RE: Outlook using RPC over HTTPS does not authenticate using the Kerberos Realm

Hi Simon,

Thanks for posting in our newsgroup.

From your description, I know that RPC over HTTPS only works when the user
authenticates with DOMAIN\username and you cannot get it to work with
KERBREALM.CA\username credentials. If I am off-base, please don't hesitate
to let me know.

Please take the following steps to narrow down this issue:

Step 1: Check IIS settings:

1. Open IIS Manager console.
2. Right click RPC virtual directory and click Properties.
3. Click Directory Security and click Edit in the "Authentication and
Access control" area.
4. Click to select "Integrated Windows Authentication".

Step 2: Do you have firewall installed? The problem may be caused by some
firewall.

Based on my research, If you have a firewall that examines HTTP traffic and
modifies it in any way, you may have to use Basic authentication, instead
of NTLM authentication. NTLM authentication fails if the RPC proxy server
does not trust the authentication information. For example, you may have a
firewall that ends the session from the Internet and establishes a new
session to the RPC proxy server, instead of passing the HTTPS (SSL) session
to the Exchange server without modification. This process is known as
reverse proxying or Web publishing. Certain firewalls, such as Microsoft
Internet Security and Acceleration (ISA) Server 2004, can successfully
reverse proxy or Web publish the session and still permit NTLM
authentication to succeed.

For more information, please refer to the following article:

RPC over HTTP Authentication and Security
http://www.microsoft.com/technet/prodtechnol/exchange/guides/E2k3RPCHTTPDep/
179dce5a-00d2-40d9-933d-d7b88e40c513.mspx

Note
ISA Server 2000 cannot reverse proxy or Web publish the session and still
permit NTLM authentication to succeed.

I'd like to provide you the following article for your reference:

Outlook 2003 Performs Slowly or Stops Responding When Connected to Exchange
Server 2003 Through HTTP
http://support.microsoft.com/?id=331320

827330 How to troubleshoot client RPC over HTTP connection issues in Office
Outlook 2003
http://support.microsoft.com/?id=827330

You must provide Windows account credentials when you connect to Exchange
Server 2003 by using the Outlook 2003 RPC over HTTP feature
http://support.microsoft.com/default.aspx?scid=KB;[LN];820281

Hope above information helps.

If you need further assistance, please don't hesitate to let me know.

Best Regards,

Robert Li(MSFT)

Microsoft Online Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

Best regards,

Robert Li(MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================

This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.

=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
<Reply-To: "Simon Collier" <simon.collier@xxxxxxxxxxxxxxxx>
<From: "Simon Collier" <simon.collier@xxxxxxxxxxxxxxxx>
<Subject: Outlook using RPC over HTTPS does not authenticate using the
Kerberos Realm
<Date: Tue, 3 Apr 2007 14:27:02 -0600
<Lines: 18
<Message-ID: <1112CED8-E6AB-4C5F-91C8-975911A2EE5C@xxxxxxxxxxxxx>
<MIME-Version: 1.0
<Content-Type: text/plain;
< format=flowed;
< charset="iso-8859-1";
< reply-type=original
<Content-Transfer-Encoding: 7bit
<X-Priority: 3
<X-MSMail-Priority: Normal
<X-Newsreader: Microsoft Windows Mail 6.0.6000.16386
<X-MimeOLE: Produced By Microsoft MimeOLE V6.0.6000.16386
<X-MS-CommunityGroup-MessageCategory: {E4FCE0A9-75B4-4168-BFF9-16C22D8747EC}
<X-MS-CommunityGroup-PostID: {1112CED8-E6AB-4C5F-91C8-975911A2EE5C}
<Newsgroups: microsoft.public.exchange.admin
<Path: TK2MSFTNGHUB02.phx.gbl
<Xref: TK2MSFTNGHUB02.phx.gbl microsoft.public.exchange.admin:21125
<NNTP-Posting-Host: TK2MSFTNGHUB02.phx.gbl 127.0.0.1
<X-Tomcat-NG: microsoft.public.exchange.admin
<
<Outlook using RPC over HTTPS does not authenticate using the Kerberos
Realm.
<
<I have RPC over HTTPS working like a dream when the user authenticates
with
<DOMAIN\username. However, I cannot get it to work with
KERBREALM.CA\username
<credentials, even when that's what they logged onto the machine with.
<
<a. I have put KERBREALM.CA in the Domain Name and Realm Name fields in IIS
<for the "RPC" virtual folder.
<b. I have Basic Authentication (clear text) set in IIS for that folder
also.
<c. I have webmail working with the KERBREALM.CA Kerberos Realm.
<d. I have users logged on to a Windows AD domain using their KERBREALM.CA
<Kerberos Realm credentials.
<
<I'm baffled.
<
<If anyone is reading these issues and thinking "oh, he just needs to do
xyz",
<I'd be really glad to hear from you.
<
<

.

Relevant Pages

  • Re: HELP! SMTP for IMAP stopped working
    ... in for the initial setup to get the RPC over HTTPS ... computer using RPC over HTTP. ... If the authentication was unsuccessful wouldn't I get an error? ... outside of the company I get "unable to relay for joe@xxxxxxx" I ...
    (microsoft.public.exchange.setup)
  • RE: RPC over HTTPS and basic vs NTLM authentication
    ... I enabled ONLY basic authentication on the RPC ... Outlook will identify if it is running on a fast or slow ... Clear - 'On fast networks, connect using HTTP first, then connect using ...
    (microsoft.public.exchange.connectivity)
  • RE: RPC over HTTP security
    ... VPN provides authentication and encryption. ... Why is this better than RPC over HTTP? ...
    (Security-Basics)
  • RE: RPC over HTTP security
    ... RPC over HTTPS also provides authentication and encryption. ... If VPN works, why setup RPC over HTTPS with all the costs ... Subject: RPC over HTTP security ...
    (Security-Basics)
  • Re: Outlook using RPC over HTTPS does not authenticate using the Kerberos Realm
    ... Please first select "Integrated Windows Authentication" on the PRC virtual ... Microsoft CSS Online Newsgroup Support ... <Subject: Re: Outlook using RPC over HTTPS does not authenticate using the ...
    (microsoft.public.exchange.admin)
Loading