Exchange 2013. Outlook Anywhere. NTLM. Basic. Login Loop.

I found I was having issues with Outlook Anywhere authentication with Exchange 2013.

Two Exchange 2013 Servers, CAS / MBX in a DAG.
TMG Publishing.

With the configuration below, I found that internally Outlook prompted for credentials using Basic authentication.

  • Host Names
    ExternalHostname                   : myname.domain.com
    InternalHostname                   : myname.domain.com
  • DNS
    Internal: Round Robin DNS to each server
    External: TMG Server Public IP
  • Authentication Methods
    ExternalClientAuthenticationMethod : Basic
    InternalClientAuthenticationMethod : Basic
    IISAuthenticationMethods           : {Basic, Ntlm}
  • TMG Rule
    Basic Delegation
    Authenticated Users

To get this working seamlessly internally, I updated the configuration to

  • InternalClientAuthenticationMethod : NTLM

However, this breaks authentication through TMG externally, and unless the profile is configured manually without Autodiscover it won't work. Users will be able to set up the profile, but the login prompt will loop.

How do I get this to work so that it authenticates using NTLM internally and Basic externally? Others were asking the same question: http://social.technet.microsoft.com/Forums/en-US/3277343c-c782-4a4b-a5aa-83c7c89088df/correct-configure-outlook-anywhere-in-exchange-2013-to-work-with-internalexternal-autodiscover?forum=exchangesvrclients

The Fix?

  • Authentication Methods
    ExternalClientAuthenticationMethod : Basic
    InternalClientAuthenticationMethod : NTLM
    IISAuthenticationMethods           : {Basic, Ntlm}
  • TMG Rule
    No delegation, but client may authenticate directly
    All Users
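The Exchange side of the fix, applied to every Exchange 2013 Client Access server and then verified, as an added example that is not part of the original post. It is run in the Exchange Management Shell; the host name is the one from the post, and the server selection and the SSL-required settings are my assumptions (Basic authentication only ever sends a base64-encoded password, so keeping both RequireSsl flags on matters more once Basic is the external method).

```powershell
# Added example (not the post's own script). Run in the Exchange 2013 Management Shell.
# Assumes: Outlook Anywhere host name as in the post, all Exchange 2013 (version 15)
# Client Access servers in the org should get the same settings, and SSL is required
# for both internal and external clients.
$hostName = 'myname.domain.com'

$casServers = Get-ExchangeServer | Where-Object {
    $_.IsClientAccessServer -and $_.AdminDisplayVersion.Major -eq 15
}

foreach ($server in $casServers) {
    # Get-OutlookAnywhere returns the /rpc virtual directory for the server; pipe it
    # into Set-OutlookAnywhere so the Identity is resolved for us.
    Get-OutlookAnywhere -Server $server.Name | Set-OutlookAnywhere `
        -ExternalHostname $hostName `
        -InternalHostname $hostName `
        -ExternalClientsRequireSsl $true `
        -InternalClientsRequireSsl $true `
        -ExternalClientAuthenticationMethod Basic `
        -InternalClientAuthenticationMethod Ntlm `
        -IISAuthenticationMethods Basic, Ntlm
}

# Verification: list any virtual directory that does not match the target state
# (NTLM internally, Basic externally, SSL required on both sides, both methods in IIS).
$mismatched = Get-OutlookAnywhere | Where-Object {
    $_.InternalClientAuthenticationMethod -ne 'Ntlm' -or
    $_.ExternalClientAuthenticationMethod -ne 'Basic' -or
    -not $_.InternalClientsRequireSsl -or
    -not $_.ExternalClientsRequireSsl -or
    ($_.IISAuthenticationMethods -notcontains 'Basic') -or
    ($_.IISAuthenticationMethods -notcontains 'Ntlm')
}

if ($mismatched) {
    Write-Warning 'The following Outlook Anywhere directories do not match the target configuration:'
    $mismatched | Format-List Server, *ClientAuthenticationMethod, IISAuthenticationMethods, *RequireSsl
}
else {
    Get-OutlookAnywhere | Format-Table Server, InternalClientAuthenticationMethod,
        ExternalClientAuthenticationMethod, IISAuthenticationMethods -AutoSize
}
```

The TMG listener rule still has to be changed by hand to "No delegation, but client may authenticate directly" for "All Users"; with delegation switched off, TMG simply passes the client's Basic credentials through to the Exchange /rpc directory, which is why the two methods in IISAuthenticationMethods both need to stay enabled.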

Autodiscover still returns NTLM as the authentication method, but with this configuration Outlook can fall back to Basic authentication when NTLM fails.

Users from standalone external machines can now use basic authentication and not get the login loop.