Microsoft KB Archive/820281

= You must provide Windows account credentials when you connect to Exchange Server 2003 by using the Outlook 2003 RPC over HTTP feature =

Article ID: 820281

Article Last Modified on 10/27/2006

-

APPLIES TO


 * Microsoft Office Outlook 2003
 * Microsoft Exchange Server 2003 Standard Edition
 * Microsoft Exchange Server 2003 Enterprise Edition
 * Microsoft Windows Small Business Server 2003 Premium Edition
 * Microsoft Windows Small Business Server 2003 Standard Edition

-





Notice


SYMPTOMS
When you try to connect to your Microsoft Exchange Server 2003 computer by using the Exchange RPC over HTTP feature of Microsoft Office Outlook 2003, you are prompted to provide your user account credentials even if you are logged on by using the Windows account that is mapped to your Exchange account.



CAUSE
This issue occurs if either of the following is true:
 * You are using Basic authentication to the proxy server for Exchange.
 * You are using NTLM authentication to the proxy server for Exchange, but Windows does not automatically send the NTLM challenge/response data. Windows does not do this because the older LANMAN challenge/response password is included in the authentication data.



Basic authentication
If you want to use Basic authentication, you must continue to type your user account credentials. There is no way for the client to submit your user name and password automatically. If you want to log on automatically, you must configure your Outlook profile to use NLTM authentication to your proxy server for Exchange.

Before you switch to using NTLM authentication, you must verify with your administrator that NTLM authentication is permitted or even possible in your environment. Many firewalls and proxy servers will prevent successful NLTM authentication, whereas Basic authentication will work successfully. See the More Information section for additional details.

Note The authentication mechanism that you configure in Outlook is used only for the HTTP session to your proxy server for Exchange. The actual authentication between Outlook and your Exchange server always uses NTLM. See the More Information section for additional details.

To change the authentication mechanism on the Outlook client to NTLM, follow these steps:
 * 1) Start Outlook 2003.
 * 2) On the Tools menu, click E-mail Accounts.
 * 3) Click View or change existing e-mail accounts, and then click Next.
 * 4) Under Outlook processes e-mail for these accounts in the following order, click Microsoft Exchange Server, and then click Change.
 * 5) On the Exchange Server Settings page, click More Settings.
 * 6) Click the Connection tab.
 * 7) Click Exchange Proxy Settings.
 * 8) Under Proxy authentication settings, click NTLM Authentication in the Use this authentication when connecting to my proxy server for Exchange list.
 * 9) Click OK two times.
 * 10) Click OK again in response to the prompt that you must restart Outlook for the changes to take effect.
 * 11) Click Next, and then click Finish.
 * 12) Restart Outlook.

NTLM authentication
If your account is configured to use NTLM authentication and you are still prompted for your user name and password when you are logged on as the Windows account that has access to your Exchange mailbox, you must set the LmCompatibilityLevel on your client to a value of 2 or 3. To do this, follow these steps.

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.  Click Start, click Run, type regedit in the Open box, and then press ENTER. Locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\

 In the right pane, double-click lmcompatibilitylevel. In the Value data box, type a value of 2 or 3 that is appropriate for your environment, and then click OK. Quit Registry Editor. Restart your computer.</li></ol>

<div class="moreinformation_section">

MORE INFORMATION
The authentication mechanism that is configured in your Outlook profile is used only for the HTTP session to the proxy server for Exchange. The actual authentication mechanism between Outlook and the Exchange server, when accessed by using remote procedure call (RPC) over HTTP, always uses NTLM. We strongly recommend that you use Secure Sockets Layer (SSL) encryption for the HTTP session to the proxy server for Exchange. This is especially true when you are using Basic authentication. If you use SSL encryption, this prevents your user name and password from being sent in clear text. Outlook will not let you use Basic authentication when connecting to your proxy server for Exchange without using SSL encryption.

You must sometimes use Basic authentication because NTLM authentication will fail if the proxy server for Exchange does not trust the authentication information. This issue can be caused by firewalls that examine the HTTP traffic and modify it in some way. For example, a firewall may end the session from the Internet and establish a new session to the proxy server for Exchange instead of passing the HTTPS (SSL) session straight through without modification. This process is sometimes known as reverse proxying or Web publishing. Certain firewalls such as Microsoft Internet Security and Acceleration (ISA) Server 2004 can successfully reverse proxy or Web publish the session and still permit NTLM authentication to succeed. Basic authentication is not affected by this process and will work regardless of firewalls. However, if you use Basic authentication, this means that you must type your user name and password every time that you start an Outlook session.

LmCompatibilityLevel settings
The LmCompatibilityLevel registry entry can be configured with the following values:
 * LmCompatibilityLevel value of 0: Send LAN Manager (LM) response and NTLM response; never use NTLM version 2 (NTLMv2) session security. Clients use LM and NTLM authentication, and never use NTLMv2 session security; domain controllers accept LM, NTLM, and NTLMv2 authentication.
 * LmCompatibilityLevel value of 1: Use NTLMv2 session security, if negotiated. Clients use LM and NTLM authentication, and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.
 * LmCompatibilityLevel value of 2: Send NTLM response only. Clients use only NTLM authentication, and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.
 * LmCompatibilityLevel value of 3: Send NTLMv2 response only. Clients use NTLMv2 authentication, and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.
 * LmCompatibilityLevel value of 4: (Server Only) - Domain controllers refuse LM responses. Clients use NTLM authentication, and use NTLMv2 session security if the server supports it; domain controllers refuse LM authentication, and accept NTLM and NTLMv2 authentication.
 * LmCompatibilityLevel value of 5: (Server Only) - Domain controllers refuse LM and NTLM responses, and accept only NTLMv2 responses. Clients use NTLMv2 authentication, use NTLMv2 session security if the server supports it; domain controllers refuse NTLM and LM authentication, and accept only NTLMv2 authentication.

<div class="references_section">