Jozef Woo
asked on
Credential pop-ups after moving mailbox from 2010 to 2016
Hi
Situation:
- Exchange 2010 & 2016 coexistence. Outlook Anywhere is enabled on both with NTLM
- webmail.domain.com is configured as the CAS namespace (for all virtual directories on 2016)
- https://autodiscover.domain.local/autodiscover.autodiscover.xml is configured as the SCP (external autodiscover is not used)
- DNS points for both of the above URLs to Exchange 2016
When moving mailboxes from 2010 to 2016 the following happens:
For an Outlook 2010 user:
- User gets a popup saying the administrator has made a change and Outlook needs to be restarted
- User restarts Outlook (and sometimes gets the same popup again and then restarts Outlook again)
- User gets a credential popup. If you click cancel, another popup appears:
"Allow this website to configure test2010@domain.com server settings?"
https://autodiscover.domain.com/autodiscover/autodiscover.xml
As you can see, Outlook 2010 is looking for autodiscover.domain.com, and that's probably because the SCP lookup fails.
If I do an Outlook Autoconfiguration test, it fails. The SCP lookup keeps giving a 302 redirect.
This seems to be the issue described here:
https://support.microsoft.com/en-us/help/3097392/outlook-logon-fails-after-mailbox-moves-from-exchange-2010-to-exchange-2013-or-exchange-2016
I can do a recycle of those AppPools and then it does seem to work for some Outlook 2010 clients BUT almost every other Outlook 2010 client in the company (even from people who are not moved yet) will give a popup that the administrator has made a change and that Outlook needs to be restarted.
Then, for Outlook 2013 clients, recycling the AppPool doesn't work at all. They keep getting the credential popup. I can create a new profile for them and then Outlook connects but if I then restart Outlook again, there is again a popup for credentials.
Also, Test E-mail autoconfiguration works fine for them.
For those Outlook 2013 users, I tried adding the following registry key "MapiHttpDisabled" and then both their old and their new Outlook profile work without any popups! However, when I check the connection status, it still shows HTTP for the protocol, which means to me that they are still using MAPI over HTTP protocol, right?
Also, when I check the IIS Logs, I only see calls on MAPI protocol, even for those users where I added the registry key:
2017-06-08 09:27:25 10.132.33.12 POST /mapi/emsmdb/
For now we are adding the registry key for all the 2013 users as it seems to be a workaround but it doesn't feel like a good solution:
- MapiHttp is the protocol of the future so I don't want to disable it
- The registry key doesn't seem to completely disable it, because users still seem to be connected via MapiHttp (according to connection status and IIS logs). Does this key do something else as well?
- It doesn't solve the problem of having to restart the AppPools for 2010 users.
The following are things I tried already:
- Check OAB settings on the database: they are correctly configured
- In IIS change Windows Authentication providers of the Autodiscover, EWS and OAB virtual directory to only NTLM (I also simply tried moving NTLM to the top and leaving Negotiate). I tried this on both servers
- I enabled Kernel-mode authentication on Autodiscover virtual directory for Windows Authentication
- I added the Negotiate:Kerberos provider to the mapi virtual directory on Exchange 2016
- I added the autodiscover and webmail URL to the trusted sites in Internet Explorer
- There is no proxy server enabled
None of these seems to make a difference. Sometimes, changing these settings gave popups for users that didn't have problems.
Any other suggestions?
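The question turns on two things Outlook does on its own: it reads the Autodiscover URL from a service connection point (SCP) in Active Directory, and then it talks to that URL. The following is an added example (not code from the thread or from Microsoft) that reproduces both steps so the 302 can be seen without an Outlook client. It assumes Windows PowerShell 5.1 on a domain-joined workstation; the keyword GUID is the one Outlook searches for, and the function names are mine.

```powershell
# Added example (not from the thread): reproduce Outlook's SCP lookup against AD and
# probe the Autodiscover endpoint for the 302 redirect the question describes.
# Assumes: Windows PowerShell 5.1 on a domain-joined workstation, run as a domain user.

# Keyword GUID that Outlook uses to find Autodiscover service connection points in AD.
$AutodiscoverScpKeyword = '77378F46-2C66-4aa9-A6A6-3E7A48B19596'

function Get-AutodiscoverScp {
    # Every Client Access server registers its own SCP under the Configuration partition;
    # this lists them all, so you can see whether an old 2010 entry is still being offered.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = $rootDse.Properties['configurationNamingContext'][0]
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$configNc"
    $searcher.Filter = "(&(objectClass=serviceConnectionPoint)(keywords=$AutodiscoverScpKeyword))"
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('cn', 'servicebindinginformation', 'whencreated'))
    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            Server      = $r.Properties['cn'][0]
            Url         = $r.Properties['servicebindinginformation'][0]
            WhenCreated = $r.Properties['whencreated'][0]
        }
    }
}

function Test-AutodiscoverEndpoint {
    param([Parameter(Mandatory)][string]$Url)
    # An unauthenticated GET is enough to classify the endpoint: a healthy Autodiscover
    # vdir answers 401 (auth challenge), while a 301/302 shows the redirect and its target.
    # -MaximumRedirection 0 makes PowerShell 5.1 surface the redirect as a WebException
    # whose Response still carries the status code and Location header.
    try {
        $resp = Invoke-WebRequest -Uri $Url -Method Get -MaximumRedirection 0 -UseBasicParsing -ErrorAction Stop
        [pscustomobject]@{ Url = $Url; Status = [int]$resp.StatusCode; Location = $null }
    } catch [System.Net.WebException] {
        $r = $_.Exception.Response
        if ($null -eq $r) { throw }   # DNS, TLS or connection failure: no HTTP response at all
        [pscustomobject]@{
            Url      = $Url
            Status   = [int]$r.StatusCode
            Location = $r.Headers['Location']   # where a 301/302 is sending the client
        }
    }
}

# Usage: show what Outlook would find in AD, then probe each URL it could pick.
Get-AutodiscoverScp | Format-Table -AutoSize
Get-AutodiscoverScp | ForEach-Object { Test-AutodiscoverEndpoint -Url $_.Url } | Format-Table -AutoSize
```

If the list contains more than one SCP, check which server each belongs to: a client that picks up a 2010 server's SCP for a mailbox that now lives on 2016 follows a different path than one that goes straight to the 2016 namespace, and the Location value tells you where the redirect is pointing.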
ASKER
Hi, thanks for the suggestion. I also tried that unfortunately. Forgot to mention it.
ASKER
The output of Get-MapiVirtualDirectory is the following:
Get-MAPIVirtualDirectory | fl servername, *url*, *auth*
InternalUrl : https://webmail.domain.com/mapi
ExternalUrl : https://webmail.domain.com/mapi
IISAuthenticationMethods : {Ntlm}
InternalAuthenticationMethods : {Ntlm}
ExternalAuthenticationMethods : {Ntlm}
The latest patches have been deployed. The Outlook version is 15.0.4927.1001
Additional information: if I disable MAPI/HTTP for a user via Set-CasMailbox then the credential popups disappear after restarting outlook.
Disable MAPI over HTTP on Exchange 2016 server
Set-OrganizationConfig -MapiHttpEnabled $False
OR
Configure it correctly
https://technet.microsoft.com/en-us/library/mt634322(v=exchg.160).aspx
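"Disable it" and "configure it correctly" are decisions about the same three settings, so it helps to see them side by side. The following is an added example (not code from the thread or from Microsoft) that reports where MAPI/HTTP is switched on or off: at the organization level, on the server's mapi virtual directory and Outlook Anywhere settings, per mailbox, and in the per-user registry value the asker mentioned. The server part assumes an Exchange 2016 Management Shell (the cmdlets and properties are standard ones); the client part assumes it runs on the Outlook workstation as the affected user; the function names are mine.

```powershell
# Added example (not from the thread): one report for every place MAPI/HTTP can be
# enabled or disabled. Assumes an Exchange 2016 Management Shell for the server and
# mailbox functions, and the user's own session on the workstation for the client one.

function Get-MapiHttpServerReport {
    param([string]$Server = $env:COMPUTERNAME)
    $org  = Get-OrganizationConfig
    $mapi = Get-MapiVirtualDirectory -Server $Server
    $oa   = Get-OutlookAnywhere -Server $Server
    [pscustomobject]@{
        Server                      = $Server
        OrgMapiHttpEnabled          = $org.MapiHttpEnabled              # the org-wide switch
        MapiInternalUrl             = $mapi.InternalUrl
        MapiExternalUrl             = $mapi.ExternalUrl
        MapiIISAuth                 = ($mapi.IISAuthenticationMethods -join ',')
        MapiInternalAuth            = ($mapi.InternalAuthenticationMethods -join ',')
        MapiExternalAuth            = ($mapi.ExternalAuthenticationMethods -join ',')
        OutlookAnywhereInternalHost = $oa.InternalHostname
        OutlookAnywhereInternalAuth = $oa.InternalClientAuthenticationMethod
        OutlookAnywhereIISAuth      = ($oa.IISAuthenticationMethods -join ',')
    }
}

function Get-MapiHttpMailboxReport {
    param([Parameter(Mandatory)][string[]]$Identity)
    # Get-CASMailbox shows MapiHttpEnabled as blank when the mailbox inherits the
    # organization setting; $true/$false means someone set a per-mailbox override.
    $orgEnabled = (Get-OrganizationConfig).MapiHttpEnabled
    foreach ($id in $Identity) {
        $cas = Get-CASMailbox -Identity $id
        [pscustomobject]@{
            Mailbox   = $cas.Identity
            Override  = $cas.MapiHttpEnabled
            Effective = if ($null -eq $cas.MapiHttpEnabled) { $orgEnabled } else { $cas.MapiHttpEnabled }
        }
    }
}

function Get-OutlookMapiHttpClientSetting {
    # HKCU\Software\Microsoft\Exchange\MapiHttpDisabled = 1 is the per-user value the
    # asker added; it only exists if someone created it, so a missing value is normal.
    $key = 'HKCU:\Software\Microsoft\Exchange'
    $val = (Get-ItemProperty -Path $key -Name MapiHttpDisabled -ErrorAction SilentlyContinue).MapiHttpDisabled
    [pscustomobject]@{
        RegistryValue    = "$key\MapiHttpDisabled"
        Value            = $val
        MapiHttpDisabled = ($val -eq 1)
    }
}

# Usage (server names and mailbox are placeholders):
# Get-MapiHttpServerReport -Server EXCH2016-01 | Format-List
# Get-MapiHttpMailboxReport -Identity 'test2010@domain.com' | Format-Table -AutoSize
# Get-OutlookMapiHttpClientSetting
```

The useful comparison is the Effective column against the IIS log entries the asker quoted: a mailbox whose effective value is $true will keep producing /mapi/emsmdb/ requests whatever the workstation's registry says once a profile has already negotiated MAPI/HTTP, which is consistent with what the asker observed after adding the key.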
I'm not a DNS expert but I had an on-prem to Office 365 Exchange and had a heck of a time getting the autodiscover to work, turns out the local DNS needed to be updated to autodiscover.outlook.com. Not sure if this will help or not.
ASKER
Hi Naveen, thanks for your input. Disabling is a good workaround indeed. But what do you mean by "configure it correctly"? I have configured it with the same CAS Namespace URL as the rest of the webservices and I have set it to NTLM (which should be the correct config?).
ASKER
Hi Lisa, thanks for your help. The autodiscover is currently configured with a CNAME to the 2016 server FQDN. That should be fine I think.
The below article will tell you all about MAPI over HTTP. Please go through it.
https://blogs.technet.microsoft.com/exchange/2014/05/09/outlook-connectivity-with-mapi-over-http/
And also instead of CNAME create a HOST A record and point autodiscover to public IP of Exchange 2016 server. Point all traffic for port 443 to Exchange 2016 server. The request will be proxied to Exchange 2010 mailbox.
And also instead of CNAME create a HOST A record and point autodiscover to public IP of Exchange 2016 server.
It should have these records in place.
A record mail.emaildomain.com in your internal DNS which points to the internal IP of Exchange 2016.
A record autodiscover.emaildomain.com in your internal DNS which points to the internal IP of Exchange 2016.
A record mail.emaildomain.com in your external DNS which points to the external/public IP.
A record autodiscover.emaildomain.com in your external DNS which points to the external/public IP.
Please check steps 1 to 3 in the below article to configure these.
https://www.experts-exchange.com/articles/29662/Exchange-2013-Fix-for-an-Invalid-certificate-and-related-issues.html
The request will be proxied to Exchange 2010 mailbox.
Your Exchange 2010 users will connect to the Exchange 2010 server directly from the internal network. Do not confuse this with Exchange 2016, as Exchange 2016 is unaware of MAPI/TCP. Your CAS array/CAS server records should be the same as before and should be different from the common name for Exchange 2010 users to work without issue.
ASKER
Hi, thanks all for your responses. I see you all recommend an A record but what would be the difference? Internally I am using a CNAME that points to my server FQDN while I have an A record for my server FQDN that points to the IP address? CNAME should be supported for autodiscover as far as I know or am I wrong?
There is a valid A record for autodiscover in my public DNS.
Please note that Outlook Anywhere is not used externally. Outlook clients are only allowed to connect on the internal network.
It works either way as long as the name resolves to the Exchange server IP.
Do you still have the auth issue?
ASKER
The name resolves correctly. It's weekend now so I don't get a lot of feedback from users but I'm suspecting that disabling MapiHttp on organization level has "solved" the problem for now.
Outlook repeatedly prompting for a password can have several causes:
- Outlook is configured to prompt you for credentials
- Incorrect password cached in credential storage
- Required Authentication Settings for outgoing server and incoming server
- Outlook Anywhere is not configured to use NTLM Authentication
- Corrupt Outlook profile
- Slow or unstable network connection
- Antivirus programs
- Shared calendars
Reference: https://social.technet.microsoft.com/Forums/en-US/dff92319-5424-4e26-a1d9-c693b0e87567/microsoft-outlook-2016-keeps-asking-for-a-password?forum=outlook
The similar threads below, with solutions suggested by experts, might help you:
https://social.technet.microsoft.com/Forums/windows/en-US/ead5d052-83fd-4d35-8ed9-5ef81eed264f/credential-popups-after-moving-mailbox-from-2010-to-2016?forum=Exch2016SD
https://serverfault.com/questions/854631/credential-pop-ups-after-moving-mailbox-from-2010-to-2016
Hope this helps!
@Jozef Woo
I'd appreciate it if you could confirm the answer.
MAS
ASKER
Hi,
The problem is not really resolved. As said, disabling the MapiHttp protocol does prevent popups from appearing but since MapiHttp is the default, more efficient and the protocol of the future for Exchange, it's really not recommended to disable it.
I have also contacted Microsoft Partner Support and they suggested the following resolution, which I can only try on the 19th of July (so please keep the question open for now, thanks!):
__________________________
"Please use the following command to set the AuthenticationMethods of the mapi virtual directory, since I found that your authentication method is NTLM.
Set-MapiVirtualDirectory -Identity "mapi (Default Web Site)" -IISAuthenticationMethods Negotiate,NTLM,OAuth
In addition, please check the mapi (Default Web Site) and make sure Windows Auth is enabled, and check mapi (Exchange Back End) and make sure Anonymous authentication is enabled.
If the issue persists, please try to remove and recreate the Mapi Virtual Directory according to the following commands:
Remove-MapiVirtualDirectory -Identity "EXCH1\mapi (Default Web Site)"
New-MapiVirtualDirectory -Server exch1 -InternalUrl https://exch1.contoso.com -IISAuthenticationMethods Ntlm, OAuth, Negotiate
Remove-MapiVirtualDirectory
https://technet.microsoft.com/en-us/library/dn595083%28v=exchg.160%29.aspx?f=255&MSPPError=-2147217396
New-MapiVirtualDirectory
https://technet.microsoft.com/en-us/library/dn595081(v=exchg.160).aspx"
__________________________
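The support engineer's checklist touches two layers that are easy to get out of step: the Exchange-level IISAuthenticationMethods on the mapi virtual directory, and the IIS authentication modules (and provider order) actually configured on the front-end "Default Web Site" and the back-end "Exchange Back End" copies of that directory. The following is an added example (not code from the thread or from Microsoft) that reads both layers into one report so the state can be recorded before and after a change such as the Set-MapiVirtualDirectory command above. It assumes an elevated Exchange 2016 Management Shell on the server with the WebAdministration module available; the IIS site and section paths are the standard ones, and the function names are mine.

```powershell
# Added example (not from the thread): audit authentication on the mapi virtual
# directory at the IIS layer (front end and back end) and at the Exchange layer.
# Assumes: elevated Exchange 2016 Management Shell on the server, WebAdministration module present.
Import-Module WebAdministration

function ConvertTo-IisBool {
    # Get-WebConfigurationProperty returns a ConfigurationAttribute (with .Value) in some
    # versions and a bare [bool] in others; accept both.
    param($Item)
    if ($Item -is [bool]) { return $Item }
    return [bool]$Item.Value
}

function Get-MapiVdirIisAuth {
    param([string[]]$SitePath = @('IIS:\Sites\Default Web Site\mapi', 'IIS:\Sites\Exchange Back End\mapi'))
    $auth = 'system.webServer/security/authentication'
    foreach ($p in $SitePath) {
        $win  = Get-WebConfigurationProperty -PSPath $p -Filter "$auth/windowsAuthentication"   -Name enabled
        $kern = Get-WebConfigurationProperty -PSPath $p -Filter "$auth/windowsAuthentication"   -Name useKernelMode
        $anon = Get-WebConfigurationProperty -PSPath $p -Filter "$auth/anonymousAuthentication" -Name enabled
        # Providers are offered to the client in the order they appear here.
        $prov = Get-WebConfiguration -PSPath $p -Filter "$auth/windowsAuthentication/providers/add" |
                ForEach-Object { $_.value }
        [pscustomobject]@{
            Path        = $p
            WindowsAuth = ConvertTo-IisBool $win
            KernelMode  = ConvertTo-IisBool $kern
            Anonymous   = ConvertTo-IisBool $anon
            Providers   = ($prov -join ',')
        }
    }
}

function Get-MapiVdirExchangeAuth {
    param([string]$Server = $env:COMPUTERNAME)
    # Exchange's own view of the same directory; this is what Set-MapiVirtualDirectory changes.
    Get-MapiVirtualDirectory -Server $Server | Select-Object Server, InternalUrl, ExternalUrl,
        @{ n = 'IISAuth';      e = { $_.IISAuthenticationMethods      -join ',' } },
        @{ n = 'InternalAuth'; e = { $_.InternalAuthenticationMethods -join ',' } },
        @{ n = 'ExternalAuth'; e = { $_.ExternalAuthenticationMethods -join ',' } }
}

function Get-MapiAuthAudit {
    param([string]$Server = $env:COMPUTERNAME)
    # Combined snapshot; pipe to Export-Clixml to keep a before/after record of a change.
    [pscustomobject]@{
        Server   = $Server
        Exchange = Get-MapiVdirExchangeAuth -Server $Server
        Iis      = Get-MapiVdirIisAuth
    }
}

# Usage:
# Get-MapiVdirIisAuth | Format-Table -AutoSize
# Get-MapiVdirExchangeAuth | Format-List
# Get-MapiAuthAudit | Export-Clixml -Path "$env:TEMP\mapi-auth-before.xml"
```

Keeping the exported snapshot matters here because the asker reported that earlier provider changes produced new popups for users who had none; a before/after diff makes it possible to revert exactly, and the Providers column shows whether a change to IISAuthenticationMethods actually reached IIS or is still waiting on an app pool recycle.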
Please post the screenshot if you still have issues.
If solved please share the solution.
ASKER
Hi Mas, thank you for the follow-up. I will provide feedback on the 19th of July as I have an appointment set to troubleshoot the issue further then.
ASKER CERTIFIED SOLUTION
ASKER
It's the only thing that helped.
1. Control Panel -> Credential Manager.
2. Locate the set of credentials that has Outlook in the name. Click the name to expand the set of credentials, and then click Remove from Vault.
3. Repeat step 2 for any additional sets of credentials that have the word Outlook in the name
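The same clean-up can be done from a script when more than a handful of workstations are affected. The following is an added example (not code from the thread) that lists the stored credentials whose target name contains "Outlook" by parsing the output of the built-in cmdkey.exe, and removes them only when you ask it to. It assumes it runs in the affected user's own session (Credential Manager is per user) and that, for deleting, the target name cmdkey expects is the part after "target=" in its own listing, which is an assumption I make here; run it with -WhatIf first to see exactly what would be removed.

```powershell
# Added example (not from the thread): scripted equivalent of the Credential Manager steps.
# Assumes: runs as the affected user on the workstation; cmdkey.exe is built into Windows.

function Get-StoredCredentialTarget {
    param([string]$Pattern = 'Outlook')
    # cmdkey /list prints one block per credential, each starting with a "Target:" line
    # followed by "Type:" and "User:" lines; collect them into objects.
    $entry = $null
    foreach ($line in (& cmdkey.exe /list)) {
        if ($line -match '^\s*Target:\s*(.+?)\s*$') {
            if ($entry) { [pscustomobject]$entry }
            $entry = [ordered]@{ Target = $Matches[1]; Type = $null; User = $null }
        } elseif ($entry -and $line -match '^\s*Type:\s*(.+?)\s*$') {
            $entry.Type = $Matches[1]
        } elseif ($entry -and $line -match '^\s*User:\s*(.+?)\s*$') {
            $entry.User = $Matches[1]
        }
    }
    if ($entry) { [pscustomobject]$entry }
}

function Remove-StoredCredentialTarget {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Pattern = 'Outlook')
    $matching = Get-StoredCredentialTarget | Where-Object { $_.Target -match $Pattern }
    foreach ($c in $matching) {
        # Assumption: the listing shows "<type>:target=<name>" and /delete wants <name>.
        $name = $c.Target -replace '^[^:]+:target=', ''
        if ($PSCmdlet.ShouldProcess($c.Target, 'cmdkey /delete')) {
            & cmdkey.exe "/delete:$name" | Out-Null
        }
    }
    return $matching   # what was (or, with -WhatIf, would have been) removed
}

# Usage:
# Get-StoredCredentialTarget | Where-Object Target -match 'Outlook' | Format-Table -AutoSize
# Remove-StoredCredentialTarget -WhatIf
# Remove-StoredCredentialTarget -Verbose
```

After removal Outlook prompts once and stores a fresh credential; if the prompt keeps returning after that, the stale-credential explanation does not apply and the server-side checks earlier in the thread are the place to look.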