If you use only basic authentication and the EWS endpoint is configured to allow NTLM authentication, ensure that the SEG version is 2.9.0.1 and validate the remove.unsupported.auth.for.ews configuration in SEG using the following procedure:

Procedure

  1. Navigate to the SEG > Configuration folder using File Explorer.
  2. Select the application.properties file and open it for editing.
  3. If NTLM authentication is enabled on Exchange, check that the remove.unsupported.auth.for.ews value is true, because SEG does not support NTLM connection persistence. If there is no entry for remove.unsupported.auth.for.ews, the SEG version is not 2.9.0.1. Ensure the SEG version is 2.9.0.1.
  4. Verify the SEG version and save the file.

Results

In the SEG application.properties file, set remove.unsupported.auth.for.ews=true to remove the unsupported WWW-Authenticate headers from the EWS response sent to the ENS through SEG. The NTLM and Negotiate headers are removed from the EWS response. SEG does not support NTLM, which requires connection persistence. The Negotiate WWW-Authenticate header is removed in the absence of a valid client certificate, that is, when the userPrincipalName (UPN) is null. In the absence of Kerberos authentication, the Negotiate header can be treated as NTLM authentication.
Note: If you enable both basic and Kerberos authentication and the client fails to present a valid client certificate, the SEG removes the Negotiate header and requests you to authenticate using basic authentication. In such scenarios, the client is forced to use basic authentication only. If the client does not have basic authentication configured, the client fails to receive a successful response. When the client presents a valid certificate, the SEG generates a Kerberos token and proceeds with the Negotiate authentication.
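
The header handling described in Results and the Note, modelled in Python as an added example (it is not SEG code and not part of the original documentation). The function names, the sample file content and the host and user names are constructed; treating a missing or false flag as "no headers stripped" and comparing the value case-insensitively are assumptions.

```python
import re
from typing import List, Optional

FLAG = "remove.unsupported.auth.for.ews"
# key, optional '=' or ':' separator, value; lines starting with '#' or '!' are comments
_ENTRY = re.compile(r"^\s*([^\s=:#!][^\s=:]*)\s*[=:]?\s*(.*?)\s*$")

# Constructed sample of an application.properties file (not a real SEG file).
SAMPLE_PROPERTIES = """\
# constructed sample
some.other.setting = value
remove.unsupported.auth.for.ews=true
"""

def read_flag(properties_text: str) -> Optional[bool]:
    """Return the flag's value, or None when the entry is absent
    (per the page, absence means the SEG version is not 2.9.0.1)."""
    value = None
    for line in properties_text.splitlines():
        m = _ENTRY.match(line)
        if m and m.group(1) == FLAG:
            value = m.group(2).lower() == "true"  # later entries override earlier ones
    return value

def filter_challenges(challenges: List[str], flag: Optional[bool],
                      upn: Optional[str]) -> List[str]:
    """Model which WWW-Authenticate values from EWS reach the client."""
    if not flag:
        return list(challenges)  # assumption: nothing is stripped unless the flag is true
    kept = []
    for challenge in challenges:
        scheme = challenge.split(None, 1)[0].lower() if challenge.strip() else ""
        if scheme == "ntlm":
            continue  # NTLM connection persistence is not supported by SEG
        if scheme == "negotiate" and not upn:
            continue  # no valid client certificate, so the UPN is null
        kept.append(challenge)
    return kept

if __name__ == "__main__":
    ews = ["Negotiate", "NTLM", 'Basic realm="mail.example.test"']  # constructed
    flag = read_flag(SAMPLE_PROPERTIES)
    print("flag:", flag)
    print("no certificate:   ", filter_challenges(ews, flag, None))
    print("valid certificate:", filter_challenges(ews, flag, "user@example.test"))
    print("no cert, no Basic:", filter_challenges(ews[:2], flag, None))
```

The last case returns an empty list, which corresponds to the situation in the Note where a client without basic authentication configured cannot receive a successful response.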