Outlook Anywhere changes in Exchange Server 2007 SP1

In Exchange Server 2007 SP1, the configuration of Outlook Anywhere (formerly known as RPC over HTTP) has been changed to accommodate the different ways Exchange CAS servers are deployed on the Internet. This blog post provides an overview of these changes.

Exchange 2007 RTM

In Exchange 2007 RTM, enabling Outlook Anywhere (using either the Exchange Management Console or the Exchange Management Shell enable-OutlookAnywhere cmdlet) required a mandatory parameter called ExternalAuthenticationMethod. This parameter was used to update Outlook 2007 clients using the Autodiscover service. Changing this parameter, however, did not influence the authentication methods enabled on the /rpc virtual directory on IIS servers. As a result, both Basic and NTLM authentication methods were always enabled even though Outlook clients would connect using only 1 authentication method. Additionally, it was not possible to manually turn off an authentication method using the IISManager MMC snap-in, since every 15 minutes the Exchange Services Host Service would automatically re-enable both Basic and NTLM authentication methods in IIS.

Note that if you had already enabled Outlook Anywhere, the ExternalAuthenticationMethod parameter could also be specified through the set-outlookAnywhere task, and it had the same effect as described above.

For further details, you can refer to http://technet.microsoft.com/en-us/library/bb123513.aspx

Exchange 2007 SP1

For Exchange 2007 SP1, instead of always enabling Basic and NTLM, Outlook Anywhere now provides the ability to choose the authentication methods that will be enabled on the /rpc virtual directory in IIS.

To specify the authentication method, the following parameters have been added in place of the ExternalAuthenticationMethod parameter:

1. ClientAuthenticationMethod - This new parameter specifies the authentication method that the Autodiscover service will provide to the clients. This is the method that clients will use to authenticate against the Client Access server. In Exchange 2007 RTM, the ExternalAuthenticationMethod parameter was responsible for this setting.

2. IISAuthenticationMethods - This new parameter specifies the authentication methods that will be enabled the /rpc virtual directory in IIS. When using this parameter, all other authentication methods will be disabled. More than one value can be specified for this parameter by using a comma delimited list of authentication methods. For example: NTLM, Basic

The reason that both parameters exists is scenarios in which you have a firewall which is configured to provide authentication delegation. For example, Outlook clients use Basic authentication, but an ISA Server 2006 firewall delegates authentication to the /rpc virtual directory using NTLM authentication. In this scenario, you would set the ClientAuthenticationMethod to Basic and the IISAuthenticationMethod parameter to NTLM.

However, since many Outlook Anywhere deployments do not go through authentication delegation, a more common scenario would be that both of these parameters will use the same value. Because of this, the following additional parameter can be used:

3. DefaultAuthenticationMethod - This new parameter can be specified to set both the ClientAuthenticationMethod and IISAuthenticationMethod parameters to be the same value. When you use this parameter, only a single value can be specified.

Upgrading to Exchange 2007 SP1 from Exchange 2007 RTM

When you upgrade from an existing Exchange 2007 RTM Outlook Anywhere topology, both NTLM and Basic authentication methods will be enabled. However, we recommend that disable one of the authentication methods by running the set-OutlookAnywhere -IISAuthenticationMethods <Basic or NTLM> cmdlet.

For further details on how to use these parameters, please refer to the TechNet documentation here:


- Siddhartha Mathur

Share this post :

Comments (11)
  1. GoodThings2Life says:

    You know… this type of informative post really makes me appreciate the Exchange team, and it makes me wish that other Microsoft teams were as forthcoming with information for their respective products.


  2. Mike Crowley says:

    I agree.  The Exchange Server blog is way better than any other MS product blog.

  3. KB says:

    Speaking of SP1, any even loose further guidance on its estimated release?  Still Q407? Maybe even by the end of the month?  If anything further is known I think it would really help in planning updates around the holidays.

  4. Adam Jacobs says:

    You are absolutely right this is the best MS blog, even the best blog in the whole wide world.

    Now pretty please with a hotfix on top, when is SP1 out? :)

  5. Oguz says:

    Please release the SP1 I’m stuck with OCS 2007 > Exchange UM integeration. Staff goes wild :)

  6. Ronin says:

    Where is this SP1 release guys… come on… it’s driving us nuts having to check for it every couple of weeks…. At this rate we’ll be into Q1 2008!!

  7. paul says:

    They are teasing us with whats on the Technet Exchange Downloads page – "Exchange Server 2007 Service Pack 1 (SP1): This software is not yet available for download.  Check back here again soon and/or watch for the impending release announcement on the Exchange TechCenter homepage."

    Must be today (or at least this week maybe…..)

  8. Nathan Miller says:

    Very much looking forward to the release of SP1!

  9. jim says:

    Where is the service pack 1 release?

  10. Yongrak Cho says:

    Let me Know that the besta guide with [ ISA2006 & Form – CAS – Outlook Anywhere] in Exchange 2007

Comments are closed.

Skip to main content