I just recently implemented EX2013 in an existing organization with EX2010. Client access has been repointed to the EX2013 server, and Outlook, ActiveSync, OWA, etc. for user mailboxes on both EX2013 and EX2010. I have a TMG proxying external connections to EX2013.
I am currently finishing up the implementation, and in testing the Apps for Office, I am running into authentication issues. In OWA, I can use the Apps without issue (such as Bing Maps) from both internal and external clients. But in Outlook 2013, I am receiving prompts for credentials when trying to open the Apps from within a message (both internally and externally).
When trying to use an App in a message, I am first prompted for credentials as in the screenshot below:
After entering in my credentials and clicking OK, I am then prompted again for credentials. This time I noticed the credential prompt indicates IE requesting them.
I get the prompt from IE about 10 times, but if I keep hitting OK, the App finally loads as you would expect. I have referenced the blog regarding publishing EX2013 through TMG and specifically addressing the authentication for Apps for Office (http://blogs.technet.com/b/exchange/archive/2012/11/21/publishing-exchange-server-2013-using-tmg.aspx), but still no luck. This actually happens both internally as well as externally, and when watching the TMG server, I can see the traffic to the Exchange Server pass through unhindered.
OWA is published using FBA on the TMG and delegating Basic back to EX2013.
OA is published using Basic on the TMG and delegating Basic back to EX2013.
On EX2013, running Get-OwaVirtualDirectory -Server EX2013 | fl *auth* I get the following:
ClientAuthCleanupLevel : High
InternalAuthenticationMethods : {Basic}
BasicAuthentication : True
WindowsAuthentication : False
DigestAuthentication : False
FormsAuthentication : False
LiveIdAuthentication : False
AdfsAuthentication : False
OAuthAuthentication : False
ExternalAuthenticationMethods : {Fba}
Running Get-WebServicesVirtualDirectory -Server EX2013 | fl *auth* I get the following:
CertificateAuthentication :
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}
LiveIdNegotiateAuthentication :
WSSecurityAuthentication : True
LiveIdBasicAuthentication : False
BasicAuthentication : True
DigestAuthentication : False
WindowsAuthentication : True
OAuthAuthentication : True
AdfsAuthentication : False
I have double and triple checked the TMG rule for Apps for Office, and the rule is configured correctly per the TechNet blog post referenced above. No other authentication issues are being experienced for any other access.
Any thoughts or ideas would be appreciated.