Outlook unable to connect via MAPI over HTTP with NTLM auth without VPN connection. With VPN, Outlook connects via MAPI over HTTP with nego* authentication

Hello Experts. In my staging env, I have Exchange 2013 CU18, with AD 2012R2, and Outlook 2016. I am testing enabling the MAPI protocol; currently on-prem Exchange is enabled to accept RPC over HTTP via NTLM. I have used the following PowerShell command to enable MAPI HTTP on a few mailboxes: Set-CasMailbox -Identity "User name" -MapiHttpEnabled $true. The users' Outlooks are able to connect to on-prem Exchange via MAPI over HTTP with nego* authentication. However, the users' machines need to be connected to VPN. If VPN is not connected, then Outlook prompts the user for credentials, after which it connects successfully.

Obviously, I do not want the users to have to input any credentials. Outlook should automatically connect via MAPI over HTTP whether VPN is connected or not. I believe the issue is that MAPI over HTTP is unable to connect using NTLM auth. However, prior to this, we allowed connections using RPC over HTTP via NTLM, and Outlook was successfully able to connect via RPC over HTTP via NTLM without prompting for creds, whether VPN is connected or not. Why is MAPI not able to connect via NTLM auth without VPN? In between, we have an NLB, which has been configured to accept MAPI connections.

Also, what settings need to be enabled in IIS authentication for the MAPI virtual directory? Currently I have Windows Authentication enabled for the MAPI virtual directory in IIS authentication. Also, I have set the following IISAuthenticationMethods for the MAPI virtual directory: NTLM, OAuth, Negotiate.

Please let me know, and thanks in advance.
Newguy 123 Asked:

timgreen7077 Exchange Engineer Commented:
If everything is working then it sounds like everything is set up correctly. In regards to prompting for passwords, if you are on VPN then it shouldn't have to prompt you for a password, but if you are not on VPN but completely external, then it will prompt for a password. The user will need to check the check box not to prompt for a password. NTLM is the correct auth method and NTLM will prompt for a password when off the network. Even with RPC you need to enter a password when off the internal network, but once you enter the password, you can set it to no longer prompt and then you will not have to enter it again because the password is now saved in the credential manager. Sounds like your setup is fine.
Newguy 123 Author Commented:
Hello Timgreen7077. Thanks for the comment above. However, I have verified that when Outlook connects via RPC over HTTP using NTLM, it is not saving any credentials in Windows credentials manager; credentials manager is in fact empty. It does not matter if the user is connecting via VPN or not. This is how it's currently set up in production, and I've checked a few machines; they do not have any credentials stored in credentials manager for Outlook, or Windows. But MAPI over HTTP is not able to use NTLM, it is only connecting with nego* authentication.
Jason Crawford Transport Ninja Commented:
This was a known bug. Have you updated Office recently?