Overview
This guide describes the configuration steps for NTLM authentication in an on-premise Exchange environment following the installation of Exchange Connector 6.1.0. For the Exchange Connector installation steps, see the Microsoft Exchange On-Prem or Online Connector Install.
Background
Microsoft support for Basic Authentication is set to end in the Fall of 2020. To prepare for this change, a new Exchange Connector was created that uses an authentication mechanism called NTLM. NTLM authenticates with hashing rather than passing a username and password between the Connector and the on-premise Exchange environment. For additional information, see: https://docs.microsoft.com/en-us/windows/desktop/secauthn/microsoft-ntlm
NTLM Parameters
Administrator access to an on-premise Microsoft Exchange domain is required to complete the configuration for NTLM. The fields required depend on whether Autodiscover or EWS is chosen.
Autodiscover Variables
The following fields are needed if Autodiscover is the chosen authentication method:
- Email: This is an email address within the domain that is used to test Autodiscover. This can be any valid email address within the Microsoft Exchange domain used for configuring NTLM. The "find server URL based on email address" option should be selected.
- Username: The username of a service account with the appropriate Impersonation Permissions.
- Password: The password of a service account with the appropriate Impersonation Permissions.
- Domain: The domain name of the Exchange environment.
EWS Variables
The following fields are needed if EWS is the chosen authentication method:
- Exchange Server URL: This is an EWS Exchange URL within the domain that is used to test authentication to EWS. This can be any valid URL within the on-premise Microsoft Exchange environment. The "find server URL based on email address" option should be deselected.
- Username: The username of a service account with the appropriate Impersonation permissions.
- Password: The password of a service account with the appropriate Impersonation permissions.
- Domain: The domain name of the Exchange environment.
NTLM Configuration
Before beginning the NTLM configuration, decide whether Autodiscover or EWS will be used. Once a method is confirmed, follow the steps for either Autodiscover or EWS shown below.
Autodiscover Option Instructions
Log in to the Exchange Administrative Console. Select Servers from the left and highlight Virtual Directories. Choose Autodiscover and click to access the configuration page.
Check Integrated Windows Authentication and disable all other options. Click Save.
Once complete, repeat the process on all Exchange Servers if necessary.
Log in to the new Exchange Connector. For Autodiscover, the checkbox needs to be selected. Complete the appropriate fields and click Test Connection.
After success is confirmed, the new Exchange Connector configuration can be downloaded to the following directory: C:\Sites\<Connector Installation Directory>\bin. There, you will be required to overwrite the existing Site.config file with the one being downloaded.
EWS Option Instructions
Log in to the Exchange Administrative Console. Select Servers from the left and highlight Virtual Directories. Choose EWS and click to access the configuration page.
Check Integrated Windows Authentication and disable all other options. Click Save.
Once complete, repeat the process on all Exchange Servers if necessary.
Note: Before configuring the Exchange Connector with NTLM, it is best to test against EWSEditor. This is a Microsoft tool and is useful in verifying NTLM functionality as well as verifying that Basic Authentication is disabled. To start, load EWSEditor and, under Tools, select EWS POST as shown below.
Enter the necessary credentials, including the proper Autodiscover URL. Click Run in the top right corner.
Verify that the response returned is OK. This confirms that NTLM is configured.
Next verify that Basic Authentication is disabled.
Basic Authentication returns a 401 error and is disabled.
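A complementary check for this verification step, as an added Python example that is not part of the original guide or of the Connector: it parses the WWW-Authenticate headers that an unauthenticated request to the EWS or Autodiscover URL gets back and flags any scheme other than Negotiate or NTLM. The function names, the sample header values and the host name mail.example.test are constructed for illustration.

```python
import re

# Integrated Windows Authentication is advertised by IIS as Negotiate and/or NTLM.
ALLOWED = {"negotiate", "ntlm"}
# A bare token starts a challenge; elements like realm="x" are its parameters.
_SCHEME = re.compile(r"^([!#$%&'*+.^_`|~0-9A-Za-z-]+)(?:\s+(?![\s=])|$)")

def split_outside_quotes(value):
    """Split a header value on commas that are not inside a quoted string."""
    parts, buf, quoted, escaped = [], [], False, False
    for ch in value:
        if escaped:
            escaped = False
        elif ch == "\\" and quoted:
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            parts.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]

def offered_schemes(values):
    """Lower-cased schemes found in one or more WWW-Authenticate header values."""
    parts = [p for v in values for p in split_outside_quotes(v)]
    return {m.group(1).lower() for m in map(_SCHEME.match, parts) if m}

def audit(status, values):
    """Classify the response to an unauthenticated EWS or Autodiscover request."""
    if status != 401:
        return "unexpected: status %d, endpoint did not demand authentication" % status
    schemes = offered_schemes(values)
    extra = sorted(schemes - ALLOWED)
    if extra:
        return "fail: also offers " + ", ".join(extra)
    if not schemes & ALLOWED:
        return "fail: neither Negotiate nor NTLM offered"
    return "ok: only " + ", ".join(sorted(schemes))

# Constructed sample header values, not captured from a real server.
HARDENED = ["Negotiate", "NTLM"]
LEGACY = ['Negotiate, NTLM, Basic realm="mail.example.test, internal"']

if __name__ == "__main__":
    for name, headers in (("hardened", HARDENED), ("legacy", LEGACY)):
        print(name, "->", audit(401, headers))
```

Run it against the headers from each Exchange Server in turn, since the virtual directory settings are applied per server.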
Once the new settings are saved, the Website will display NTLM as the configuration. Be sure that the license key is obtained and configured along with the NTLM settings.