Newguy 123
 asked on

Outlook unable to connect via MAPI over HTTP with NTLM auth without VPN connection. With VPN, Outlook connects via MAPI over HTTP with nego* authentication

Hello Experts. In my staging env, I have Exchange 2013 CU18, with AD 2012R2, and Outlook 2016. I am testing enabling MAPI protocol; currently on-prem Exchange is enabled to accept RPC over HTTP via NTLM. I have used the following PowerShell command to enable MAPI HTTP on a few mailboxes: Set-CASMailbox -Identity "User name" -MapiHttpEnabled $true. The users' Outlooks are able to connect to on-prem Exchange via MAPI over HTTP with nego* authentication. However, the users' machines need to be connected to VPN. If VPN is not connected, then Outlook prompts the user for credentials, after which it connects successfully.

Obviously, I do not want the users to have to input any credentials. Outlook should automatically connect via MAPI over HTTP whether VPN is connected or not. I believe the issue is that MAPI over HTTP is unable to connect using NTLM auth. However, prior to this, we allowed connections using RPC over HTTP via NTLM, and Outlook was successfully able to connect via RPC over HTTP via NTLM without prompting for creds, whether VPN is connected or not. Why is MAPI not able to connect via NTLM auth without VPN? In between, we have an NLB, which has been configured to accept MAPI connections.

Also, what settings need to be enabled in IIS authentication for the MAPI virtual directory? Currently I have Windows Authentication enabled for the MAPI virtual directory in IIS authentication. Also, I have set the following IISAuthenticationMethods for the MAPI virtual directory: NTLM, OAuth, Negotiate.

Please let me know, and thanks in advance.
Powershell, Exchange, Outlook, VPN

8/22/2022 - Mon
timgreen7077

If everything is working then it sounds like everything is set up correctly. In regards to prompting for passwords, if you are on VPN then it shouldn't have to prompt you for a password, but if you are not on VPN but completely external, then it will prompt for a password. The user will need to check the check box not to prompt for a password. NTLM is the correct auth method and NTLM will prompt for a password when off the network. Even with RPC you need to enter a password when off the internal network, but once you enter the password, you can set it to no longer prompt and then you will not have to enter it again because the password is now saved in the credential manager. Sounds like your setup is fine.
Newguy 123

ASKER
Hello Timgreen7077. Thanks for the comment above. However, I have verified that when Outlook connects via RPC over HTTP using NTLM, it is not saving any credentials in Windows credentials manager; credentials manager is in fact empty. It does not matter if the user is connecting via VPN or not. This is how it's currently set up in production, and I've checked a few machines; they do not have any credentials stored in credentials manager for Outlook, or Windows. But MAPI over HTTP is not able to use NTLM; it is only connecting with nego* authentication.
ASKER CERTIFIED SOLUTION
Jason Crawford
