Home
%3CLINGO-SUB%20id%3D%22lingo-sub-590309%22%20slang%3D%22en-US%22%3EOutlook%20Anywhere%20changes%20in%20Exchange%20Server%202007%20SP1%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-590309%22%20slang%3D%22en-US%22%3E%3CP%3EIn%20Exchange%20Server%202007%20SP1%2C%20the%20configuration%20of%20Outlook%20Anywhere%20(formerly%20known%20as%20RPC%20over%20HTTP)%20has%20been%20changed%20to%20accommodate%20the%20different%20ways%20Exchange%20CAS%20servers%20are%20deployed%20on%20the%20Internet.%20This%20blog%20post%20provides%20an%20overview%20of%20these%20changes.%3C%2FP%3E%3CH5%20id%3D%22toc-hId-1149241733%22%20id%3D%22toc-hId-1198310547%22%3E%3CSPAN%20style%3D%22color%3A%20%230000ff%22%3EExchange%202007%20RTM%3C%2FSPAN%3E%3C%2FH5%3EIn%20Exchange%202007%20RTM%2C%20enabling%20Outlook%20Anywhere%20(using%20either%20the%20Exchange%20Management%20Console%20or%20the%20Exchange%20Management%20Shell%20%3CI%3Eenable-OutlookAnywhere%3C%2FI%3E%20cmdlet)%20required%20a%20mandatory%20parameter%20called%20ExternalAuthenticationMethod.%20This%20parameter%20was%20used%20to%20update%20Outlook%202007%20clients%20using%20the%20Autodiscover%20service.%20Changing%20this%20parameter%2C%20however%2C%20did%20not%20influence%20the%20authentication%20methods%20enabled%20on%20the%20%2Frpc%20virtual%20directory%20on%20IIS%20servers.%20As%20a%20result%2C%20both%20Basic%20and%20NTLM%20authentication%20methods%20were%20always%20enabled%20even%20though%20Outlook%20clients%20would%20connect%20using%20only%201%20authentication%20method.%20Additionally%2C%20it%20was%20not%20possible%20to%20manually%20turn%20off%20an%20authentication%20method%20using%20the%20IISManager%20MMC%20snap-in%2C%20since%20every%2015%20minutes%20the%20Exchange%20Services%20Host%20Service%20would%20automatically%20re-enable%20both%20Basic%20and%20NTLM%20authentication%20methods%20in%20IIS.%20Note%20that%20if%20you%20had%20already%20enabled%20Outlook%20Anywhere%2C%20the%20ExternalAuthenticationMethod%20parameter%20could%20also%20be%20specified%20through%20the%20%3CI%3Eset-outlookAnywhere%3C%2FI%3E%20task%2C%20and%20it%20had%20the%20same%20effect%20as%20described%20above.%20For%20further%20details%2C%20you%20can%20refer%20to%20%3CA%20href%3D%22http%3A%2F%2Ftechnet.microsoft.com%2Fen-us%2Flibrary%2Fbb123513.aspx%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%20target%3D%22_blank%22%3Ehttp%3A%2F%2Ftechnet.microsoft.com%2Fen-us%2Flibrary%2Fbb123513.aspx%3C%2FA%3E%3CH5%20id%3D%22toc-hId--1402915228%22%20id%3D%22toc-hId--1353846414%22%3E%3CSPAN%20style%3D%22color%3A%20%230000ff%22%3EExchange%202007%20SP1%3C%2FSPAN%3E%3C%2FH5%3EFor%20Exchange%202007%20SP1%2C%20instead%20of%20always%20enabling%20Basic%20and%20NTLM%2C%20Outlook%20Anywhere%20now%20provides%20the%20ability%20to%20choose%20the%20authentication%20methods%20that%20will%20be%20enabled%20on%20the%20%2Frpc%20virtual%20directory%20in%20IIS.%20To%20specify%20the%20authentication%20method%2C%20the%20following%20parameters%20have%20been%20added%20%3CB%3Ein%20place%20of%20%3C%2FB%3Ethe%20ExternalAuthenticationMethod%20parameter%3A%3CBLOCKQUOTE%3E%3CB%3E1.%20%3C%2FB%3E%3CB%3EClientAuthenticationMethod%3C%2FB%3E%20-%20This%20new%20parameter%20specifies%20the%20authentication%20method%20that%20the%20Autodiscover%20service%20will%20provide%20to%20the%20clients.%20This%20is%20the%20method%20that%20clients%20will%20use%20to%20authenticate%20against%20the%20Client%20Access%20server.%20In%20Exchange%202007%20RTM%2C%20the%20ExternalAuthenticationMethod%20parameter%20was%20responsible%20for%20this%20setting.%3C%2FBLOCKQUOTE%3E%0A%3CBLOCKQUOTE%3E%3CB%3E2.%20%3C%2FB%3E%3CB%3EIISAuthenticationMethods%3C%2FB%3E%20-%20This%20new%20parameter%20specifies%20the%20authentication%20methods%20that%20will%20be%20enabled%20the%20%2Frpc%20virtual%20directory%20in%20IIS.%20When%20using%20this%20parameter%2C%20all%20other%20authentication%20methods%20will%20be%20disabled.%20More%20than%20one%20value%20can%20be%20specified%20for%20this%20parameter%20by%20using%20a%20comma%20delimited%20list%20of%20authentication%20methods.%20For%20example%3A%20NTLM%2C%20Basic%3C%2FBLOCKQUOTE%3EThe%20reason%20that%20both%20parameters%20exists%20is%20scenarios%20in%20which%20you%20have%20a%20firewall%20which%20is%20configured%20to%20provide%20authentication%20delegation.%20For%20example%2C%20Outlook%20clients%20use%20Basic%20authentication%2C%20but%20an%20ISA%20Server%202006%20firewall%20delegates%20authentication%20to%20the%20%2Frpc%20virtual%20directory%20using%20NTLM%20authentication.%20In%20this%20scenario%2C%20you%20would%20set%20the%20ClientAuthenticationMethod%20to%20Basic%20and%20the%20IISAuthenticationMethod%20parameter%20to%20NTLM.%20However%2C%20since%20many%20Outlook%20Anywhere%20deployments%20do%20not%20go%20through%20authentication%20delegation%2C%20a%20more%20common%20scenario%20would%20be%20that%20both%20of%20these%20parameters%20will%20use%20the%20same%20value.%20Because%20of%20this%2C%20the%20following%20additional%20parameter%20can%20be%20used%3A%3CBLOCKQUOTE%3E%3CB%3E3.%20%3C%2FB%3E%3CB%3EDefaultAuthenticationMethod%3C%2FB%3E%20-%20This%20new%20parameter%20can%20be%20specified%20to%20set%20both%20the%20ClientAuthenticationMethod%20and%20IISAuthenticationMethod%20parameters%20to%20be%20the%20same%20value.%20When%20you%20use%20this%20parameter%2C%20only%20a%20single%20value%20can%20be%20specified.%3C%2FBLOCKQUOTE%3E%0A%3CH5%20id%3D%22toc-hId-339895107%22%20id%3D%22toc-hId-388963921%22%3E%3CSPAN%20style%3D%22color%3A%20%230000ff%22%3EUpgrading%20to%20Exchange%202007%20SP1%20from%20Exchange%202007%20RTM%3C%2FSPAN%3E%3C%2FH5%3EWhen%20you%20upgrade%20from%20an%20existing%20Exchange%202007%20RTM%20Outlook%20Anywhere%20topology%2C%20both%20NTLM%20and%20Basic%20authentication%20methods%20will%20be%20enabled.%20However%2C%20we%20recommend%20that%20disable%20one%20of%20the%20authentication%20methods%20by%20running%20the%20%3CB%3Eset-OutlookAnywhere%20-IISAuthenticationMethods%20%3CBASIC%20or%3D%22%22%20ntlm%3D%22%22%3E%20%3C%2FBASIC%3E%3C%2FB%3Ecmdlet.%20For%20further%20details%20on%20how%20to%20use%20these%20parameters%2C%20please%20refer%20to%20the%20TechNet%20documentation%20here%3A%20%3CA%20href%3D%22http%3A%2F%2Ftechnet.microsoft.com%2Fen-us%2Flibrary%2Fbb124149.aspx%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%20target%3D%22_blank%22%3Ehttp%3A%2F%2Ftechnet.microsoft.com%2Fen-us%2Flibrary%2Fbb124149.aspx%3C%2FA%3E%20%3CB%3E%3C%2FB%3E%20-%20Siddhartha%20Mathur%3C%2FLINGO-BODY%3E

In Exchange Server 2007 SP1, the configuration of Outlook Anywhere (formerly known as RPC over HTTP) has been changed to accommodate the different ways Exchange CAS servers are deployed on the Internet. This blog post provides an overview of these changes.

Exchange 2007 RTM
In Exchange 2007 RTM, enabling Outlook Anywhere (using either the Exchange Management Console or the Exchange Management Shell enable-OutlookAnywhere cmdlet) required a mandatory parameter called ExternalAuthenticationMethod. This parameter was used to update Outlook 2007 clients using the Autodiscover service. Changing this parameter, however, did not influence the authentication methods enabled on the /rpc virtual directory on IIS servers. As a result, both Basic and NTLM authentication methods were always enabled even though Outlook clients would connect using only 1 authentication method. Additionally, it was not possible to manually turn off an authentication method using the IISManager MMC snap-in, since every 15 minutes the Exchange Services Host Service would automatically re-enable both Basic and NTLM authentication methods in IIS. Note that if you had already enabled Outlook Anywhere, the ExternalAuthenticationMethod parameter could also be specified through the set-outlookAnywhere task, and it had the same effect as described above. For further details, you can refer to http://technet.microsoft.com/en-us/library/bb123513.aspx
Exchange 2007 SP1
For Exchange 2007 SP1, instead of always enabling Basic and NTLM, Outlook Anywhere now provides the ability to choose the authentication methods that will be enabled on the /rpc virtual directory in IIS. To specify the authentication method, the following parameters have been added in place of the ExternalAuthenticationMethod parameter:
1. ClientAuthenticationMethod - This new parameter specifies the authentication method that the Autodiscover service will provide to the clients. This is the method that clients will use to authenticate against the Client Access server. In Exchange 2007 RTM, the ExternalAuthenticationMethod parameter was responsible for this setting.
2. IISAuthenticationMethods - This new parameter specifies the authentication methods that will be enabled the /rpc virtual directory in IIS. When using this parameter, all other authentication methods will be disabled. More than one value can be specified for this parameter by using a comma delimited list of authentication methods. For example: NTLM, Basic
The reason that both parameters exists is scenarios in which you have a firewall which is configured to provide authentication delegation. For example, Outlook clients use Basic authentication, but an ISA Server 2006 firewall delegates authentication to the /rpc virtual directory using NTLM authentication. In this scenario, you would set the ClientAuthenticationMethod to Basic and the IISAuthenticationMethod parameter to NTLM. However, since many Outlook Anywhere deployments do not go through authentication delegation, a more common scenario would be that both of these parameters will use the same value. Because of this, the following additional parameter can be used:
3. DefaultAuthenticationMethod - This new parameter can be specified to set both the ClientAuthenticationMethod and IISAuthenticationMethod parameters to be the same value. When you use this parameter, only a single value can be specified.
Upgrading to Exchange 2007 SP1 from Exchange 2007 RTM
When you upgrade from an existing Exchange 2007 RTM Outlook Anywhere topology, both NTLM and Basic authentication methods will be enabled. However, we recommend that disable one of the authentication methods by running the set-OutlookAnywhere -IISAuthenticationMethods <Basic or NTLM> cmdlet. For further details on how to use these parameters, please refer to the TechNet documentation here: http://technet.microsoft.com/en-us/library/bb124149.aspx - Siddhartha Mathur
11 Comments
Not applicable
You know... this type of informative post really makes me appreciate the Exchange team, and it makes me wish that other Microsoft teams were as forthcoming with information for their respective products.

--Aaron
Not applicable
I agree.  The Exchange Server blog is way better than any other MS product blog.
Not applicable
Speaking of SP1, any even loose further guidance on its estimated release?  Still Q407? Maybe even by the end of the month?  If anything further is known I think it would really help in planning updates around the holidays.
Not applicable
You are absolutely right this is the best MS blog, even the best blog in the whole wide world.

Now pretty please with a hotfix on top, when is SP1 out? :)
Not applicable
Please release the SP1 I'm stuck with OCS 2007 > Exchange UM integeration. Staff goes wild :)
Not applicable
Where is this SP1 release guys... come on... it's driving us nuts having to check for it every couple of weeks.... At this rate we'll be into Q1 2008!!
Not applicable
They are teasing us with whats on the Technet Exchange Downloads page - "Exchange Server 2007 Service Pack 1 (SP1): This software is not yet available for download.  Check back here again soon and/or watch for the impending release announcement on the Exchange TechCenter homepage."

Must be today (or at least this week maybe.....)

Not applicable
Very much looking forward to the release of SP1!
Not applicable
Where is the service pack 1 release?
Not applicable
Let me Know that the besta guide with [ ISA2006 & Form - CAS - Outlook Anywhere] in Exchange 2007

Not applicable