Let me describe our situation and environment:
We have Exchange 2013 running in a 2008r2 level domain and are using Outlook Anywhere / AutoDiscovery to configure non-domain joined clients (this situation will change later, but our current priority is getting the Exchange server running and worrying and joining machines to the domain afterwards). I had tried some configuration changes, which ultimately did not work, and I rolled back those changes. On the ECP under Servers -> Servers -> My Exchange Server -> Outlook AnyWhere, there is a box that lets you choose between NTLM, Basic, and Negotiate authentication. Exchange 2013 default is negotiate, which was working initially. After rolling back my changes, however, my clients get repeated password prompts, and their passwords are rejected, if I have Outlook Anywhere authentication set to negotiate. It works fine if I keep it set on NTLM.
Under Servers -> Virtual Directories -> AutoDiscover (Default Website) -> Authentication, the boxes for Basic Authentication and Integrated Windows Authentication are checked. These are the default values if I remember correctly.
Even when I have my Outlook Anywhere authentication set to Negotiate, I have a section of code in the AutoDiscover XML file that Outlook pulls that looks like this:
<Type>EXPR</Type><Server>exchange.mycompany.com</Server><SSL>On</SSL><AuthPackage>Ntlm</AuthPackage>
My research tells me that EXPR controls Outlook Anywhere (RPC over HTTP). The AuthPackage seems to be incorrect here. It's still giving me NTLM instead of Negotiate. When I change Outlook Anywhere's authentication back to NTLM, everything works (after giving the server about fifteen minutes or so to update).
What is the problem here? Why does the autodiscover return the wrong auth package for Outlook Anywhere? Is there a time delay between changing the authentication for Outlook Anywhere and Exchange updating my Outlook clients so that their settings
match? I know that if I go into an Outlook client that is getting prompted for a password after Outlook Anywhere authentication has been changed to Negotiate, I can manually adjust their Exchange Proxy Server settings and get it to work, but I really
want the AutoDiscover to simply deliver the correct auth package to begin with.
I don't mind using NTLM authentication; it works. But I really need to know WHY this is happening and what to do to fix it. Today, it may not matter, but it may matter in the future as network topology changes, and I will be expected to have the answer.
To further clarify:
When I run Get-OutlookAnywhere | fl name, *, my internal and external Client Authentication Methods are set to Negotiate, but I still get the entry I showed above in the AutoDiscover XML file that specifies NTLM.