I have an Exchange 2013 environment that I'm migrating to from Exchange 2007, and many of our Outlook clients are still 2007, which means they can't save passwords by default. We have OA published through TMG's for machines on 4 separate domains to connect into the mail servers, which all reside on one domain. We published this rule with Basic auth, and we've been happy, so we config'ed Exchange 2013 the same way.
Since all clients use OA to connect to Exchange 2013, our Outlook 2007 clients are now being prompted for creds every single time they open outlook. When I try to change the internalclientauthenticationmethod to NTLM, it fixes the cred challenge for domain members, but it breaks OA even though the externalclientauthenticationmethod is still Basic. The internal and external host names are the same. It's just the auth methods that differ, and both auth methods are set in IISAuthenticationMethods. Checking an Outlook client's proxy settings show NTLM. If manually switched to Basic, it'll work until Autodiscover switches it back to NTLM. The weird thing is that testconnectivity.microsoft.com tests come back no problem when using autodiscover and basic. Is Outlook just not smart enough to do that?
I'd attempt to use Negotiate on both, but I've read that's incompatible with Exchange 2007, and I'll users for a while trying to connect to resource mailboxes and public folders on Exchange 2007. Is there a way to get to this to work? If it can't work this way, why do they even bother having separate auth methods?
Thanks!
