troubleshooting Question

Credential pop-ups after moving mailbox from 2010 to 2016

Avatar of Jozef Woo
Jozef WooFlag for Belgium asked on
ExchangeEmail ServersWindows Server 2012
19 Comments1 Solution837 ViewsLast Modified:
Hi

Situation:

- Exchange 2010 & 2016 coexistence. Outlook Anywhere is enabled on both with NTLM

- webmail.domain.com is configured as the CAS namespace (for all virtual directories on 2016)

- https://autodiscover.domain.local/autodiscover.autodiscover.xml  is configured as the SCP (external autodiscover is not used)

- DNS points for both of the above URLs to Exchange 2016

When moving mailboxes from 2010 to 2016 the following happens:

For an Outlook 2010 user:

- User gets a popup saying the administrator has made a change and Outlook needs to be restarted

- User restarts Outlook (and sometimes gets the same popup again and then restarts Outlook again)

- Users gets a credential popup. If you click cancel there is another popup which appears:

"Allow this website to configure test2010@domain.com server settings?"

https://autodiscover.domain.com/autodiscover/autodiscover.xml

As you can see, Outlook 2010 is looking for autodiscover.domain.com and that's probably because SCP lookup fails.

If I do an Outlook Autoconfiguration test, it fails. The SCP lookup keeps giving a 302 redirect.

This seems to be the issue described here:

https://support.microsoft.com/en-us/help/3097392/outlook-logon-fails-after-mailbox-moves-from-exchange-2010-to-exchange-2013-or-exchange-2016

I can do a recycle of those AppPools and then it does seem to work for some Outlook 2010 clients BUT almost every other Outlook 2010 client in the company (even from people who are not moved yet) will give a popup that the administrator has made a change and that Outlook needs to be restarted.

Then, for Outlook 2013 clients, recycling the AppPool doesn't work at all. They keep getting the credential popup. I can create a new profile for them and then Outlook connects but if I then restart Outlook again, there is again a popup for credentials.

Also, Test E-mail autoconfiguration works fine for them.

For those Outlook 2013 users, I tried adding the following registry key "MapiHttpDisabled" and then both their old and their new Outlook profile work without any popups! However, when I check the connection status, it still shows HTTP for the protocol, which means to me that they are still using MAPI over HTTP protocol, right?

Also, when I check the IIS Logs, I only see calls on MAPI protocol, even for those users where I added the registry key:

2017-06-08 09:27:25 10.132.33.12 POST /mapi/emsmdb/

For now we are adding the registry key for all the 2013 users as it seems to be a workaround but it doesn't feel like a good solution:

- MapiHttp is the protocol of the future so I don't want to disable it

- The registry doesn't seem to completely disable it because users still seem to be connected via MapiHttp (according to connection status and IIS logs)??? Does this key do something else as well?

- It doesn't solve the problem of having the restart the AppPools for 2010 users.

The following are things I tried already:

- Check OAB settings on the database: they are correctly configured


- In IIS change Windows Authentication providers of the Autodiscover, EWS and OAB virtual directory to only NTLM (I also simply tried moving NTLM to the top and leaving Negotiate). I tried this on both servers

-  I enabled Kernel-mode authentication on Autodiscover virtual directory for Windows Authentication

- I added the Negotiate:Kerberos provider to the mapi virtual directory on Exchange 2016

- I added the autodiscover and webmail URL to the trusted sites in Internet Explorer

- There is no proxy server enabled

None of these seems to make a difference. Sometimes, changing these settings gave popups for users that didn't have problems.

Any other suggestions?
ASKER CERTIFIED SOLUTION
Jozef Woo
System Engineer

Our community of experts have been thoroughly vetted for their expertise and industry experience.

Log in to continue reading
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform for $9.99/mo
View membership options
Unlock 1 Answer and 19 Comments.
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
See how we're fighting big data
The Value of Experts Exchange in My Daily IT Life

Experts Exchange (EE) has become my company's go-to resource to get answers. I've used EE to make decisions, solve problems and even save customers. OutagesIO has been a challenging project and... Keep reading >>

Mike

Owner of Outages.IO
Phoenix, Arizona, United States
Member Since 2016
Join a full scale community that combines the best parts of other tools into one platform.
Unlock 1 Answer and 19 Comments.
View membership options
“All of life is about relationships, and EE has made a virtual community a real community. It lifts everyone's boat.”
William Peck

Member since 2004