- You are using Basic authentication to the proxy server for Exchange.
- You are using NTLM authentication to the proxy server for Exchange, but Windows does not automatically send the NTLM challenge/response data. Windows does not do this because the older LANMAN challenge/response password is included in the authentication data.
Note Exchange Remote Connectivity Analyzer is a Web-based troubleshooting and diagnostic tool that helps identify the point of failure for Internet-based Exchange Server client connectivity scenarios. The tool simulates all the activities a client must be able to perform to connect, and then isolates the exact point of failure. Frequently, it will point out known configuration issues and provide suggested steps for resolution. The connectivity testing across the Internet (from outside your organization) is performed by a Web site hosted in a Microsoft datacenter.
Identifying a solution
Basic authentication
If you want to use Basic authentication, you must continue to type your user account credentials. There is no way for the client to submit your user name and password automatically. If you want to log on automatically, you must configure your Outlook profile to use NTLM authentication to the proxy server for Exchange.
Before you switch to NTLM authentication, you must verify with your administrator that NTLM authentication is permitted or even possible in your environment. Many firewalls and proxy servers will prevent successful NTLM authentication, whereas Basic authentication will work successfully. See the More Information section for additional details.
Note The authentication mechanism that you configure in Outlook is used only for the HTTP session to the proxy server for Exchange. The actual authentication between Outlook and your Exchange server always uses NTLM. See the More Information section for additional details.
To change the authentication mechanism on the Outlook client to NTLM, follow these steps:
- Start Outlook 2003.
- On the Tools menu, click E-mail Accounts.
- Click View or change existing e-mail accounts, and then click Next.
- Under Outlook processes e-mail for these accounts in the following order, click Microsoft Exchange Server, and then click Change.
- On the Exchange Server Settings page, click More Settings.
- Click the Connection tab.
- Click Exchange Proxy Settings.
- Under Proxy authentication settings, click NTLM Authentication in the Use this authentication when connecting to my proxy server for Exchange list.
- Click OK two times.
- Click OK again in response to the prompt that you must restart Outlook for the changes to take effect.
- Click Next, and then click
- Restart Outlook.
NTLM authentication
You notice that your account is configured to use NTLM authentication and that you are still prompted for your user name and password when you are logged on as the Windows account that has access to your Exchange mailbox. In this situation, you must set LmCompatibilityLevel on the client to a value of 2 or 3. To do this, follow these steps.
Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
- Click Start, click Run, type regedit in the Open box, and then press ENTER.
- Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\
- In the pane on the right side, double-click
- In the Value data box, type a value of 2 or 3 that is appropriate for your environment, and then click
- Exit Registry Editor.
- Restart your computer.
You must sometimes use Basic authentication because NTLM authentication will fail if the proxy server for Exchange does not trust the authentication information. This issue can be caused by firewalls that examine the HTTP traffic and change it in some way. For example, a firewall may end the session from the Internet and establish a new session to the proxy server for Exchange instead of passing the HTTPS (SSL) session straight through without modification. This process is sometimes known as reverse proxying or Web publishing. Certain firewalls such as Microsoft Internet Security and Acceleration (ISA) Server 2004 can successfully reverse proxy or Web publish the session and still enable NTLM authentication to succeed. Basic authentication is not affected by this process and will work regardless of firewalls. However, if you use Basic authentication, this means that you must type your user name and password every time that you start an Outlook session.
LmCompatibilityLevel settings
The LmCompatibilityLevel registry entry can be configured by using the following values:
- LmCompatibilityLevel value of 0: Send LAN Manager (LM) response and NTLM response; never use NTLM version 2 (NTLMv2) session security. Clients use LM and NTLM authentication, and never use NTLMv2 session security; domain controllers accept LM, NTLM, and NTLMv2 authentication.
- LmCompatibilityLevel value of 1: Use NTLMv2 session security, if negotiated. Clients use LM and NTLM authentication, and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.
- LmCompatibilityLevel value of 2: Send NTLM response only. Clients use only NTLM authentication, and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.
- LmCompatibilityLevel value of 3: Send NTLMv2 response only. Clients use NTLMv2 authentication, and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.
- LmCompatibilityLevel value of 4: (Server Only) - Domain controllers refuse LM responses. Clients use NTLM authentication, and use NTLMv2 session security if the server supports it; domain controllers refuse LM authentication, and accept NTLM and NTLMv2 authentication.
- LmCompatibilityLevel value of 5: (Server Only) - Domain controllers refuse LM and NTLM responses, and accept only NTLMv2 responses. Clients use NTLMv2 authentication, and use NTLMv2 session security if the server supports it; domain controllers refuse NTLM and LM authentication, and accept only NTLMv2 authentication.
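The registry steps in the NTLM authentication section and the value list above, scripted in PowerShell as an added example that is not part of the original article: it reads LmCompatibilityLevel from the Lsa subkey, reports whether the client still includes the LM response, and can set the value to 2 or 3. The function and variable names are hypothetical.

```powershell
# Added example (not from the original article). Run from an elevated prompt.
# Function and variable names are illustrative.
$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'LmCompatibilityLevel'

# Client-side behaviour for each level, summarised from the list above.
$ClientBehaviour = @{
    0 = 'LM and NTLM responses; never NTLMv2 session security'
    1 = 'LM and NTLM responses; NTLMv2 session security if negotiated'
    2 = 'NTLM response only'
    3 = 'NTLMv2 response only'
    4 = 'Server only: domain controllers refuse LM'
    5 = 'Server only: domain controllers accept only NTLMv2'
}

function Get-LmCompatibilityLevel {
    # Returns the configured DWORD, or $null when the value is absent
    # (in which case the operating system default applies).
    $prop = Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }
    return [int]$prop.$ValueName
}

function Get-LmCompatibilityReport {
    $level = Get-LmCompatibilityLevel
    if ($null -eq $level) {
        $behaviour = 'Value not set; operating system default applies'
        $sendsLm   = $null
    } else {
        $behaviour = $ClientBehaviour[$level]
        $sendsLm   = ($level -le 1)   # levels 0 and 1 include the LM response
    }
    [pscustomobject]@{ Level = $level; Behaviour = $behaviour; SendsLmResponse = $sendsLm }
}

function Set-LmCompatibilityLevel {
    # Restricted to 2 or 3, the client values the article recommends.
    param([Parameter(Mandatory)][ValidateRange(2, 3)][int]$Level)
    $before = Get-LmCompatibilityLevel
    if ($null -eq $before) { $before = '(not set)' }
    # -Force creates the DWORD or overwrites an existing value.
    New-ItemProperty -Path $LsaKey -Name $ValueName -PropertyType DWord `
        -Value $Level -Force | Out-Null
    "$ValueName changed from $before to $Level; restart the computer to apply."
}

Get-LmCompatibilityReport | Format-List
# Set-LmCompatibilityLevel -Level 3   # run only after confirming with your administrator
```

A report showing SendsLmResponse as True corresponds to the condition described at the top of this article, where Windows does not automatically send the NTLM challenge/response data.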