L4d1k
asked on
outlook 2016 keeps asking to enter login credentials
Hello,
After setting up the new exchange server 2016 as a upgrade to the existing exchange server 2010 it looks as if it was success.
Using the owa web outlook I am able to send and receive emails internally and externally as well as work with all the other functions (this includes old user mailboxes as well as migrated and newly created mailboxes).
Unfortunately when I try to connect using outlook 2016 the process detects the logged in AD user correctly, but it will not accept the login credentials (I tried different users, different login options user@domain.com or domain\user with out any luck).
I check all the DNS configurations for autodiscover and MX records and restarted the server. Unfortunately that didn't help.
There is no AV installed on servers and no firewall or VLAN between the client computer.
I am able to configure the outlook 2016 if I am connecting externally or on local LAN if I disable MAPI in registry on the client computer.
The disabled MAPI in registry allows me to use the migrated user mailbox in outlook 2016, except not without requesting to enter user credentials which will fail. Outlook will continue to function normal if I cancel the login request.
Testing outlook connectivity on exchange server 2016 using "Test-OutlookConnectity" is successful after I adjusted LmcompatibilityLevel to 2 in registry and group policy.
Are there any other ideas on what else could be the problem?
Thank you!
here are some of the links I used to troubleshoot:
https://jhmeier.com/2016/03/14/exchange-2016-and-2010-coexistenceoutook-shows-login-promt/
https://technet.microsoft.com/en-us/library/cc960646.aspx?f=255&MSPPError=-2147217396
https://www.freeviewer.org/blog/how-to-enable-rpc-over-http-in-outlook-2016/
http://techgenix.com/migrating-small-organization-exchange-2010-exchange-2016-part1/
After setting up the new exchange server 2016 as a upgrade to the existing exchange server 2010 it looks as if it was success.
Using the owa web outlook I am able to send and receive emails internally and externally as well as work with all the other functions (this includes old user mailboxes as well as migrated and newly created mailboxes).
Unfortunately when I try to connect using outlook 2016 the process detects the logged in AD user correctly, but it will not accept the login credentials (I tried different users, different login options user@domain.com or domain\user with out any luck).
I check all the DNS configurations for autodiscover and MX records and restarted the server. Unfortunately that didn't help.
There is no AV installed on servers and no firewall or VLAN between the client computer.
I am able to configure the outlook 2016 if I am connecting externally or on local LAN if I disable MAPI in registry on the client computer.
The disabled MAPI in registry allows me to use the migrated user mailbox in outlook 2016, except not without requesting to enter user credentials which will fail. Outlook will continue to function normal if I cancel the login request.
Testing outlook connectivity on exchange server 2016 using "Test-OutlookConnectity" is successful after I adjusted LmcompatibilityLevel to 2 in registry and group policy.
Are there any other ideas on what else could be the problem?
Thank you!
here are some of the links I used to troubleshoot:
https://jhmeier.com/2016/03/14/exchange-2016-and-2010-coexistenceoutook-shows-login-promt/
https://technet.microsoft.com/en-us/library/cc960646.aspx?f=255&MSPPError=-2147217396
https://www.freeviewer.org/blog/how-to-enable-rpc-over-http-in-outlook-2016/
http://techgenix.com/migrating-small-organization-exchange-2010-exchange-2016-part1/
SOLUTION
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
ASKER
Hi Viktor,
thank you for responding,
I indicated in my original post that I only have a problem with migrated users to the new exchange server 2016 and with newly created users on the new exchange 2016 server.
Existing users on the exchange 2010 server are fine if I run the outlook 2016 connection wizard.
thank you for responding,
I indicated in my original post that I only have a problem with migrated users to the new exchange server 2016 and with newly created users on the new exchange 2016 server.
Existing users on the exchange 2010 server are fine if I run the outlook 2016 connection wizard.
SOLUTION
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
ASKER
Hi Valentina,
thank you for responding,
I din't try different outlook version because I don't have one installed on test computers.
I can try it later but I need to be able to use outlook 2016 eventually. ( I tried outlook 2016 on different computers with all the updates installed)
thank you for responding,
I din't try different outlook version because I don't have one installed on test computers.
I can try it later but I need to be able to use outlook 2016 eventually. ( I tried outlook 2016 on different computers with all the updates installed)
ASKER
Hi Viktor,
yes DNS is configured to point to the new exchange server 2016 which is acting as a proxy server for the exchange 2010 server.
here is the reference I used: http://techgenix.com/migrating-small-organization-exchange-2010-exchange-2016-part1/
yes DNS is configured to point to the new exchange server 2016 which is acting as a proxy server for the exchange 2010 server.
here is the reference I used: http://techgenix.com/migrating-small-organization-exchange-2010-exchange-2016-part1/
Hi,
Could you try to upgrade Outlook machine to the latest version?
https://support.office.com/en-us/article/Outlook-Updates-472c2322-23a4-4014-8f02-bbc09ad62213
https://support.office.com/en-us/article/Install-Office-updates-2ab296f3-7f03-43a2-8e50-46de917611c5
Cheers
Could you try to upgrade Outlook machine to the latest version?
https://support.office.com/en-us/article/Outlook-Updates-472c2322-23a4-4014-8f02-bbc09ad62213
https://support.office.com/en-us/article/Install-Office-updates-2ab296f3-7f03-43a2-8e50-46de917611c5
Cheers
ASKER
Hi Viktor,
Just verified and all patches are already installed.
Just verified and all patches are already installed.
Let's your existing virtual directories config in the environment:
Have you followed the Microsoft Exchange Server Deployment Assistant?
et-OabVirtualDirectory | fl server, Name, ExternalURL, InternalURL, *auth*
Get-WebServicesVirtualDirectory | fl server, Name,ExternalURL, InternalURL, *auth*
Get-EcpVirtualDirectory | fl server, Name, ExternalURL, InternalURL, *auth*
Get-ActiveSyncVirtualDirectory | fl server, Name, ExternalURL, InternalURL, *auth*
Get-OutlookAnywhere | fl server, Name, *hostname*, *auth*
Get-OwaVirtualDirectory | fl server, Name, ExternalURL, InternalURL, *auth*
Get-ClientAccessService | fl Name,OutlookAnywhereEnabled, AutodiscoverServiceInternalUri
Get-ExchangeCertificate | fl FriendlyName, Subject, CertificateDomains, Thumbprint, Services, Issuer, *not*
Get-MapiVirtualDirectory | fl server, Name,ExternalURL,InternalURL, *auth*
Get-ClientAccessArray | fl
Get-OutlookProvider
Have you followed the Microsoft Exchange Server Deployment Assistant?
ASKER
Hi Ronin,
thank you for responding.
Here is the requested information (I replaced the domain and server names with a generic names):
[PS] C:\Windows\system32>Get-Oa bVirtualDi rectory | fl server, Name, ExternalURL, InternalURL, *auth*
Server : oldexchange2010
Name : OAB (Default Web Site)
ExternalUrl :
InternalUrl : https://email.exchangedomain.com/oab
BasicAuthentication : False
WindowsAuthentication : True
OAuthAuthentication : False
InternalAuthenticationMeth ods : {WindowsIntegrated}
ExternalAuthenticationMeth ods : {WindowsIntegrated}
Server : newexchange16
Name : OAB (Default Web Site)
ExternalUrl : https://email.exchangedomain.com/oab
InternalUrl : https://email.exchangedomain.com/oab
BasicAuthentication : False
WindowsAuthentication : True
OAuthAuthentication : True
InternalAuthenticationMeth ods : {WindowsIntegrated, OAuth}
ExternalAuthenticationMeth ods : {WindowsIntegrated, OAuth}
[PS] C:\Windows\system32>Get-We bServicesV irtualDire ctory | fl server, Name,ExternalURL, InternalURL, *auth*
Server : oldexchange2010
Name : EWS (Default Web Site)
ExternalUrl :
InternalUrl : https://email.exchangedomain.com/ews/exchange.asmx
CertificateAuthentication :
InternalAuthenticationMeth ods : {Basic, Ntlm, WindowsIntegrated, WSSecurity}
ExternalAuthenticationMeth ods : {Basic, Ntlm, WindowsIntegrated, WSSecurity}
LiveIdNegotiateAuthenticat ion :
WSSecurityAuthentication : True
LiveIdBasicAuthentication : False
BasicAuthentication : True
DigestAuthentication : False
WindowsAuthentication : True
OAuthAuthentication : False
AdfsAuthentication : False
Server : newexchange16
Name : EWS (Default Web Site)
ExternalUrl : https://email.exchangedomain.com/EWS/Exchange.asmx
InternalUrl : https://email.exchangedomain.com/EWS/Exchange.asmx
CertificateAuthentication :
InternalAuthenticationMeth ods : {Ntlm, WindowsIntegrated, WSSecurity, OAuth}
ExternalAuthenticationMeth ods : {Ntlm, WindowsIntegrated, WSSecurity, OAuth}
LiveIdNegotiateAuthenticat ion :
WSSecurityAuthentication : True
LiveIdBasicAuthentication : False
BasicAuthentication : False
DigestAuthentication : False
WindowsAuthentication : True
OAuthAuthentication : True
AdfsAuthentication : False
[PS] C:\Windows\system32>Get-Ec pVirtualDi rectory | fl server, Name, ExternalURL, InternalURL, *auth*
Server : oldexchange2010
Name : ecp (Default Web Site)
ExternalUrl :
InternalUrl : https://email.exchangedomain.com/ecp
InternalAuthenticationMeth ods : {Basic, Fba, Ntlm, WindowsIntegrated}
BasicAuthentication : True
WindowsAuthentication : True
DigestAuthentication : False
FormsAuthentication : True
LiveIdAuthentication : False
AdfsAuthentication : False
OAuthAuthentication : False
ExternalAuthenticationMeth ods : {Fba}
Server : newexchange16
Name : ecp (Default Web Site)
ExternalUrl : https://email.exchangedomain.com/ecp
InternalUrl : https://email.exchangedomain.com/ecp
InternalAuthenticationMeth ods : {Basic, Fba}
BasicAuthentication : True
WindowsAuthentication : False
DigestAuthentication : False
FormsAuthentication : True
LiveIdAuthentication : False
AdfsAuthentication : False
OAuthAuthentication : False
ExternalAuthenticationMeth ods : {Fba}
[PS] C:\Windows\system32>Get-Ac tiveSyncVi rtualDirec tory | fl server, Name, ExternalURL, InternalURL, *auth*
Server : oldexchange2010
Name : Microsoft-Server-ActiveSyn c (Default Web Site)
ExternalUrl :
InternalUrl : https://email.exchangedomain.com/Microsoft-Server-ActiveSync
MobileClientCertificateAut horityURL :
BasicAuthEnabled : True
WindowsAuthEnabled : False
ClientCertAuth : Ignore
InternalAuthenticationMeth ods : {}
ExternalAuthenticationMeth ods : {}
Server : newexchange16
Name : Microsoft-Server-ActiveSyn c (Default Web Site)
ExternalUrl : https://email.exchangedomain.com/Microsoft-Server-ActiveSync
InternalUrl : https://email.exchangedomain.com/Microsoft-Server-ActiveSync
MobileClientCertificateAut horityURL :
BasicAuthEnabled : True
WindowsAuthEnabled : False
ClientCertAuth : Ignore
InternalAuthenticationMeth ods : {}
ExternalAuthenticationMeth ods : {}
[PS] C:\Windows\system32>Get-Ou tlookAnywh ere | fl server, Name, *hostname*, *auth*
Server : oldexchange2010
Name : Rpc (Default Web Site)
ExternalHostname : email.exchangedomain.com
InternalHostname :
ExternalClientAuthenticati onMethod : Ntlm
InternalClientAuthenticati onMethod : Ntlm
IISAuthenticationMethods : {Ntlm}
Server : newexchange16
Name : Rpc (Default Web Site)
ExternalHostname : email.exchangedomain.com
InternalHostname : email.exchangedomain.com
ExternalClientAuthenticati onMethod : Negotiate
InternalClientAuthenticati onMethod : Ntlm
IISAuthenticationMethods : {Ntlm}
[PS] C:\Windows\system32>Get-Ow aVirtualDi rectory | fl server, Name, ExternalURL, InternalURL, *auth*
Server : oldexchange2010
Name : owa (Default Web Site)
ExternalUrl :
InternalUrl : https://email.exchangedomain.com/owa
ClientAuthCleanupLevel : High
InternalAuthenticationMeth ods : {Basic, Fba, Ntlm, WindowsIntegrated}
BasicAuthentication : True
WindowsAuthentication : True
DigestAuthentication : False
FormsAuthentication : True
LiveIdAuthentication : False
AdfsAuthentication : False
OAuthAuthentication : False
ExternalAuthenticationMeth ods : {Fba}
Server : newexchange16
Name : owa (Default Web Site)
ExternalUrl : https://email.exchangedomain.com/owa
InternalUrl : https://email.exchangedomain.com/owa
ClientAuthCleanupLevel : High
InternalAuthenticationMeth ods : {Basic, Fba}
BasicAuthentication : True
WindowsAuthentication : False
DigestAuthentication : False
FormsAuthentication : True
LiveIdAuthentication : False
AdfsAuthentication : False
OAuthAuthentication : False
ExternalAuthenticationMeth ods : {Fba}
[PS] C:\Windows\system32>Get-Cl ientAccess Service | fl Name,OutlookAnywhereEnable d, AutodiscoverServiceInterna lUri
Name : oldexchange2010
OutlookAnywhereEnabled : True
AutoDiscoverServiceInterna lUri : https://autodiscover.exchangedomain.com/autodiscover/autodiscover.xml
Name : newexchange16
OutlookAnywhereEnabled : True
AutoDiscoverServiceInterna lUri : https://autodiscover.exchangedomain.com/Autodiscover/Autodiscover.xml
[PS] C:\Windows\system32>Get-Ex changeCert ificate | fl FriendlyName, Subject, CertificateDomains, Thumbprint, Services, Issuer, *not*
FriendlyName : Microsoft Exchange Server Auth Certificate
Subject : CN=Microsoft Exchange Server Auth Certificate
CertificateDomains : {}
Thumbprint : 04B79D039EB22DC10D29EC62E4 A388EE0BC1 273D
Services : SMTP
Issuer : CN=Microsoft Exchange Server Auth Certificate
NotAfter : 10/21/2022 4:42:32 PM
NotBefore : 11/16/2017 3:42:32 PM
FriendlyName : Microsoft Exchange
Subject : CN=newexchange16
CertificateDomains : {newexchange16, newexchange16.lbs.lan}
Thumbprint : B60400957B0E81511342584A45 A7BDA89E0C 8DCF
Services : IIS, SMTP
Issuer : CN=newexchange16
NotAfter : 11/16/2022 3:40:35 PM
NotBefore : 11/16/2017 3:40:35 PM
FriendlyName : WMSVC-SHA2
Subject : CN=WMSvc-SHA2-newexchange1 6
CertificateDomains : {WMSvc-SHA2-newexchange16}
Thumbprint : 30E68C217E127F25F206A15D57 1845B6212B C156
Services : None
Issuer : CN=WMSvc-SHA2-newexchange1 6
NotAfter : 6/26/2027 4:52:06 PM
NotBefore : 6/28/2017 4:52:06 PM
FriendlyName : LBS2015-18
Subject : CN=email.exchangedomain.co m, OU=Domain Control Validated
CertificateDomains : {email.exchangedomain.com, www.email.exchangedomain.com, newexchange16.exchangedoma in.com, lbsdomsrv12.exchangedomain .com, lbsadm4.exchangedomain.com , autodiscover.exchangedomai n.com,
lbsosxsrv1.exchangedomain. com, oldexchange2010.exchangedo main.com, lbscl4.exchangedomain.com, lbsts1.exchangedomain.com, lbsdom1.exchangedomain.com , lbsls5.exchangedomain.com,
lbsstweb1.exchangedomain.c om, smtp.exchangedomain.com, moodle.exchangedomain.com}
Thumbprint : 7036FF3E472362105976F7A3FE 087172067B 9836
Services : IMAP, POP, IIS, SMTP
Issuer : CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
NotAfter : 8/29/2018 1:39:50 PM
NotBefore : 8/24/2015 9:10:40 AM
[PS] C:\Windows\system32>Get-Ma piVirtualD irectory | fl server, Name,ExternalURL,InternalU RL, *auth*
Server : newexchange16
Name : mapi (Default Web Site)
ExternalUrl : https://email.exchangedomain.com/mapi
InternalUrl : https://email.exchangedomain.com/mapi
IISAuthenticationMethods : {Ntlm, OAuth, Negotiate}
InternalAuthenticationMeth ods : {Ntlm, OAuth, Negotiate}
ExternalAuthenticationMeth ods : {Ntlm, OAuth, Negotiate}
[PS] C:\Windows\system32>Get-Cl ientAccess Array | fl
[PS] C:\Windows\system32>Get-Ou tlookProvi der
Name Server CertPrincipalName TTL
---- ------ ----------------- ---
EXCH 1
EXPR msstd:exchangedomain.com 1
WEB 1
thank you for responding.
Here is the requested information (I replaced the domain and server names with a generic names):
[PS] C:\Windows\system32>Get-Oa
Server : oldexchange2010
Name : OAB (Default Web Site)
ExternalUrl :
InternalUrl : https://email.exchangedomain.com/oab
BasicAuthentication : False
WindowsAuthentication : True
OAuthAuthentication : False
InternalAuthenticationMeth
ExternalAuthenticationMeth
Server : newexchange16
Name : OAB (Default Web Site)
ExternalUrl : https://email.exchangedomain.com/oab
InternalUrl : https://email.exchangedomain.com/oab
BasicAuthentication : False
WindowsAuthentication : True
OAuthAuthentication : True
InternalAuthenticationMeth
ExternalAuthenticationMeth
[PS] C:\Windows\system32>Get-We
Server : oldexchange2010
Name : EWS (Default Web Site)
ExternalUrl :
InternalUrl : https://email.exchangedomain.com/ews/exchange.asmx
CertificateAuthentication :
InternalAuthenticationMeth
ExternalAuthenticationMeth
LiveIdNegotiateAuthenticat
WSSecurityAuthentication : True
LiveIdBasicAuthentication : False
BasicAuthentication : True
DigestAuthentication : False
WindowsAuthentication : True
OAuthAuthentication : False
AdfsAuthentication : False
Server : newexchange16
Name : EWS (Default Web Site)
ExternalUrl : https://email.exchangedomain.com/EWS/Exchange.asmx
InternalUrl : https://email.exchangedomain.com/EWS/Exchange.asmx
CertificateAuthentication :
InternalAuthenticationMeth
ExternalAuthenticationMeth
LiveIdNegotiateAuthenticat
WSSecurityAuthentication : True
LiveIdBasicAuthentication : False
BasicAuthentication : False
DigestAuthentication : False
WindowsAuthentication : True
OAuthAuthentication : True
AdfsAuthentication : False
[PS] C:\Windows\system32>Get-Ec
Server : oldexchange2010
Name : ecp (Default Web Site)
ExternalUrl :
InternalUrl : https://email.exchangedomain.com/ecp
InternalAuthenticationMeth
BasicAuthentication : True
WindowsAuthentication : True
DigestAuthentication : False
FormsAuthentication : True
LiveIdAuthentication : False
AdfsAuthentication : False
OAuthAuthentication : False
ExternalAuthenticationMeth
Server : newexchange16
Name : ecp (Default Web Site)
ExternalUrl : https://email.exchangedomain.com/ecp
InternalUrl : https://email.exchangedomain.com/ecp
InternalAuthenticationMeth
BasicAuthentication : True
WindowsAuthentication : False
DigestAuthentication : False
FormsAuthentication : True
LiveIdAuthentication : False
AdfsAuthentication : False
OAuthAuthentication : False
ExternalAuthenticationMeth
[PS] C:\Windows\system32>Get-Ac
Server : oldexchange2010
Name : Microsoft-Server-ActiveSyn
ExternalUrl :
InternalUrl : https://email.exchangedomain.com/Microsoft-Server-ActiveSync
MobileClientCertificateAut
BasicAuthEnabled : True
WindowsAuthEnabled : False
ClientCertAuth : Ignore
InternalAuthenticationMeth
ExternalAuthenticationMeth
Server : newexchange16
Name : Microsoft-Server-ActiveSyn
ExternalUrl : https://email.exchangedomain.com/Microsoft-Server-ActiveSync
InternalUrl : https://email.exchangedomain.com/Microsoft-Server-ActiveSync
MobileClientCertificateAut
BasicAuthEnabled : True
WindowsAuthEnabled : False
ClientCertAuth : Ignore
InternalAuthenticationMeth
ExternalAuthenticationMeth
[PS] C:\Windows\system32>Get-Ou
Server : oldexchange2010
Name : Rpc (Default Web Site)
ExternalHostname : email.exchangedomain.com
InternalHostname :
ExternalClientAuthenticati
InternalClientAuthenticati
IISAuthenticationMethods : {Ntlm}
Server : newexchange16
Name : Rpc (Default Web Site)
ExternalHostname : email.exchangedomain.com
InternalHostname : email.exchangedomain.com
ExternalClientAuthenticati
InternalClientAuthenticati
IISAuthenticationMethods : {Ntlm}
[PS] C:\Windows\system32>Get-Ow
Server : oldexchange2010
Name : owa (Default Web Site)
ExternalUrl :
InternalUrl : https://email.exchangedomain.com/owa
ClientAuthCleanupLevel : High
InternalAuthenticationMeth
BasicAuthentication : True
WindowsAuthentication : True
DigestAuthentication : False
FormsAuthentication : True
LiveIdAuthentication : False
AdfsAuthentication : False
OAuthAuthentication : False
ExternalAuthenticationMeth
Server : newexchange16
Name : owa (Default Web Site)
ExternalUrl : https://email.exchangedomain.com/owa
InternalUrl : https://email.exchangedomain.com/owa
ClientAuthCleanupLevel : High
InternalAuthenticationMeth
BasicAuthentication : True
WindowsAuthentication : False
DigestAuthentication : False
FormsAuthentication : True
LiveIdAuthentication : False
AdfsAuthentication : False
OAuthAuthentication : False
ExternalAuthenticationMeth
[PS] C:\Windows\system32>Get-Cl
Name : oldexchange2010
OutlookAnywhereEnabled : True
AutoDiscoverServiceInterna
Name : newexchange16
OutlookAnywhereEnabled : True
AutoDiscoverServiceInterna
[PS] C:\Windows\system32>Get-Ex
FriendlyName : Microsoft Exchange Server Auth Certificate
Subject : CN=Microsoft Exchange Server Auth Certificate
CertificateDomains : {}
Thumbprint : 04B79D039EB22DC10D29EC62E4
Services : SMTP
Issuer : CN=Microsoft Exchange Server Auth Certificate
NotAfter : 10/21/2022 4:42:32 PM
NotBefore : 11/16/2017 3:42:32 PM
FriendlyName : Microsoft Exchange
Subject : CN=newexchange16
CertificateDomains : {newexchange16, newexchange16.lbs.lan}
Thumbprint : B60400957B0E81511342584A45
Services : IIS, SMTP
Issuer : CN=newexchange16
NotAfter : 11/16/2022 3:40:35 PM
NotBefore : 11/16/2017 3:40:35 PM
FriendlyName : WMSVC-SHA2
Subject : CN=WMSvc-SHA2-newexchange1
CertificateDomains : {WMSvc-SHA2-newexchange16}
Thumbprint : 30E68C217E127F25F206A15D57
Services : None
Issuer : CN=WMSvc-SHA2-newexchange1
NotAfter : 6/26/2027 4:52:06 PM
NotBefore : 6/28/2017 4:52:06 PM
FriendlyName : LBS2015-18
Subject : CN=email.exchangedomain.co
CertificateDomains : {email.exchangedomain.com,
lbsosxsrv1.exchangedomain.
lbsstweb1.exchangedomain.c
Thumbprint : 7036FF3E472362105976F7A3FE
Services : IMAP, POP, IIS, SMTP
Issuer : CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
NotAfter : 8/29/2018 1:39:50 PM
NotBefore : 8/24/2015 9:10:40 AM
[PS] C:\Windows\system32>Get-Ma
Server : newexchange16
Name : mapi (Default Web Site)
ExternalUrl : https://email.exchangedomain.com/mapi
InternalUrl : https://email.exchangedomain.com/mapi
IISAuthenticationMethods : {Ntlm, OAuth, Negotiate}
InternalAuthenticationMeth
ExternalAuthenticationMeth
[PS] C:\Windows\system32>Get-Cl
[PS] C:\Windows\system32>Get-Ou
Name Server CertPrincipalName TTL
---- ------ ----------------- ---
EXCH 1
EXPR msstd:exchangedomain.com 1
WEB 1
Can you please confirm email.exchangedomain.com as well as autodiscover.exchangedomai n.com AD DNS records point to Exchange 2016 IP address?
In order for Exchange 2010 to coexist with 2016 it must be patched to SP3 + with RU9.
Let's see the current patch level:
In order for Exchange 2010 to coexist with 2016 it must be patched to SP3 + with RU9.
Let's see the current patch level:
Get-ExchangeServer | fl *version*
ASKER
Hi Ronin,
yes for the DNS and yes for the SP3 + RU9 I actually have 2010 SP3 RU17 14.3.352.0
yes for the DNS and yes for the SP3 + RU9 I actually have 2010 SP3 RU17 14.3.352.0
Set-OutlookAnywhere -Identity "newexchange16\Rpc (Default Web Site)" -ExternalHostname webmail.remotedesk.be -ExternalClientAuthenticationMethod NTLM -InternalClientAuthenticationMethod NTLM -IISAuthenticationMethods Basic,NTLM,Negotiate
Set-OutlookAnywhere -Identity "oldexch2010\Rpc (Default Web Site)" -ExternalHostname webmail.remotedesk.be -ExternalClientAuthenticationMethod NTLM -InternalClientAuthenticationMethod NTLM -IISAuthenticationMethods Basic,NTLM
ASKER
Hi Ronin,
Thank you for the info.
I had to make some adjustments to the command and add -ExternalClientsRequireSsl :$true in order to execute it without error.
Then I restarted the exchange service using iisreset as well as restarted the server.
I tried running the outlook 2016 connection wizard on the client computer which requested the user credentials again which failed.
let me know if you have any other suggestions.
Thank you,
P.S. this is the adjusted command I executed:
Set-OutlookAnywhere -Identity "exchange16\Rpc (Default Web Site)" -ExternalHostname emai.exchangedomain.com -ExternalClientAuthenticat ionMethod NTLM -ExternalClientsRequireSsl :$true -InternalClientAuthenticat ionMethod NTLM -InternalClientsRequireSsl :$true –SSLOffloading:$false -IISAuthenticationMethods Basic,NTLM,Negotiate
Set-OutlookAnywhere -Identity "exchange10\Rpc (Default Web Site)" -ExternalHostname email.exchangedomain.com -ExternalClientAuthenticat ionMethod NTLM -ExternalClientsRequireSsl :$true -InternalClientAuthenticat ionMethod NTLM -IISAuthenticationMethods Basic,NTLM
Thank you for the info.
I had to make some adjustments to the command and add -ExternalClientsRequireSsl
Then I restarted the exchange service using iisreset as well as restarted the server.
I tried running the outlook 2016 connection wizard on the client computer which requested the user credentials again which failed.
let me know if you have any other suggestions.
Thank you,
P.S. this is the adjusted command I executed:
Set-OutlookAnywhere -Identity "exchange16\Rpc (Default Web Site)" -ExternalHostname emai.exchangedomain.com -ExternalClientAuthenticat
Set-OutlookAnywhere -Identity "exchange10\Rpc (Default Web Site)" -ExternalHostname email.exchangedomain.com -ExternalClientAuthenticat
Set-OutlookAnywhere -Identity "exchange16\Rpc (Default Web Site)" -ExternalHostname emai.exchangedomain.com -ExternalClientAuthenticat ionMethod NTLM -ExternalClientsRequireSsl :$true -InternalClientAuthenticat ionMethod NTLM -InternalClientsRequireSsl :$true –SSLOffloading:$false -IISAuthenticationMethods Basic,NTLM,Negotiate\
Shouldn't it be email.exchangedomain.com and not emai.exchangedomain.com?
Every FQDN that you use, be it email, webmail, etc .... MUST appear in the certificate and resolvable to the internal IP of the Exchange 2016.
Please make sure that's the case.
Shouldn't it be email.exchangedomain.com and not emai.exchangedomain.com?
Every FQDN that you use, be it email, webmail, etc .... MUST appear in the certificate and resolvable to the internal IP of the Exchange 2016.
Please make sure that's the case.
ASKER
Hi Ronin,
that is a typo when I was removing the actual domain information.
Otherwise it is correct on the server and it is matching the ssl certificate.
that is a typo when I was removing the actual domain information.
Otherwise it is correct on the server and it is matching the ssl certificate.
Hm ...
Try setting WindowsAuthentication to TRUE on Exchange 2016 OWA and ECP, to match the setting on the Exchange 2010. For RPC set ExternalClientAuthenticati onMethod on 2016 to NTLM to match the 2010 as well.
Perform IIS reset, allow 15-20 minutes to cache to flush on the workstation before testing.
Try setting WindowsAuthentication to TRUE on Exchange 2016 OWA and ECP, to match the setting on the Exchange 2010. For RPC set ExternalClientAuthenticati
Perform IIS reset, allow 15-20 minutes to cache to flush on the workstation before testing.
ASKER
Hi Ronin,
I did as you suggested, unfortunately no change.
here is the output of the changes:
[PS] C:\Windows\system32>Get-Ow aVirtualDi rectory | fl server, Name, ExternalURL, InternalURL, *auth*
Creating a new session for implicit remoting of "Get-OwaVirtualDirectory" command...
Server : oldexchange2010
Name : owa (Default Web Site)
ExternalUrl :
InternalUrl : https://email.exchangedomain.com/owa
ClientAuthCleanupLevel : High
InternalAuthenticationMeth ods : {Basic, Fba, Ntlm, WindowsIntegrated}
BasicAuthentication : True
WindowsAuthentication : True
DigestAuthentication : False
FormsAuthentication : True
LiveIdAuthentication : False
AdfsAuthentication : False
OAuthAuthentication : False
ExternalAuthenticationMeth ods : {Fba}
Server : newexchange2016
Name : owa (Default Web Site)
ExternalUrl : https://email.exchangedomain.com/owa
InternalUrl : https://email.exchangedomain.com/owa
ClientAuthCleanupLevel : High
InternalAuthenticationMeth ods : {Basic, Ntlm, WindowsIntegrated}
BasicAuthentication : True
WindowsAuthentication : True
DigestAuthentication : False
FormsAuthentication : False
LiveIdAuthentication : False
AdfsAuthentication : False
OAuthAuthentication : False
ExternalAuthenticationMeth ods : {Fba}
[PS] C:\Windows\system32>Get-Ec pVirtualDi rectory | fl server, Name, ExternalURL, InternalURL, *auth*
Server : oldexchange2010
Name : ecp (Default Web Site)
ExternalUrl :
InternalUrl : https://email.exchangedomain.com/ecp
InternalAuthenticationMeth ods : {Basic, Fba, Ntlm, WindowsIntegrated}
BasicAuthentication : True
WindowsAuthentication : True
DigestAuthentication : False
FormsAuthentication : True
LiveIdAuthentication : False
AdfsAuthentication : False
OAuthAuthentication : False
ExternalAuthenticationMeth ods : {Fba}
Server : newexchange2016
Name : ecp (Default Web Site)
ExternalUrl : https://email.exchangedomain.com/ecp
InternalUrl : https://email.exchangedomain.com/ecp
InternalAuthenticationMeth ods : {Basic, Ntlm, WindowsIntegrated}
BasicAuthentication : True
WindowsAuthentication : True
DigestAuthentication : False
FormsAuthentication : False
LiveIdAuthentication : False
AdfsAuthentication : False
OAuthAuthentication : False
ExternalAuthenticationMeth ods : {Fba}
[PS] C:\Windows\system32>Get-Ou tlookAnywh ere | fl server, Name, *hostname*, *auth*
Server : oldexchange2010
Name : Rpc (Default Web Site)
ExternalHostname : email.exchangedomain.com
InternalHostname :
ExternalClientAuthenticati onMethod : Ntlm
InternalClientAuthenticati onMethod : Ntlm
IISAuthenticationMethods : {Basic, Ntlm}
Server : newexchange2016
Name : Rpc (Default Web Site)
ExternalHostname : email.exchangedomain.com
InternalHostname : email.exchangedomain.com
ExternalClientAuthenticati onMethod : Ntlm
InternalClientAuthenticati onMethod : Ntlm
IISAuthenticationMethods : {Basic, Ntlm, Negotiate}
I did as you suggested, unfortunately no change.
here is the output of the changes:
[PS] C:\Windows\system32>Get-Ow
Creating a new session for implicit remoting of "Get-OwaVirtualDirectory" command...
Server : oldexchange2010
Name : owa (Default Web Site)
ExternalUrl :
InternalUrl : https://email.exchangedomain.com/owa
ClientAuthCleanupLevel : High
InternalAuthenticationMeth
BasicAuthentication : True
WindowsAuthentication : True
DigestAuthentication : False
FormsAuthentication : True
LiveIdAuthentication : False
AdfsAuthentication : False
OAuthAuthentication : False
ExternalAuthenticationMeth
Server : newexchange2016
Name : owa (Default Web Site)
ExternalUrl : https://email.exchangedomain.com/owa
InternalUrl : https://email.exchangedomain.com/owa
ClientAuthCleanupLevel : High
InternalAuthenticationMeth
BasicAuthentication : True
WindowsAuthentication : True
DigestAuthentication : False
FormsAuthentication : False
LiveIdAuthentication : False
AdfsAuthentication : False
OAuthAuthentication : False
ExternalAuthenticationMeth
[PS] C:\Windows\system32>Get-Ec
Server : oldexchange2010
Name : ecp (Default Web Site)
ExternalUrl :
InternalUrl : https://email.exchangedomain.com/ecp
InternalAuthenticationMeth
BasicAuthentication : True
WindowsAuthentication : True
DigestAuthentication : False
FormsAuthentication : True
LiveIdAuthentication : False
AdfsAuthentication : False
OAuthAuthentication : False
ExternalAuthenticationMeth
Server : newexchange2016
Name : ecp (Default Web Site)
ExternalUrl : https://email.exchangedomain.com/ecp
InternalUrl : https://email.exchangedomain.com/ecp
InternalAuthenticationMeth
BasicAuthentication : True
WindowsAuthentication : True
DigestAuthentication : False
FormsAuthentication : False
LiveIdAuthentication : False
AdfsAuthentication : False
OAuthAuthentication : False
ExternalAuthenticationMeth
[PS] C:\Windows\system32>Get-Ou
Server : oldexchange2010
Name : Rpc (Default Web Site)
ExternalHostname : email.exchangedomain.com
InternalHostname :
ExternalClientAuthenticati
InternalClientAuthenticati
IISAuthenticationMethods : {Basic, Ntlm}
Server : newexchange2016
Name : Rpc (Default Web Site)
ExternalHostname : email.exchangedomain.com
InternalHostname : email.exchangedomain.com
ExternalClientAuthenticati
InternalClientAuthenticati
IISAuthenticationMethods : {Basic, Ntlm, Negotiate}
SOLUTION
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
ASKER
Hi Ronin,
I made the changes as you suggested.
I restarted the newexchange2016 server using IISRESET but I will have to wait to reset the oldexchange2010 server later tonight.
I will let you know if anything changes.
One question if you look at the MAPI configuration does it look correct?
thank you!
here is the updated output of the settings:
[PS] C:\Windows\system32>Get-Ou tlookAnywh ere | fl server, Name, *hostname*, *auth*
Server : oldexchange2010
Name : Rpc (Default Web Site)
ExternalHostname : email.exchangedomain.com
InternalHostname : email.exchangedomain.com
ExternalClientAuthenticati onMethod : Ntlm
InternalClientAuthenticati onMethod : Ntlm
IISAuthenticationMethods : {Basic, Ntlm}
Server : newexchange2016
Name : Rpc (Default Web Site)
ExternalHostname : email.exchangedomain.com
InternalHostname : email.exchangedomain.com
ExternalClientAuthenticati onMethod : Ntlm
InternalClientAuthenticati onMethod : Ntlm
IISAuthenticationMethods : {Basic, Ntlm, Negotiate}
[PS] C:\Windows\system32>iisres et
Attempting stop...
Internet services successfully stopped
Attempting start...
Internet services successfully restarted
[PS] C:\Windows\system32>Get-Oa bVirtualDi rectory | fl server, Name, ExternalURL, InternalURL, *auth*
Creating a new session for implicit remoting of "Get-OabVirtualDirectory" command...
Server : oldexchange2010
Name : OAB (Default Web Site)
ExternalUrl : https://email.exchangedomain.com/oab
InternalUrl : https://email.exchangedomain.com/oab
BasicAuthentication : False
WindowsAuthentication : True
OAuthAuthentication : False
InternalAuthenticationMeth ods : {WindowsIntegrated}
ExternalAuthenticationMeth ods : {WindowsIntegrated}
Server : newexchange2016
Name : OAB (Default Web Site)
ExternalUrl : https://email.exchangedomain.com/oab
InternalUrl : https://email.exchangedomain.com/oab
BasicAuthentication : False
WindowsAuthentication : True
OAuthAuthentication : True
InternalAuthenticationMeth ods : {WindowsIntegrated, OAuth}
ExternalAuthenticationMeth ods : {WindowsIntegrated, OAuth}
[PS] C:\Windows\system32>Get-We bServicesV irtualDire ctory | fl server, Name,ExternalURL, InternalURL, *auth*
Server : oldexchange2010
Name : EWS (Default Web Site)
ExternalUrl : https://email.exchangedomain.com/ews/exchange.asmx
InternalUrl : https://email.exchangedomain.com/ews/exchange.asmx
CertificateAuthentication :
InternalAuthenticationMeth ods : {Basic, Ntlm, WindowsIntegrated, WSSecurity}
ExternalAuthenticationMeth ods : {Basic, Ntlm, WindowsIntegrated, WSSecurity}
LiveIdNegotiateAuthenticat ion :
WSSecurityAuthentication : True
LiveIdBasicAuthentication : False
BasicAuthentication : True
DigestAuthentication : False
WindowsAuthentication : True
OAuthAuthentication : False
AdfsAuthentication : False
Server : newexchange2016
Name : EWS (Default Web Site)
ExternalUrl : https://email.exchangedomain.com/EWS/Exchange.asmx
InternalUrl : https://email.exchangedomain.com/EWS/Exchange.asmx
CertificateAuthentication :
InternalAuthenticationMeth ods : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}
ExternalAuthenticationMeth ods : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}
LiveIdNegotiateAuthenticat ion :
WSSecurityAuthentication : True
LiveIdBasicAuthentication : False
BasicAuthentication : True
DigestAuthentication : False
WindowsAuthentication : True
OAuthAuthentication : True
AdfsAuthentication : False
[PS] C:\Windows\system32>Get-Ec pVirtualDi rectory | fl server, Name, ExternalURL, InternalURL, *auth*
Server : oldexchange2010
Name : ecp (Default Web Site)
ExternalUrl : https://email.exchangedomain.com/ecp
InternalUrl : https://email.exchangedomain.com/ecp
InternalAuthenticationMeth ods : {Basic, Fba, Ntlm, WindowsIntegrated}
BasicAuthentication : True
WindowsAuthentication : True
DigestAuthentication : False
FormsAuthentication : True
LiveIdAuthentication : False
AdfsAuthentication : False
OAuthAuthentication : False
ExternalAuthenticationMeth ods : {Fba}
Server : newexchange2016
Name : ecp (Default Web Site)
ExternalUrl : https://email.exchangedomain.com/ecp
InternalUrl : https://email.exchangedomain.com/ecp
InternalAuthenticationMeth ods : {Basic, Ntlm, WindowsIntegrated}
BasicAuthentication : True
WindowsAuthentication : True
DigestAuthentication : False
FormsAuthentication : False
LiveIdAuthentication : False
AdfsAuthentication : False
OAuthAuthentication : False
ExternalAuthenticationMeth ods : {Fba}
[PS] C:\Windows\system32>Get-Ac tiveSyncVi rtualDirec tory | fl server, Name, ExternalURL, InternalURL, *auth*
Server : oldexchange2010
Name : Microsoft-Server-ActiveSyn c (Default Web Site)
ExternalUrl : https://email.exchangedomain.com/Microsoft-Server-ActiveSync
InternalUrl : https://email.exchangedomain.com/Microsoft-Server-ActiveSync
MobileClientCertificateAut horityURL :
BasicAuthEnabled : True
WindowsAuthEnabled : False
ClientCertAuth : Ignore
InternalAuthenticationMeth ods : {}
ExternalAuthenticationMeth ods : {}
Server : newexchange2016
Name : Microsoft-Server-ActiveSyn c (Default Web Site)
ExternalUrl : https://email.exchangedomain.com/Microsoft-Server-ActiveSync
InternalUrl : https://email.exchangedomain.com/Microsoft-Server-ActiveSync
MobileClientCertificateAut horityURL :
BasicAuthEnabled : True
WindowsAuthEnabled : False
ClientCertAuth : Ignore
InternalAuthenticationMeth ods : {}
ExternalAuthenticationMeth ods : {}
[PS] C:\Windows\system32>Get-Ou tlookAnywh ere | fl server, Name, *hostname*, *auth*
Server : oldexchange2010
Name : Rpc (Default Web Site)
ExternalHostname : email.exchangedomain.com
InternalHostname : email.exchangedomain.com
ExternalClientAuthenticati onMethod : Ntlm
InternalClientAuthenticati onMethod : Ntlm
IISAuthenticationMethods : {Basic, Ntlm}
Server : newexchange2016
Name : Rpc (Default Web Site)
ExternalHostname : email.exchangedomain.com
InternalHostname : email.exchangedomain.com
ExternalClientAuthenticati onMethod : Ntlm
InternalClientAuthenticati onMethod : Ntlm
IISAuthenticationMethods : {Basic, Ntlm, Negotiate}
[PS] C:\Windows\system32>Get-Ow aVirtualDi rectory | fl server, Name, ExternalURL, InternalURL, *auth*
Server : oldexchange2010
Name : owa (Default Web Site)
ExternalUrl : https://email.exchangedomain.com/owa
InternalUrl : https://email.exchangedomain.com/owa
ClientAuthCleanupLevel : High
InternalAuthenticationMeth ods : {Basic, Fba, Ntlm, WindowsIntegrated}
BasicAuthentication : True
WindowsAuthentication : True
DigestAuthentication : False
FormsAuthentication : True
LiveIdAuthentication : False
AdfsAuthentication : False
OAuthAuthentication : False
ExternalAuthenticationMeth ods : {Fba}
Server : newexchange2016
Name : owa (Default Web Site)
ExternalUrl : https://email.exchangedomain.com/owa
InternalUrl : https://email.exchangedomain.com/owa
ClientAuthCleanupLevel : High
InternalAuthenticationMeth ods : {Basic, Ntlm, WindowsIntegrated}
BasicAuthentication : True
WindowsAuthentication : True
DigestAuthentication : False
FormsAuthentication : False
LiveIdAuthentication : False
AdfsAuthentication : False
OAuthAuthentication : False
ExternalAuthenticationMeth ods : {Fba}
[PS] C:\Windows\system32>Get-Cl ientAccess Service | fl Name,OutlookAnywhereEnable d, AutodiscoverServiceInterna lUri
Name : oldexchange2010
OutlookAnywhereEnabled : True
AutoDiscoverServiceInterna lUri : https://autodiscover.exchangedomain.com/autodiscover/autodiscover.xml
Name : newexchange2016
OutlookAnywhereEnabled : True
AutoDiscoverServiceInterna lUri : https://autodiscover.exchangedomain.com/Autodiscover/Autodiscover.xml
[PS] C:\Windows\system32>Get-Ex changeCert ificate | fl FriendlyName, Subject, CertificateDomains, Thumbprint, Services, Issuer, *not*
FriendlyName : Microsoft Exchange Server Auth Certificate
Subject : CN=Microsoft Exchange Server Auth Certificate
CertificateDomains : {}
Thumbprint : 04B79D039EB22DC10D29EC62E4 A388EE0BC1 273D
Services : SMTP
Issuer : CN=Microsoft Exchange Server Auth Certificate
NotAfter : 10/21/2022 4:42:32 PM
NotBefore : 11/16/2017 3:42:32 PM
FriendlyName : Microsoft Exchange
Subject : CN=newexchange2016
CertificateDomains : {newexchange2016, newexchange2016.domain.loc al}
Thumbprint : B60400957B0E81511342584A45 A7BDA89E0C 8DCF
Services : IIS, SMTP
Issuer : CN=newexchange2016
NotAfter : 11/16/2022 3:40:35 PM
NotBefore : 11/16/2017 3:40:35 PM
FriendlyName : WMSVC-SHA2
Subject : CN=WMSvc-SHA2-newexchange2 016
CertificateDomains : {WMSvc-SHA2-newexchange201 6}
Thumbprint : 30E68C217E127F25F206A15D57 1845B6212B C156
Services : None
Issuer : CN=WMSvc-SHA2-newexchange2 016
NotAfter : 6/26/2027 4:52:06 PM
NotBefore : 6/28/2017 4:52:06 PM
FriendlyName : LBS2015-18
Subject : CN=email.exchangedomain.co m, OU=Domain Control Validated
CertificateDomains : {email.exchangedomain.com, www.email.exchangedomain.com, newexchange2016.exchangedo main.com, lbsdomsrv12.exchangedomain .com, lbsadm4.exchangedomain.com , autodiscover.exchangedomai n.com,
lbsosxsrv1.exchangedomain. com, oldexchange2010.exchangedo main.com, lbscl4.exchangedomain.com, lbsts1.exchangedomain.com, lbsdom1.exchangedomain.com , lbsls5.exchangedomain.com,
lbsstweb1.exchangedomain.c om, smtp.exchangedomain.com, moodle.exchangedomain.com}
Thumbprint : 7036FF3E472362105976F7A3FE 087172067B 9836
Services : IMAP, POP, IIS, SMTP
Issuer : CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
NotAfter : 8/29/2018 1:39:50 PM
NotBefore : 8/24/2015 9:10:40 AM
[PS] C:\Windows\system32>Get-Ma piVirtualD irectory | fl server, Name,ExternalURL,InternalU RL, *auth*
Server : newexchange2016
Name : mapi (Default Web Site)
ExternalUrl : https://email.exchangedomain.com/mapi
InternalUrl : https://email.exchangedomain.com/mapi
IISAuthenticationMethods : {Ntlm, OAuth, Negotiate}
InternalAuthenticationMeth ods : {Ntlm, OAuth, Negotiate}
ExternalAuthenticationMeth ods : {Ntlm, OAuth, Negotiate}
[PS] C:\Windows\system32>Get-Cl ientAccess Array | fl
[PS] C:\Windows\system32>Get-Ou tlookProvi der
Name Server CertPrincipalName TTL
---- ------ ----------------- ---
EXCH 1
EXPR msstd:exchangedomain.com 1
WEB 1
I made the changes as you suggested.
I restarted the newexchange2016 server using IISRESET but I will have to wait to reset the oldexchange2010 server later tonight.
I will let you know if anything changes.
One question if you look at the MAPI configuration does it look correct?
thank you!
here is the updated output of the settings:
[PS] C:\Windows\system32>Get-Ou
Server : oldexchange2010
Name : Rpc (Default Web Site)
ExternalHostname : email.exchangedomain.com
InternalHostname : email.exchangedomain.com
ExternalClientAuthenticati
InternalClientAuthenticati
IISAuthenticationMethods : {Basic, Ntlm}
Server : newexchange2016
Name : Rpc (Default Web Site)
ExternalHostname : email.exchangedomain.com
InternalHostname : email.exchangedomain.com
ExternalClientAuthenticati
InternalClientAuthenticati
IISAuthenticationMethods : {Basic, Ntlm, Negotiate}
[PS] C:\Windows\system32>iisres
Attempting stop...
Internet services successfully stopped
Attempting start...
Internet services successfully restarted
[PS] C:\Windows\system32>Get-Oa
Creating a new session for implicit remoting of "Get-OabVirtualDirectory" command...
Server : oldexchange2010
Name : OAB (Default Web Site)
ExternalUrl : https://email.exchangedomain.com/oab
InternalUrl : https://email.exchangedomain.com/oab
BasicAuthentication : False
WindowsAuthentication : True
OAuthAuthentication : False
InternalAuthenticationMeth
ExternalAuthenticationMeth
Server : newexchange2016
Name : OAB (Default Web Site)
ExternalUrl : https://email.exchangedomain.com/oab
InternalUrl : https://email.exchangedomain.com/oab
BasicAuthentication : False
WindowsAuthentication : True
OAuthAuthentication : True
InternalAuthenticationMeth
ExternalAuthenticationMeth
[PS] C:\Windows\system32>Get-We
Server : oldexchange2010
Name : EWS (Default Web Site)
ExternalUrl : https://email.exchangedomain.com/ews/exchange.asmx
InternalUrl : https://email.exchangedomain.com/ews/exchange.asmx
CertificateAuthentication :
InternalAuthenticationMeth
ExternalAuthenticationMeth
LiveIdNegotiateAuthenticat
WSSecurityAuthentication : True
LiveIdBasicAuthentication : False
BasicAuthentication : True
DigestAuthentication : False
WindowsAuthentication : True
OAuthAuthentication : False
AdfsAuthentication : False
Server : newexchange2016
Name : EWS (Default Web Site)
ExternalUrl : https://email.exchangedomain.com/EWS/Exchange.asmx
InternalUrl : https://email.exchangedomain.com/EWS/Exchange.asmx
CertificateAuthentication :
InternalAuthenticationMeth
ExternalAuthenticationMeth
LiveIdNegotiateAuthenticat
WSSecurityAuthentication : True
LiveIdBasicAuthentication : False
BasicAuthentication : True
DigestAuthentication : False
WindowsAuthentication : True
OAuthAuthentication : True
AdfsAuthentication : False
[PS] C:\Windows\system32>Get-Ec
Server : oldexchange2010
Name : ecp (Default Web Site)
ExternalUrl : https://email.exchangedomain.com/ecp
InternalUrl : https://email.exchangedomain.com/ecp
InternalAuthenticationMeth
BasicAuthentication : True
WindowsAuthentication : True
DigestAuthentication : False
FormsAuthentication : True
LiveIdAuthentication : False
AdfsAuthentication : False
OAuthAuthentication : False
ExternalAuthenticationMeth
Server : newexchange2016
Name : ecp (Default Web Site)
ExternalUrl : https://email.exchangedomain.com/ecp
InternalUrl : https://email.exchangedomain.com/ecp
InternalAuthenticationMeth
BasicAuthentication : True
WindowsAuthentication : True
DigestAuthentication : False
FormsAuthentication : False
LiveIdAuthentication : False
AdfsAuthentication : False
OAuthAuthentication : False
ExternalAuthenticationMeth
[PS] C:\Windows\system32>Get-Ac
Server : oldexchange2010
Name : Microsoft-Server-ActiveSyn
ExternalUrl : https://email.exchangedomain.com/Microsoft-Server-ActiveSync
InternalUrl : https://email.exchangedomain.com/Microsoft-Server-ActiveSync
MobileClientCertificateAut
BasicAuthEnabled : True
WindowsAuthEnabled : False
ClientCertAuth : Ignore
InternalAuthenticationMeth
ExternalAuthenticationMeth
Server : newexchange2016
Name : Microsoft-Server-ActiveSyn
ExternalUrl : https://email.exchangedomain.com/Microsoft-Server-ActiveSync
InternalUrl : https://email.exchangedomain.com/Microsoft-Server-ActiveSync
MobileClientCertificateAut
BasicAuthEnabled : True
WindowsAuthEnabled : False
ClientCertAuth : Ignore
InternalAuthenticationMeth
ExternalAuthenticationMeth
[PS] C:\Windows\system32>Get-Ou
Server : oldexchange2010
Name : Rpc (Default Web Site)
ExternalHostname : email.exchangedomain.com
InternalHostname : email.exchangedomain.com
ExternalClientAuthenticati
InternalClientAuthenticati
IISAuthenticationMethods : {Basic, Ntlm}
Server : newexchange2016
Name : Rpc (Default Web Site)
ExternalHostname : email.exchangedomain.com
InternalHostname : email.exchangedomain.com
ExternalClientAuthenticati
InternalClientAuthenticati
IISAuthenticationMethods : {Basic, Ntlm, Negotiate}
[PS] C:\Windows\system32>Get-Ow
Server : oldexchange2010
Name : owa (Default Web Site)
ExternalUrl : https://email.exchangedomain.com/owa
InternalUrl : https://email.exchangedomain.com/owa
ClientAuthCleanupLevel : High
InternalAuthenticationMeth
BasicAuthentication : True
WindowsAuthentication : True
DigestAuthentication : False
FormsAuthentication : True
LiveIdAuthentication : False
AdfsAuthentication : False
OAuthAuthentication : False
ExternalAuthenticationMeth
Server : newexchange2016
Name : owa (Default Web Site)
ExternalUrl : https://email.exchangedomain.com/owa
InternalUrl : https://email.exchangedomain.com/owa
ClientAuthCleanupLevel : High
InternalAuthenticationMeth
BasicAuthentication : True
WindowsAuthentication : True
DigestAuthentication : False
FormsAuthentication : False
LiveIdAuthentication : False
AdfsAuthentication : False
OAuthAuthentication : False
ExternalAuthenticationMeth
[PS] C:\Windows\system32>Get-Cl
Name : oldexchange2010
OutlookAnywhereEnabled : True
AutoDiscoverServiceInterna
Name : newexchange2016
OutlookAnywhereEnabled : True
AutoDiscoverServiceInterna
[PS] C:\Windows\system32>Get-Ex
FriendlyName : Microsoft Exchange Server Auth Certificate
Subject : CN=Microsoft Exchange Server Auth Certificate
CertificateDomains : {}
Thumbprint : 04B79D039EB22DC10D29EC62E4
Services : SMTP
Issuer : CN=Microsoft Exchange Server Auth Certificate
NotAfter : 10/21/2022 4:42:32 PM
NotBefore : 11/16/2017 3:42:32 PM
FriendlyName : Microsoft Exchange
Subject : CN=newexchange2016
CertificateDomains : {newexchange2016, newexchange2016.domain.loc
Thumbprint : B60400957B0E81511342584A45
Services : IIS, SMTP
Issuer : CN=newexchange2016
NotAfter : 11/16/2022 3:40:35 PM
NotBefore : 11/16/2017 3:40:35 PM
FriendlyName : WMSVC-SHA2
Subject : CN=WMSvc-SHA2-newexchange2
CertificateDomains : {WMSvc-SHA2-newexchange201
Thumbprint : 30E68C217E127F25F206A15D57
Services : None
Issuer : CN=WMSvc-SHA2-newexchange2
NotAfter : 6/26/2027 4:52:06 PM
NotBefore : 6/28/2017 4:52:06 PM
FriendlyName : LBS2015-18
Subject : CN=email.exchangedomain.co
CertificateDomains : {email.exchangedomain.com,
lbsosxsrv1.exchangedomain.
lbsstweb1.exchangedomain.c
Thumbprint : 7036FF3E472362105976F7A3FE
Services : IMAP, POP, IIS, SMTP
Issuer : CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
NotAfter : 8/29/2018 1:39:50 PM
NotBefore : 8/24/2015 9:10:40 AM
[PS] C:\Windows\system32>Get-Ma
Server : newexchange2016
Name : mapi (Default Web Site)
ExternalUrl : https://email.exchangedomain.com/mapi
InternalUrl : https://email.exchangedomain.com/mapi
IISAuthenticationMethods : {Ntlm, OAuth, Negotiate}
InternalAuthenticationMeth
ExternalAuthenticationMeth
[PS] C:\Windows\system32>Get-Cl
[PS] C:\Windows\system32>Get-Ou
Name Server CertPrincipalName TTL
---- ------ ----------------- ---
EXCH 1
EXPR msstd:exchangedomain.com 1
WEB 1
MAPI config is correct, validate it turned on:
Get-OrganizationConfig | fl *MapiHttpEnabled*
Also, try to remove the Outlook EXPR provider:Set-OutlookProvider EXPR -CertPrincipalName $null
ASKER
Hi Ronin,
I had restarted the oldexchange2010 server after making all the URL changes and tried to connect outlook 2016, unfortunately the same problem continues.
the MAPI test returns as MapiHttpEnabled : True (I checked and the user has Mapi enabled as well)
I did apply the set-outlookProvider as you listed and restarted the newexchange2016 server.
Unfortunately no change.
Let me know if you have any other suggestions.
Thank you!
I had restarted the oldexchange2010 server after making all the URL changes and tried to connect outlook 2016, unfortunately the same problem continues.
the MAPI test returns as MapiHttpEnabled : True (I checked and the user has Mapi enabled as well)
I did apply the set-outlookProvider as you listed and restarted the newexchange2016 server.
Unfortunately no change.
Let me know if you have any other suggestions.
Thank you!
ASKER
It's quite an interesting issue, really ...
Can you please post the results of: (as with every other Exchange-related command, run it on the highest Exchange version available, e.g Exchange 2016)
Can you please post the results of: (as with every other Exchange-related command, run it on the highest Exchange version available, e.g Exchange 2016)
Get-OrganizationConfig | fl
ASKER
Yes it is quite a interesting issue,
At this point I am testing anything and everything.
here is the output:
I am considering to remove all the originally created certificates and only keep the purchased one from trusted authority.
any thoughts on that?
Thank you.
At this point I am testing anything and everything.
here is the output:
[PS] C:\Windows\system32>Get-OrganizationConfig | fl
Creating a new session for implicit remoting of "Get-OrganizationConfig" command...
RunspaceId : c7cfbd22-596d-4da1-a60e-98a1ae5c6cfa
OrganizationId :
Name : ADdomain
Identity : ADdomain
Guid : ed3b6725-065c-4085-acd3-1564ba767c1e
ObjectVersion : 16213
DefaultPublicFolderAgeLimit :
DefaultPublicFolderIssueWarningQuota : Unlimited
DefaultPublicFolderProhibitPostQuota : Unlimited
DefaultPublicFolderMaxItemSize : Unlimited
DefaultPublicFolderDeletedItemRetention : 30.00:00:00
DefaultPublicFolderMovedItemRetention : 7.00:00:00
PublicFoldersLockedForMigration : False
PublicFolderMigrationComplete : False
PublicFolderMailboxesLockedForNewConnections : False
PublicFolderMailboxesMigrationComplete : False
PublicFoldersEnabled : Local
ActivityBasedAuthenticationTimeoutEnabled : True
ActivityBasedAuthenticationTimeoutInterval : 06:00:00
ActivityBasedAuthenticationTimeoutWithSingleSignOnEnabled : True
AppsForOfficeEnabled : True
AVAuthenticationService :
CustomerFeedbackEnabled :
DistributionGroupDefaultOU :
DistributionGroupNameBlockedWordsList : {}
DistributionGroupNamingPolicy :
EwsAllowEntourage :
EwsAllowList :
EwsAllowMacOutlook :
EwsAllowOutlook :
EwsApplicationAccessPolicy :
EwsBlockList :
EwsEnabled :
ElcProcessingDisabled : False
AutoExpandingArchiveEnabled : False
ExchangeNotificationEnabled : True
ExchangeNotificationRecipients : {}
HierarchicalAddressBookRoot :
Industry : NotSpecified
MailTipsAllTipsEnabled : True
MailTipsExternalRecipientsTipsEnabled : False
MailTipsGroupMetricsEnabled : True
MailTipsLargeAudienceThreshold : 25
MailTipsMailboxSourcedTipsEnabled : True
ManagedFolderHomepage :
MicrosoftExchangeRecipientEmailAddresses : {SMTP:MicrosoftExchange329e71ec88ae4615bbc36ab6ce41109e@lag
unablanca.org, smtp:MicrosoftExchange329e71ec88ae4615bbc36a
b6ce41109e@addomain.local, X400:C=us;A= ;P=ADdomain;O=Exchange;S=Micros
oftExchange329e71ec88ae4615bbc36ab;}
MicrosoftExchangeRecipientEmailAddressPolicyEnabled : True
MicrosoftExchangeRecipientPrimarySmtpAddress : MicrosoftExchange329e71ec88ae4615bbc36ab6ce41109e@lagunabla
nca.org
MicrosoftExchangeRecipientReplyRecipient :
ForwardSyncLiveIdBusinessInstance : False
OrganizationSummary : {TotalRecipients,958,False,
TotalDistributionGroups,50,False,
TotalMailboxes,428,False, TotalOWAUser,428,False,
TotalActiveSyncUser,429,False, StandardCALs,428,False,
TotalMailUsers,459,False, TotalCALMailboxes,428,False,
TotalMAPIUser,429,False, TotalPOP3User,396,False,
TotalIMAP4User,396,False, UpdateDate,12/6/2010 9:05:26
PM,False, TotalDynamicDistributionGroups,0,False,
EnterpriseCALs,0,False, Total2003ExchangeServers,0,False,
TotalExchangeServers,1,False...}
ReadTrackingEnabled : False
SCLJunkThreshold : 5
SIPAccessService :
SIPSessionBorderController :
MaxConcurrentMigrations : Unlimited
MaxAddressBookPolicies :
MaxOfflineAddressBooks :
IsExcludedFromOnboardMigration : False
IsExcludedFromOffboardMigration : False
IsFfoMigrationInProgress : False
IsProcessEhaMigratedMessagesEnabled : False
TenantRelocationsAllowed : False
ACLableSyncedObjectEnabled : False
PreferredInternetCodePageForShiftJis : 0
RequiredCharsetCoverage : 100
ByteEncoderTypeFor7BitCharsets : 0
PublicComputersDetectionEnabled : False
RmsoSubscriptionStatus : Unknown
IntuneManagedStatus : False
AzurePremiumSubscriptionStatus : False
HybridConfigurationStatus : Unknown
ReleaseTrack :
CompassEnabled :
SharePointUrl :
MapiHttpEnabled : True
RealTimeLogServiceEnabled : False
CustomerLockboxEnabled : False
OAuth2ClientProfileEnabled : False
LinkPreviewEnabled : True
ConnectorsEnabled : True
ConnectorsActionableMessagesEnabled : True
SmtpActionableMessagesEnabled : True
OfficeGraphActivitySharingOrgOptout : False
UnblockUnsafeSenderPromptEnabled : True
AsyncSendEnabled : True
RefreshSessionEnabled : False
IsAgendaMailEnabled : True
NetworkThrottlingConfiguration :
OrganizationConfigHash :
LegacyExchangeDN : /o=ADdomain
DisplayName :
Heuristics : None
ResourceAddressLists : {\All Rooms}
IsMixedMode : False
PreviousAdminDisplayVersion : 0.10 (14.0.100.0)
IsAddressListPagingEnabled : False
ForeignForestFQDN : {}
ForeignForestOrgAdminUSGSid :
ForeignForestRecipientAdminUSGSid :
ForeignForestViewOnlyAdminUSGSid :
MimeTypes : {text/html;htm, text/html;html, text/plain;txt,
text/css;css, text/iuls;uls, text/scriptlet;wsc,
text/webviewhtml;htt, text/x-component;htc,
text/x-vcard;vcf, text/xml;xml, image/gif;gif,
image/jpeg;jpg, image/x-xbitmap;xbm, image/bmp;bmp,
image/pjpeg;jpg, image/png;png...}
IsLicensingEnforced : False
IsTenantAccessBlocked : False
IsTenantInGracePeriod : False
IsDehydrated : False
IsGuidPrefixedLegacyDnDisabled : False
IsMailboxForcedReplicationDisabled : False
RBACConfigurationVersion : 0.1 (15.1.845.34)
RootPublicFolderMailbox :
RemotePublicFolderMailboxes : {}
AdminDisplayVersion : 0.20 (15.1.0.0)
IsUpgradingOrganization : False
IsUpdatingServicePlan : False
ServicePlan :
TargetServicePlan :
WACDiscoveryEndpoint :
UMAvailableLanguages : {}
AdfsAuthenticationConfiguration :
AdfsIssuer :
AdfsAudienceUris : {}
AdfsSignCertificateThumbprints : {}
AdfsEncryptCertificateThumbprint :
SiteMailboxCreationURL :
DefaultDataEncryptionPolicy :
DefaultAuthenticationPolicy :
AllowedMailboxRegions : {}
DefaultMailboxRegion :
DefaultMailboxRegionLastUpdateTime :
AllowToAddGuests : True
GuestsEnabled : True
GroupsCreationEnabled : True
HiddenMembershipGroupsCreationEnabled : False
GroupsCreationWhitelistedId :
GroupsUsageGuidelinesLink :
DataClassifications :
InPlaceHolds : {}
ServiceInstanceMove :
GuestsUsageGuidelinesLink :
FocusedInboxOn :
FocusedInboxOnLastUpdateTime : 1/1/0001 12:00:00 AM
IsValid : True
ExchangeVersion : 0.0 (6.5.6500.0)
DistinguishedName : CN=ADdomain,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=lbs,DC=lan
ObjectCategory : addomain.local/Configuration/Schema/ms-Exch-Organization-Container
ObjectClass : {top, container, msExchOrganizationContainer}
WhenChanged : 11/25/2017 4:26:11 PM
WhenCreated : 11/21/2001 9:02:50 AM
WhenChangedUTC : 11/26/2017 12:26:11 AM
WhenCreatedUTC : 11/21/2001 5:02:50 PM
Id : ADdomain
OriginatingServer : adsrv1.addomain.local
ObjectState : Unchanged
I am considering to remove all the originally created certificates and only keep the purchased one from trusted authority.
any thoughts on that?
Thank you.
According to the output, you have issues with both Outlook Anywhere on Exchange 2016 as well as MAPI.
What's the status of the firewall on the server? Are you sure there's nothing on the way that MIGHT potentially filter and augment traffic to port 443?
From the internet, you saying it works, to which IP the firewalls forwards the 443 traffic destined to Exchange?
What's the status of the firewall on the server? Are you sure there's nothing on the way that MIGHT potentially filter and augment traffic to port 443?
From the internet, you saying it works, to which IP the firewalls forwards the 443 traffic destined to Exchange?
ASKER CERTIFIED SOLUTION
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
ASKER
Hi Ronin,
another update.
I decided to test the outlook configuration from behind the firewall with only NTLM provider enabled on the MAPI folder in IIS.
And I found out that the outlook wizard will complete successfully with only one extra step when I was prompted to enter user credentials in a format domain\user.
After that outlook was working as normal.
OK I think I can close this ticket.
Thank you again for your help.
I am not sure how to assign the points now since I was able to find a solution myself.
I would definitely like to give some points to Ronin for all the good suggestions for me to test.
thank you again!
another update.
I decided to test the outlook configuration from behind the firewall with only NTLM provider enabled on the MAPI folder in IIS.
And I found out that the outlook wizard will complete successfully with only one extra step when I was prompted to enter user credentials in a format domain\user.
After that outlook was working as normal.
OK I think I can close this ticket.
Thank you again for your help.
I am not sure how to assign the points now since I was able to find a solution myself.
I would definitely like to give some points to Ronin for all the good suggestions for me to test.
thank you again!
In general, there's no need to perform any changes to the IIS, using the IIS manager snap-in, all the required adjustment should have been done using EMS. Highly likely those issues have been caused by performing it manually which conflicts with the settings in AD.
ASKER
Hi Ronin,
yes I agree I am not sure why I had to do that.
Unfortunately the problem seems to return.
The Microsoft test now passes and the outlook configuration wizard completes correctly.
Outlook will start and create cache as expected on the first run.
If I close outlook and re-open it the user credentials prompt returns and will never accept the correct credentials in any format.
I am not sure what to test next.
The only reliable option is to disable MAPI using registry key but I don't want to do that.
Thank you for any additional help.
yes I agree I am not sure why I had to do that.
Unfortunately the problem seems to return.
The Microsoft test now passes and the outlook configuration wizard completes correctly.
Outlook will start and create cache as expected on the first run.
If I close outlook and re-open it the user credentials prompt returns and will never accept the correct credentials in any format.
I am not sure what to test next.
The only reliable option is to disable MAPI using registry key but I don't want to do that.
Thank you for any additional help.
Could you please provide more information for the regkey change?
Where have you done it?
Where have you done it?
ASKER
It is on the end user computer:
Key: HKEY_CURRENT_USER\Software \Microsoft \Exchange
DWORD: MapiHttpDisabled
Value: 1
I removed it after I verified that it would be a solution if I didn't want to use MAPI.
But I do need to be able to use MAPI so disabling it is not a real solution it is just a temporary fix.
Key: HKEY_CURRENT_USER\Software
DWORD: MapiHttpDisabled
Value: 1
I removed it after I verified that it would be a solution if I didn't want to use MAPI.
But I do need to be able to use MAPI so disabling it is not a real solution it is just a temporary fix.
In order to go back to the original state, you can remove and recreate virtual directories on Exchange 2016, it will reset everything to default state, like it was just after you completed the install.
ASKER
I performed the reset using EAC.
After the reset it automatically adds NTLM, Negotiate option in the authentication.
1. Using EAC I added the correct URL since it wasn't set after the reset. (Authentication left as default)
IISRESET
MS connection test and outlook setup wizard will fail.
2. with the correct URLs entered in step one I removed negotiate option in authentication.
IISRESET
MS connection test and outlook setup wizard are successful
Outlook will start and function as expected on the first run.
If I close outlook and reopen it I will get prompted to enter user credentials which will fail (tried domain\user and user@domain) no luck
After the reset it automatically adds NTLM, Negotiate option in the authentication.
1. Using EAC I added the correct URL since it wasn't set after the reset. (Authentication left as default)
IISRESET
MS connection test and outlook setup wizard will fail.
2. with the correct URLs entered in step one I removed negotiate option in authentication.
IISRESET
MS connection test and outlook setup wizard are successful
Outlook will start and function as expected on the first run.
If I close outlook and reopen it I will get prompted to enter user credentials which will fail (tried domain\user and user@domain) no luck
Follow this process on how to reset VDirs on Exchange 2016 using PS.
https://technet.microsoft.com/en-us/library/ff629372(v=exchg.141).aspx
Use EMS from 2016.
You might need to do it for both servers.
https://technet.microsoft.com/en-us/library/ff629372(v=exchg.141).aspx
Use EMS from 2016.
You might need to do it for both servers.
ASKER
Hi Ronin,
I recreated the mapi virtual directory using EMS and set the permissions back.
with some additional testing I discovered that in outlook account profile if I turn off the "use Cached Exchange Mode" then outlook communication using mapi will work correctly.
Let me know if that would indicate something that can be corrected.
Thank you!
I recreated the mapi virtual directory using EMS and set the permissions back.
Remove-MapiVirtualDirectory -Identity "newexchange2016\mapi (Default Web Site)"
New-MapiVirtualDirectory -InternalUrl https://email.exchangedomain.com/mapi -IISAuthenticationMethods NTLM
Set-MapiVirtualDirectory -Identity "newexchnage2016\mapi (Default Web site)" -InternalURL “https://email.exchangedomain.com/mapi” -ExternalURL https://email.exchangedomain.com/mapi -IISAuthenticationMethods NTLM
unfortunately no change.with some additional testing I discovered that in outlook account profile if I turn off the "use Cached Exchange Mode" then outlook communication using mapi will work correctly.
Let me know if that would indicate something that can be corrected.
Thank you!
Can you try recreating and RPC vdir as well?
Have you done this on both servers?
Have you done this on both servers?
ASKER
Hi Ronin,
I am not sure how would I do that.
there is no command to recreate the RPC directory in EMS or using EAC.
I had seen some discussion on uninstalling RPC over HTTP but it didn't seem to work.
Thank you!
I am not sure how would I do that.
there is no command to recreate the RPC directory in EMS or using EAC.
I had seen some discussion on uninstalling RPC over HTTP but it didn't seem to work.
Thank you!
oops, sorry about that.
Perhaps I should have asked if you tried to remove and recreate ALL vdirs on both servers?
Perhaps I should have asked if you tried to remove and recreate ALL vdirs on both servers?
ASKER
Hi Ronin,
As I was continuing with the reset of all the virtual directories on the new exchange 2016 I took a break and did some more search on google.
And I came across this link which had similar problem:
https://social.technet.microsoft.com/Forums/ie/en-US/e6b932b0-f5a5-4b22-914c-ca421f4b32fa/mapi-over-http-not-working-correctly-outlook-2013-clients-prompting-for-credentials-during-profile?forum=exchangesvrclients
The solution is in addition to the change I made to the MAPI folder to only have NTLM as the authentication method.
I had to remove negotiate provider on the Autodiscover and EWS folders under the Windows Authentication.
Outlook is now working using MAPI internally and externally as well as with or without cached mode.
Since I had to do this in IIS I will keep a documentation on the changes for the future since I have a feeling with the next CU release this will get reset.
Thank you again for your help!
As I was continuing with the reset of all the virtual directories on the new exchange 2016 I took a break and did some more search on google.
And I came across this link which had similar problem:
https://social.technet.microsoft.com/Forums/ie/en-US/e6b932b0-f5a5-4b22-914c-ca421f4b32fa/mapi-over-http-not-working-correctly-outlook-2013-clients-prompting-for-credentials-during-profile?forum=exchangesvrclients
The solution is in addition to the change I made to the MAPI folder to only have NTLM as the authentication method.
I had to remove negotiate provider on the Autodiscover and EWS folders under the Windows Authentication.
Outlook is now working using MAPI internally and externally as well as with or without cached mode.
Since I had to do this in IIS I will keep a documentation on the changes for the future since I have a feeling with the next CU release this will get reset.
Thank you again for your help!
Glad you got it resolved.
ASKER
I was able to find a solution by trial and error without direct recommendation from any other expert.
Are you trying to connect with users migrated from Exchange 2010 to Exchange 2016?
Try to connect with a user from Exchange 2016.
Cheers