RedWax Tech Remarks

When I discussed the advances of such an approach to reach the maximal gain from the collaborative work as the remote access to corporate mail using RPC calls over HTTP protocol with Outlook and Exchange one of the most significant I mentioned was the ability to get the access from anywhere. But being remotely anywhere doesn’t means that you have to be in the corporate network. That’s what the VPN is mostly used for. We chose another way when we can access the mail by just using the virtual directory in the corporate site which we maintain using the IIS manager. But as some our our users work on the part-time basis, they need to access the mail from their home computers or any computers where they have no ability to log right into out domain using their logon credentials. That implies that the authentication would not be established automatically as user will access the Exchange OWA site. So as it is implemented by design the user gets the dialog box popping up each time he connects to the mail server. “Now what?”, one would ask. Yes, we have the option to save the password. As always. But the problem is this option doesn’t work! Why does this happen? Usually as it seems, it happens because of the Front-end Exchange server used in the chain within the network perimeter. When we were discussing the procedure of configuring the server side, remember I told you in the 9th step of that multistep procedure you need to implement while configuring authentication options within the site’s virtual directory properties: “You can also allow the NTLM Windows authentication and leave the Integrated Windows authentication checkbox checked”. You can and you should. The golden rule: if you have option checked by default don’t uncheck unless you have a straightforward intention for that. Thus, leave the option checked and… and let’s switch to the second part. And here will be the change. We will need to change the authentication method from the basic authentication mode we used above to NTLM. So make sure that the Use this authentication when connecting to my proxy server for Exchange drop-down list within the Proxy authentication settings section is set to NTLM Authentication. Now we need to force Outlook to get information about the password we use. We need use the Stored User Names and Passwords dialog box:
1. Click Start|Control Panel|User Accounts
2. On the Advanced tab click the Manage Passwords button to get the Stored User Name And Passwords dialog box
3. Enter the address of your Front-End server and specify your username and password exactly as it is specified in for the Default Web Site (see step 2) in the RPC virtual directory.

Now we need to patch the registry. While this can be done automatically, we need to do the following to do that on the user computer manually by tweaking the LmCompatibilityLevel registry parameters within the LSA (Local Security Authority) key in the registry. To do that.
1. Click Start|Run
2. Type regedit and press enter
3. In the left panel of the registry editor navigate the path HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
4. While you’re in the Lsa parameter folder, switch to the right panel of the editor and find the lmcompatibilitylevel DWORD parameter
5. Double-click on it and change its value to 3. This will enable the client to use the NTLMv2 response only. Check the Network security: LAN Manager authentication level security policy on your server located in the Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\ folder in the domain group policy

Note: setting the LmCompatibilityLevel parameter to 2 will force the LSA manager to use the standard NTLM authentication

Additional info on how to Provide Windows User Account Credentials When Connecting to Exchange Server Remotely using the RPC over HTTP Feature
Manage Stored User Names and Passwords
LAN Manager Authentication Level
Automatically Discover this Issue and Patch Registry on Remote Computer
Technical digression: How to Use Local Security Authority from a Logon Application
What is NonInteractive Authentication?
Role-Based Securing the Exchange Server: How to Setup OWA Front-End Server Policy

Technorati tag: NTLM authentication network perimeter RPC over HTTP private network remote mail logon credentials automatic login server policy outlook password exchange security security authority password management remote work exchange properties web access registry tweak Microsoft Office collaboration IIS remote access virtual directory corporate mail group policy back-end front-end VPN