Avatar of Jozef Woo
Jozef WooFlag for Belgium

asked on 

Credential pop-ups after moving mailbox from 2010 to 2016



- Exchange 2010 & 2016 coexistence. Outlook Anywhere is enabled on both with NTLM

- webmail.domain.com is configured as the CAS namespace (for all virtual directories on 2016)

- https://autodiscover.domain.local/autodiscover.autodiscover.xml  is configured as the SCP (external autodiscover is not used)

- DNS points for both of the above URLs to Exchange 2016

When moving mailboxes from 2010 to 2016 the following happens:

For an Outlook 2010 user:

- User gets a popup saying the administrator has made a change and Outlook needs to be restarted

- User restarts Outlook (and sometimes gets the same popup again and then restarts Outlook again)

- Users gets a credential popup. If you click cancel there is another popup which appears:

"Allow this website to configure test2010@domain.com server settings?"


As you can see, Outlook 2010 is looking for autodiscover.domain.com and that's probably because SCP lookup fails.

If I do an Outlook Autoconfiguration test, it fails. The SCP lookup keeps giving a 302 redirect.

This seems to be the issue described here:


I can do a recycle of those AppPools and then it does seem to work for some Outlook 2010 clients BUT almost every other Outlook 2010 client in the company (even from people who are not moved yet) will give a popup that the administrator has made a change and that Outlook needs to be restarted.

Then, for Outlook 2013 clients, recycling the AppPool doesn't work at all. They keep getting the credential popup. I can create a new profile for them and then Outlook connects but if I then restart Outlook again, there is again a popup for credentials.

Also, Test E-mail autoconfiguration works fine for them.

For those Outlook 2013 users, I tried adding the following registry key "MapiHttpDisabled" and then both their old and their new Outlook profile work without any popups! However, when I check the connection status, it still shows HTTP for the protocol, which means to me that they are still using MAPI over HTTP protocol, right?

Also, when I check the IIS Logs, I only see calls on MAPI protocol, even for those users where I added the registry key:

2017-06-08 09:27:25 POST /mapi/emsmdb/

For now we are adding the registry key for all the 2013 users as it seems to be a workaround but it doesn't feel like a good solution:

- MapiHttp is the protocol of the future so I don't want to disable it

- The registry doesn't seem to completely disable it because users still seem to be connected via MapiHttp (according to connection status and IIS logs)??? Does this key do something else as well?

- It doesn't solve the problem of having the restart the AppPools for 2010 users.

The following are things I tried already:

- Check OAB settings on the database: they are correctly configured

- In IIS change Windows Authentication providers of the Autodiscover, EWS and OAB virtual directory to only NTLM (I also simply tried moving NTLM to the top and leaving Negotiate). I tried this on both servers

-  I enabled Kernel-mode authentication on Autodiscover virtual directory for Windows Authentication

- I added the Negotiate:Kerberos provider to the mapi virtual directory on Exchange 2016

- I added the autodiscover and webmail URL to the trusted sites in Internet Explorer

- There is no proxy server enabled

None of these seems to make a difference. Sometimes, changing these settings gave popups for users that didn't have problems.

Any other suggestions?
ExchangeEmail ServersWindows Server 2012

Avatar of undefined
Last Comment
Jozef Woo
Avatar of Raheman M. Abdul
Raheman M. Abdul
Flag of United Kingdom of Great Britain and Northern Ireland image

have you tried to clear the local cached credentials from the Credential manager on user's PC?
1.      Control Panel -> Credential Manager.
2.      Locate the set of credentials that has Outlook in the name. Click the name to expand the set of credentials, and then click Remove from Vault.
3.      Repeat step 2 for any additional sets of credentials that have the word Outlook in the name
Avatar of Jozef Woo
Jozef Woo
Flag of Belgium image


Hi, thanks for the suggestion. I also tried that unfortunately. Forgot to mention it.
Avatar of Jozef Woo
Jozef Woo
Flag of Belgium image


The output of Get-MapiVirtualDirectory is the following:

Get-MAPIVirtualDirectory | fl servername, *url*, *auth*

InternalUrl                   : https://webmail.domain.com/mapi
ExternalUrl                   : https://webmail.domain.com/mapi
IISAuthenticationMethods      : {Ntlm}
InternalAuthenticationMethods : {Ntlm}
ExternalAuthenticationMethods : {Ntlm}

The latest patches have been deployed. The Outlook version is 15.0.4927.1001

Additional information: if I disable MAPI/HTTP for a user via Set-CasMailbox then the credential popups disappear after restarting outlook.
Disable MAPI over HTTP on Exchange 2016 server

Set-OrganizationConfig -MapiHttpEnabled $False


Configure it correctly

I'm not a DNS expert but I had an on-prem to Office 365 Exchange and had a heck of a time getting the autodiscover to work, turns out the local DNS needed to be updated to autodiscover.outlook.com. Not sure if this will help or not.
Avatar of Jozef Woo
Jozef Woo
Flag of Belgium image


Hi Naveen, thanks for your input. Disabling is a good workaround indeed. But what do you mean by "configure it correctly"? I have configured it with the same CAS Namespace URL as the rest of the webservices and I have set it to NTLM (which should be the correct config?).
Avatar of Jozef Woo
Jozef Woo
Flag of Belgium image


Hi Lisa, thanks for your help. The autodiscover is currently configured with a CNAME to the 2016 server FQDN. That should be fine I think.
The below article will tell you all about Map over Http.. Please go through it.


And also instead of CNAME create a HOST A record and point autodiscover to public IP of Exchange 2016 server. Pint all traffic for port 443 to Exchange 2016 server. The request will be proxied to Exchange 2010 mailbox.
Avatar of M A
Flag of United States of America image

And also instead of CNAME create a HOST A record and point autodiscover to public IP of Exchange 2016 server.
It should have these records in place.
A record mail.emaildomain.com in your internal DNS which points to internal IP of Exchange 2016.
A record autodiscover.emaildomain.com in your internal DNS which points to internal IP of Exchange 2016.
A record mail.emaildomain.com in your external DNS which points to external/public IP..
A record autodiscover.emaildomain.com in your external DNS which points to external/public IP.
Please check steps 1 to 3 in the below article to configure these.
The request will be proxied to Exchange 2010 mailbox.
You Exchange 2010 users will connect to Exchange2010 server directly from internal network. Do not make confusion to Exchange2016 as Exchange2016 is unaware of MAPI/TCP. Your CAS array/CAS server records should be same as before and it should be different from commonname for Exchange 2010 users to work without issue.
Avatar of Jozef Woo
Jozef Woo
Flag of Belgium image


Hi, thanks all for your responses. I see you all recommend an A record but what would be the difference? Internally I am using a CNAME that points to my server FQDN while I have an A record for my server FQDN that points to the IP address? CNAME should be supported for autodiscover as far as I know or am I wrong?

There is a valid A record for autodiscover in my public DNS.

Please note that Outlook Anywhere is not used externally. Outlook clients are only allowed to connect on the internal network.
Avatar of M A
Flag of United States of America image

It works either way as long as name resolves to the exchange server IP.
You still have auth issue?
Avatar of Jozef Woo
Jozef Woo
Flag of Belgium image


The name resolves correctly. It's weekend now so I don't get a lot of feedback from users but I'm suspecting that disabling MapiHttp on organization level has "solved" the problem for now.
Avatar of Ajit Singh
Ajit Singh
Flag of India image

Outlook keeps prompting for password could be caused by several reasons:

- Outlook is configured to prompt you for credentials
- Incorrect password cached in credential storage
- Required Authentication Settings for outgoing server and incoming server
- Outlook Anywhere is not configured to use NTLM Authentication
- Corrupt Outlook profile
- Slow or unstable network connection
- Antivirus programs
- Shared calendars

Reference: https://social.technet.microsoft.com/Forums/en-US/dff92319-5424-4e26-a1d9-c693b0e87567/microsoft-outlook-2016-keeps-asking-for-a-password?forum=outlook

Get help from below similar threads having suggested solutions by experts might helps you:



Hope this helps!
Avatar of M A
Flag of United States of America image

@Jozef Wu
Appreciate if you confirm the answer.

Avatar of Jozef Woo
Jozef Woo
Flag of Belgium image



The problem is not really resolved. As said, disabling the MapiHttp protocol does prevent popups from appearing but since MapiHttp is the default, more efficient and the protocol of the future for Exchange, it's really not recommended to disable it.

I have also contacted Microsoft Partner Support and they suggested the following resolution, which I can only try on the 19th of July (so please keep the question open for now thanks!!):


"Please use the following command to set the AuthenticationMethods of mapivirtualdirectory since I found that your authentication methods is NTLM.
Set-MapiVirtualDirectory -Identity “mapi (Default Web Site)” -IISAuthenticationMethods Negotiate,NTLM,OAuth
In addition, please check the mapi (Default Web Site) and make sure Windows Auth is enabled and mapi (Exchange Back End) and make sure the Anonymous authentication is enabled.
If the issue persist, please try to remove and recreate the Mapi Virtual Directoryaccording to the following command:
Remove-MapiVirtualDirectory -Identity "EXCH1\mapi (Default Web Site)”
New-MapiVirtualDirectory -Server exch1 -InternalUrl https://exch1.contoso.com -IISAuthenticationMethods Ntlm, OAuth, Negotiate

Avatar of M A
Flag of United States of America image

Please post the screenshot if you still have issues.
If solved please share the solution.
Avatar of Jozef Woo
Jozef Woo
Flag of Belgium image


Hi Mas, thank you for the follow-up. I will provide feedback on the 19th of July as I have an appointment set to troubleshoot the issue further then.
Avatar of Jozef Woo
Jozef Woo
Flag of Belgium image

Blurred text
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
Avatar of Jozef Woo
Jozef Woo
Flag of Belgium image


It's the only thing that helped.

Exchange is the server side of a collaborative application product that is part of the Microsoft Server infrastructure. Exchange's major features include email, calendaring, contacts and tasks, support for mobile and web-based access to information, and support for data storage.

Top Experts
Get a personalized solution from industry experts
Ask the experts
Read over 600 more reviews


IBM logoIntel logoMicrosoft logoUbisoft logoSAP logo
Qualcomm logoCitrix Systems logoWorkday logoErnst & Young logo
High performer badgeUsers love us badge
LinkedIn logoFacebook logoX logoInstagram logoTikTok logoYouTube logo