XP clients unable to connect to Exchange 2013 Outlook Anywhere

I was working on a recent green field deployment of Exchange 2013 that ran into a client issue.  The default authentication configuration of the Client Access Server (CAS) did not allow XP clients with Outlook 2007 to connect from outside the organization.  Users on these machines would be prompted for credentials repeatedly even when the proper username/password was used, and a successful connection was never made.

We found there were three requirements in order for the XP clients to connect.

1. The Office 2007 clients had to have Service Pack 3 with the Outlook 2007 November 2012 update (12.0.6665.5000).  More information can be found here http://go.microsoft.com/fwlink/p/?linkid=3052&kbid=2687404

2.  The EXPR Outlook Provider had to have the CertPrincipalName configured.  In this case a wildcard existed in the common name of the certificate, so it was set to msstd:*.domain.com.  More information on the Set-OutlookProvider command can be found here http://technet.microsoft.com/en-us/library/bb123683(v=exchg.150).aspx

3. Finally, the authentication allowed for Outlook Anywhere clients had to be changed.  The main issue seems to be a conflict between Exchange 2013 and XP clients on the understanding of Negotiate authentication.  A number of forum posts suggest switching the Exchange virtual directories to Basic Authentication, but this is a little heavy-handed.  In the end, just adding Basic and NTLM authentication to the IIS section of Outlook Anywhere allowed XP clients to connect.  The best part is that Outlook Anywhere itself still required Negotiate authentication, and the XP clients were connecting with it, so the security of the environment was not affected.

The command used is below.

Get-OutlookAnywhere | Set-OutlookAnywhere -IISAuthenticationMethods Basic,NTLM,Negotiate

In order for the changes to take effect, an IISReset must be run on each CAS server.
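
Once Basic and NTLM have been added to the IIS methods, it is worth confirming that the method handed to clients is still one IIS accepts and that Basic is only reachable over SSL. The following is an added example, not part of the original post: `Test-OutlookAnywhereAuth` is a hypothetical helper, the CAS01/CAS02 rows are constructed, and the property names are those of the `Get-OutlookAnywhere` output.

```powershell
# Added example, not from the original post. CAS01/CAS02 are constructed rows;
# on a real server run: Get-OutlookAnywhere | Test-OutlookAnywhereAuth
function Test-OutlookAnywhereAuth {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] [psobject]$Config)
    process {
        $iis = @($Config.IISAuthenticationMethods | ForEach-Object { "$_" })
        $findings = @()
        foreach ($scope in 'External', 'Internal') {
            $methodProp = "${scope}ClientAuthenticationMethod"
            $sslProp    = "${scope}ClientsRequireSsl"
            $method     = "$($Config.$methodProp)"
            # The method handed to clients has to be one IIS will accept.
            if ($method -and ($iis -notcontains $method)) {
                $findings += "$methodProp '$method' is not in IISAuthenticationMethods"
            }
            # Basic carries the password itself, so it must only travel over TLS.
            if (($iis -contains 'Basic') -and -not $Config.$sslProp) {
                $findings += "Basic is accepted by IIS but $sslProp is False"
            }
        }
        # Without channel binding, NTLM/Negotiate have no tie to the TLS session.
        if ("$($Config.ExtendedProtectionTokenChecking)" -eq 'None' -and
            ($iis -contains 'Ntlm' -or $iis -contains 'Negotiate')) {
            $findings += 'Info: ExtendedProtectionTokenChecking is None with NTLM/Negotiate accepted'
        }
        [pscustomobject]@{
            ServerName = $Config.ServerName
            IISMethods = $iis -join ','
            Findings   = $findings
        }
    }
}

# Constructed sample rows shaped like Get-OutlookAnywhere output.
$sample = @(
    [pscustomobject]@{ ServerName = 'CAS01'; IISAuthenticationMethods = @('Basic', 'Ntlm', 'Negotiate')
        ExternalClientAuthenticationMethod = 'Negotiate'; ExternalClientsRequireSsl = $true
        InternalClientAuthenticationMethod = 'Ntlm'; InternalClientsRequireSsl = $true
        ExtendedProtectionTokenChecking = 'None' }
    [pscustomobject]@{ ServerName = 'CAS02'; IISAuthenticationMethods = @('Basic', 'Ntlm')
        ExternalClientAuthenticationMethod = 'Negotiate'; ExternalClientsRequireSsl = $true
        InternalClientAuthenticationMethod = 'Ntlm'; InternalClientsRequireSsl = $false
        ExtendedProtectionTokenChecking = 'None' }
)
$sample | Test-OutlookAnywhereAuth | Format-List
```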


4 thoughts on “XP clients unable to connect to Exchange 2013 Outlook Anywhere”

    1. Shawn Kirkpatrick Post author

      This is simply the patch that is required on all Office 2007 clients for them to connect successfully to Exchange 2013 Servers. It adds some basic understanding of the new version of Exchange to these clients.

  1. Cesar

    I’m having a similar problem but in a coexistence scenario. Only affecting XP users whose mailboxes still reside on the 07 servers.

    Get-OutlookAnywhere | Select server*,iis*

    ServerName Server    IISAuthenticationMethods
    ---------- ------    ------------------------
    WTSEXCH04  WTSEXCH04 {Basic, Ntlm}
    WTSEXCH13  WTSEXCH13 {Basic, Ntlm}
    WTSEXCH03  WTSEXCH03 {Basic, Ntlm}

    Get-OutlookProvider
    This is the same on all three servers.
    [PS] C:\Windows\system32>Get-OutlookProvider

    Name Server CertPrincipalName        TTL
    ---- ------ -----------------        ---
    EXCH        msstd:owa.wrighttree.com 1
    EXPR        msstd:owa.wrighttree.com 1
    WEB

    XP Clients are using Outlook 2007 SP3 or above.

    Here is one last snapshot of Outlook Anywhere

    [PS] C:\Windows\system32>Get-OutlookAnywhere | select server*,client*,Ext*,int*

    ServerName : WTSEXCH04
    Server : WTSEXCH04
    client* :
    ExternalHostname : legacy.wrighttree.com
    ExternalClientAuthenticationMethod : Basic
    ExternalClientsRequireSsl : True
    ExtendedProtectionTokenChecking : None
    ExtendedProtectionFlags : {}
    ExtendedProtectionSPNList : {}
    InternalHostname :
    InternalClientAuthenticationMethod : Ntlm
    InternalClientsRequireSsl : False

    ServerName : WTSEXCH13
    Server : WTSEXCH13
    client* :
    ExternalHostname : owa.wrighttree.com
    ExternalClientAuthenticationMethod : Basic
    ExternalClientsRequireSsl : True
    ExtendedProtectionTokenChecking : None
    ExtendedProtectionFlags : {}
    ExtendedProtectionSPNList : {}
    InternalHostname : owa.wrighttree.com
    InternalClientAuthenticationMethod : Ntlm
    InternalClientsRequireSsl : True

    ServerName : WTSEXCH03
    Server : WTSEXCH03
    client* :
    ExternalHostname : legacy.wrighttree.com
    ExternalClientAuthenticationMethod : Basic
    ExternalClientsRequireSsl : True
    ExtendedProtectionTokenChecking : None
    ExtendedProtectionFlags : {}
    ExtendedProtectionSPNList : {}
    InternalHostname :
    InternalClientAuthenticationMethod : Ntlm
    InternalClientsRequireSsl : False

    Any ideas what I might be missing?

    Thanks,

    Cesar
