This is something I beat my head against the wall over for 2 weeks….. and I nearly gave up.

The Problem:

Ok, so I had a client that recently migrated Active Directory for…… from one domain to another and from Microsoft Windows Server 2003 32bit (on the primary DC) to Microsoft Windows Server 2008 64bit.  This was not an easy task, to say the least.  Nonetheless, we completed our objective and then began tackling the Exchange server migration.  The mail server was also migrated to Server 2008 and Exchange 2007.  This of course means that all the user workstations and such had to be migrated to the new domain and be able to talk to the new mail server.  I’ll spare all the intricacies and details and focus on the main problem I just solved:

There is a mixture of both Outlook 2003 and Outlook 2007…. and we HAD to enable Outlook Anywhere (RPC over HTTPS) per the customer’s request.  Now at first, this doesn’t seem like too big of a deal.  And when it comes to Outlook 2007, it’s really fairly straightforward.  There are several articles, including Microsoft Knowledge Base articles, about configuring Outlook Anywhere via GPO using the appropriate administrative template and the Office Administration Templates for Group Policy.  However, there IS NO administrative template for Outlook Anywhere (RPC over HTTPS) for Outlook 2003…… or at least not one that I could find anywhere.  Microsoft does not appear to have made one.  In short, you can configure all the necessary settings via GPO when dealing with Outlook 2007 clients, but not for Outlook 2003.

The Solution:

I set out to solve this problem via GPO but there just isn’t a way to do this via GPO, except to define a logon script.  After much research and digging I was able to find a few registry values that pertained to RPC over HTTPS.  Eventually I spent some time using Regmon to capture registry changes made by Outlook.  I discovered that all the values of interest are stored here:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a

You’ll notice the root is HKEY_CURRENT_USER, which means these settings are applied on a per-user basis.  If the user’s local Outlook profile has not yet been set up, then this key will not exist.  The idea here was to configure one user, then export the necessary registry values and create a script that could import them for everyone else.

This was a tricky task because all the values that needed changing were not given identifiable names like “AuthenticationType”.  They are given names like “00036627” instead.  Almost all the values were of type REG_BINARY (hex) too, so everything is basically encoded.

So here are the keys that you will need to change:
00036623 (REG_BINARY) = Enables/Disables the “Connect using HTTP” box.
001f6622 (REG_BINARY) = Sets the address for the first text box labelled as https://
001f6625 (REG_BINARY) = Sets the address for the second text box labelled as “Principal name for proxy server”
00036627 (REG_BINARY) = Sets the authentication type.  (01000000 = Basic, 02000000 = NTLM)
00036601 (REG_BINARY) = Sets cached Exchange mode.  (84010000 = Enabled.  84050000 = Enabled with public folders/favorites.  04000000 = Disabled.)
001e6608 (REG_SZ) = Stores the TCP/IP address, the NetBIOS computer name, or the DNS FQDN used to create the initial profile.
001e6602 (REG_SZ) = Stores the NetBIOS computer name where the mailbox is located.

I CANNOT STRESS THIS ENOUGH:
It is imperative to manually configure a client first…. then export the keys to get the correct values.
Once you have the right values, you can import a .reg file using a script deployed via GPO or you can just code your script to write the values directly to the registry.  This way you only have to configure one client and then the rest of your clients can be configured automatically.
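
Because the exported values are opaque hex, it is worth decoding the export before it goes into a logon script for every user. The following Python check is an added example, not part of the original post: it reads the text of a .reg export and reports the proxy address, authentication type and cached mode using the labels listed above. It assumes the 001f values are NUL-terminated UTF-16LE strings, and the sample data (mail.example.com, MAILSRV01) is constructed.

```python
import re

# Labels from the value list above, keyed by the bytes as regedit shows them.
AUTH = {"01000000": "Basic", "02000000": "NTLM"}
CACHED = {"84010000": "Enabled", "04000000": "Disabled",
          "84050000": "Enabled with public folders/favorites"}

# Constructed sample, in the format regedit writes when exporting the profile key.
SAMPLE = r'''
"001f6622"=hex:6d,00,61,00,69,00,6c,00,2e,00,65,00,78,00,61,00,6d,00,70,00,\
  6c,00,65,00,2e,00,63,00,6f,00,6d,00,00,00
"00036627"=hex:01,00,00,00
"00036601"=hex:84,01,00,00
"001e6602"="MAILSRV01"
'''

VALUE = re.compile(r'^"([0-9a-f]{8})"=(?:hex:([0-9a-f,]*)|"(.*)")\s*$', re.I | re.M)

def parse_reg_values(text):
    """Return {value name: bytes (REG_BINARY) or str (REG_SZ)} from export text."""
    text = re.sub(r"\\\r?\n\s*", "", text)   # join lines continued with a backslash
    out = {}
    for m in VALUE.finditer(text):
        name, hexdata, string = m.group(1).lower(), m.group(2), m.group(3)
        out[name] = string if hexdata is None else bytes.fromhex(hexdata.replace(",", ""))
    return out

def decode(name, raw):
    if isinstance(raw, str):            # REG_SZ (001e....) is already text
        return raw
    if name.startswith("001f"):         # assumption: NUL-terminated UTF-16LE text
        return raw.decode("utf-16-le").rstrip("\x00")
    return raw.hex()                    # 0003....: compare as the hex listed above

def review(text):
    """Summarise what an export would apply, with warnings worth a second look."""
    v = {n: decode(n, r) for n, r in parse_reg_values(text).items()}
    report = {"proxy_address": v.get("001f6622"), "proxy_principal": v.get("001f6625"),
              "auth": AUTH.get(v.get("00036627"), "unknown"),
              "cached_mode": CACHED.get(v.get("00036601"), "unknown"),
              "mailbox_server": v.get("001e6602"), "warnings": []}
    if report["auth"] == "Basic":
        report["warnings"].append("Basic auth: password goes to the proxy, protected only by TLS")
    if "unknown" in (report["auth"], report["cached_mode"]):
        report["warnings"].append("value missing or not in the list above; re-export it")
    return report

if __name__ == "__main__":
    for key, value in review(SAMPLE).items():
        print(f"{key}: {value}")
```

A real export is a UTF-16 file, so read it with `open(path, encoding="utf-16")` before passing the text to `review`.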

Hope this helps!