Re: Outlook using RPC over HTTPS does not authenticate using the Kerberos Realm




Hi Robert:

Thanks for your reply.

1. To confirm, NTLM authentication works fine for domain authentication. However, I still cannot authenticate using a Kerberos Realm account, even if I logged into Windows using those credentials.
2. RPC directory was already set to ignore client certificates.
3. The SSL certificate was issued by Thawte.

Do you have any more suggestions?

Thanks!
Simon


"Robert Li [MSFT]" <v-robeli@xxxxxxxxxxxxxxxxxxxx> wrote in message news:7EaAIy1eHHA.4368@xxxxxxxxxxxxxxxxxxxxxxxxx
Hi Simon,

Please also try the following way:

1. Follow 820281 to set up the user to use NTLM.

For more information, please refer to:
You must provide Windows account credentials when you connect to Exchange
Server 2003 by using the Outlook 2003 RPC over HTTP feature
http://support.microsoft.com/kb/820281

2. Change Secure Communication on the default website and RPC directory from
"Accept client certificates" to "Ignore client certificates".

3. Make sure clients have the root certificate.

Hope above information helps.

If you need further assistance, please don't hesitate to let me know.

Best regards,

Robert Li(MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================

This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.

=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
<From: "Simon Collier" <simon.collier@xxxxxxxxxxxxxxxx>
<Subject: Re: Outlook using RPC over HTTPS does not authenticate using the
<Kerberos Realm
<Date: Thu, 5 Apr 2007 12:15:27 -0600
<Newsgroups: microsoft.public.exchange.admin
<
<Hi Robert:
<
<Thanks again.
<
<1. Disabled firewall and AV, same problem.
<2. Used Outlook in Safe Mode, same problem.
<3. Not sure what you mean? For testing, client and server are on the same
<network, so no proxy server. Or do you mean something else?
<
<Any more suggestions?
<
<Thanks!
<
<Simon
<
<
<
<"Robert Li [MSFT]" <v-robeli@xxxxxxxxxxxxxxxxxxxx> wrote in message
<news:V1%23wnn3dHHA.6068@xxxxxxxxxxxxxxxxxxxxxxxxx
<> Hi Simon,
<>
<> Thanks for updating.
<>
<> Please first select "Integrated Windows Authentication" on the RPC virtual
<> directory and take the following steps to see if the problem can be
<> resolved:
<>
<> 1. Disable firewall or antivirus on PC, will the same issue occur?
<> 2. Try to open Outlook in safe mode.
<>
<> Click Start, and then click Run. Type "outlook /safe" in the name
<> box (without the quotation marks). Does the problem occur?
<>
<> Step 3: Disable Windows proxy, will the same issue occur?
<>
<> Hope above information helps.
<>
<> If you need further assistance, please don't hesitate to let me know.
<>
<>
<> Best regards,
<>
<> Robert Li(MSFT)
<>
<> --------------------
<> <From: "Simon Collier" <simon.collier@xxxxxxxxxxxxxxxx>
<> <Subject: Re: Outlook using RPC over HTTPS does not authenticate using the
<> <Kerberos Realm
<> <Date: Wed, 4 Apr 2007 09:21:37 -0600
<> <Newsgroups: microsoft.public.exchange.admin
<> <
<> <Hi Robert:
<> <
<> <Thank you for your response, it's very encouraging to know someone is out
<> <there!
<> <
<> <Step 1: I followed the instructions you gave to enable NTLM authentication,
<> <and I can confirm that it works as described for the DOMAIN\username logon.
<> <However, it still does not work for the KERBREALM.CA\username logon (which
<> <is the credentials I logged onto the Windows box with).
<> <
<> <The reason I had unchecked the Integrated Windows Authentication is because
<> <I was under the impression that authentication through a Kerberos Realm must
<> <be done using Basic Authentication with SSL.
<> <
<> <Step 2: The only firewall between my test box and the Exchange server is the
<> <Windows 2003 SP1 firewall. I assume this would not cause the problem you
<> <describe.
<> <
<> <RPC over HTTPS with DOMAIN\username credentials still works. However, the
<> <problem still exists (cannot authenticate with KERBREALM.CA\username using
<> <Outlook 2003 with RPC over HTTPS). Do you have any other suggestions of
<> <things I can try?
<> <
<> <Thanks!
<> <
<> <Simon
<> <
<> <
<> <"Robert Li [MSFT]" <v-robeli@xxxxxxxxxxxxxxxxxxxx> wrote in message
<> <news:vILXk4pdHHA.4368@xxxxxxxxxxxxxxxxxxxxxxxxx
<> <> Hi Simon,
<> <>
<> <> Thanks for posting in our newsgroup.
<> <>
<> <> From your description, I know that RPC over HTTPS only works when the user
<> <> authenticates with DOMAIN\username and you cannot get it to work with
<> <> KERBREALM.CA\username credentials. If I am off-base, please don't hesitate
<> <> to let me know.
<> <>
<> <> Please take the following steps to narrow down this issue:
<> <>
<> <> Step 1: Check IIS settings:
<> <>
<> <> 1. Open IIS Manager console.
<> <> 2. Right click RPC virtual directory and click Properties.
<> <> 3. Click Directory Security and click Edit in the "Authentication and
<> <> Access control" area.
<> <> 4. Click to select "Integrated Windows Authentication".
<> <>
<> <> Step 2: Do you have firewall installed? The problem may be caused by some
<> <> firewall.
<> <>
<> <> Based on my research, if you have a firewall that examines HTTP traffic and
<> <> modifies it in any way, you may have to use Basic authentication, instead
<> <> of NTLM authentication. NTLM authentication fails if the RPC proxy server
<> <> does not trust the authentication information. For example, you may have a
<> <> firewall that ends the session from the Internet and establishes a new
<> <> session to the RPC proxy server, instead of passing the HTTPS (SSL) session
<> <> to the Exchange server without modification. This process is known as
<> <> reverse proxying or Web publishing. Certain firewalls, such as Microsoft
<> <> Internet Security and Acceleration (ISA) Server 2004, can successfully
<> <> reverse proxy or Web publish the session and still permit NTLM
<> <> authentication to succeed.
<> <>
<> <> For more information, please refer to the following article:
<> <>
<> <> RPC over HTTP Authentication and Security
<> <> http://www.microsoft.com/technet/prodtechnol/exchange/guides/E2k3RPCHTTPDep/179dce5a-00d2-40d9-933d-d7b88e40c513.mspx
<> <>
<> <> Note
<> <> ISA Server 2000 cannot reverse proxy or Web publish the session and still
<> <> permit NTLM authentication to succeed.
<> <>
<> <> I'd like to provide you the following article for your reference:
<> <>
<> <> Outlook 2003 Performs Slowly or Stops Responding When Connected to Exchange
<> <> Server 2003 Through HTTP
<> <> http://support.microsoft.com/?id=331320
<> <>
<> <> 827330 How to troubleshoot client RPC over HTTP connection issues in Office
<> <> Outlook 2003
<> <> http://support.microsoft.com/?id=827330
<> <>
<> <> You must provide Windows account credentials when you connect to Exchange
<> <> Server 2003 by using the Outlook 2003 RPC over HTTP feature
<> <> http://support.microsoft.com/default.aspx?scid=KB;[LN];820281
<> <>
<> <> Hope above information helps.
<> <>
<> <> If you need further assistance, please don't hesitate to let me know.
<> <>
<> <> Best Regards,
<> <>
<> <> Robert Li(MSFT)
<> <>
<> <> Microsoft Online Support
<> <> Microsoft Global Technical Support Center
<> <>
<> <> --------------------
<> <> <From: "Simon Collier" <simon.collier@xxxxxxxxxxxxxxxx>
<> <> <Subject: Outlook using RPC over HTTPS does not authenticate using the
<> <> <Kerberos Realm
<> <> <Date: Tue, 3 Apr 2007 14:27:02 -0600
<> <> <Newsgroups: microsoft.public.exchange.admin
<> <> <
<> <> <Outlook using RPC over HTTPS does not authenticate using the Kerberos
<> <> <Realm.
<> <> <
<> <> <I have RPC over HTTPS working like a dream when the user authenticates
<> <> <with DOMAIN\username. However, I cannot get it to work with
<> <> <KERBREALM.CA\username credentials, even when that's what they logged onto
<> <> <the machine with.
<> <> <
<> <> <a. I have put KERBREALM.CA in the Domain Name and Realm Name fields in IIS
<> <> <for the "RPC" virtual folder.
<> <> <b. I have Basic Authentication (clear text) set in IIS for that folder
<> <> <also.
<> <> <c. I have webmail working with the KERBREALM.CA Kerberos Realm.
<> <> <d. I have users logged on to a Windows AD domain using their KERBREALM.CA
<> <> <Kerberos Realm credentials.
<> <> <
<> <> <I'm baffled.
<> <> <
<> <> <If anyone is reading these issues and thinking "oh, he just needs to do
<> <> <xyz", I'd be really glad to hear from you.