How to Enable Integrated Authentication for Outlook RPC/HTTP Clients to Prevent Authentication Prompts with 2006 ISA Firewalls

From Jim Harrison and confirmed by Jason Jones:

No; I’m saying that if CIO-JerkyBoy is intent on a no-prompt user experience, Amy will have to:

  1. configure his OL to use NTLM (you probably overlooked this one) and point it to the oa.domain.tld listener
  2. create two listeners for Exch; one for OA and another to support FBA / Basic
  3. create separate DNS records for the two listeners (yes; now they have to use “oa.domain.tld” and “EveryFreakinOtherExchServiceCuzTheCioIsAJerkyBoy.domain.tld”)
  4. configure the OA ISA listener for Integrated authentication
  5. configure the non-OA listener for FBA
  6. build two rules appropriate to the two listeners and point them both to the same Exchange CAS or farm

For detailed instructions on how to configure KCD with an Exchange 2003 in a FE/BE configuration:

You can use that information to configure your Exchange 2007 CAS configuration, the general principles are the same. Or maybe you can wait to the Exchange Team puts out guidance, but don’t hold your breath 🙂

For more information on how to set SPNs in an environment that differs from my example network in the KCD article I wrote, check out Stefaan Pouseele’s article at:



Thomas W Shinder, M.D.


Email: [email protected]

MVP — Microsoft Firewalls (ISA)

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top