Avatar of L4d1k
L4d1kFlag for United States of America asked on

outlook 2016 keeps asking to enter login credentials

Hello,

After setting up the new exchange server 2016 as a upgrade to the existing exchange server 2010 it looks as if it was success.

Using the owa web outlook I am able to send and receive emails internally and externally as well as work with all the other functions (this includes old user mailboxes as well as migrated and newly created mailboxes).

Unfortunately when I try to connect using outlook 2016 the process detects the logged in AD user correctly, but it will not accept the login credentials (I tried different users, different login options user@domain.com or domain\user with out any luck).

I check all the DNS configurations for autodiscover and MX records and restarted the server. Unfortunately that didn't help.
There is no AV installed on servers and no firewall or VLAN between the client computer.
I am able to configure the outlook 2016 if I am connecting externally or on local LAN if I disable MAPI in registry on the client computer.
The disabled MAPI in registry allows me to use the migrated user mailbox in outlook 2016, except not without requesting to enter user credentials which will fail. Outlook will continue to function normal if I cancel the login request.

Testing outlook connectivity on exchange server 2016 using "Test-OutlookConnectity" is successful after I adjusted LmcompatibilityLevel to 2 in registry and group policy.


Are there any other ideas on what else could be the problem?

Thank you!

here are some of the links I used to troubleshoot:
https://jhmeier.com/2016/03/14/exchange-2016-and-2010-coexistenceoutook-shows-login-promt/
https://technet.microsoft.com/en-us/library/cc960646.aspx?f=255&MSPPError=-2147217396
https://www.freeviewer.org/blog/how-to-enable-rpc-over-http-in-outlook-2016/
http://techgenix.com/migrating-small-organization-exchange-2010-exchange-2016-part1/
ExchangeWindows OS

Avatar of undefined
Last Comment
L4d1k

8/22/2022 - Mon
viktor grant

Hi,

Are you trying to connect with users migrated from Exchange 2010 to Exchange 2016?

Try to connect with a user from Exchange 2016.

Cheers
SOLUTION
Valentina Perez

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
See how we're fighting big data
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
ASKER
L4d1k

Hi Viktor,
thank you for responding,

I indicated in my original post that I only have a problem with migrated users to the new exchange server 2016 and with newly created users on the new exchange 2016 server.
Existing users on the exchange 2010 server are fine if I run the outlook 2016 connection wizard.
SOLUTION
Log in to continue reading
Log In
Sign up - Free for 7 days
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
ASKER
L4d1k

Hi Valentina,

thank you for responding,

I din't try different outlook version because I don't have one installed on test computers.
I can try it later but I need to be able to use outlook 2016 eventually. ( I tried outlook 2016 on different computers with all the updates installed)
Your help has saved me hundreds of hours of internet surfing.
fblack61
ASKER
L4d1k

Hi Viktor,

yes DNS is configured to point to the new exchange server 2016 which is acting as a proxy server for the exchange 2010 server.
here is the reference I used: http://techgenix.com/migrating-small-organization-exchange-2010-exchange-2016-part1/
viktor grant

ASKER
L4d1k

Hi Viktor,

Just verified and all patches are already installed.
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
Vick Vega

Let's your existing virtual directories config in the environment:
et-OabVirtualDirectory | fl server, Name, ExternalURL, InternalURL, *auth*
Get-WebServicesVirtualDirectory | fl server, Name,ExternalURL, InternalURL, *auth*
Get-EcpVirtualDirectory | fl server, Name, ExternalURL, InternalURL, *auth*
Get-ActiveSyncVirtualDirectory | fl server, Name, ExternalURL, InternalURL, *auth*
Get-OutlookAnywhere | fl server, Name, *hostname*, *auth*
Get-OwaVirtualDirectory | fl server, Name, ExternalURL, InternalURL, *auth*
Get-ClientAccessService | fl Name,OutlookAnywhereEnabled, AutodiscoverServiceInternalUri
Get-ExchangeCertificate | fl FriendlyName, Subject, CertificateDomains, Thumbprint, Services, Issuer, *not*
Get-MapiVirtualDirectory | fl server, Name,ExternalURL,InternalURL, *auth*
Get-ClientAccessArray | fl
Get-OutlookProvider

Open in new window


Have you followed the Microsoft Exchange Server Deployment Assistant?
ASKER
L4d1k

Hi Ronin,

thank you for responding.
Here is the requested information (I replaced the domain and server names with a generic names):

[PS] C:\Windows\system32>Get-OabVirtualDirectory | fl server, Name, ExternalURL, InternalURL, *auth*


Server                        : oldexchange2010
Name                          : OAB (Default Web Site)
ExternalUrl                   :
InternalUrl                   : https://email.exchangedomain.com/oab
BasicAuthentication           : False
WindowsAuthentication         : True
OAuthAuthentication           : False
InternalAuthenticationMethods : {WindowsIntegrated}
ExternalAuthenticationMethods : {WindowsIntegrated}

Server                        : newexchange16
Name                          : OAB (Default Web Site)
ExternalUrl                   : https://email.exchangedomain.com/oab
InternalUrl                   : https://email.exchangedomain.com/oab
BasicAuthentication           : False
WindowsAuthentication         : True
OAuthAuthentication           : True
InternalAuthenticationMethods : {WindowsIntegrated, OAuth}
ExternalAuthenticationMethods : {WindowsIntegrated, OAuth}



[PS] C:\Windows\system32>Get-WebServicesVirtualDirectory | fl server, Name,ExternalURL, InternalURL, *auth*


Server                        : oldexchange2010
Name                          : EWS (Default Web Site)
ExternalUrl                   :
InternalUrl                   : https://email.exchangedomain.com/ews/exchange.asmx
CertificateAuthentication     :
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity}
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity}
LiveIdNegotiateAuthentication :
WSSecurityAuthentication      : True
LiveIdBasicAuthentication     : False
BasicAuthentication           : True
DigestAuthentication          : False
WindowsAuthentication         : True
OAuthAuthentication           : False
AdfsAuthentication            : False

Server                        : newexchange16
Name                          : EWS (Default Web Site)
ExternalUrl                   : https://email.exchangedomain.com/EWS/Exchange.asmx
InternalUrl                   : https://email.exchangedomain.com/EWS/Exchange.asmx
CertificateAuthentication     :
InternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity, OAuth}
ExternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity, OAuth}
LiveIdNegotiateAuthentication :
WSSecurityAuthentication      : True
LiveIdBasicAuthentication     : False
BasicAuthentication           : False
DigestAuthentication          : False
WindowsAuthentication         : True
OAuthAuthentication           : True
AdfsAuthentication            : False



[PS] C:\Windows\system32>Get-EcpVirtualDirectory | fl server, Name, ExternalURL, InternalURL, *auth*


Server                        : oldexchange2010
Name                          : ecp (Default Web Site)
ExternalUrl                   :
InternalUrl                   : https://email.exchangedomain.com/ecp
InternalAuthenticationMethods : {Basic, Fba, Ntlm, WindowsIntegrated}
BasicAuthentication           : True
WindowsAuthentication         : True
DigestAuthentication          : False
FormsAuthentication           : True
LiveIdAuthentication          : False
AdfsAuthentication            : False
OAuthAuthentication           : False
ExternalAuthenticationMethods : {Fba}

Server                        : newexchange16
Name                          : ecp (Default Web Site)
ExternalUrl                   : https://email.exchangedomain.com/ecp
InternalUrl                   : https://email.exchangedomain.com/ecp
InternalAuthenticationMethods : {Basic, Fba}
BasicAuthentication           : True
WindowsAuthentication         : False
DigestAuthentication          : False
FormsAuthentication           : True
LiveIdAuthentication          : False
AdfsAuthentication            : False
OAuthAuthentication           : False
ExternalAuthenticationMethods : {Fba}



[PS] C:\Windows\system32>Get-ActiveSyncVirtualDirectory | fl server, Name, ExternalURL, InternalURL, *auth*


Server                              : oldexchange2010
Name                                : Microsoft-Server-ActiveSync (Default Web Site)
ExternalUrl                         :
InternalUrl                         : https://email.exchangedomain.com/Microsoft-Server-ActiveSync
MobileClientCertificateAuthorityURL :
BasicAuthEnabled                    : True
WindowsAuthEnabled                  : False
ClientCertAuth                      : Ignore
InternalAuthenticationMethods       : {}
ExternalAuthenticationMethods       : {}

Server                              : newexchange16
Name                                : Microsoft-Server-ActiveSync (Default Web Site)
ExternalUrl                         : https://email.exchangedomain.com/Microsoft-Server-ActiveSync
InternalUrl                         : https://email.exchangedomain.com/Microsoft-Server-ActiveSync
MobileClientCertificateAuthorityURL :
BasicAuthEnabled                    : True
WindowsAuthEnabled                  : False
ClientCertAuth                      : Ignore
InternalAuthenticationMethods       : {}
ExternalAuthenticationMethods       : {}



[PS] C:\Windows\system32>Get-OutlookAnywhere | fl server, Name, *hostname*, *auth*


Server                             : oldexchange2010
Name                               : Rpc (Default Web Site)
ExternalHostname                   : email.exchangedomain.com
InternalHostname                   :
ExternalClientAuthenticationMethod : Ntlm
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods           : {Ntlm}

Server                             : newexchange16
Name                               : Rpc (Default Web Site)
ExternalHostname                   : email.exchangedomain.com
InternalHostname                   : email.exchangedomain.com
ExternalClientAuthenticationMethod : Negotiate
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods           : {Ntlm}



[PS] C:\Windows\system32>Get-OwaVirtualDirectory | fl server, Name, ExternalURL, InternalURL, *auth*


Server                        : oldexchange2010
Name                          : owa (Default Web Site)
ExternalUrl                   :
InternalUrl                   : https://email.exchangedomain.com/owa
ClientAuthCleanupLevel        : High
InternalAuthenticationMethods : {Basic, Fba, Ntlm, WindowsIntegrated}
BasicAuthentication           : True
WindowsAuthentication         : True
DigestAuthentication          : False
FormsAuthentication           : True
LiveIdAuthentication          : False
AdfsAuthentication            : False
OAuthAuthentication           : False
ExternalAuthenticationMethods : {Fba}

Server                        : newexchange16
Name                          : owa (Default Web Site)
ExternalUrl                   : https://email.exchangedomain.com/owa
InternalUrl                   : https://email.exchangedomain.com/owa
ClientAuthCleanupLevel        : High
InternalAuthenticationMethods : {Basic, Fba}
BasicAuthentication           : True
WindowsAuthentication         : False
DigestAuthentication          : False
FormsAuthentication           : True
LiveIdAuthentication          : False
AdfsAuthentication            : False
OAuthAuthentication           : False
ExternalAuthenticationMethods : {Fba}



[PS] C:\Windows\system32>Get-ClientAccessService | fl Name,OutlookAnywhereEnabled, AutodiscoverServiceInternalUri


Name                           : oldexchange2010
OutlookAnywhereEnabled         : True
AutoDiscoverServiceInternalUri : https://autodiscover.exchangedomain.com/autodiscover/autodiscover.xml

Name                           : newexchange16
OutlookAnywhereEnabled         : True
AutoDiscoverServiceInternalUri : https://autodiscover.exchangedomain.com/Autodiscover/Autodiscover.xml



[PS] C:\Windows\system32>Get-ExchangeCertificate | fl FriendlyName, Subject, CertificateDomains, Thumbprint, Services, Issuer, *not*


FriendlyName       : Microsoft Exchange Server Auth Certificate
Subject            : CN=Microsoft Exchange Server Auth Certificate
CertificateDomains : {}
Thumbprint         : 04B79D039EB22DC10D29EC62E4A388EE0BC1273D
Services           : SMTP
Issuer             : CN=Microsoft Exchange Server Auth Certificate
NotAfter           : 10/21/2022 4:42:32 PM
NotBefore          : 11/16/2017 3:42:32 PM

FriendlyName       : Microsoft Exchange
Subject            : CN=newexchange16
CertificateDomains : {newexchange16, newexchange16.lbs.lan}
Thumbprint         : B60400957B0E81511342584A45A7BDA89E0C8DCF
Services           : IIS, SMTP
Issuer             : CN=newexchange16
NotAfter           : 11/16/2022 3:40:35 PM
NotBefore          : 11/16/2017 3:40:35 PM

FriendlyName       : WMSVC-SHA2
Subject            : CN=WMSvc-SHA2-newexchange16
CertificateDomains : {WMSvc-SHA2-newexchange16}
Thumbprint         : 30E68C217E127F25F206A15D571845B6212BC156
Services           : None
Issuer             : CN=WMSvc-SHA2-newexchange16
NotAfter           : 6/26/2027 4:52:06 PM
NotBefore          : 6/28/2017 4:52:06 PM

FriendlyName       : LBS2015-18
Subject            : CN=email.exchangedomain.com, OU=Domain Control Validated
CertificateDomains : {email.exchangedomain.com, www.email.exchangedomain.com, newexchange16.exchangedomain.com, lbsdomsrv12.exchangedomain.com, lbsadm4.exchangedomain.com, autodiscover.exchangedomain.com,
                     lbsosxsrv1.exchangedomain.com, oldexchange2010.exchangedomain.com, lbscl4.exchangedomain.com, lbsts1.exchangedomain.com, lbsdom1.exchangedomain.com, lbsls5.exchangedomain.com,
                     lbsstweb1.exchangedomain.com, smtp.exchangedomain.com, moodle.exchangedomain.com}
Thumbprint         : 7036FF3E472362105976F7A3FE087172067B9836
Services           : IMAP, POP, IIS, SMTP
Issuer             : CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
NotAfter           : 8/29/2018 1:39:50 PM
NotBefore          : 8/24/2015 9:10:40 AM



[PS] C:\Windows\system32>Get-MapiVirtualDirectory | fl server, Name,ExternalURL,InternalURL, *auth*


Server                        : newexchange16
Name                          : mapi (Default Web Site)
ExternalUrl                   : https://email.exchangedomain.com/mapi
InternalUrl                   : https://email.exchangedomain.com/mapi
IISAuthenticationMethods      : {Ntlm, OAuth, Negotiate}
InternalAuthenticationMethods : {Ntlm, OAuth, Negotiate}
ExternalAuthenticationMethods : {Ntlm, OAuth, Negotiate}



[PS] C:\Windows\system32>Get-ClientAccessArray | fl
[PS] C:\Windows\system32>Get-OutlookProvider

Name Server CertPrincipalName      TTL
---- ------ -----------------      ---
EXCH                               1
EXPR        msstd:exchangedomain.com 1
WEB                                1
Vick Vega

Can you please confirm email.exchangedomain.com as well as autodiscover.exchangedomain.com AD DNS records point to Exchange 2016 IP address?
In order for Exchange 2010 to coexist with 2016 it must be patched to SP3 + with RU9.
Let's see the current patch level:
Get-ExchangeServer | fl *version*

Open in new window

Experts Exchange has (a) saved my job multiple times, (b) saved me hours, days, and even weeks of work, and often (c) makes me look like a superhero! This place is MAGIC!
Walt Forbes
ASKER
L4d1k

Hi Ronin,

yes for the DNS and yes for the SP3 + RU9 I actually have 2010 SP3 RU17       14.3.352.0
Vick Vega

Set-OutlookAnywhere -Identity "newexchange16\Rpc (Default Web Site)" -ExternalHostname webmail.remotedesk.be -ExternalClientAuthenticationMethod NTLM -InternalClientAuthenticationMethod NTLM -IISAuthenticationMethods Basic,NTLM,Negotiate
Set-OutlookAnywhere -Identity "oldexch2010\Rpc (Default Web Site)" -ExternalHostname webmail.remotedesk.be -ExternalClientAuthenticationMethod NTLM -InternalClientAuthenticationMethod NTLM -IISAuthenticationMethods Basic,NTLM

Open in new window

ASKER
L4d1k

Hi Ronin,

Thank you for the info.
I had to make some adjustments to the command and add -ExternalClientsRequireSsl:$true in order to execute it without error.
Then I restarted the exchange service using iisreset as well as restarted the server.
I tried running the outlook 2016 connection wizard on the client computer which requested the user credentials again which failed.

let me know if you have any other suggestions.
Thank you,

P.S. this is the adjusted command I executed:

Set-OutlookAnywhere -Identity "exchange16\Rpc (Default Web Site)" -ExternalHostname emai.exchangedomain.com -ExternalClientAuthenticationMethod NTLM -ExternalClientsRequireSsl:$true -InternalClientAuthenticationMethod NTLM -InternalClientsRequireSsl:$true –SSLOffloading:$false -IISAuthenticationMethods Basic,NTLM,Negotiate
Set-OutlookAnywhere -Identity "exchange10\Rpc (Default Web Site)" -ExternalHostname email.exchangedomain.com -ExternalClientAuthenticationMethod NTLM -ExternalClientsRequireSsl:$true -InternalClientAuthenticationMethod NTLM -IISAuthenticationMethods Basic,NTLM
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
Vick Vega

Set-OutlookAnywhere -Identity "exchange16\Rpc (Default Web Site)" -ExternalHostname emai.exchangedomain.com -ExternalClientAuthenticationMethod NTLM -ExternalClientsRequireSsl:$true -InternalClientAuthenticationMethod NTLM -InternalClientsRequireSsl:$true –SSLOffloading:$false -IISAuthenticationMethods Basic,NTLM,Negotiate\


Shouldn't it be email.exchangedomain.com and not emai.exchangedomain.com?


Every FQDN that you use, be it email, webmail, etc .... MUST appear in the certificate and resolvable to the internal IP of the Exchange 2016.
Please make sure that's the case.
ASKER
L4d1k

Hi Ronin,

that is a typo when I was removing the actual domain information.
Otherwise it is correct on the server and it is matching the ssl certificate.
Vick Vega

Hm ...
Try setting WindowsAuthentication  to TRUE on Exchange 2016 OWA and ECP, to match the setting on the Exchange 2010. For RPC set ExternalClientAuthenticationMethod on 2016 to NTLM to match the 2010 as well.
Perform IIS reset, allow 15-20 minutes to cache to flush on the workstation before testing.
Experts Exchange is like having an extremely knowledgeable team sitting and waiting for your call. Couldn't do my job half as well as I do without it!
James Murphy
ASKER
L4d1k

Hi Ronin,

I did as you suggested, unfortunately no change.

here is the output of the changes:

[PS] C:\Windows\system32>Get-OwaVirtualDirectory | fl server, Name, ExternalURL, InternalURL, *auth*
Creating a new session for implicit remoting of "Get-OwaVirtualDirectory" command...


Server                        : oldexchange2010
Name                          : owa (Default Web Site)
ExternalUrl                   :
InternalUrl                   : https://email.exchangedomain.com/owa
ClientAuthCleanupLevel        : High
InternalAuthenticationMethods : {Basic, Fba, Ntlm, WindowsIntegrated}
BasicAuthentication           : True
WindowsAuthentication         : True
DigestAuthentication          : False
FormsAuthentication           : True
LiveIdAuthentication          : False
AdfsAuthentication            : False
OAuthAuthentication           : False
ExternalAuthenticationMethods : {Fba}

Server                        : newexchange2016
Name                          : owa (Default Web Site)
ExternalUrl                   : https://email.exchangedomain.com/owa
InternalUrl                   : https://email.exchangedomain.com/owa
ClientAuthCleanupLevel        : High
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
BasicAuthentication           : True
WindowsAuthentication         : True
DigestAuthentication          : False
FormsAuthentication           : False
LiveIdAuthentication          : False
AdfsAuthentication            : False
OAuthAuthentication           : False
ExternalAuthenticationMethods : {Fba}

[PS] C:\Windows\system32>Get-EcpVirtualDirectory | fl server, Name, ExternalURL, InternalURL, *auth*


Server                        : oldexchange2010
Name                          : ecp (Default Web Site)
ExternalUrl                   :
InternalUrl                   : https://email.exchangedomain.com/ecp
InternalAuthenticationMethods : {Basic, Fba, Ntlm, WindowsIntegrated}
BasicAuthentication           : True
WindowsAuthentication         : True
DigestAuthentication          : False
FormsAuthentication           : True
LiveIdAuthentication          : False
AdfsAuthentication            : False
OAuthAuthentication           : False
ExternalAuthenticationMethods : {Fba}

Server                        : newexchange2016
Name                          : ecp (Default Web Site)
ExternalUrl                   : https://email.exchangedomain.com/ecp
InternalUrl                   : https://email.exchangedomain.com/ecp
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
BasicAuthentication           : True
WindowsAuthentication         : True
DigestAuthentication          : False
FormsAuthentication           : False
LiveIdAuthentication          : False
AdfsAuthentication            : False
OAuthAuthentication           : False
ExternalAuthenticationMethods : {Fba}

[PS] C:\Windows\system32>Get-OutlookAnywhere | fl server, Name, *hostname*, *auth*


Server                             : oldexchange2010
Name                               : Rpc (Default Web Site)
ExternalHostname                   : email.exchangedomain.com
InternalHostname                   :
ExternalClientAuthenticationMethod : Ntlm
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods           : {Basic, Ntlm}

Server                             : newexchange2016
Name                               : Rpc (Default Web Site)
ExternalHostname                   : email.exchangedomain.com
InternalHostname                   : email.exchangedomain.com
ExternalClientAuthenticationMethod : Ntlm
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods           : {Basic, Ntlm, Negotiate}
SOLUTION
Log in to continue reading
Log In
Sign up - Free for 7 days
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
ASKER
L4d1k

Hi Ronin,

I made the changes as you suggested.
I restarted the newexchange2016 server using IISRESET but I will have to wait to reset the oldexchange2010 server later tonight.
I will let you know if anything changes.
One question if you look at the MAPI configuration does it look correct?

thank you!

here is the updated output of the settings:

[PS] C:\Windows\system32>Get-OutlookAnywhere | fl server, Name, *hostname*, *auth*


Server                             : oldexchange2010
Name                               : Rpc (Default Web Site)
ExternalHostname                   : email.exchangedomain.com
InternalHostname                   : email.exchangedomain.com
ExternalClientAuthenticationMethod : Ntlm
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods           : {Basic, Ntlm}

Server                             : newexchange2016
Name                               : Rpc (Default Web Site)
ExternalHostname                   : email.exchangedomain.com
InternalHostname                   : email.exchangedomain.com
ExternalClientAuthenticationMethod : Ntlm
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods           : {Basic, Ntlm, Negotiate}



[PS] C:\Windows\system32>iisreset

Attempting stop...
Internet services successfully stopped
Attempting start...
Internet services successfully restarted
[PS] C:\Windows\system32>Get-OabVirtualDirectory | fl server, Name, ExternalURL, InternalURL, *auth*
Creating a new session for implicit remoting of "Get-OabVirtualDirectory" command...


Server                        : oldexchange2010
Name                          : OAB (Default Web Site)
ExternalUrl                   : https://email.exchangedomain.com/oab
InternalUrl                   : https://email.exchangedomain.com/oab
BasicAuthentication           : False
WindowsAuthentication         : True
OAuthAuthentication           : False
InternalAuthenticationMethods : {WindowsIntegrated}
ExternalAuthenticationMethods : {WindowsIntegrated}

Server                        : newexchange2016
Name                          : OAB (Default Web Site)
ExternalUrl                   : https://email.exchangedomain.com/oab
InternalUrl                   : https://email.exchangedomain.com/oab
BasicAuthentication           : False
WindowsAuthentication         : True
OAuthAuthentication           : True
InternalAuthenticationMethods : {WindowsIntegrated, OAuth}
ExternalAuthenticationMethods : {WindowsIntegrated, OAuth}



[PS] C:\Windows\system32>Get-WebServicesVirtualDirectory | fl server, Name,ExternalURL, InternalURL, *auth*


Server                        : oldexchange2010
Name                          : EWS (Default Web Site)
ExternalUrl                   : https://email.exchangedomain.com/ews/exchange.asmx
InternalUrl                   : https://email.exchangedomain.com/ews/exchange.asmx
CertificateAuthentication     :
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity}
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity}
LiveIdNegotiateAuthentication :
WSSecurityAuthentication      : True
LiveIdBasicAuthentication     : False
BasicAuthentication           : True
DigestAuthentication          : False
WindowsAuthentication         : True
OAuthAuthentication           : False
AdfsAuthentication            : False

Server                        : newexchange2016
Name                          : EWS (Default Web Site)
ExternalUrl                   : https://email.exchangedomain.com/EWS/Exchange.asmx
InternalUrl                   : https://email.exchangedomain.com/EWS/Exchange.asmx
CertificateAuthentication     :
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}
LiveIdNegotiateAuthentication :
WSSecurityAuthentication      : True
LiveIdBasicAuthentication     : False
BasicAuthentication           : True
DigestAuthentication          : False
WindowsAuthentication         : True
OAuthAuthentication           : True
AdfsAuthentication            : False



[PS] C:\Windows\system32>Get-EcpVirtualDirectory | fl server, Name, ExternalURL, InternalURL, *auth*


Server                        : oldexchange2010
Name                          : ecp (Default Web Site)
ExternalUrl                   : https://email.exchangedomain.com/ecp
InternalUrl                   : https://email.exchangedomain.com/ecp
InternalAuthenticationMethods : {Basic, Fba, Ntlm, WindowsIntegrated}
BasicAuthentication           : True
WindowsAuthentication         : True
DigestAuthentication          : False
FormsAuthentication           : True
LiveIdAuthentication          : False
AdfsAuthentication            : False
OAuthAuthentication           : False
ExternalAuthenticationMethods : {Fba}

Server                        : newexchange2016
Name                          : ecp (Default Web Site)
ExternalUrl                   : https://email.exchangedomain.com/ecp
InternalUrl                   : https://email.exchangedomain.com/ecp
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
BasicAuthentication           : True
WindowsAuthentication         : True
DigestAuthentication          : False
FormsAuthentication           : False
LiveIdAuthentication          : False
AdfsAuthentication            : False
OAuthAuthentication           : False
ExternalAuthenticationMethods : {Fba}



[PS] C:\Windows\system32>Get-ActiveSyncVirtualDirectory | fl server, Name, ExternalURL, InternalURL, *auth*


Server                              : oldexchange2010
Name                                : Microsoft-Server-ActiveSync (Default Web Site)
ExternalUrl                         : https://email.exchangedomain.com/Microsoft-Server-ActiveSync
InternalUrl                         : https://email.exchangedomain.com/Microsoft-Server-ActiveSync
MobileClientCertificateAuthorityURL :
BasicAuthEnabled                    : True
WindowsAuthEnabled                  : False
ClientCertAuth                      : Ignore
InternalAuthenticationMethods       : {}
ExternalAuthenticationMethods       : {}

Server                              : newexchange2016
Name                                : Microsoft-Server-ActiveSync (Default Web Site)
ExternalUrl                         : https://email.exchangedomain.com/Microsoft-Server-ActiveSync
InternalUrl                         : https://email.exchangedomain.com/Microsoft-Server-ActiveSync
MobileClientCertificateAuthorityURL :
BasicAuthEnabled                    : True
WindowsAuthEnabled                  : False
ClientCertAuth                      : Ignore
InternalAuthenticationMethods       : {}
ExternalAuthenticationMethods       : {}



[PS] C:\Windows\system32>Get-OutlookAnywhere | fl server, Name, *hostname*, *auth*


Server                             : oldexchange2010
Name                               : Rpc (Default Web Site)
ExternalHostname                   : email.exchangedomain.com
InternalHostname                   : email.exchangedomain.com
ExternalClientAuthenticationMethod : Ntlm
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods           : {Basic, Ntlm}

Server                             : newexchange2016
Name                               : Rpc (Default Web Site)
ExternalHostname                   : email.exchangedomain.com
InternalHostname                   : email.exchangedomain.com
ExternalClientAuthenticationMethod : Ntlm
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods           : {Basic, Ntlm, Negotiate}



[PS] C:\Windows\system32>Get-OwaVirtualDirectory | fl server, Name, ExternalURL, InternalURL, *auth*


Server                        : oldexchange2010
Name                          : owa (Default Web Site)
ExternalUrl                   : https://email.exchangedomain.com/owa
InternalUrl                   : https://email.exchangedomain.com/owa
ClientAuthCleanupLevel        : High
InternalAuthenticationMethods : {Basic, Fba, Ntlm, WindowsIntegrated}
BasicAuthentication           : True
WindowsAuthentication         : True
DigestAuthentication          : False
FormsAuthentication           : True
LiveIdAuthentication          : False
AdfsAuthentication            : False
OAuthAuthentication           : False
ExternalAuthenticationMethods : {Fba}

Server                        : newexchange2016
Name                          : owa (Default Web Site)
ExternalUrl                   : https://email.exchangedomain.com/owa
InternalUrl                   : https://email.exchangedomain.com/owa
ClientAuthCleanupLevel        : High
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
BasicAuthentication           : True
WindowsAuthentication         : True
DigestAuthentication          : False
FormsAuthentication           : False
LiveIdAuthentication          : False
AdfsAuthentication            : False
OAuthAuthentication           : False
ExternalAuthenticationMethods : {Fba}



[PS] C:\Windows\system32>Get-ClientAccessService | fl Name,OutlookAnywhereEnabled, AutodiscoverServiceInternalUri


Name                           : oldexchange2010
OutlookAnywhereEnabled         : True
AutoDiscoverServiceInternalUri : https://autodiscover.exchangedomain.com/autodiscover/autodiscover.xml

Name                           : newexchange2016
OutlookAnywhereEnabled         : True
AutoDiscoverServiceInternalUri : https://autodiscover.exchangedomain.com/Autodiscover/Autodiscover.xml



[PS] C:\Windows\system32>Get-ExchangeCertificate | fl FriendlyName, Subject, CertificateDomains, Thumbprint, Services, Issuer, *not*


FriendlyName       : Microsoft Exchange Server Auth Certificate
Subject            : CN=Microsoft Exchange Server Auth Certificate
CertificateDomains : {}
Thumbprint         : 04B79D039EB22DC10D29EC62E4A388EE0BC1273D
Services           : SMTP
Issuer             : CN=Microsoft Exchange Server Auth Certificate
NotAfter           : 10/21/2022 4:42:32 PM
NotBefore          : 11/16/2017 3:42:32 PM

FriendlyName       : Microsoft Exchange
Subject            : CN=newexchange2016
CertificateDomains : {newexchange2016, newexchange2016.domain.local}
Thumbprint         : B60400957B0E81511342584A45A7BDA89E0C8DCF
Services           : IIS, SMTP
Issuer             : CN=newexchange2016
NotAfter           : 11/16/2022 3:40:35 PM
NotBefore          : 11/16/2017 3:40:35 PM

FriendlyName       : WMSVC-SHA2
Subject            : CN=WMSvc-SHA2-newexchange2016
CertificateDomains : {WMSvc-SHA2-newexchange2016}
Thumbprint         : 30E68C217E127F25F206A15D571845B6212BC156
Services           : None
Issuer             : CN=WMSvc-SHA2-newexchange2016
NotAfter           : 6/26/2027 4:52:06 PM
NotBefore          : 6/28/2017 4:52:06 PM

FriendlyName       : LBS2015-18
Subject            : CN=email.exchangedomain.com, OU=Domain Control Validated
CertificateDomains : {email.exchangedomain.com, www.email.exchangedomain.com, newexchange2016.exchangedomain.com, lbsdomsrv12.exchangedomain.com, lbsadm4.exchangedomain.com, autodiscover.exchangedomain.com,
                     lbsosxsrv1.exchangedomain.com, oldexchange2010.exchangedomain.com, lbscl4.exchangedomain.com, lbsts1.exchangedomain.com, lbsdom1.exchangedomain.com, lbsls5.exchangedomain.com,
                     lbsstweb1.exchangedomain.com, smtp.exchangedomain.com, moodle.exchangedomain.com}
Thumbprint         : 7036FF3E472362105976F7A3FE087172067B9836
Services           : IMAP, POP, IIS, SMTP
Issuer             : CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
NotAfter           : 8/29/2018 1:39:50 PM
NotBefore          : 8/24/2015 9:10:40 AM



[PS] C:\Windows\system32>Get-MapiVirtualDirectory | fl server, Name,ExternalURL,InternalURL, *auth*


Server                        : newexchange2016
Name                          : mapi (Default Web Site)
ExternalUrl                   : https://email.exchangedomain.com/mapi
InternalUrl                   : https://email.exchangedomain.com/mapi
IISAuthenticationMethods      : {Ntlm, OAuth, Negotiate}
InternalAuthenticationMethods : {Ntlm, OAuth, Negotiate}
ExternalAuthenticationMethods : {Ntlm, OAuth, Negotiate}



[PS] C:\Windows\system32>Get-ClientAccessArray | fl
[PS] C:\Windows\system32>Get-OutlookProvider

Name Server CertPrincipalName      TTL
---- ------ -----------------      ---
EXCH                               1
EXPR        msstd:exchangedomain.com 1
WEB                                1
Vick Vega

MAPI config is correct, validate it turned on:
Get-OrganizationConfig | fl *MapiHttpEnabled*

Open in new window

Also, try to remove the Outlook EXPR provider:
Set-OutlookProvider EXPR -CertPrincipalName $null

Open in new window

Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
ASKER
L4d1k

Hi Ronin,

I had restarted the oldexchange2010 server after making all the URL changes and tried to connect outlook 2016, unfortunately the same problem continues.
the MAPI test returns as MapiHttpEnabled : True (I checked and the user has Mapi enabled as well)
I did apply the set-outlookProvider as you listed and restarted the newexchange2016 server.
Unfortunately no change.

Let me know if you have any other suggestions.
Thank you!
ASKER
L4d1k

I have additional information which I collected using "Microsoft Connectivity Analyzer Tool" downloaded from testconnectivity.microsoft.com under client/ more tools

this is the result:

Screen-Shot-2017-11-28-at-10.34.26-A.pngScreen-Shot-2017-11-28-at-10.37.13-A.png
If I run the same test on a user computer connected externally the connection test will pass just fine.
Vick Vega

It's quite an interesting issue, really ...
Can you please post the results of: (as with every other Exchange-related command, run it on the highest Exchange version available, e.g Exchange 2016)
Get-OrganizationConfig | fl

Open in new window

All of life is about relationships, and EE has made a viirtual community a real community. It lifts everyone's boat
William Peck
ASKER
L4d1k

Yes it is quite a interesting issue,

At this point I am testing anything and everything.

here is the output:

[PS] C:\Windows\system32>Get-OrganizationConfig | fl
Creating a new session for implicit remoting of "Get-OrganizationConfig" command...


RunspaceId                                                : c7cfbd22-596d-4da1-a60e-98a1ae5c6cfa
OrganizationId                                            :
Name                                                      : ADdomain
Identity                                                  : ADdomain
Guid                                                      : ed3b6725-065c-4085-acd3-1564ba767c1e
ObjectVersion                                             : 16213
DefaultPublicFolderAgeLimit                               :
DefaultPublicFolderIssueWarningQuota                      : Unlimited
DefaultPublicFolderProhibitPostQuota                      : Unlimited
DefaultPublicFolderMaxItemSize                            : Unlimited
DefaultPublicFolderDeletedItemRetention                   : 30.00:00:00
DefaultPublicFolderMovedItemRetention                     : 7.00:00:00
PublicFoldersLockedForMigration                           : False
PublicFolderMigrationComplete                             : False
PublicFolderMailboxesLockedForNewConnections              : False
PublicFolderMailboxesMigrationComplete                    : False
PublicFoldersEnabled                                      : Local
ActivityBasedAuthenticationTimeoutEnabled                 : True
ActivityBasedAuthenticationTimeoutInterval                : 06:00:00
ActivityBasedAuthenticationTimeoutWithSingleSignOnEnabled : True
AppsForOfficeEnabled                                      : True
AVAuthenticationService                                   :
CustomerFeedbackEnabled                                   :
DistributionGroupDefaultOU                                :
DistributionGroupNameBlockedWordsList                     : {}
DistributionGroupNamingPolicy                             :
EwsAllowEntourage                                         :
EwsAllowList                                              :
EwsAllowMacOutlook                                        :
EwsAllowOutlook                                           :
EwsApplicationAccessPolicy                                :
EwsBlockList                                              :
EwsEnabled                                                :
ElcProcessingDisabled                                     : False
AutoExpandingArchiveEnabled                               : False
ExchangeNotificationEnabled                               : True
ExchangeNotificationRecipients                            : {}
HierarchicalAddressBookRoot                               :
Industry                                                  : NotSpecified
MailTipsAllTipsEnabled                                    : True
MailTipsExternalRecipientsTipsEnabled                     : False
MailTipsGroupMetricsEnabled                               : True
MailTipsLargeAudienceThreshold                            : 25
MailTipsMailboxSourcedTipsEnabled                         : True
ManagedFolderHomepage                                     :
MicrosoftExchangeRecipientEmailAddresses                  : {SMTP:MicrosoftExchange329e71ec88ae4615bbc36ab6ce41109e@lag
                                                            unablanca.org, smtp:MicrosoftExchange329e71ec88ae4615bbc36a
                                                            b6ce41109e@addomain.local, X400:C=us;A= ;P=ADdomain;O=Exchange;S=Micros
                                                            oftExchange329e71ec88ae4615bbc36ab;}
MicrosoftExchangeRecipientEmailAddressPolicyEnabled       : True
MicrosoftExchangeRecipientPrimarySmtpAddress              : MicrosoftExchange329e71ec88ae4615bbc36ab6ce41109e@lagunabla
                                                            nca.org
MicrosoftExchangeRecipientReplyRecipient                  :
ForwardSyncLiveIdBusinessInstance                         : False
OrganizationSummary                                       : {TotalRecipients,958,False,
                                                            TotalDistributionGroups,50,False,
                                                            TotalMailboxes,428,False, TotalOWAUser,428,False,
                                                            TotalActiveSyncUser,429,False, StandardCALs,428,False,
                                                            TotalMailUsers,459,False, TotalCALMailboxes,428,False,
                                                            TotalMAPIUser,429,False, TotalPOP3User,396,False,
                                                            TotalIMAP4User,396,False, UpdateDate,12/6/2010 9:05:26
                                                            PM,False, TotalDynamicDistributionGroups,0,False,
                                                            EnterpriseCALs,0,False, Total2003ExchangeServers,0,False,
                                                            TotalExchangeServers,1,False...}
ReadTrackingEnabled                                       : False
SCLJunkThreshold                                          : 5
SIPAccessService                                          :
SIPSessionBorderController                                :
MaxConcurrentMigrations                                   : Unlimited
MaxAddressBookPolicies                                    :
MaxOfflineAddressBooks                                    :
IsExcludedFromOnboardMigration                            : False
IsExcludedFromOffboardMigration                           : False
IsFfoMigrationInProgress                                  : False
IsProcessEhaMigratedMessagesEnabled                       : False
TenantRelocationsAllowed                                  : False
ACLableSyncedObjectEnabled                                : False
PreferredInternetCodePageForShiftJis                      : 0
RequiredCharsetCoverage                                   : 100
ByteEncoderTypeFor7BitCharsets                            : 0
PublicComputersDetectionEnabled                           : False
RmsoSubscriptionStatus                                    : Unknown
IntuneManagedStatus                                       : False
AzurePremiumSubscriptionStatus                            : False
HybridConfigurationStatus                                 : Unknown
ReleaseTrack                                              :
CompassEnabled                                            :
SharePointUrl                                             :
MapiHttpEnabled                                           : True
RealTimeLogServiceEnabled                                 : False
CustomerLockboxEnabled                                    : False
OAuth2ClientProfileEnabled                                : False
LinkPreviewEnabled                                        : True
ConnectorsEnabled                                         : True
ConnectorsActionableMessagesEnabled                       : True
SmtpActionableMessagesEnabled                             : True
OfficeGraphActivitySharingOrgOptout                       : False
UnblockUnsafeSenderPromptEnabled                          : True
AsyncSendEnabled                                          : True
RefreshSessionEnabled                                     : False
IsAgendaMailEnabled                                       : True
NetworkThrottlingConfiguration                            :
OrganizationConfigHash                                    :
LegacyExchangeDN                                          : /o=ADdomain
DisplayName                                               :
Heuristics                                                : None
ResourceAddressLists                                      : {\All Rooms}
IsMixedMode                                               : False
PreviousAdminDisplayVersion                               : 0.10 (14.0.100.0)
IsAddressListPagingEnabled                                : False
ForeignForestFQDN                                         : {}
ForeignForestOrgAdminUSGSid                               :
ForeignForestRecipientAdminUSGSid                         :
ForeignForestViewOnlyAdminUSGSid                          :
MimeTypes                                                 : {text/html;htm, text/html;html, text/plain;txt,
                                                            text/css;css, text/iuls;uls, text/scriptlet;wsc,
                                                            text/webviewhtml;htt, text/x-component;htc,
                                                            text/x-vcard;vcf, text/xml;xml, image/gif;gif,
                                                            image/jpeg;jpg, image/x-xbitmap;xbm, image/bmp;bmp,
                                                            image/pjpeg;jpg, image/png;png...}
IsLicensingEnforced                                       : False
IsTenantAccessBlocked                                     : False
IsTenantInGracePeriod                                     : False
IsDehydrated                                              : False
IsGuidPrefixedLegacyDnDisabled                            : False
IsMailboxForcedReplicationDisabled                        : False
RBACConfigurationVersion                                  : 0.1 (15.1.845.34)
RootPublicFolderMailbox                                   :
RemotePublicFolderMailboxes                               : {}
AdminDisplayVersion                                       : 0.20 (15.1.0.0)
IsUpgradingOrganization                                   : False
IsUpdatingServicePlan                                     : False
ServicePlan                                               :
TargetServicePlan                                         :
WACDiscoveryEndpoint                                      :
UMAvailableLanguages                                      : {}
AdfsAuthenticationConfiguration                           :
AdfsIssuer                                                :
AdfsAudienceUris                                          : {}
AdfsSignCertificateThumbprints                            : {}
AdfsEncryptCertificateThumbprint                          :
SiteMailboxCreationURL                                    :
DefaultDataEncryptionPolicy                               :
DefaultAuthenticationPolicy                               :
AllowedMailboxRegions                                     : {}
DefaultMailboxRegion                                      :
DefaultMailboxRegionLastUpdateTime                        :
AllowToAddGuests                                          : True
GuestsEnabled                                             : True
GroupsCreationEnabled                                     : True
HiddenMembershipGroupsCreationEnabled                     : False
GroupsCreationWhitelistedId                               :
GroupsUsageGuidelinesLink                                 :
DataClassifications                                       :
InPlaceHolds                                              : {}
ServiceInstanceMove                                       :
GuestsUsageGuidelinesLink                                 :
FocusedInboxOn                                            :
FocusedInboxOnLastUpdateTime                              : 1/1/0001 12:00:00 AM
IsValid                                                   : True
ExchangeVersion                                           : 0.0 (6.5.6500.0)
DistinguishedName                                         : CN=ADdomain,CN=Microsoft
                                                            Exchange,CN=Services,CN=Configuration,DC=lbs,DC=lan
ObjectCategory                                            : addomain.local/Configuration/Schema/ms-Exch-Organization-Container
ObjectClass                                               : {top, container, msExchOrganizationContainer}
WhenChanged                                               : 11/25/2017 4:26:11 PM
WhenCreated                                               : 11/21/2001 9:02:50 AM
WhenChangedUTC                                            : 11/26/2017 12:26:11 AM
WhenCreatedUTC                                            : 11/21/2001 5:02:50 PM
Id                                                        : ADdomain
OriginatingServer                                         : adsrv1.addomain.local
ObjectState                                               : Unchanged

Open in new window


I am considering to remove all the originally created certificates and only keep the purchased one from trusted authority.
any thoughts on that?

Thank you.
Vick Vega

According to the output, you have issues with both Outlook Anywhere on Exchange 2016 as well as MAPI.
What's the status of the firewall on the server? Are you sure there's nothing on the way that MIGHT potentially filter and augment traffic to port 443?
From the internet, you saying it works, to which IP the firewalls forwards the 443 traffic destined to Exchange?
ASKER CERTIFIED SOLUTION
Log in to continue reading
Log In
Sign up - Free for 7 days
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
ASKER
L4d1k

Hi Ronin,
another update.
I decided to test the outlook configuration from behind the firewall with only NTLM provider enabled on the MAPI folder in IIS.
And I found out that the outlook wizard will complete successfully with only one extra step when I was prompted to enter user credentials in a format domain\user.
After that outlook was working as normal.
OK I think I can close this ticket.
Thank you again for your help.
I am not sure how to assign the points now since I was able to find a solution myself.
I would definitely like to give some points to Ronin for all the good suggestions for me to test.
thank you again!
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
Vick Vega

In general, there's no need to perform any changes to the IIS, using the IIS manager snap-in, all the required adjustment should have been done using EMS. Highly likely those issues have been caused by performing it manually which conflicts with the settings in AD.
ASKER
L4d1k

Hi Ronin,
yes I agree I am not sure why I had to do that.
Unfortunately the problem seems to return.
The Microsoft test now passes and the outlook configuration wizard completes correctly.
Outlook will start and create cache as expected on the first run.
If I close outlook and re-open it the user credentials prompt returns and will never accept the correct credentials in any format.
I am not sure what to test next.
The only reliable option is to disable MAPI using registry key but I don't want to do that.

Thank you for any additional help.
Vick Vega

Could you please provide more information for the regkey change?
Where have you done it?
This is the best money I have ever spent. I cannot not tell you how many times these folks have saved my bacon. I learn so much from the contributors.
rwheeler23
ASKER
L4d1k

It is on the end user computer:
Key: HKEY_CURRENT_USER\Software\Microsoft\Exchange
DWORD: MapiHttpDisabled
Value: 1

I removed it after I verified that it would be a solution if I didn't want to use MAPI.
But I do need to be able to use MAPI so disabling it is not a real solution it is just a temporary fix.
Vick Vega

In order to go back to the original state, you can remove and recreate virtual directories on Exchange 2016, it will reset everything to default state, like it was just after you completed the install.
ASKER
L4d1k

I performed the reset using EAC.
After the reset it automatically adds NTLM, Negotiate option in the authentication.
1. Using EAC I added the correct URL since it wasn't set after the reset. (Authentication left as default)
  IISRESET
   MS connection test and outlook setup wizard will fail.
2. with the correct URLs entered in step one I removed negotiate option in authentication.
   IISRESET
  MS connection test and outlook setup wizard are successful
  Outlook will start and function as expected on the first run.
  If I close outlook and reopen it I will get prompted to enter user credentials which will fail (tried domain\user and user@domain) no luck
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
Vick Vega

Follow this process on how to reset VDirs on Exchange 2016 using PS.
https://technet.microsoft.com/en-us/library/ff629372(v=exchg.141).aspx

Use EMS from 2016.

You might need to do it for both servers.
ASKER
L4d1k

Hi Ronin,

I recreated the mapi virtual directory using EMS and set the permissions back.
Remove-MapiVirtualDirectory -Identity "newexchange2016\mapi (Default Web Site)"
New-MapiVirtualDirectory -InternalUrl https://email.exchangedomain.com/mapi -IISAuthenticationMethods NTLM
Set-MapiVirtualDirectory -Identity "newexchnage2016\mapi (Default Web site)" -InternalURL   “https://email.exchangedomain.com/mapi” -ExternalURL   https://email.exchangedomain.com/mapi -IISAuthenticationMethods NTLM

Open in new window

unfortunately no change.
with some additional testing I discovered that in outlook account profile if I turn off the "use Cached Exchange Mode" then outlook communication using mapi will work correctly.

Let me know if that would indicate something that can be corrected.

Thank you!
Vick Vega

Can you try recreating and RPC vdir as well?
Have you done this on both servers?
I started with Experts Exchange in 2004 and it's been a mainstay of my professional computing life since. It helped me launch a career as a programmer / Oracle data analyst
William Peck
ASKER
L4d1k

Hi Ronin,

I am not sure how would I do that.
there is no command to recreate the RPC directory in EMS or using EAC.
I had seen some discussion on uninstalling RPC over HTTP but it didn't seem to work.

Thank you!
Vick Vega

oops, sorry about that.
Perhaps I should have asked if you tried to remove and recreate ALL vdirs on both servers?
ASKER
L4d1k

Hi Ronin,

As I was continuing with the reset of all the virtual directories on the new exchange 2016 I took a break and did some more search on google.
And I came across this link which had similar problem:
https://social.technet.microsoft.com/Forums/ie/en-US/e6b932b0-f5a5-4b22-914c-ca421f4b32fa/mapi-over-http-not-working-correctly-outlook-2013-clients-prompting-for-credentials-during-profile?forum=exchangesvrclients

The solution is in addition to the change I made to the MAPI folder to only have NTLM as the authentication method.
I had to remove negotiate provider on the Autodiscover and EWS folders under the Windows Authentication.
Outlook is now working using MAPI internally and externally as well as with or without cached mode.

Since I had to do this in IIS I will keep a documentation on the changes for the future since I have a feeling with the next CU release this will get reset.

Thank you again for your help!
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
Vick Vega

Glad you got it resolved.
ASKER
L4d1k

I was able to find a solution by trial and error without direct recommendation from any other expert.