In Exchange Server 2007 SP1, the configuration of Outlook Anywhere (formerly known as RPC over HTTP) has been changed to accommodate the different ways Exchange CAS servers are deployed on the Internet. This blog post provides an overview of these changes.
Exchange 2007 RTM
In Exchange 2007 RTM, enabling Outlook Anywhere (using either the Exchange Management Console or the Exchange Management Shell enable-OutlookAnywhere cmdlet) required a mandatory parameter called ExternalAuthenticationMethod. This parameter was used to update Outlook 2007 clients using the Autodiscover service. Changing this parameter, however, did not influence the authentication methods enabled on the /rpc virtual directory on IIS servers. As a result, both Basic and NTLM authentication methods were always enabled even though Outlook clients would connect using only 1 authentication method. Additionally, it was not possible to manually turn off an authentication method using the IISManager MMC snap-in, since every 15 minutes the Exchange Services Host Service would automatically re-enable both Basic and NTLM authentication methods in IIS.
Note that if you had already enabled Outlook Anywhere, the ExternalAuthenticationMethod parameter could also be specified through the set-outlookAnywhere task, and it had the same effect as described above.
For further details, you can refer to http://technet.microsoft.com/en-us/library/bb123513.aspx
Exchange 2007 SP1
For Exchange 2007 SP1, instead of always enabling Basic and NTLM, Outlook Anywhere now provides the ability to choose the authentication methods that will be enabled on the /rpc virtual directory in IIS.
To specify the authentication method, the following parameters have been added in place of the ExternalAuthenticationMethod parameter:
1. ClientAuthenticationMethod - This new parameter specifies the authentication method that the Autodiscover service will provide to the clients. This is the method that clients will use to authenticate against the Client Access server. In Exchange 2007 RTM, the ExternalAuthenticationMethod parameter was responsible for this setting.
2. IISAuthenticationMethods - This new parameter specifies the authentication methods that will be enabled the /rpc virtual directory in IIS. When using this parameter, all other authentication methods will be disabled. More than one value can be specified for this parameter by using a comma delimited list of authentication methods. For example: NTLM, Basic
The reason that both parameters exists is scenarios in which you have a firewall which is configured to provide authentication delegation. For example, Outlook clients use Basic authentication, but an ISA Server 2006 firewall delegates authentication to the /rpc virtual directory using NTLM authentication. In this scenario, you would set the ClientAuthenticationMethod to Basic and the IISAuthenticationMethod parameter to NTLM.
However, since many Outlook Anywhere deployments do not go through authentication delegation, a more common scenario would be that both of these parameters will use the same value. Because of this, the following additional parameter can be used:
3. DefaultAuthenticationMethod - This new parameter can be specified to set both the ClientAuthenticationMethod and IISAuthenticationMethod parameters to be the same value. When you use this parameter, only a single value can be specified.
Upgrading to Exchange 2007 SP1 from Exchange 2007 RTM
When you upgrade from an existing Exchange 2007 RTM Outlook Anywhere topology, both NTLM and Basic authentication methods will be enabled. However, we recommend that disable one of the authentication methods by running the set-OutlookAnywhere -IISAuthenticationMethods <Basic or NTLM> cmdlet.
For further details on how to use these parameters, please refer to the TechNet documentation here:
- Siddhartha Mathur