Yes - it's only for testing; not as a permanent solution. If it makes the OCS client work, then you know the problem. -----Original Message----- From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones Sent: Tuesday, May 13, 2008 6:41 AM To: isapros@xxxxxxxxxxxxx Subject: [isapros] Re: Weird KCD-ness with Exchange 2007/OCS 2007 Ok, will give that a go...however, this will break my Outlook Anywhere access and re-introduce the prompt into Outlook - yes? -----Original Message----- From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison Sent: 13 May 2008 14:06 To: isapros@xxxxxxxxxxxxx Subject: [isapros] Re: Weird KCD-ness with Exchange 2007/OCS 2007 Unless the client is able to communicate with a KDC, it can't use Kerberos; no client can. Outlook uses either NTLM or Basic for RPC/HTTP and Kerberos or NTLM for MAPI. There's no benefit in trying to compare the behavior of these clients; other than the fact that they both abuse HTTP (as does TSG), they're wildly different. Change the ISA web listener to use Basic auth and see if things improve for the OCS client. -----Original Message----- From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones Sent: Tuesday, May 13, 2008 12:44 AM To: isapros@xxxxxxxxxxxxx Subject: [isapros] Re: Weird KCD-ness with Exchange 2007/OCS 2007 Talking about the client... -----Original Message----- From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison Sent: 13 May 2008 00:54 To: isapros@xxxxxxxxxxxxx Subject: [isapros] Re: Weird KCD-ness with Exchange 2007/OCS 2007 Are you describing the client or the server? When ISA is configured to delegate using <auth_protoocol>, it sends these credentials without being asked for them (no anonymous requests). When you configure ISA for KCD, it sends a Negotiate header, which includes a GssAPI blob that contains an OID representing "Kerberos". -----Original Message----- From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones Sent: Monday, May 12, 2008 4:29 PM To: isapros@xxxxxxxxxxxxx Subject: [isapros] Re: Weird KCD-ness with Exchange 2007/OCS 2007 From what I have read, Office Communicator uses Kerberos first, then NTLM. I think this is often called "negotiate" and I think this is the default for Outlook 2007 too. OCS logs are pretty useless and don't even seem to cover the autodiscover bit, just the SIP stuff :( Yep, same domain (Exchange too). -----Original Message----- From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison Sent: 13 May 2008 00:15 To: isapros@xxxxxxxxxxxxx Subject: [isapros] Re: Weird KCD-ness with Exchange 2007/OCS 2007 Since the delegation is KCD, the OCS server must use Windows Integrated auth; is this configured? What do you find in the OCS logs? Do the OCS and ISA reside in the same domain? Jim -----Original Message----- From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones Sent: Monday, May 12, 2008 3:39 PM To: isapros@xxxxxxxxxxxxx Subject: [isapros] Weird KCD-ness with Exchange 2007/OCS 2007 Hi, As per normal, I am a little stuck with a weird problem of reasonable complexity and wondering if anyone can help... We have Exchange 2007 published via ISA Server 2006, using a dedicated Windows Integrated listener which in turn uses KCD to provide a seamless authentication experience for Outlook Anywhere users in the field on domain member laptops (using cached credentials). Exchange autodiscovery is fully configured and all aspects of Outlook work (OOF, OAB etc.) are working just fine. Outlook Autodiscovery tests make all the right noises too... So, we recently deployed OCS 2007 which now uses the autodiscovery services of Exchange 2007 to find the Exchange 2007 web services (EWS) - this negates the need to run Outlook on the desktop but still have OCS/Exchange integration...here's the rub, although Outlook 2007 is totally happy and provides a seamless login, the Office Communicator client doesn't and just provides a password prompt which cannot be satisfied with any credential combination... As part of the testing, I disabled ISA pre-auth and allowed a connection direct to the back end using "no delegation, client may authenticate with backed" etc. AND THIS WORKS, so the problem must lie with authentication between the OCS client and ISA or somehow with KCD... The ISA logs show both Exchange/OCS client using the same ISA rule for autodiscovery and both logs show the correct 'domain\user' value...all OCS communications are SSL forced, so this makes netmon/wireshark stuff hard to do... At first I was guessing it most be an OCS client problem/bug, but disabling ISA pre-auth gets things working, so now I am not so sure :-( Ideas on troubleshooting or any pointers??? Cheers all... JJ ________________________________ This email and any files transmitted with it are confidential and intended solely for the use of the individual to whom it is addressed. If you have received this email in error, or if you believe this email is unsolicited and wish to be removed from any future mailings, please contact our Support Desk immediately on 01202 360360 or email helpdesk@xxxxxxxxxxxxxxxxx If this email contains a quotation then unless otherwise stated it is valid for 7 days and offered subject to Silversands Professional Services Terms and Conditions, a copy of which is available on request. Any pricing information, design information or information concerning specific Silversands' staff contained in this email is considered confidential or of commercial interest and exempt from the Freedom of Information Act 2000. Any view or opinions presented are solely those of the author and do not necessarily represent those of Silversands Silversands Limited, 3 Albany Park, Cabot Lane, Poole, BH17 7BX. Company Registration Number : 2141393. This email and any files transmitted with it are confidential and intended solely for the use of the individual to whom it is addressed. If you have received this email in error, or if you believe this email is unsolicited and wish to be removed from any future mailings, please contact our Support Desk immediately on 01202 360360 or email helpdesk@xxxxxxxxxxxxxxxxx If this email contains a quotation then unless otherwise stated it is valid for 7 days and offered subject to Silversands Professional Services Terms and Conditions, a copy of which is available on request. Any pricing information, design information or information concerning specific Silversands' staff contained in this email is considered confidential or of commercial interest and exempt from the Freedom of Information Act 2000. Any view or opinions presented are solely those of the author and do not necessarily represent those of Silversands Silversands Limited, 3 Albany Park, Cabot Lane, Poole, BH17 7BX. Company Registration Number : 2141393. This email and any files transmitted with it are confidential and intended solely for the use of the individual to whom it is addressed. If you have received this email in error, or if you believe this email is unsolicited and wish to be removed from any future mailings, please contact our Support Desk immediately on 01202 360360 or email helpdesk@xxxxxxxxxxxxxxxxx If this email contains a quotation then unless otherwise stated it is valid for 7 days and offered subject to Silversands Professional Services Terms and Conditions, a copy of which is available on request. Any pricing information, design information or information concerning specific Silversands' staff contained in this email is considered confidential or of commercial interest and exempt from the Freedom of Information Act 2000. Any view or opinions presented are solely those of the author and do not necessarily represent those of Silversands Silversands Limited, 3 Albany Park, Cabot Lane, Poole, BH17 7BX. Company Registration Number : 2141393. This email and any files transmitted with it are confidential and intended solely for the use of the individual to whom it is addressed. If you have received this email in error, or if you believe this email is unsolicited and wish to be removed from any future mailings, please contact our Support Desk immediately on 01202 360360 or email helpdesk@xxxxxxxxxxxxxxxxx If this email contains a quotation then unless otherwise stated it is valid for 7 days and offered subject to Silversands Professional Services Terms and Conditions, a copy of which is available on request. Any pricing information, design information or information concerning specific Silversands' staff contained in this email is considered confidential or of commercial interest and exempt from the Freedom of Information Act 2000. Any view or opinions presented are solely those of the author and do not necessarily represent those of Silversands Silversands Limited, 3 Albany Park, Cabot Lane, Poole, BH17 7BX. Company Registration Number : 2141393.