Re: Outlook using RPC over HTTPS does not authenticate using the Kerberos Realm
- From: "Simon Collier" <simon.collier@xxxxxxxxxxxxxxxx>
- Date: Thu, 5 Apr 2007 12:15:27 -0600
Hi Robert:
Thanks again.
1. Disabled firewall and AV, same problem.
2. Used Outlook in Safe Mode, same problem.
3. Not sure what you mean? For testing, client and server are on the same network, so no proxy server. Or do you mean something else?
Any more suggestions?
Thanks!
Simon
"Robert Li [MSFT]" <v-robeli@xxxxxxxxxxxxxxxxxxxx> wrote in message news:V1%23wnn3dHHA.6068@xxxxxxxxxxxxxxxxxxxxxxxxx
Hi Simon,
Thanks for updating.
Please first select "Integrated Windows Authentication" on the RPC virtual
directory and take the following steps to see if the problem can be
resolved:
1. Disable the firewall or antivirus on the PC; will the same issue occur?
2. Try to open Outlook in safe mode.
Click Start, and then click Run. Type "outlook /safe" in the name
box (without the quotation marks). Does the problem occur?
3. Disable the Windows proxy; will the same issue occur?
Hope above information helps.
If you need further assistance, please don't hesitate to let me know.
Best regards,
Robert Li(MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
<Reply-To: "Simon Collier" <simon.collier@xxxxxxxxxxxxxxxx>
<From: "Simon Collier" <simon.collier@xxxxxxxxxxxxxxxx>
<Subject: Re: Outlook using RPC over HTTPS does not authenticate using the Kerberos Realm
<Date: Wed, 4 Apr 2007 09:21:37 -0600
<
<Hi Robert:
<
<Thank you for your response, it's very encouraging to know someone is out
<there!
<
<Step 1: I followed the instructions you gave to enable NTLM authentication,
<and I can confirm that it works as described for the DOMAIN\username logon.
<However, it still does not work for the KERBREALM.CA\username logon (which
<are the credentials I logged onto the Windows box with).
<
<The reason I had unchecked the Integrated Windows Authentication is because
<I was under the impression that authentication through a Kerberos Realm must
<be done using Basic Authentication with SSL.
<
<Step 2: The only firewall between my test box and the Exchange server is the
<Windows 2003 SP1 firewall. I assume this would not cause the problem you
<describe.
<
<RPC over HTTPS with DOMAIN\username credentials still works. However, the
<problem still exists (cannot authenticate with KERBREALM.CA\username using
<Outlook 2003 with RPC over HTTPS). Do you have any other suggestions of
<things I can try?
<
<Thanks!
<
<Simon
<
<
<"Robert Li [MSFT]" <v-robeli@xxxxxxxxxxxxxxxxxxxx> wrote in message
<news:vILXk4pdHHA.4368@xxxxxxxxxxxxxxxxxxxxxxxxx
<> Hi Simon,
<>
<> Thanks for posting in our newsgroup.
<>
<> From your description, I know that RPC over HTTPS only works when the user
<> authenticates with DOMAIN\username and you cannot get it to work with
<> KERBREALM.CA\username credentials. If I am off-base, please don't hesitate
<> to let me know.
<>
<> Please take the following steps to narrow down this issue:
<>
<> Step 1: Check IIS settings:
<>
<> 1. Open IIS Manager console.
<> 2. Right click RPC virtual directory and click Properties.
<> 3. Click Directory Security and click Edit in the "Authentication and
<> Access control" area.
<> 4. Click to select "Integrated Windows Authentication".
<>
<> Step 2: Do you have firewall installed? The problem may be caused by some
<> firewall.
<>
<> Based on my research, if you have a firewall that examines HTTP traffic
<> and modifies it in any way, you may have to use Basic authentication, instead
<> of NTLM authentication. NTLM authentication fails if the RPC proxy server
<> does not trust the authentication information. For example, you may have a
<> firewall that ends the session from the Internet and establishes a new
<> session to the RPC proxy server, instead of passing the HTTPS (SSL) session
<> to the Exchange server without modification. This process is known as
<> reverse proxying or Web publishing. Certain firewalls, such as Microsoft
<> Internet Security and Acceleration (ISA) Server 2004, can successfully
<> reverse proxy or Web publish the session and still permit NTLM
<> authentication to succeed.
<>
<> For more information, please refer to the following article:
<>
<> RPC over HTTP Authentication and Security
<> http://www.microsoft.com/technet/prodtechnol/exchange/guides/E2k3RPCHTTPDep/179dce5a-00d2-40d9-933d-d7b88e40c513.mspx
<>
<> Note
<> ISA Server 2000 cannot reverse proxy or Web publish the session and still
<> permit NTLM authentication to succeed.
<>
<> I'd like to provide you the following article for your reference:
<>
<> Outlook 2003 Performs Slowly or Stops Responding When Connected to Exchange
<> Server 2003 Through HTTP
<> http://support.microsoft.com/?id=331320
<>
<> 827330 How to troubleshoot client RPC over HTTP connection issues in Office
<> Outlook 2003
<> http://support.microsoft.com/?id=827330
<>
<> You must provide Windows account credentials when you connect to Exchange
<> Server 2003 by using the Outlook 2003 RPC over HTTP feature
<> http://support.microsoft.com/default.aspx?scid=KB;[LN];820281
<>
<> Hope above information helps.
<>
<> If you need further assistance, please don't hesitate to let me know.
<>
<> Best Regards,
<>
<> Robert Li(MSFT)
<>
<> Microsoft Online Support
<> Microsoft Global Technical Support Center
<>
<> Get Secure! - www.microsoft.com/security
<> =====================================================
<> When responding to posts, please "Reply to Group" via your newsreader so
<> that others may learn and benefit from your issue.
<> =====================================================
<> This posting is provided "AS IS" with no warranties, and confers no
<> rights.
<> --------------------
<> <Reply-To: "Simon Collier" <simon.collier@xxxxxxxxxxxxxxxx>
<> <From: "Simon Collier" <simon.collier@xxxxxxxxxxxxxxxx>
<> <Subject: Outlook using RPC over HTTPS does not authenticate using the
<> Kerberos Realm
<> <Date: Tue, 3 Apr 2007 14:27:02 -0600
<> <
<> <Outlook using RPC over HTTPS does not authenticate using the Kerberos Realm.
<> <
<> <I have RPC over HTTPS working like a dream when the user authenticates with
<> <DOMAIN\username. However, I cannot get it to work with KERBREALM.CA\username
<> <credentials, even when that's what they logged onto the machine with.
<> <
<> <a. I have put KERBREALM.CA in the Domain Name and Realm Name fields in IIS
<> <for the "RPC" virtual folder.
<> <b. I have Basic Authentication (clear text) set in IIS for that folder also.
<> <c. I have webmail working with the KERBREALM.CA Kerberos Realm.
<> <d. I have users logged on to a Windows AD domain using their KERBREALM.CA
<> <Kerberos Realm credentials.
<> <
<> <I'm baffled.
<> <
<> <If anyone is reading these issues and thinking "oh, he just needs to do xyz",
<> <I'd be really glad to hear from you.
<> <
<> <
<>
<
<
.
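Added example, not part of the thread and not Microsoft's code: a small Python check that reads the `WWW-Authenticate` challenges returned by the RPC virtual directory and reports which authentication schemes a client can actually complete, following the quoted point that a firewall which ends the session and opens a new one can leave Basic as the only workable scheme. The sample headers are constructed, and the function names and the `proxy_rewrites_session` flag are assumptions made for illustration.

```python
import re

# Constructed sample: WWW-Authenticate headers of a 401 from the RPC virtual
# directory with Integrated Windows and Basic authentication both enabled.
SAMPLE_401 = [
    "Negotiate",
    "NTLM",
    'Basic realm="KERBREALM.CA"',
]

# One auth-param: key=token or key="quoted string".
PARAM = re.compile(r'([\w-]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^\s,]+)$')
# Commas that are not inside a quoted string separate challenges and params.
COMMA = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')

def parse_challenges(values):
    """Map each offered scheme (lower-cased) to its auth-params."""
    offered, current = {}, None
    for value in values:
        for item in (p.strip() for p in COMMA.split(value)):
            if not item:
                continue
            head, _, rest = item.partition(" ")
            if "=" not in head:          # a bare word starts a new challenge
                current = offered.setdefault(head.lower(), {})
                item = rest.strip()
            m = PARAM.match(item)
            if m and current is not None:
                current[m.group(1).lower()] = m.group(2).strip('"')
    return offered

def usable_schemes(values, tls, proxy_rewrites_session):
    """Return (schemes the client can complete, reasons for the rest).

    proxy_rewrites_session is a hypothetical flag for a device in the path
    that ends the client session and opens a new one to the RPC proxy.
    """
    usable, notes = [], []
    for scheme in parse_challenges(values):
        if scheme in ("ntlm", "negotiate") and proxy_rewrites_session:
            notes.append(f"{scheme}: blocked, session is re-established in the path")
        elif scheme == "basic" and not tls:
            notes.append("basic: refused, credentials would travel in clear text")
        else:
            usable.append(scheme)
    return usable, notes
```

Feed it the `WWW-Authenticate` values captured from a 401 on the RPC virtual directory; an empty first list means no scheme offered by the server can succeed on that path.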