-Topic: Outlook/Exchange 2007 in a domain using Kerberos Realm authent
thread-index: AcjLBF+5OEGss+LJT2e5MwqJAjGTGg==
X-WBNR-Posting-Host: 207.46.19.168
From: =?Utf-8?B?U2ltb24gQ29sbGllcg==?= <[email protected]>
References: <[email protected]> <[email protected]>

 

[Simon Collier]

Hi Emily,

Thanks again for your response. I can confirm that the Autodiscover folder
in IIS is already set to allow Integrated Authentication, along with Basic
Authentication defaulting to the REALM.

Anything else you can think of to try?

Thanks!
Simon

 

[Emily Lin]

Hi Simon,

I notice that you have posted the same question in our Exchange.setup newsgroup. And now Avdhesh Kumar is working with you.

If you need any further assistance on this particular issue, please reply to that post or contact Avdhesh Kumar so they can follow up with you in
time.

Also, please don't cross-post the same question in multiple newsgroups in the future so that our engineers can work on your question efficiently.
Your understanding and cooperation is appreciated.

Sincerely,

Emily Lin,
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security

======================================================
When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.



--------------------

Thread-Topic: Outlook/Exchange 2007 in a domain using Kerberos Realm authent
thread-index: AcjL0tjiHdxzjO8jQYGMa1/t+E00fA==
X-WBNR-Posting-Host: 207.46.19.197
From: =?Utf-8?B?U2ltb24gQ29sbGllcg==?= <[email protected]>
References: <[email protected]> <[email protected]>

 

[Simon Collier]

Hi Emily,

To be clear, I cross-posted at the request of the support rep in the
Exchange Setup newsgroup, which I believe I told you when I was initially
describing the problem.

As an update, I am working with Microsoft Support on this issue. It appears
to be a problem related to how Outlook 2007 passes credentials to Exchange
2007. I will post the solution once it is found.

Simon

 

[Emily Lin [MSFT]]

Hi Simon,

Thanks for letting us know the status of the issue. Hope everything will be fine soon! When the issue is fixed, you may share the resolution here
for others' benifit. We do appreciate your sharing.

Sincerely,

Emily Lin,
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security

======================================================
When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.



--------------------

Thread-Topic: Outlook/Exchange 2007 in a domain using Kerberos Realm authent
thread-index: AcjXCcnCNS8nlak6QAWsBvl2eEVrYg==
X-WBNR-Posting-Host: 207.46.19.168
From: =?Utf-8?B?U2ltb24gQ29sbGllcg==?= <[email protected]>
References: <[email protected]> <[email protected]>

<[email protected]> <[email protected]> <BYIqtYsyIHA.1784