MVP - Most Valuable Professional
rss

Just can't get enough of IT

This blog is about mostly anything in IT. But the primary focuses are Microsoft Technologies like Exchange, Office 365, Azure and Cloud Security.

There are quite a lot of good step-by-step manuals available describing how to enable Kerberos authentication for Exchange Server 2013/2016.

The following issue has been seen in an Exchange 2013 infrastructure (8 server DAG) where Outlook clients use OutlookAnyhwere to connect to Exchange Server. MAPI over Http is disabled on an organizational level due to a compatibility issue with another client software.

Problem

Even if you follow the detailed descriptions you might end up in a situation where your Outlook clients still won't connect to Exchange Server using Kerberos. The Outlook connection status overview (Ctrl + Right Click on the Outlook icon in System Tray) still shows Ntlm as the used authentication provider:

Outlook using Ntlm as authentication provider

Reason

You are supposed to use the following PowerShell cmdlets to configure OutlookAnywhere to use Kerberos:

Get-OutlookAnywhere -Server CASSERVER | Set-OutlookAnywhere -InternalClientAuthenticationMethod  Negotiate

All eight Exchange 2013 servers where still not offering Nego as an authentication provider even after some period of time. Verifying the OutlookAnywhere configurations using PowerShell showed the correct configuration values. So what to do?

A quick check at the IIS authentication settings of the \Rpc virtual directory of the Front End web site (Default Web Site) showed that this virtual directory was still configured to use Ntlm only.

OutlookAnywhere using Ntlm only

Solution

Use the IIS management consolte to add the Negotiate authentication provider to the list of available providers and reorder the list to use Nego first.

Add Negotiate to provider list

Change to provider order to use Negotiate first

Now Outlook clients will pick up the configuration change an will connect to OutlookAnywhere using Kerberos.

Outlook connection status showing Negotiate as authentication provider

Note

You should not use the IIS management console to change any settings of the Exchange Server virtual directories during normal operations. Using the IIS management console should only be used for troubleshooting fancy situations that you encounter in your Exchange Server infrastructure. 

The preferred method to change Exchange Server vDir settings is PowerShell.

Links

Enjoy Exchange Server

 

 

Read More »