I have had a problem with a SBS 2008 Server where I needed to provide Outlook Anywhere and Terminal Services Gateway for users with one SSL Certificate FQDN.
I had the SSL Certificate enabled in Exchange 2007 and testing this I could access a mailbox from an Outlook client at a remote location. This was using a SSL Certificate from www.digicert.com
The problem came when I enabled TS Gateway on the same server to publish an internal Windows 2008 Terminal Server. Everytime I tried to connect I would get asked for credentials and then once entered the process would repeat.
The problem stems from the fact that this is a SBS 2008 Server and TS gateway and Outlook Anywhere share the same IIS website and you have to make a few changes to enable both services.
In Exchange Management Console I changed Outlook Anywhere authentication to use NTLM from basic, this is because both TS Gateway and Outlook Anywhere cannot use the same authentication and by default Outlook Anywhere uses basic authentication and TS Gateway will use Windows Integrated Authentication.
If you mix the two you get this Event ID in the Application Log
Event 3003 MsExchange RPC over HTTP Autoconfig
The Outlook Anywhere authentication settings have been updated.
Old settings: Basic, Ntlm
New settings: Basic
This is because Exchange will change the authentication back to Basic only for the RPC virtual website in IIS when TS Gateway changes it to use Windows Integrated Authentication. If you wait 5 minutes then Exchange reverts the changes that the TS Gateway MMC makes and you cannot logon with TS Gateway.
The solution is to enabled NTLM authentication in Exchange Management Console for Outlook Anywhere and then in IIS under the RPC virtual site enabled Windows Authentication manually.
Now that you have NTLM for Outlook Anywhere, Exchange will not try to change the authentication for the RPC virtual site back to basic and the Windows Authentication setting remains and TS Gateway works as expected.
No comments:
Post a Comment