Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2008-08-13

This topic explains how to use the Exchange Management Console and the Exchange Management Shell to configure authentication for Outlook Anywhere.

The first time that you run the Enable Outlook Anywhere wizard in the Exchange Management Console, you can select the authentication method that you want to use for Microsoft Office Outlook 2007 or Outlook 2003 clients. However, if you want to configure authentication and you have already run the Enable Outlook Anywhere wizard, you can use the Set-OutlookAnywhere cmdlet in the Exchange Management Shell.

Note:
When you specify authentication for Outlook Anywhere, you provide the authentication method that will be used by the Outlook client. This authentication method is automatically provided to the client by the Autodiscover service. This authentication method is separate from the authentication method on the /rpc virtual directory that is located on your Exchange 2007 Client Access servers. The /rpc virtual directory is enabled for Basic and Integrated Windows authentication and cannot be modified.

Authentication Options for Outlook Anywhere in Exchange 2007 Service Pack 1 (SP1)

By default, in the original release (RTM) version of Exchange 2007, the /rpc virtual directory was enabled for both Basic authentication and Integrated Windows authentication and could not be modified. Even if you were only using one authentication method, both authentication methods were always enabled for the /rpc virtual directory. Because using a single authentication method will help you reduce attack surface area, in Exchange 2007 SP1, you can now choose to use only one authentication method on the /rpc virtual directory. However, you can still also choose to allow both Basic and Integrated Windows authentication.

For new installations of Exchange 2007 SP1, by default, the authentication method on the /rpc virtual directory will be the same as the authentication method that you choose when you enable Outlook Anywhere by using the Enable Outlook Anywhere wizard. The default authentication method for Internet Information Services (IIS) can be modified by using the Set-OutlookAnywhere cmdlet to be either Integrated Windows authentication or Basic authentication or both. As an alternative to using the Enable Outlook Anywhere wizard, the Enable-OutlookAnywhere cmdlet can be used to configure Outlook Anywhere.

Important   After you upgrade from the RTM version of Exchange 2007 to Exchange 2007 SP1, we recommend that you manually restrict the IIS authentication methods to include only the ones that you need to enable for your environment by using the Set-OutlookAnywhere cmdlet.

Using Multiple Authentication Methods for Outlook Anywhere

If you deploy a firewall server that performs authentication delegation, you must change the authentication method on the /rpc virtual directory to a method different from the authentication method that is used by the client. For example, if you deploy a firewall server that performs authentication delegation, the firewall server authenticates to the Client Access server by using NTLM authentication. The client, however, uses Basic authentication. In this example, the firewall server is responsible for delegating the user’s authentication. This is why you configure the /rpc virtual directory in IIS to use NTLM authentication.

Although not recommended, in Exchange 2007 SP1 you can configure the /rpc virtual directory in IIS to use both NTLM and Basic authentication. A common situation in which both authentication methods might be used is when additional services for RPC over HTTP are proxied to the same Client Access server that provides Outlook Anywhere access. In this example, each service requires both authentication methods. To configure the /rpc virtual directory in IIS to use both NTLM and Basic authentication, run the following command:

Set-OutlookAnywhere -Name Server01 -IISAuthenticationMethod Basic,NTLM

Before You Begin

To perform the following procedures, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server.

For more information about permissions, delegating roles, and the rights that are required to administer Exchange 2007, see Permission Considerations.

Procedure

Exchange 2007 SP1

To use the Exchange Management Shell to configure the authentication method to be the same for both the /rpc virtual directory in IIS and Outlook 2007

  • Run the following command:

    Copy Code
    Set-OutlookAnywhere -Name Server01 -DefaultAuthenticationMethod <Basic or NTLM>
    

To use the Exchange Management Shell to configure authentication for Outlook Anywhere

  • To enable only Basic authentication for Outlook Anywhere on your IIS virtual directory, run the following command:

    Copy Code
    Set-OutlookAnywhere -Name Server01 -IISAuthenticationMethod Basic
    
  • To enable only NTLM authentication for Outlook Anywhere on your IIS virtual directory, run the following command:

    Copy Code
    Set-OutlookAnywhere -Name Server01 -IISAuthenticationMethod NTLM
    
  • To enable both Basic and NTLM authentication for Outlook Anywhere on your IIS virtual directory, run the following command:

    Copy Code
    Set-OutlookAnywhere -Name Server01 -IISAuthenticationMethod Basic,NTLM
    

To use the Exchange Management Shell to configure authentication for your Outlook 2007 clients

  • To enable only Basic authentication for Outlook 2007 clients that are using Outlook Anywhere, run the following command:

    Copy Code
    Set-OutlookAnywhere -Name Server01 -ClientAuthenticationMethod Basic
    
  • To enable only NTLM authentication for Outlook 2007 clients that are using Outlook Anywhere, run the following command:

    Copy Code
    Set-OutlookAnywhere -Name Server01 -ClientAuthenticationMethod NTLM
    

Exchange 2007 RTM

To use the Exchange Management Shell to configure authentication for Outlook Anywhere

  • To use Basic authentication for Outlook Anywhere, run the following command:

    Copy Code
    Set-OutlookAnywhere -Name Server01 -ExternalAuthenticationMethod Basic
    
  • To use NTLM authentication for Outlook Anywhere, run the following command:

    Copy Code
    Set-OutlookAnywhere -Name Server01 -ExternalAuthenticationMethod NTLM
    

For more information about syntax and parameters, see Set-OutlookAnywhere.

For More Information

For more information about how to configure security for Outlook Anywhere, see Managing Outlook Anywhere Security.