12 November 2012

EWS not working externally

The Problem
Lync prompts for a password when connecting through the Edge server: “Lync needs your user name and password to connect for retrieving calendar data from Outlook”




No matter what credentials you type, it won't accept them. The effect is that your call history and voice mail are not populated.

Testing this from inside the network works. Looking at the client's configuration information, you can see that the EWS connection data is missing, as below:



Why is this happening?

When the Lync client signs in, it also attempts to retrieve availability data via Exchange Web Services. It does so via the Autodiscover functionality built into Exchange.

Lync Communicator issues SOAP requests (over HTTPS) to the published Autodiscover server, which returns the URLs of the Microsoft Exchange Client Access Server(s) that will feed the availability data back to Lync Communicator.

The additional prompt for authentication comes from Communicator being hard-wired to authenticate using NTLM. When IIS (on the Exchange CAS machines) returns its WWW-Authenticate headers, it does so in the form of:

WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM


When Communicator attempts to negotiate authentication using your cached credentials (over the Internet), it fails with a "401.2 Unauthorized" and then prompts you for credentials as shown above.

If we force NTLM from either the client side or the server side, we eliminate these additional credential prompts.

How do we do that?

Client side
In Internet Explorer, go to Tools, Internet Options, Advanced, scroll down to the "Security" section and un-check "Enable Integrated Windows Authentication". You should no longer receive the additional authentication prompt from Lync.

Server Side
I prefer the server-side fix as it solves the problem for everyone in one go.
In this fix we instruct IIS on the Exchange CAS server(s) to offer NTLM as the first authentication provider (with Negotiate as the fallback provider) in the WWW-Authenticate header.


On the CAS Server do the following:

  • Open IIS Manager
  • Expand the Default Web Site
  • Select EWS and Autodiscover and click on Authentication
  • Select Windows Authentication
  • In the right-hand pane select "Providers"
  • Move "NTLM" to the top
  • Click OK
  • Close IIS Manager
  • Open a command prompt
  • Type "iisreset /noforce"
  • Make sure the IIS Admin Service and World Wide Web Publishing Service are started.
That sorted it for me.
Just a side note about the TMG rules: I have changed the TMG rule for EWS from Basic authentication to “No authentication, but client can authenticate directly” and added “All users” to the users allowed to authenticate.

I did have one final prompt for credentials, probably because the cache had been altered by my endless testing, but this time adding my credentials was successful.
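As an added example (not code from this post), the PowerShell script below performs the same server-side change for both EWS and Autodiscover, committing NTLM to the top of the provider list, and then reads back the WWW-Authenticate order with an unauthenticated request. It assumes the Microsoft.Web.Administration assembly that ships with IIS, the Default Web Site paths used above, and a placeholder external EWS URL that you replace with your own.

```powershell
# Added example, not the original post's code. Reorders the Windows Authentication
# providers on the EWS and Autodiscover virtual directories so that IIS sends
# "WWW-Authenticate: NTLM" before "Negotiate", then checks the result over HTTP.
# Assumptions: run elevated on the Exchange CAS server; directories live under
# "Default Web Site" as in the post; $ExternalUrl is a placeholder for your EWS URL.
[void][System.Reflection.Assembly]::LoadFrom("$env:windir\system32\inetsrv\Microsoft.Web.Administration.dll")

$SectionPath = 'system.webServer/security/authentication/windowsAuthentication'
$Locations   = 'Default Web Site/EWS', 'Default Web Site/Autodiscover'

# Returns $true when the provider order had to be changed for the given location.
function Set-NtlmFirst([Microsoft.Web.Administration.Configuration]$Config, [string]$Location) {
    $providers = $Config.GetSection($SectionPath, $Location).GetCollection('providers')
    $ntlm = $providers | Where-Object { $_['value'] -eq 'NTLM' }
    if (-not $ntlm) { throw "No NTLM provider configured at $Location" }
    if ($providers.IndexOf($ntlm) -eq 0) { return $false }   # already first
    # Add() only appends, so remove NTLM and re-insert it at index 0.
    $providers.Remove($ntlm)
    $entry = $providers.CreateElement('add')
    $entry['value'] = 'NTLM'
    $providers.AddAt(0, $entry)
    return $true
}

# Returns the WWW-Authenticate values in the order IIS sends them. The 401 that an
# unauthenticated GET receives is expected; it is the response we want to inspect.
function Get-WwwAuthenticateOrder([string]$Url) {
    $request = [System.Net.WebRequest]::Create($Url)
    try   { $response = $request.GetResponse() }
    catch [System.Net.WebException] { $response = $_.Exception.Response }
    if ($null -eq $response) { return @() }
    $values = $response.Headers.GetValues('WWW-Authenticate')
    $response.Close()
    if ($null -eq $values) { return @() }
    return $values
}

$manager = New-Object Microsoft.Web.Administration.ServerManager
$config  = $manager.GetApplicationHostConfiguration()
$changed = $false
foreach ($location in $Locations) {
    if (Set-NtlmFirst -Config $config -Location $location) {
        Write-Host "Moved NTLM to the top of the provider list for $location"
        $changed = $true
    }
}
if ($changed) {
    $manager.CommitChanges()
    iisreset /noforce    # same restart the post performs by hand
}

$ExternalUrl = 'https://mail.example.com/EWS/Exchange.asmx'   # placeholder, replace
Get-WwwAuthenticateOrder -Url $ExternalUrl   # first value should now be "NTLM"
```

Run the final check from outside the network as well as from the CAS itself, because a reverse proxy that pre-authenticates will answer the 401 in its own way and mask what IIS is sending.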

3 comments:

  1. Hi,
    I was happy to find this article as I have exactly this problem. But after trying both solutions, first the client solution then the server-side solution, none of this prevents the credential pop-up. It just keeps popping up all the time. I somehow suspect that Internet Explorer 11 is causing the problem. Do you already have more information about that?
    Thank you!
    Robert

  2. Did you also take a look at your Reverse Proxy rule for EWS traffic as I have found this to often be a cause as well. Lync does not support pre-authentication (currently) so the Reverse Proxy rule should not ask the user to authenticate but rather to allow the client to authenticate directly.

  3. Hi Paul,
    Yes, I did. As I’m testing those things in our test environment, I just bypassed my reverse proxy and directed external traffic to my CAS server directly, just to exclude the reverse proxy as a problem source. I also have to say that this credential question comes only once. When I type my AD credentials and select "save my credentials" it does not ask anymore. But when users change passwords it asks again for sure. So I would like to prevent this in the first place.

    Cheers

    Robert
