Exchange Web Services Authentication Methods in MOC

  • Question

  • Haven't run across this one before. Suggestions?

    Internal deployment works well. MOC signs in, no integration or address book errors. All is well. Remote access works great. Sign-in is ok, address book downloads. Cert trusts and names are all in line. Yadda yadda....

    I am seeing the "Communicator could not retrieve calendar or Out of Office information from Exchange Web services" error in the client, but externally only. The client gets prompted for authentication credentials... enter them and it fails after 3 tries. Seems to me there's an authentication method mismatch somewhere - somewhere being between the ISA 2006 publishing Outlook Anywhere / Autodiscover and the Communicator client.

    The unique part here is this site has ISA 2006 configured to accept NTLM from Outlook Anywhere clients and use Kerberos Constrained Delegation on the back side to authenticate to Exchange. This gets them the seamless experience of not being prompted for credentials using Outlook Anywhere, which I can't blame. Changing this experience is not an option.

    Ran across this posting which is almost to a T, exactly what's happening for me in this instance: http://www.freelists.org/post/isapros/Weird-KCDness-with-Exchange-2007OCS-2007,10

    My plan tomorrow is to do some tracing and logging to verify the authentication methods being passed, but maybe someone can save me the time and tell me what kind of auth MOC passes to EWS? Is it, in fact, basic auth no matter what, as is being suggested in that link? And if it actually is NTLM, any thoughts on why that's failing to get through the listener?

    Well, ____. I'll leave my post above for reference, but this just dawned on me - Outlook Anywhere and Autodiscover are being published through a listener with NTLM, but their OWA and EWS URLs are being published through an FBA listener with basic auth. I wonder if the referral from Autodiscover over NTLM to go to EWS using Basic is the source of this... Hmmm. Entirely too late so clarity might not be there. If anyone has a thought or suggestion I'd still appreciate it.

    Wednesday, January 14, 2009 8:38 AM
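The listener comparison raised in the post above can be checked from captured response headers. This is an added example, not part of the original post: it parses the `WWW-Authenticate` challenges each published URL returns and reports which schemes they have in common. The captures, host names and function names are constructed for illustration, and the result says nothing about which scheme MOC itself sends.

```python
import re

QUOTED = re.compile(r'"(?:[^"\\]|\\.)*"')   # quoted-string, e.g. realm="a, b"
PARAM = re.compile(r'[^\s=]+\s*=')          # piece that starts with name=

def offered_schemes(raw_response):
    """Return (status_code, set of lower-cased auth schemes) for one raw response head."""
    lines = raw_response.strip().splitlines()
    status = int(lines[0].split()[1])
    schemes = set()
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() != "www-authenticate":
            continue
        # Blank out quoted strings so a comma inside realm="..." cannot split a challenge.
        value = QUOTED.sub('""', value)
        for piece in value.split(","):
            piece = piece.strip()
            # A piece that begins with name= is a parameter of the previous challenge.
            if piece and not PARAM.match(piece):
                schemes.add(piece.split()[0].lower())
    return status, schemes

def compare_listeners(captures):
    """captures: {label: raw response head}. Returns (schemes per label, schemes common to all)."""
    per = {label: offered_schemes(raw)[1] for label, raw in captures.items()}
    common = set.intersection(*per.values()) if per else set()
    return per, common

# Constructed captures (not real traffic): one listener per published URL.
CAPTURES = {
    "autodiscover": (
        "HTTP/1.1 401 Unauthorized\r\n"
        "WWW-Authenticate: NTLM\r\n"
        "Content-Length: 0\r\n"
    ),
    "ews": (
        "HTTP/1.1 401 Unauthorized\r\n"
        'WWW-Authenticate: Basic realm="mail.example.test, external"\r\n'
        "Content-Length: 0\r\n"
    ),
}

if __name__ == "__main__":
    per, common = compare_listeners(CAPTURES)
    for label, schemes in per.items():
        print(f"{label}: {sorted(schemes) or 'no HTTP challenge'}")
    print("common schemes:", sorted(common) or "none (a client must switch methods between URLs)")
```

An endpoint that answers with a redirect to a logon form instead of a 401 comes back with an empty scheme set, which also shows up as "no common schemes".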