• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 85
  • Last Modified:

O365 not able to communicate with MRS Proxy (CAS server), after removing negotiate as a provider from windows Authentication, in IIS authentication, for EWS virtual directory.

Hello Experts, in my staging env, I have Exchange 2013 CU18, with AD 2012 R2. I have set up an Exchange Hybrid configuration with centralized mail flow, and set up AAD synchronization. I am testing allowing MAPI connections to our Exchange on-prem server. Currently users' Outlook clients are able to connect via RPC over HTTP using NTLM auth successfully for the staging environment. I have enabled MAPI over HTTP for a few users in my on-prem staging Exchange server using the PS command: Set-CasMailbox -identity "user1@domain.com" -MapiHttpEnabled $true. For the users that have MAPIHttpEnabled set to true, their Outlook is able to connect via MAPI over HTTP using Negotiate auth, but when a domain-joined machine is not connected to VPN, Outlook prompts for creds when it is opened. I need Outlook to use NTLM auth.

I found these 2 articles:

https://social.technet.microsoft.com/Forums/office/en-US/5e0897b1-18a3-43ca-beed-2c1de0c07cca/exchange-2013-cu14-mapi-over-http-outlook-2016-prompts-for-password-is-this-normal?forum=exchangesvrclients

https://social.technet.microsoft.com/Forums/office/en-US/0dab81d0-a0b2-4483-a7bd-623179d25dc2/mapi-over-http-outlook-prompting-for-credentials?forum=exchangesvrclients

So, to have Outlook use NTLM auth for both internal and external connections, I had to remove Negotiate as one of the providers for Windows Authentication under the Autodiscover, EWS, and MAPI virtual directories in IIS authentication, leaving only NTLM. Now Outlook is able to connect via MAPI over HTTP using NTLM auth, without prompting for a password.

The issue now is that, because I've removed Negotiate as a Windows Authentication provider from the EWS virtual directory, O365 is not able to make a successful connection to my MRS Proxy endpoint (CAS server), so I cannot perform any migrations to O365.

Please let me know if there is another way of going about this. If I put Negotiate back as a Windows Authentication provider for the EWS virtual directory in IIS authentication, then MAPI over HTTP will not use NTLM and will instead use Negotiate, which results in a cred prompt from Outlook; but if I leave it as I've set it, then I am not able to do O365 migrations.

Thanks in advance.
0
Asked by: Newguy 123
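The question turns on which Windows Authentication providers are configured on each Exchange front-end virtual directory in IIS: the poster removed Negotiate from Autodiscover, EWS and MAPI, and the EWS change is what broke the MRS Proxy endpoint. The script below is an added example, not code from the original post or from Microsoft, that audits those provider lists per virtual directory so the EWS-without-Negotiate state is caught before a migration attempt fails, and includes a helper to put Negotiate back ahead of NTLM on one directory. It assumes the inbox WebAdministration module, that the Exchange front-end site is named 'Default Web Site', and the function names Get-VDirWinAuthProviders and Restore-NegotiateProvider are this example's own.

```powershell
# Added example (not from the original post): audit the Windows Authentication
# providers on the Exchange front-end virtual directories named in the question.
# Assumptions: the WebAdministration module is available (inbox on Windows Server)
# and the front-end site is 'Default Web Site'. Run in an elevated PowerShell on the CAS.
Import-Module WebAdministration

$SiteName = 'Default Web Site'              # assumption: Exchange front-end site name
$VDirs    = 'Autodiscover', 'EWS', 'mapi'   # the three vdirs changed in the question
$Filter   = 'system.webServer/security/authentication/windowsAuthentication'

# Hypothetical helper: returns one object per vdir with its provider list.
function Get-VDirWinAuthProviders {
    param([string]$Site, [string]$VDir)
    $psPath  = "IIS:\Sites\$Site\$VDir"
    $enabled = (Get-WebConfigurationProperty -PSPath $psPath -Filter $Filter -Name enabled).Value
    # Each <add value="..."/> under <providers> is one provider, in negotiation order.
    $providers = Get-WebConfiguration -PSPath $psPath -Filter "$Filter/providers/add" |
                 Select-Object -ExpandProperty value
    [pscustomobject]@{
        VirtualDirectory = $VDir
        WinAuthEnabled   = $enabled
        Providers        = ($providers -join ', ')
        NegotiateMissing = -not ($providers -contains 'Negotiate')
    }
}

# Hypothetical helper: restore the default provider order (Negotiate first, then NTLM)
# on a single vdir. Not invoked by default; call it explicitly, e.g. for 'EWS'.
function Restore-NegotiateProvider {
    param([string]$Site, [string]$VDir)
    $psPath = "IIS:\Sites\$Site\$VDir"
    $current = Get-WebConfiguration -PSPath $psPath -Filter "$Filter/providers/add" |
               Select-Object -ExpandProperty value
    if ($current -contains 'Negotiate') { return }   # nothing to do
    # Insert at index 0 so Negotiate is offered before NTLM, matching the IIS default.
    Add-WebConfigurationProperty -PSPath $psPath -Filter "$Filter/providers" `
        -Name '.' -Value @{ value = 'Negotiate' } -AtIndex 0
}

$report = foreach ($v in $VDirs) { Get-VDirWinAuthProviders -Site $SiteName -VDir $v }
$report | Format-Table -AutoSize

# EWS without Negotiate is exactly the state that broke the MRS Proxy endpoint in
# the question; flag it so the audit is actionable.
$report | Where-Object { $_.VirtualDirectory -eq 'EWS' -and $_.NegotiateMissing } |
    ForEach-Object { Write-Warning "EWS has no Negotiate provider; MRS Proxy (O365 migration) will fail." }
```

Two points worth keeping in mind when reading the output: the provider list lives in IIS configuration, not in the Exchange virtual-directory objects, so Get-WebServicesVirtualDirectory will still report WindowsAuthentication as enabled even after Negotiate is removed; and a vdir with only NTLM has given up Kerberos for that endpoint, which is a weaker authentication method than the Negotiate/Kerberos path that Outlook and the MRS Proxy otherwise use.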
1 Solution
 
Jian An Lim, Solutions Architect, commented:
I probably would not even bother trying to use MAPI over HTTP in your existing environment.
Just focus on your migration to Office 365.
When you are on Office 365, it will default to using MAPI over HTTP.


Yes, you can fix it, but I think there is a lack of visibility into your whole environment in a short go; focus on things you can do rather than band-aiding things you don't know.
0

