Start Free Trial

asked on

outlook 2016 keeps asking to enter login credentials

Hello,

After setting up the new exchange server 2016 as a upgrade to the existing exchange server 2010 it looks as if it was success.

Using the owa web outlook I am able to send and receive emails internally and externally as well as work with all the other functions (this includes old user mailboxes as well as migrated and newly created mailboxes).

Unfortunately when I try to connect using outlook 2016 the process detects the logged in AD user correctly, but it will not accept the login credentials (I tried different users, different login options user@domain.com or domain\user with out any luck).

I check all the DNS configurations for autodiscover and MX records and restarted the server. Unfortunately that didn't help.
There is no AV installed on servers and no firewall or VLAN between the client computer.
I am able to configure the outlook 2016 if I am connecting externally or on local LAN if I disable MAPI in registry on the client computer.
The disabled MAPI in registry allows me to use the migrated user mailbox in outlook 2016, except not without requesting to enter user credentials which will fail. Outlook will continue to function normal if I cancel the login request.

Testing outlook connectivity on exchange server 2016 using "Test-OutlookConnectity" is successful after I adjusted LmcompatibilityLevel to 2 in registry and group policy.

Are there any other ideas on what else could be the problem?

Thank you!

here are some of the links I used to troubleshoot:
https://jhmeier.com/2016/03/14/exchange-2016-and-2010-coexistenceoutook-shows-login-promt/
https://technet.microsoft.com/en-us/library/cc960646.aspx?f=255&MSPPError=-2147217396
https://www.freeviewer.org/blog/how-to-enable-rpc-over-http-in-outlook-2016/
http://techgenix.com/migrating-small-organization-exchange-2010-exchange-2016-part1/

Hi,

Are you trying to connect with users migrated from Exchange 2010 to Exchange 2016?

Try to connect with a user from Exchange 2016.

Cheers

SOLUTION

Valentina Perez

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

ASKER

Hi Viktor,
thank you for responding,

I indicated in my original post that I only have a problem with migrated users to the new exchange server 2016 and with newly created users on the new exchange 2016 server.
Existing users on the exchange 2010 server are fine if I run the outlook 2016 connection wizard.

SOLUTION

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

ASKER

Hi Valentina,

thank you for responding,

I din't try different outlook version because I don't have one installed on test computers.
I can try it later but I need to be able to use outlook 2016 eventually. ( I tried outlook 2016 on different computers with all the updates installed)

ASKER

Hi Viktor,

yes DNS is configured to point to the new exchange server 2016 which is acting as a proxy server for the exchange 2010 server.
here is the reference I used: http://techgenix.com/migrating-small-organization-exchange-2010-exchange-2016-part1/

Hi,

Could you try to upgrade Outlook machine to the latest version?

https://support.office.com/en-us/article/Outlook-Updates-472c2322-23a4-4014-8f02-bbc09ad62213

https://support.office.com/en-us/article/Install-Office-updates-2ab296f3-7f03-43a2-8e50-46de917611c5

Cheers

ASKER

Hi Viktor,

Just verified and all patches are already installed.

Let's your existing virtual directories config in the environment:

et-OabVirtualDirectory | fl server, Name, ExternalURL, InternalURL, *auth*
Get-WebServicesVirtualDirectory | fl server, Name,ExternalURL, InternalURL, *auth*
Get-EcpVirtualDirectory | fl server, Name, ExternalURL, InternalURL, *auth*
Get-ActiveSyncVirtualDirectory | fl server, Name, ExternalURL, InternalURL, *auth*
Get-OutlookAnywhere | fl server, Name, *hostname*, *auth*
Get-OwaVirtualDirectory | fl server, Name, ExternalURL, InternalURL, *auth*
Get-ClientAccessService | fl Name,OutlookAnywhereEnabled, AutodiscoverServiceInternalUri
Get-ExchangeCertificate | fl FriendlyName, Subject, CertificateDomains, Thumbprint, Services, Issuer, *not*
Get-MapiVirtualDirectory | fl server, Name,ExternalURL,InternalURL, *auth*
Get-ClientAccessArray | fl
Get-OutlookProvider

Open in new window

Have you followed the Microsoft Exchange Server Deployment Assistant?

ASKER

Hi Ronin,

thank you for responding.
Here is the requested information (I replaced the domain and server names with a generic names):

[PS] C:\Windows\system32>Get-OabVirtualDirectory | fl server, Name, ExternalURL, InternalURL, *auth*

Server : oldexchange2010
Name : OAB (Default Web Site)
ExternalUrl :
InternalUrl : https://email.exchangedomain.com/oab
BasicAuthentication : False
WindowsAuthentication : True
OAuthAuthentication : False
InternalAuthenticationMethods : {WindowsIntegrated}
ExternalAuthenticationMethods : {WindowsIntegrated}

Server : newexchange16
Name : OAB (Default Web Site)
ExternalUrl : https://email.exchangedomain.com/oab
InternalUrl : https://email.exchangedomain.com/oab
BasicAuthentication : False
WindowsAuthentication : True
OAuthAuthentication : True
InternalAuthenticationMethods : {WindowsIntegrated, OAuth}
ExternalAuthenticationMethods : {WindowsIntegrated, OAuth}

[PS] C:\Windows\system32>Get-WebServicesVirtualDirectory | fl server, Name,ExternalURL, InternalURL, *auth*

Server : oldexchange2010
Name : EWS (Default Web Site)
ExternalUrl :
InternalUrl : https://email.exchangedomain.com/ews/exchange.asmx
CertificateAuthentication :
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity}
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity}
LiveIdNegotiateAuthentication :
WSSecurityAuthentication : True
LiveIdBasicAuthentication : False
BasicAuthentication : True
DigestAuthentication : False
WindowsAuthentication : True
OAuthAuthentication : False
AdfsAuthentication : False

Server : newexchange16
Name : EWS (Default Web Site)
ExternalUrl : https://email.exchangedomain.com/EWS/Exchange.asmx
InternalUrl : https://email.exchangedomain.com/EWS/Exchange.asmx
CertificateAuthentication :
InternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity, OAuth}
ExternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity, OAuth}
LiveIdNegotiateAuthentication :
WSSecurityAuthentication : True
LiveIdBasicAuthentication : False
BasicAuthentication : False
DigestAuthentication : False
WindowsAuthentication : True
OAuthAuthentication : True
AdfsAuthentication : False

[PS] C:\Windows\system32>Get-EcpVirtualDirectory | fl server, Name, ExternalURL, InternalURL, *auth*

Server : oldexchange2010
Name : ecp (Default Web Site)
ExternalUrl :
InternalUrl : https://email.exchangedomain.com/ecp
InternalAuthenticationMethods : {Basic, Fba, Ntlm, WindowsIntegrated}
BasicAuthentication : True
WindowsAuthentication : True
DigestAuthentication : False
FormsAuthentication : True
LiveIdAuthentication : False
AdfsAuthentication : False
OAuthAuthentication : False
ExternalAuthenticationMethods : {Fba}

Server : newexchange16
Name : ecp (Default Web Site)
ExternalUrl : https://email.exchangedomain.com/ecp
InternalUrl : https://email.exchangedomain.com/ecp
InternalAuthenticationMethods : {Basic, Fba}
BasicAuthentication : True
WindowsAuthentication : False
DigestAuthentication : False
FormsAuthentication : True
LiveIdAuthentication : False
AdfsAuthentication : False
OAuthAuthentication : False
ExternalAuthenticationMethods : {Fba}

[PS] C:\Windows\system32>Get-ActiveSyncVirtualDirectory | fl server, Name, ExternalURL, InternalURL, *auth*

Server : oldexchange2010
Name : Microsoft-Server-ActiveSync (Default Web Site)
ExternalUrl :
InternalUrl : https://email.exchangedomain.com/Microsoft-Server-ActiveSync
MobileClientCertificateAuthorityURL :
BasicAuthEnabled : True
WindowsAuthEnabled : False
ClientCertAuth : Ignore
InternalAuthenticationMethods : {}
ExternalAuthenticationMethods : {}

Server : newexchange16
Name : Microsoft-Server-ActiveSync (Default Web Site)
ExternalUrl : https://email.exchangedomain.com/Microsoft-Server-ActiveSync
InternalUrl : https://email.exchangedomain.com/Microsoft-Server-ActiveSync
MobileClientCertificateAuthorityURL :
BasicAuthEnabled : True
WindowsAuthEnabled : False
ClientCertAuth : Ignore
InternalAuthenticationMethods : {}
ExternalAuthenticationMethods : {}

[PS] C:\Windows\system32>Get-OutlookAnywhere | fl server, Name, *hostname*, *auth*

Server : oldexchange2010
Name : Rpc (Default Web Site)
ExternalHostname : email.exchangedomain.com
InternalHostname :
ExternalClientAuthenticationMethod : Ntlm
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods : {Ntlm}

Server : newexchange16
Name : Rpc (Default Web Site)
ExternalHostname : email.exchangedomain.com
InternalHostname : email.exchangedomain.com
ExternalClientAuthenticationMethod : Negotiate
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods : {Ntlm}

[PS] C:\Windows\system32>Get-OwaVirtualDirectory | fl server, Name, ExternalURL, InternalURL, *auth*

Server : oldexchange2010
Name : owa (Default Web Site)
ExternalUrl :
InternalUrl : https://email.exchangedomain.com/owa
ClientAuthCleanupLevel : High
InternalAuthenticationMethods : {Basic, Fba, Ntlm, WindowsIntegrated}
BasicAuthentication : True
WindowsAuthentication : True
DigestAuthentication : False
FormsAuthentication : True
LiveIdAuthentication : False
AdfsAuthentication : False
OAuthAuthentication : False
ExternalAuthenticationMethods : {Fba}

Server : newexchange16
Name : owa (Default Web Site)
ExternalUrl : https://email.exchangedomain.com/owa
InternalUrl : https://email.exchangedomain.com/owa
ClientAuthCleanupLevel : High
InternalAuthenticationMethods : {Basic, Fba}
BasicAuthentication : True
WindowsAuthentication : False
DigestAuthentication : False
FormsAuthentication : True
LiveIdAuthentication : False
AdfsAuthentication : False
OAuthAuthentication : False
ExternalAuthenticationMethods : {Fba}

[PS] C:\Windows\system32>Get-ClientAccessService | fl Name,OutlookAnywhereEnabled, AutodiscoverServiceInternalUri

Name : oldexchange2010
OutlookAnywhereEnabled : True
AutoDiscoverServiceInternalUri : https://autodiscover.exchangedomain.com/autodiscover/autodiscover.xml

Name : newexchange16
OutlookAnywhereEnabled : True
AutoDiscoverServiceInternalUri : https://autodiscover.exchangedomain.com/Autodiscover/Autodiscover.xml

[PS] C:\Windows\system32>Get-ExchangeCertificate | fl FriendlyName, Subject, CertificateDomains, Thumbprint, Services, Issuer, *not*

FriendlyName : Microsoft Exchange Server Auth Certificate
Subject : CN=Microsoft Exchange Server Auth Certificate
CertificateDomains : {}
Thumbprint : 04B79D039EB22DC10D29EC62E4A388EE0BC1273D
Services : SMTP
Issuer : CN=Microsoft Exchange Server Auth Certificate
NotAfter : 10/21/2022 4:42:32 PM
NotBefore : 11/16/2017 3:42:32 PM

FriendlyName : Microsoft Exchange
Subject : CN=newexchange16
CertificateDomains : {newexchange16, newexchange16.lbs.lan}
Thumbprint : B60400957B0E81511342584A45A7BDA89E0C8DCF
Services : IIS, SMTP
Issuer : CN=newexchange16
NotAfter : 11/16/2022 3:40:35 PM
NotBefore : 11/16/2017 3:40:35 PM

FriendlyName : WMSVC-SHA2
Subject : CN=WMSvc-SHA2-newexchange16
CertificateDomains : {WMSvc-SHA2-newexchange16}
Thumbprint : 30E68C217E127F25F206A15D571845B6212BC156
Services : None
Issuer : CN=WMSvc-SHA2-newexchange16
NotAfter : 6/26/2027 4:52:06 PM
NotBefore : 6/28/2017 4:52:06 PM

FriendlyName : LBS2015-18
Subject : CN=email.exchangedomain.com, OU=Domain Control Validated
CertificateDomains : {email.exchangedomain.com, www.email.exchangedomain.com, newexchange16.exchangedomain.com, lbsdomsrv12.exchangedomain.com, lbsadm4.exchangedomain.com, autodiscover.exchangedomain.com,
lbsosxsrv1.exchangedomain.com, oldexchange2010.exchangedomain.com, lbscl4.exchangedomain.com, lbsts1.exchangedomain.com, lbsdom1.exchangedomain.com, lbsls5.exchangedomain.com,
lbsstweb1.exchangedomain.com, smtp.exchangedomain.com, moodle.exchangedomain.com}
Thumbprint : 7036FF3E472362105976F7A3FE087172067B9836
Services : IMAP, POP, IIS, SMTP
Issuer : CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
NotAfter : 8/29/2018 1:39:50 PM
NotBefore : 8/24/2015 9:10:40 AM

[PS] C:\Windows\system32>Get-MapiVirtualDirectory | fl server, Name,ExternalURL,InternalURL, *auth*

Server : newexchange16
Name : mapi (Default Web Site)
ExternalUrl : https://email.exchangedomain.com/mapi
InternalUrl : https://email.exchangedomain.com/mapi
IISAuthenticationMethods : {Ntlm, OAuth, Negotiate}
InternalAuthenticationMethods : {Ntlm, OAuth, Negotiate}
ExternalAuthenticationMethods : {Ntlm, OAuth, Negotiate}

[PS] C:\Windows\system32>Get-ClientAccessArray | fl
[PS] C:\Windows\system32>Get-OutlookProvider

Name Server CertPrincipalName TTL
---- ------ ----------------- ---
EXCH 1
EXPR msstd:exchangedomain.com 1
WEB 1

Can you please confirm email.exchangedomain.com as well as autodiscover.exchangedomain.com AD DNS records point to Exchange 2016 IP address?
In order for Exchange 2010 to coexist with 2016 it must be patched to SP3 + with RU9.
Let's see the current patch level:

Get-ExchangeServer | fl *version*

Open in new window

ASKER

Hi Ronin,

yes for the DNS and yes for the SP3 + RU9 I actually have 2010 SP3 RU17 14.3.352.0

Set-OutlookAnywhere -Identity "newexchange16\Rpc (Default Web Site)" -ExternalHostname webmail.remotedesk.be -ExternalClientAuthenticationMethod NTLM -InternalClientAuthenticationMethod NTLM -IISAuthenticationMethods Basic,NTLM,Negotiate
Set-OutlookAnywhere -Identity "oldexch2010\Rpc (Default Web Site)" -ExternalHostname webmail.remotedesk.be -ExternalClientAuthenticationMethod NTLM -InternalClientAuthenticationMethod NTLM -IISAuthenticationMethods Basic,NTLM

Open in new window

ASKER

Hi Ronin,

Thank you for the info.
I had to make some adjustments to the command and add -ExternalClientsRequireSsl:$true in order to execute it without error.
Then I restarted the exchange service using iisreset as well as restarted the server.
I tried running the outlook 2016 connection wizard on the client computer which requested the user credentials again which failed.

let me know if you have any other suggestions.
Thank you,

P.S. this is the adjusted command I executed:

Set-OutlookAnywhere -Identity "exchange16\Rpc (Default Web Site)" -ExternalHostname emai.exchangedomain.com -ExternalClientAuthenticationMethod NTLM -ExternalClientsRequireSsl:$true -InternalClientAuthenticationMethod NTLM -InternalClientsRequireSsl:$true –SSLOffloading:$false -IISAuthenticationMethods Basic,NTLM,Negotiate
Set-OutlookAnywhere -Identity "exchange10\Rpc (Default Web Site)" -ExternalHostname email.exchangedomain.com -ExternalClientAuthenticationMethod NTLM -ExternalClientsRequireSsl:$true -InternalClientAuthenticationMethod NTLM -IISAuthenticationMethods Basic,NTLM

Set-OutlookAnywhere -Identity "exchange16\Rpc (Default Web Site)" -ExternalHostname emai.exchangedomain.com -ExternalClientAuthenticationMethod NTLM -ExternalClientsRequireSsl:$true -InternalClientAuthenticationMethod NTLM -InternalClientsRequireSsl:$true –SSLOffloading:$false -IISAuthenticationMethods Basic,NTLM,Negotiate\

Shouldn't it be email.exchangedomain.com and not emai.exchangedomain.com?

Every FQDN that you use, be it email, webmail, etc .... MUST appear in the certificate and resolvable to the internal IP of the Exchange 2016.
Please make sure that's the case.

ASKER

Hi Ronin,

that is a typo when I was removing the actual domain information.
Otherwise it is correct on the server and it is matching the ssl certificate.

Hm ...
Try setting WindowsAuthentication to TRUE on Exchange 2016 OWA and ECP, to match the setting on the Exchange 2010. For RPC set ExternalClientAuthenticationMethod on 2016 to NTLM to match the 2010 as well.
Perform IIS reset, allow 15-20 minutes to cache to flush on the workstation before testing.

ASKER

Hi Ronin,

I did as you suggested, unfortunately no change.

here is the output of the changes:

[PS] C:\Windows\system32>Get-OwaVirtualDirectory | fl server, Name, ExternalURL, InternalURL, *auth*
Creating a new session for implicit remoting of "Get-OwaVirtualDirectory" command...

Server : oldexchange2010
Name : owa (Default Web Site)
ExternalUrl :
InternalUrl : https://email.exchangedomain.com/owa
ClientAuthCleanupLevel : High
InternalAuthenticationMethods : {Basic, Fba, Ntlm, WindowsIntegrated}
BasicAuthentication : True
WindowsAuthentication : True
DigestAuthentication : False
FormsAuthentication : True
LiveIdAuthentication : False
AdfsAuthentication : False
OAuthAuthentication : False
ExternalAuthenticationMethods : {Fba}

Server : newexchange2016
Name : owa (Default Web Site)
ExternalUrl : https://email.exchangedomain.com/owa
InternalUrl : https://email.exchangedomain.com/owa
ClientAuthCleanupLevel : High
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
BasicAuthentication : True
WindowsAuthentication : True
DigestAuthentication : False
FormsAuthentication : False
LiveIdAuthentication : False
AdfsAuthentication : False
OAuthAuthentication : False
ExternalAuthenticationMethods : {Fba}

[PS] C:\Windows\system32>Get-EcpVirtualDirectory | fl server, Name, ExternalURL, InternalURL, *auth*

Server : oldexchange2010
Name : ecp (Default Web Site)
ExternalUrl :
InternalUrl : https://email.exchangedomain.com/ecp
InternalAuthenticationMethods : {Basic, Fba, Ntlm, WindowsIntegrated}
BasicAuthentication : True
WindowsAuthentication : True
DigestAuthentication : False
FormsAuthentication : True
LiveIdAuthentication : False
AdfsAuthentication : False
OAuthAuthentication : False
ExternalAuthenticationMethods : {Fba}

Server : newexchange2016
Name : ecp (Default Web Site)
ExternalUrl : https://email.exchangedomain.com/ecp
InternalUrl : https://email.exchangedomain.com/ecp
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
BasicAuthentication : True
WindowsAuthentication : True
DigestAuthentication : False
FormsAuthentication : False
LiveIdAuthentication : False
AdfsAuthentication : False
OAuthAuthentication : False
ExternalAuthenticationMethods : {Fba}

[PS] C:\Windows\system32>Get-OutlookAnywhere | fl server, Name, *hostname*, *auth*

Server : oldexchange2010
Name : Rpc (Default Web Site)
ExternalHostname : email.exchangedomain.com
InternalHostname :
ExternalClientAuthenticationMethod : Ntlm
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods : {Basic, Ntlm}

Server : newexchange2016
Name : Rpc (Default Web Site)
ExternalHostname : email.exchangedomain.com
InternalHostname : email.exchangedomain.com
ExternalClientAuthenticationMethod : Ntlm
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods : {Basic, Ntlm, Negotiate}

SOLUTION

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

ASKER

Hi Ronin,

I made the changes as you suggested.
I restarted the newexchange2016 server using IISRESET but I will have to wait to reset the oldexchange2010 server later tonight.
I will let you know if anything changes.
One question if you look at the MAPI configuration does it look correct?

thank you!

here is the updated output of the settings:

[PS] C:\Windows\system32>Get-OutlookAnywhere | fl server, Name, *hostname*, *auth*

Server : oldexchange2010
Name : Rpc (Default Web Site)
ExternalHostname : email.exchangedomain.com
InternalHostname : email.exchangedomain.com
ExternalClientAuthenticationMethod : Ntlm
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods : {Basic, Ntlm}

Server : newexchange2016
Name : Rpc (Default Web Site)
ExternalHostname : email.exchangedomain.com
InternalHostname : email.exchangedomain.com
ExternalClientAuthenticationMethod : Ntlm
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods : {Basic, Ntlm, Negotiate}

[PS] C:\Windows\system32>iisreset

Attempting stop...
Internet services successfully stopped
Attempting start...
Internet services successfully restarted
[PS] C:\Windows\system32>Get-OabVirtualDirectory | fl server, Name, ExternalURL, InternalURL, *auth*
Creating a new session for implicit remoting of "Get-OabVirtualDirectory" command...

Server : oldexchange2010
Name : OAB (Default Web Site)
ExternalUrl : https://email.exchangedomain.com/oab
InternalUrl : https://email.exchangedomain.com/oab
BasicAuthentication : False
WindowsAuthentication : True
OAuthAuthentication : False
InternalAuthenticationMethods : {WindowsIntegrated}
ExternalAuthenticationMethods : {WindowsIntegrated}

Server : newexchange2016
Name : OAB (Default Web Site)
ExternalUrl : https://email.exchangedomain.com/oab
InternalUrl : https://email.exchangedomain.com/oab
BasicAuthentication : False
WindowsAuthentication : True
OAuthAuthentication : True
InternalAuthenticationMethods : {WindowsIntegrated, OAuth}
ExternalAuthenticationMethods : {WindowsIntegrated, OAuth}

[PS] C:\Windows\system32>Get-WebServicesVirtualDirectory | fl server, Name,ExternalURL, InternalURL, *auth*

Server : oldexchange2010
Name : EWS (Default Web Site)
ExternalUrl : https://email.exchangedomain.com/ews/exchange.asmx
InternalUrl : https://email.exchangedomain.com/ews/exchange.asmx
CertificateAuthentication :
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity}
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity}
LiveIdNegotiateAuthentication :
WSSecurityAuthentication : True
LiveIdBasicAuthentication : False
BasicAuthentication : True
DigestAuthentication : False
WindowsAuthentication : True
OAuthAuthentication : False
AdfsAuthentication : False

Server : newexchange2016
Name : EWS (Default Web Site)
ExternalUrl : https://email.exchangedomain.com/EWS/Exchange.asmx
InternalUrl : https://email.exchangedomain.com/EWS/Exchange.asmx
CertificateAuthentication :
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}
LiveIdNegotiateAuthentication :
WSSecurityAuthentication : True
LiveIdBasicAuthentication : False
BasicAuthentication : True
DigestAuthentication : False
WindowsAuthentication : True
OAuthAuthentication : True
AdfsAuthentication : False

[PS] C:\Windows\system32>Get-EcpVirtualDirectory | fl server, Name, ExternalURL, InternalURL, *auth*

Server : oldexchange2010
Name : ecp (Default Web Site)
ExternalUrl : https://email.exchangedomain.com/ecp
InternalUrl : https://email.exchangedomain.com/ecp
InternalAuthenticationMethods : {Basic, Fba, Ntlm, WindowsIntegrated}
BasicAuthentication : True
WindowsAuthentication : True
DigestAuthentication : False
FormsAuthentication : True
LiveIdAuthentication : False
AdfsAuthentication : False
OAuthAuthentication : False
ExternalAuthenticationMethods : {Fba}

Server : newexchange2016
Name : ecp (Default Web Site)
ExternalUrl : https://email.exchangedomain.com/ecp
InternalUrl : https://email.exchangedomain.com/ecp
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
BasicAuthentication : True
WindowsAuthentication : True
DigestAuthentication : False
FormsAuthentication : False
LiveIdAuthentication : False
AdfsAuthentication : False
OAuthAuthentication : False
ExternalAuthenticationMethods : {Fba}

[PS] C:\Windows\system32>Get-ActiveSyncVirtualDirectory | fl server, Name, ExternalURL, InternalURL, *auth*

Server : oldexchange2010
Name : Microsoft-Server-ActiveSync (Default Web Site)
ExternalUrl : https://email.exchangedomain.com/Microsoft-Server-ActiveSync
InternalUrl : https://email.exchangedomain.com/Microsoft-Server-ActiveSync
MobileClientCertificateAuthorityURL :
BasicAuthEnabled : True
WindowsAuthEnabled : False
ClientCertAuth : Ignore
InternalAuthenticationMethods : {}
ExternalAuthenticationMethods : {}

Server : newexchange2016
Name : Microsoft-Server-ActiveSync (Default Web Site)
ExternalUrl : https://email.exchangedomain.com/Microsoft-Server-ActiveSync
InternalUrl : https://email.exchangedomain.com/Microsoft-Server-ActiveSync
MobileClientCertificateAuthorityURL :
BasicAuthEnabled : True
WindowsAuthEnabled : False
ClientCertAuth : Ignore
InternalAuthenticationMethods : {}
ExternalAuthenticationMethods : {}

[PS] C:\Windows\system32>Get-OutlookAnywhere | fl server, Name, *hostname*, *auth*

Server : oldexchange2010
Name : Rpc (Default Web Site)
ExternalHostname : email.exchangedomain.com
InternalHostname : email.exchangedomain.com
ExternalClientAuthenticationMethod : Ntlm
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods : {Basic, Ntlm}

Server : newexchange2016
Name : Rpc (Default Web Site)
ExternalHostname : email.exchangedomain.com
InternalHostname : email.exchangedomain.com
ExternalClientAuthenticationMethod : Ntlm
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods : {Basic, Ntlm, Negotiate}

[PS] C:\Windows\system32>Get-OwaVirtualDirectory | fl server, Name, ExternalURL, InternalURL, *auth*

Server : oldexchange2010
Name : owa (Default Web Site)
ExternalUrl : https://email.exchangedomain.com/owa
InternalUrl : https://email.exchangedomain.com/owa
ClientAuthCleanupLevel : High
InternalAuthenticationMethods : {Basic, Fba, Ntlm, WindowsIntegrated}
BasicAuthentication : True
WindowsAuthentication : True
DigestAuthentication : False
FormsAuthentication : True
LiveIdAuthentication : False
AdfsAuthentication : False
OAuthAuthentication : False
ExternalAuthenticationMethods : {Fba}

Server : newexchange2016
Name : owa (Default Web Site)
ExternalUrl : https://email.exchangedomain.com/owa
InternalUrl : https://email.exchangedomain.com/owa
ClientAuthCleanupLevel : High
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
BasicAuthentication : True
WindowsAuthentication : True
DigestAuthentication : False
FormsAuthentication : False
LiveIdAuthentication : False
AdfsAuthentication : False
OAuthAuthentication : False
ExternalAuthenticationMethods : {Fba}

[PS] C:\Windows\system32>Get-ClientAccessService | fl Name,OutlookAnywhereEnabled, AutodiscoverServiceInternalUri

Name : oldexchange2010
OutlookAnywhereEnabled : True
AutoDiscoverServiceInternalUri : https://autodiscover.exchangedomain.com/autodiscover/autodiscover.xml

Name : newexchange2016
OutlookAnywhereEnabled : True
AutoDiscoverServiceInternalUri : https://autodiscover.exchangedomain.com/Autodiscover/Autodiscover.xml

[PS] C:\Windows\system32>Get-ExchangeCertificate | fl FriendlyName, Subject, CertificateDomains, Thumbprint, Services, Issuer, *not*

FriendlyName : Microsoft Exchange Server Auth Certificate
Subject : CN=Microsoft Exchange Server Auth Certificate
CertificateDomains : {}
Thumbprint : 04B79D039EB22DC10D29EC62E4A388EE0BC1273D
Services : SMTP
Issuer : CN=Microsoft Exchange Server Auth Certificate
NotAfter : 10/21/2022 4:42:32 PM
NotBefore : 11/16/2017 3:42:32 PM

FriendlyName : Microsoft Exchange
Subject : CN=newexchange2016
CertificateDomains : {newexchange2016, newexchange2016.domain.local}
Thumbprint : B60400957B0E81511342584A45A7BDA89E0C8DCF
Services : IIS, SMTP
Issuer : CN=newexchange2016
NotAfter : 11/16/2022 3:40:35 PM
NotBefore : 11/16/2017 3:40:35 PM

FriendlyName : WMSVC-SHA2
Subject : CN=WMSvc-SHA2-newexchange2016
CertificateDomains : {WMSvc-SHA2-newexchange2016}
Thumbprint : 30E68C217E127F25F206A15D571845B6212BC156
Services : None
Issuer : CN=WMSvc-SHA2-newexchange2016
NotAfter : 6/26/2027 4:52:06 PM
NotBefore : 6/28/2017 4:52:06 PM

FriendlyName : LBS2015-18
Subject : CN=email.exchangedomain.com, OU=Domain Control Validated
CertificateDomains : {email.exchangedomain.com, www.email.exchangedomain.com, newexchange2016.exchangedomain.com, lbsdomsrv12.exchangedomain.com, lbsadm4.exchangedomain.com, autodiscover.exchangedomain.com,
lbsosxsrv1.exchangedomain.com, oldexchange2010.exchangedomain.com, lbscl4.exchangedomain.com, lbsts1.exchangedomain.com, lbsdom1.exchangedomain.com, lbsls5.exchangedomain.com,
lbsstweb1.exchangedomain.com, smtp.exchangedomain.com, moodle.exchangedomain.com}
Thumbprint : 7036FF3E472362105976F7A3FE087172067B9836
Services : IMAP, POP, IIS, SMTP
Issuer : CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
NotAfter : 8/29/2018 1:39:50 PM
NotBefore : 8/24/2015 9:10:40 AM

[PS] C:\Windows\system32>Get-MapiVirtualDirectory | fl server, Name,ExternalURL,InternalURL, *auth*

Server : newexchange2016
Name : mapi (Default Web Site)
ExternalUrl : https://email.exchangedomain.com/mapi
InternalUrl : https://email.exchangedomain.com/mapi
IISAuthenticationMethods : {Ntlm, OAuth, Negotiate}
InternalAuthenticationMethods : {Ntlm, OAuth, Negotiate}
ExternalAuthenticationMethods : {Ntlm, OAuth, Negotiate}

[PS] C:\Windows\system32>Get-ClientAccessArray | fl
[PS] C:\Windows\system32>Get-OutlookProvider

Name Server CertPrincipalName TTL
---- ------ ----------------- ---
EXCH 1
EXPR msstd:exchangedomain.com 1
WEB 1

MAPI config is correct, validate it turned on:

Get-OrganizationConfig | fl *MapiHttpEnabled*

Open in new window

Also, try to remove the Outlook EXPR provider:

Set-OutlookProvider EXPR -CertPrincipalName $null

Open in new window

ASKER

Hi Ronin,

I had restarted the oldexchange2010 server after making all the URL changes and tried to connect outlook 2016, unfortunately the same problem continues.
the MAPI test returns as MapiHttpEnabled : True (I checked and the user has Mapi enabled as well)
I did apply the set-outlookProvider as you listed and restarted the newexchange2016 server.
Unfortunately no change.

Let me know if you have any other suggestions.
Thank you!

ASKER

I have additional information which I collected using "Microsoft Connectivity Analyzer Tool" downloaded from testconnectivity.microsoft.com under client/ more tools

this is the result:

User generated image

User generated image

If I run the same test on a user computer connected externally the connection test will pass just fine.

It's quite an interesting issue, really ...
Can you please post the results of: (as with every other Exchange-related command, run it on the highest Exchange version available, e.g Exchange 2016)

Get-OrganizationConfig | fl

Open in new window

ASKER

Yes it is quite a interesting issue,

At this point I am testing anything and everything.

here is the output:

[PS] C:\Windows\system32>Get-OrganizationConfig | fl
Creating a new session for implicit remoting of "Get-OrganizationConfig" command...


RunspaceId                                                : c7cfbd22-596d-4da1-a60e-98a1ae5c6cfa
OrganizationId                                            :
Name                                                      : ADdomain
Identity                                                  : ADdomain
Guid                                                      : ed3b6725-065c-4085-acd3-1564ba767c1e
ObjectVersion                                             : 16213
DefaultPublicFolderAgeLimit                               :
DefaultPublicFolderIssueWarningQuota                      : Unlimited
DefaultPublicFolderProhibitPostQuota                      : Unlimited
DefaultPublicFolderMaxItemSize                            : Unlimited
DefaultPublicFolderDeletedItemRetention                   : 30.00:00:00
DefaultPublicFolderMovedItemRetention                     : 7.00:00:00
PublicFoldersLockedForMigration                           : False
PublicFolderMigrationComplete                             : False
PublicFolderMailboxesLockedForNewConnections              : False
PublicFolderMailboxesMigrationComplete                    : False
PublicFoldersEnabled                                      : Local
ActivityBasedAuthenticationTimeoutEnabled                 : True
ActivityBasedAuthenticationTimeoutInterval                : 06:00:00
ActivityBasedAuthenticationTimeoutWithSingleSignOnEnabled : True
AppsForOfficeEnabled                                      : True
AVAuthenticationService                                   :
CustomerFeedbackEnabled                                   :
DistributionGroupDefaultOU                                :
DistributionGroupNameBlockedWordsList                     : {}
DistributionGroupNamingPolicy                             :
EwsAllowEntourage                                         :
EwsAllowList                                              :
EwsAllowMacOutlook                                        :
EwsAllowOutlook                                           :
EwsApplicationAccessPolicy                                :
EwsBlockList                                              :
EwsEnabled                                                :
ElcProcessingDisabled                                     : False
AutoExpandingArchiveEnabled                               : False
ExchangeNotificationEnabled                               : True
ExchangeNotificationRecipients                            : {}
HierarchicalAddressBookRoot                               :
Industry                                                  : NotSpecified
MailTipsAllTipsEnabled                                    : True
MailTipsExternalRecipientsTipsEnabled                     : False
MailTipsGroupMetricsEnabled                               : True
MailTipsLargeAudienceThreshold                            : 25
MailTipsMailboxSourcedTipsEnabled                         : True
ManagedFolderHomepage                                     :
MicrosoftExchangeRecipientEmailAddresses                  : {SMTP:MicrosoftExchange329e71ec88ae4615bbc36ab6ce41109e@lag
                                                            unablanca.org, smtp:MicrosoftExchange329e71ec88ae4615bbc36a
                                                            b6ce41109e@addomain.local, X400:C=us;A= ;P=ADdomain;O=Exchange;S=Micros
                                                            oftExchange329e71ec88ae4615bbc36ab;}
MicrosoftExchangeRecipientEmailAddressPolicyEnabled       : True
MicrosoftExchangeRecipientPrimarySmtpAddress              : MicrosoftExchange329e71ec88ae4615bbc36ab6ce41109e@lagunabla
                                                            nca.org
MicrosoftExchangeRecipientReplyRecipient                  :
ForwardSyncLiveIdBusinessInstance                         : False
OrganizationSummary                                       : {TotalRecipients,958,False,
                                                            TotalDistributionGroups,50,False,
                                                            TotalMailboxes,428,False, TotalOWAUser,428,False,
                                                            TotalActiveSyncUser,429,False, StandardCALs,428,False,
                                                            TotalMailUsers,459,False, TotalCALMailboxes,428,False,
                                                            TotalMAPIUser,429,False, TotalPOP3User,396,False,
                                                            TotalIMAP4User,396,False, UpdateDate,12/6/2010 9:05:26
                                                            PM,False, TotalDynamicDistributionGroups,0,False,
                                                            EnterpriseCALs,0,False, Total2003ExchangeServers,0,False,
                                                            TotalExchangeServers,1,False...}
ReadTrackingEnabled                                       : False
SCLJunkThreshold                                          : 5
SIPAccessService                                          :
SIPSessionBorderController                                :
MaxConcurrentMigrations                                   : Unlimited
MaxAddressBookPolicies                                    :
MaxOfflineAddressBooks                                    :
IsExcludedFromOnboardMigration                            : False
IsExcludedFromOffboardMigration                           : False
IsFfoMigrationInProgress                                  : False
IsProcessEhaMigratedMessagesEnabled                       : False
TenantRelocationsAllowed                                  : False
ACLableSyncedObjectEnabled                                : False
PreferredInternetCodePageForShiftJis                      : 0
RequiredCharsetCoverage                                   : 100
ByteEncoderTypeFor7BitCharsets                            : 0
PublicComputersDetectionEnabled                           : False
RmsoSubscriptionStatus                                    : Unknown
IntuneManagedStatus                                       : False
AzurePremiumSubscriptionStatus                            : False
HybridConfigurationStatus                                 : Unknown
ReleaseTrack                                              :
CompassEnabled                                            :
SharePointUrl                                             :
MapiHttpEnabled                                           : True
RealTimeLogServiceEnabled                                 : False
CustomerLockboxEnabled                                    : False
OAuth2ClientProfileEnabled                                : False
LinkPreviewEnabled                                        : True
ConnectorsEnabled                                         : True
ConnectorsActionableMessagesEnabled                       : True
SmtpActionableMessagesEnabled                             : True
OfficeGraphActivitySharingOrgOptout                       : False
UnblockUnsafeSenderPromptEnabled                          : True
AsyncSendEnabled                                          : True
RefreshSessionEnabled                                     : False
IsAgendaMailEnabled                                       : True
NetworkThrottlingConfiguration                            :
OrganizationConfigHash                                    :
LegacyExchangeDN                                          : /o=ADdomain
DisplayName                                               :
Heuristics                                                : None
ResourceAddressLists                                      : {\All Rooms}
IsMixedMode                                               : False
PreviousAdminDisplayVersion                               : 0.10 (14.0.100.0)
IsAddressListPagingEnabled                                : False
ForeignForestFQDN                                         : {}
ForeignForestOrgAdminUSGSid                               :
ForeignForestRecipientAdminUSGSid                         :
ForeignForestViewOnlyAdminUSGSid                          :
MimeTypes                                                 : {text/html;htm, text/html;html, text/plain;txt,
                                                            text/css;css, text/iuls;uls, text/scriptlet;wsc,
                                                            text/webviewhtml;htt, text/x-component;htc,
                                                            text/x-vcard;vcf, text/xml;xml, image/gif;gif,
                                                            image/jpeg;jpg, image/x-xbitmap;xbm, image/bmp;bmp,
                                                            image/pjpeg;jpg, image/png;png...}
IsLicensingEnforced                                       : False
IsTenantAccessBlocked                                     : False
IsTenantInGracePeriod                                     : False
IsDehydrated                                              : False
IsGuidPrefixedLegacyDnDisabled                            : False
IsMailboxForcedReplicationDisabled                        : False
RBACConfigurationVersion                                  : 0.1 (15.1.845.34)
RootPublicFolderMailbox                                   :
RemotePublicFolderMailboxes                               : {}
AdminDisplayVersion                                       : 0.20 (15.1.0.0)
IsUpgradingOrganization                                   : False
IsUpdatingServicePlan                                     : False
ServicePlan                                               :
TargetServicePlan                                         :
WACDiscoveryEndpoint                                      :
UMAvailableLanguages                                      : {}
AdfsAuthenticationConfiguration                           :
AdfsIssuer                                                :
AdfsAudienceUris                                          : {}
AdfsSignCertificateThumbprints                            : {}
AdfsEncryptCertificateThumbprint                          :
SiteMailboxCreationURL                                    :
DefaultDataEncryptionPolicy                               :
DefaultAuthenticationPolicy                               :
AllowedMailboxRegions                                     : {}
DefaultMailboxRegion                                      :
DefaultMailboxRegionLastUpdateTime                        :
AllowToAddGuests                                          : True
GuestsEnabled                                             : True
GroupsCreationEnabled                                     : True
HiddenMembershipGroupsCreationEnabled                     : False
GroupsCreationWhitelistedId                               :
GroupsUsageGuidelinesLink                                 :
DataClassifications                                       :
InPlaceHolds                                              : {}
ServiceInstanceMove                                       :
GuestsUsageGuidelinesLink                                 :
FocusedInboxOn                                            :
FocusedInboxOnLastUpdateTime                              : 1/1/0001 12:00:00 AM
IsValid                                                   : True
ExchangeVersion                                           : 0.0 (6.5.6500.0)
DistinguishedName                                         : CN=ADdomain,CN=Microsoft
                                                            Exchange,CN=Services,CN=Configuration,DC=lbs,DC=lan
ObjectCategory                                            : addomain.local/Configuration/Schema/ms-Exch-Organization-Container
ObjectClass                                               : {top, container, msExchOrganizationContainer}
WhenChanged                                               : 11/25/2017 4:26:11 PM
WhenCreated                                               : 11/21/2001 9:02:50 AM
WhenChangedUTC                                            : 11/26/2017 12:26:11 AM
WhenCreatedUTC                                            : 11/21/2001 5:02:50 PM
Id                                                        : ADdomain
OriginatingServer                                         : adsrv1.addomain.local
ObjectState                                               : Unchanged

Open in new window

I am considering to remove all the originally created certificates and only keep the purchased one from trusted authority.
any thoughts on that?

Thank you.

According to the output, you have issues with both Outlook Anywhere on Exchange 2016 as well as MAPI.
What's the status of the firewall on the server? Are you sure there's nothing on the way that MIGHT potentially filter and augment traffic to port 443?
From the internet, you saying it works, to which IP the firewalls forwards the 443 traffic destined to Exchange?

ASKER CERTIFIED SOLUTION

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

ASKER

Hi Ronin,
another update.
I decided to test the outlook configuration from behind the firewall with only NTLM provider enabled on the MAPI folder in IIS.
And I found out that the outlook wizard will complete successfully with only one extra step when I was prompted to enter user credentials in a format domain\user.
After that outlook was working as normal.
OK I think I can close this ticket.
Thank you again for your help.
I am not sure how to assign the points now since I was able to find a solution myself.
I would definitely like to give some points to Ronin for all the good suggestions for me to test.
thank you again!

In general, there's no need to perform any changes to the IIS, using the IIS manager snap-in, all the required adjustment should have been done using EMS. Highly likely those issues have been caused by performing it manually which conflicts with the settings in AD.

ASKER

Hi Ronin,
yes I agree I am not sure why I had to do that.
Unfortunately the problem seems to return.
The Microsoft test now passes and the outlook configuration wizard completes correctly.
Outlook will start and create cache as expected on the first run.
If I close outlook and re-open it the user credentials prompt returns and will never accept the correct credentials in any format.
I am not sure what to test next.
The only reliable option is to disable MAPI using registry key but I don't want to do that.

Thank you for any additional help.

Could you please provide more information for the regkey change?
Where have you done it?

ASKER

It is on the end user computer:
Key: HKEY_CURRENT_USER\Software\Microsoft\Exchange
DWORD: MapiHttpDisabled
Value: 1

I removed it after I verified that it would be a solution if I didn't want to use MAPI.
But I do need to be able to use MAPI so disabling it is not a real solution it is just a temporary fix.

In order to go back to the original state, you can remove and recreate virtual directories on Exchange 2016, it will reset everything to default state, like it was just after you completed the install.

ASKER

I performed the reset using EAC.
After the reset it automatically adds NTLM, Negotiate option in the authentication.
1. Using EAC I added the correct URL since it wasn't set after the reset. (Authentication left as default)
IISRESET
MS connection test and outlook setup wizard will fail.
2. with the correct URLs entered in step one I removed negotiate option in authentication.
IISRESET
MS connection test and outlook setup wizard are successful
Outlook will start and function as expected on the first run.
If I close outlook and reopen it I will get prompted to enter user credentials which will fail (tried domain\user and user@domain) no luck

Follow this process on how to reset VDirs on Exchange 2016 using PS.
https://technet.microsoft.com/en-us/library/ff629372(v=exchg.141).aspx

Use EMS from 2016.

You might need to do it for both servers.

ASKER

Hi Ronin,

I recreated the mapi virtual directory using EMS and set the permissions back.

Remove-MapiVirtualDirectory -Identity "newexchange2016\mapi (Default Web Site)"
New-MapiVirtualDirectory -InternalUrl https://email.exchangedomain.com/mapi -IISAuthenticationMethods NTLM
Set-MapiVirtualDirectory -Identity "newexchnage2016\mapi (Default Web site)" -InternalURL   “https://email.exchangedomain.com/mapi” -ExternalURL   https://email.exchangedomain.com/mapi -IISAuthenticationMethods NTLM

Open in new window

unfortunately no change.
with some additional testing I discovered that in outlook account profile if I turn off the "use Cached Exchange Mode" then outlook communication using mapi will work correctly.

Let me know if that would indicate something that can be corrected.

Thank you!

Can you try recreating and RPC vdir as well?
Have you done this on both servers?

ASKER

Hi Ronin,

I am not sure how would I do that.
there is no command to recreate the RPC directory in EMS or using EAC.
I had seen some discussion on uninstalling RPC over HTTP but it didn't seem to work.

Thank you!

oops, sorry about that.
Perhaps I should have asked if you tried to remove and recreate ALL vdirs on both servers?

ASKER

Hi Ronin,

As I was continuing with the reset of all the virtual directories on the new exchange 2016 I took a break and did some more search on google.
And I came across this link which had similar problem:
https://social.technet.microsoft.com/Forums/ie/en-US/e6b932b0-f5a5-4b22-914c-ca421f4b32fa/mapi-over-http-not-working-correctly-outlook-2013-clients-prompting-for-credentials-during-profile?forum=exchangesvrclients

The solution is in addition to the change I made to the MAPI folder to only have NTLM as the authentication method.
I had to remove negotiate provider on the Autodiscover and EWS folders under the Windows Authentication.
Outlook is now working using MAPI internally and externally as well as with or without cached mode.

Since I had to do this in IIS I will keep a documentation on the changes for the future since I have a feeling with the next CU release this will get reset.

Thank you again for your help!

Glad you got it resolved.

ASKER

I was able to find a solution by trial and error without direct recommendation from any other expert.