RedWax Tech Remarks

Outlook: Remote Access Features. Can’t Save a Password for Automatic Logon. Exchange Role-Based Server Security. Solution

April 24, 2007

When I discussed the benefits of remote access to corporate mail with RPC calls over HTTP between Outlook and Exchange, one of the most significant I mentioned was the ability to connect from anywhere. But being anywhere does not mean being inside the corporate network; that is what a VPN is mostly used for. We chose a different route: the mail is reached through a virtual directory on the corporate IIS site, which we maintain with the IIS manager. Some of our users work part-time and need to read their mail from home computers or other machines on which they cannot log on to our domain with their domain credentials. On such a machine no authentication is established automatically when the user opens the Exchange site, so, as implemented by design, a credentials dialog box pops up every time Outlook connects to the mail server.

"Now what?", one might ask. Yes, there is the usual option to save the password. The problem is that this option does not work. Why? In most cases it is because of the front-end Exchange server sitting in the chain inside the network perimeter. When we went through the server-side configuration, recall that the 9th step of that procedure, the one that configures the authentication options in the virtual directory's properties, said: "You can also allow NTLM Windows authentication and leave the Integrated Windows authentication checkbox checked". You can and you should. The golden rule: if an option is checked by default, do not uncheck it unless you have a specific reason to. So leave that option checked, and let's move to the second part. That is where the change is made.
We need to change the authentication method from the basic authentication we used above to NTLM. In Outlook's Exchange proxy settings, make sure that the "Use this authentication when connecting to my proxy server for Exchange" drop-down list in the Proxy authentication settings section is set to NTLM Authentication. Next we need to give Outlook the credentials it should present. For that we use the Stored User Names and Passwords dialog box:
1. Click Start | Control Panel | User Accounts
2. On the Advanced tab click the Manage Passwords button to open the Stored User Names and Passwords dialog box
3. Add an entry for the address of your front-end server (the same host name Outlook uses for the proxy) and enter your username and password exactly as they are set up for the RPC virtual directory under the Default Web Site (see step 2 of the server-side procedure).

Note: credentials saved here are protected by DPAPI with the Windows account the user is logged on as, so anyone who can log on to that Windows account can use them. On a shared home computer, give the user a Windows account of their own rather than storing the domain password under a shared one.

Now we need to patch the registry. This can be done automatically (see the link at the end of the post), but here is how to do it manually on the user's computer by changing the LmCompatibilityLevel parameter under the LSA (Local Security Authority) key. You need local administrator rights for this:
1. Click Start|Run
2. Type regedit and press enter
3. In the left panel of the registry editor navigate the path HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
4. With the Lsa key selected, switch to the right panel of the editor and find the LmCompatibilityLevel DWORD value
5. Double-click it and change its value to 3. This makes the client send NTLMv2 responses only; it no longer sends LM or NTLMv1 responses. The setting is machine-wide: it governs every NTLM authentication this client performs, not just the connection to Exchange, so any other server the user still authenticates to must accept NTLMv2. Also check the Network security: LAN Manager authentication level security policy on your server, located in the Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\ folder in the domain group policy. That policy writes to this same registry value, so if the domain policy defines it, the policy overwrites your manual change at the next policy refresh; on domain-joined machines set it there instead.

Note: setting LmCompatibilityLevel to 2 makes the client send the NTLM (v1) response only. It still does not use NTLMv2, so 3 is the lowest value that gives you NTLMv2-only behaviour on the client.
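The same two client-side changes, the stored credential and the LmCompatibilityLevel value, can be scripted instead of clicked through. The following is an added example written for this post, not the author's own script and not the "automatic" procedure linked below; the front-end host name mail.example.com and the account CORP\jsmith are placeholders, and it must run in an elevated PowerShell session because it writes under HKLM.

```powershell
# Added example (not part of the original post). Placeholders: replace
# $FrontEnd with the host name Outlook uses for the RPC proxy and $User
# with the DOMAIN\user that the RPC virtual directory authenticates.
$FrontEnd = 'mail.example.com'
$User     = 'CORP\jsmith'
$LsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Meaning of each LmCompatibilityLevel value, as shown by the
# "Network security: LAN Manager authentication level" policy.
$Levels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM, use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only, refuse LM'
    5 = 'Send NTLMv2 response only, refuse LM & NTLM'
}

function Get-LmLevel {
    # Returns the current value, or $null when the value is absent and the
    # operating-system default applies.
    $p = Get-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $null }
    return [int]$p.LmCompatibilityLevel
}

function Set-LmLevel {
    param([int]$Level)
    $current = Get-LmLevel
    # Never weaken the client: refuse to go below a level already set
    # (for example by a domain policy that wants 4 or 5).
    if ($null -ne $current -and $current -gt $Level) {
        Write-Warning "Refusing to lower LmCompatibilityLevel from $current to $Level"
        return $current
    }
    Set-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -Value $Level -Type DWord
    Write-Host ("LmCompatibilityLevel: {0} -> {1} ({2})" -f $current, $Level, $Levels[$Level])
    return $Level
}

# 1. Store the credential Outlook will present to the RPC proxy. This is
#    the same store the "Stored User Names and Passwords" dialog edits.
#    The password is prompted for rather than written into the script.
$cred  = Get-Credential $User
$plain = $cred.GetNetworkCredential().Password
cmdkey "/add:$FrontEnd" "/user:$User" "/pass:$plain" | Out-Null
$plain = $null
# Show the entry; the target must match the proxy host name exactly.
cmdkey "/list:$FrontEnd"

# 2. Switch the client to NTLMv2-only responses (level 3). A domain GPO
#    that defines the same policy rewrites this value at the next refresh,
#    so on managed machines set it in the GPO instead of here.
Set-LmLevel -Level 3
```

Run it once per Windows account that uses Outlook on that machine: the cmdkey entry is per user, while the registry value is per machine and only needs to be written once.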

Additional info on how to Provide Windows User Account Credentials When Connecting to Exchange Server Remotely using the RPC over HTTP Feature
Manage Stored User Names and Passwords
LAN Manager Authentication Level
Automatically Discover this Issue and Patch Registry on Remote Computer
Technical digression: How to Use Local Security Authority from a Logon Application
What is NonInteractive Authentication?
Role-Based Securing the Exchange Server: How to Setup OWA Front-End Server Policy


Posted by redwax