
Publishing Outlook Anywhere using NTLM Authentication on ISA 2006

The title of this blog sounds familiar, right? Maybe. Well, when I went searching for a way to do this I hit dead end after dead end. I searched everywhere (ISAServer.org, MSExchange.org, TechNet, blogs, forums, etc) and came up empty. It sounded like an obvious thing to want in order to minimize the impact on the users and eliminate getting prompted for a password each time they took their laptop offsite.
After all, these machines were joined to the domain and were under corporate control, so they should be trusted. Well, all I could find was how to publish Outlook Anywhere using Basic Authentication. This was the de facto standard I had used in the past, and I never had any complaints about the login prompt per session. So I tried a few things on the ISA server rule to get this to work, but I couldn’t get anything to work. I even called MS PSS and got the same answer: use Basic.
I was determined to figure out a way so I ran through several iterations in my lab and came up with a solution after watching ISA disconnect or repeatedly prompt for authentication on every iteration I tried. I ended up having to modify two of the Exchange 2007 rules, one for Outlook Anywhere and the one for Autodiscover.
Since ISA 2006 currently doesn’t support SAN certificates, I had to use two listeners and two certs. I hear this is fixed in the upcoming service pack though. Finally! Anyway, I used the standard Exchange 2007 publishing wizard in ISA to create my rules. To get NTLM authentication to work I first had to set the CAS server for NTLM authentication by modifying the Outlook Anywhere settings:
Then I modified the Outlook Anywhere and Autodiscover rules to match this. There were basically two things I had to do for both of these rules. First, I had to set the user set to ‘All Users’; second, I had to set the Authentication Delegation to ‘No delegation, but client may authenticate directly’. I did this for both rules and published it. I was then able to take a domain-joined machine with Outlook 2003/2007 configured for RPC over HTTP with NTLM authentication, connect remotely using my Windows (domain cached credentials) login ID, open Outlook and connect without getting prompted.
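The CAS-side step above is done in the post through the GUI; the same change can be made and verified from the Exchange 2007 Management Shell. This is an added example, not code from the original post. The server name `CAS01` is a placeholder, and the script assumes an Exchange 2007 Client Access Server with Outlook Anywhere already enabled.

```powershell
# Added example (not from the original post): check and set the Outlook Anywhere
# client authentication method on an Exchange 2007 Client Access Server.
$casServer = 'CAS01'   # placeholder: your Client Access Server name

# Record the current state before changing anything
Get-OutlookAnywhere -Server $casServer |
    Format-List Server, ExternalHostname, ClientAuthenticationMethod, SSLOffloading

# Switch the client authentication method from Basic to NTLM,
# which is the CAS change the post describes
Get-OutlookAnywhere -Server $casServer |
    Set-OutlookAnywhere -ClientAuthenticationMethod Ntlm

# Confirm the change took effect; the ISA rules in the post assume this value
$method = (Get-OutlookAnywhere -Server $casServer).ClientAuthenticationMethod
if ($method -ne 'Ntlm') {
    throw "Outlook Anywhere on $casServer is still set to $method"
}
Write-Host "Outlook Anywhere on $casServer now uses $method client authentication"
```

One point worth keeping in mind when reviewing the ISA side of this setup: with the user set at ‘All Users’ and delegation set to ‘No delegation, but client may authenticate directly’, ISA no longer pre-authenticates the request at the perimeter. Authentication is enforced by IIS on the CAS instead, so the CAS virtual directory settings (and their logs) become the place to check when troubleshooting or reviewing access.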
