At work, people were using VPN to access their email out of the office, but I have always thought that logging into a corporate network via VPN for most users is an extra hassle that they could probably do without. I had considered setting up RPC over HTTPS for Exchange 2003 but during a meeting regarding disaster recovery it became evident it was actually now a necessity. So, after configuring the server for RPC-HTTPS I had the small problem of deploying the settings to Outlook clients en masse.
I had already used a KiXtart logon script to configure 'Cached Mode' for my Outlook 2003/7 clients by modifying some HKCU registry keys for users, as described in the post 'Regkey to enable & disable Outlook 2003 cached mode'.
After setting up an Outlook client in VMware Workstation I configured RPC-HTTPS and exported the regkey from the post above (see below for the key.) A fresh install of Outlook with a clean profile and the above key imported revealed that the settings for RPC-HTTPS are stored in the same place as those in the post for enabling cached mode. A combination of changing the values in Outlook and using Regmon allowed me to narrow down exactly what each registry value is used for and the data that each value needs to contain (the data for each registry value is stored as type REG_BINARY which as hexadecimal is unreadable.)
Here is an outline of the registry key and each value with my own description:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\(profilename)\13dbb0c8aa05101a9bb000aa002fc45a
00036623 = Enables 'Connect to Microsoft Exchange using HTTP' as well as 'On fast/slow networks...'
00036627 = Sets the proxy server authentication type (data: 01000000 -> Basic, 02000000 -> NTLM)
001f6622 = Sets the 'proxy server for Exchange' (https://) text box
001f6625 = Sets the 'this principal name' text box
One other registry key I had to set (as per KB820281) to stop clients being prompted for a username/password was:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
lmcompatibilitylevel = 3
I amended my KiXtart login script as follows with the new registry keys, values and their data. The next time users logged on they were connected using RPC over HTTPS:
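; Level 3 = send NTLMv2 responses only. Writing under HKLM needs administrative rights. $rc keeps return codes off the logon screen.
$rc = WRITEVALUE("HKLM\SYSTEM\CurrentControlSet\Control\Lsa", "lmcompatibilitylevel", "3", "REG_DWORD")
; Enable 'Connect to Microsoft Exchange using HTTP' and the fast/slow network options
$rc = WRITEVALUE("HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a", "00036623", "2b000000", "REG_BINARY")
; Proxy server authentication type: NTLM
$rc = WRITEVALUE("HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a", "00036627", "02000000", "REG_BINARY")
; 'Proxy server for Exchange' text box (xxxx = your own data as hexadecimal)
$rc = WRITEVALUE("HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a", "001f6622", "xxxx", "REG_BINARY")
; Principal name text box (xxxx = your own data as hexadecimal)
$rc = WRITEVALUE("HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a", "001f6625", "xxxx", "REG_BINARY")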
You can verify that users are connected using RPC over HTTPS by holding down CTRL and SHIFT on the keyboard and using the mouse to right-click the system tray icon. Click on the 'Connection Status...' option and you will see that the 'Conn' column displays multiple connections of type: HTTPS.
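The following Python helper is an added example, not part of the original script: it builds the hexadecimal REG_BINARY data for the four profile values and decodes an exported key to check it against what the logon script deploys. It assumes that value names starting with 0003 hold a 32-bit little-endian integer and names starting with 001f hold null-terminated UTF-16LE text; mail.example.com and the msstd: principal name are constructed sample data.

```python
import struct

AUTH_SCHEMES = {1: "Basic", 2: "NTLM"}  # 00036627 data values listed in the post

def encode_value(name, value):
    """Build the hex string to pass as REG_BINARY data for a profile value."""
    if name.startswith("0003"):      # assumed: 32-bit little-endian integer
        return struct.pack("<I", value).hex()
    if name.startswith("001f"):      # assumed: UTF-16LE text plus a null terminator
        return (value + "\0").encode("utf-16-le").hex()
    raise ValueError(f"unsupported value name: {name}")

def decode_value(name, hexdata):
    """Turn exported REG_BINARY hex (plain or comma-separated) into an int or str."""
    raw = bytes.fromhex(hexdata.replace(",", "").replace(" ", ""))
    if name.startswith("0003"):
        if len(raw) != 4:
            raise ValueError(f"{name}: expected 4 bytes, got {len(raw)}")
        return struct.unpack("<I", raw)[0]
    if name.startswith("001f"):
        return raw.decode("utf-16-le").rstrip("\0")
    raise ValueError(f"unsupported value name: {name}")

def audit_profile(values, expected_proxy):
    """Return findings where an exported profile differs from the deployed settings."""
    findings = []
    scheme = decode_value("00036627", values["00036627"])
    if AUTH_SCHEMES.get(scheme) != "NTLM":
        findings.append(f"proxy auth is {AUTH_SCHEMES.get(scheme, scheme)}, not NTLM")
    proxy = decode_value("001f6622", values["001f6622"])
    if proxy.lower() != expected_proxy.lower():
        findings.append(f"unexpected proxy server: {proxy}")
    if not decode_value("001f6625", values.get("001f6625", "")):
        findings.append("no principal name set")
    return findings

# Constructed sample export: placeholder host name, Basic auth to trigger a finding.
SAMPLE = {
    "00036623": "2b000000",
    "00036627": encode_value("00036627", 1),
    "001f6622": encode_value("001f6622", "mail.example.com"),
    "001f6625": encode_value("001f6625", "msstd:mail.example.com"),
}

if __name__ == "__main__":
    print(encode_value("001f6622", "mail.example.com"))
    for finding in audit_profile(SAMPLE, "mail.example.com"):
        print("FINDING:", finding)
```
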