Outlook unable to connect via MAPI over HTTP with NTLM auth without VPN connection. with VPN, Outlook connects via MAPI over HTTP with nego* authentication

Hello Experts. In my staging env, i have Exchange 2013 CU18, with AD 2012R2, and Outlook 2016. I am testing enabling MAPI protocol, currently on-prem exchange is enabled to accept RPC over HTTP via NTLM. I have used the following powershell command to enable MAPI HTTP on a few mailboxes: Get-CasMailbox -identity "User name" -MapiHTTPEnable $true. The users Outlooks are able to connect to on-prem Exchange via MAPI over HTTP with nego* authentication. However, the users machines need to be connected to VPN. if VPN is not connected, then Outlook prompts the user for credentials, after which it connects successfully.

Obviously, I do not want the users to have to input any credentials. Outlook should automatically connect via MAPI over HTTP weather VPN is connected or not. I believe the issue is that MAPI over HTTP is unable to connect using auth NTLM. However, prior to this, we allowed connections using RPC over HTTP via NTLM, and Outlook was successfully able to connect via RPC over HTTP via NTLM without prompting for creds, even if VPN is connected or not. Why is MAPI not able to connect via NTLM auth without VPN. in between, we have a NLB, which has been configured to accept MAPI connections.

Also, what settings need to be enabled in IIS authentication for MAPI virtual directory?, currently i have Windows Authentication enabled for MAPI virtual directory in IIS authentication. Also i have set for MAPI virtual directory for its IISAuthenticationMethods the following: NTLM, OAuth, Negotiate.

Please let me know, and thanks in advance.
Newguy 123Asked:
Who is Participating?
Jason CrawfordConnect With a Mentor Transport NinjaCommented:
This was a known bug.  Have you updated Office recently?

timgreen7077Exchange EngineerCommented:
If everything is working then it sounds like everything is setup correctly. In regards to prompting for passwords, if you are on VPN then it shouldn't have to prompt your for a password, but if you are no on VPN but completely external, then it will prompt for a password. The user will need to check the check box not to prompt for a password. NTLM is the correct auth method and NTLM will prompt for a password when off the network. even with RPC you need to enter a password when off the internal network, but once you enter the password, you can set it to no longer prompt and then you will not have to enter it again because the password is now saved in the credential manager. sounds like your setup is fine.
Newguy 123Author Commented:
Hello Timgreen7077. Thanks for the comment above. However, i have verified that when Outlook connects via RPC over HTTP using NTLM, it is not saving any credentials in windows credentials manager, credentials manager is in fact empty. does not matter if user is connecting via VPN or not. this is how its currently setup in production, and i've checked a few machines, they do not have any credentials stored in credentials manager for Outlook, or Windows. but MAPI over HTTP is not able to use NTLM, it is only connecting with nego* authentication.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.