Newguy 123

asked on

O365 not able to communicate with MRS Proxy (CAS server) after removing Negotiate as a provider from Windows Authentication in IIS authentication for the EWS virtual directory

Hello Experts, in my staging env I have Exchange 2013 CU18 with AD 2012 R2. I have set up Exchange Hybrid configuration with centralized mail flow, and set up AAD synchronization. I am testing allowing MAPI connections to our Exchange on-prem server. Currently, users' Outlook clients are able to connect via RPC over HTTP using NTLM auth successfully for the staging environment. I have enabled MAPI over HTTP for a few users in my on-prem staging Exchange server using the PS command: Set-CasMailbox -identity "user1@domain.com" -MapiHttpEnabled $true. For the users that have MAPIHttpEnabled set to true, their Outlook is able to connect via MAPI over HTTP using Negotiate auth, but when the domain-joined machine is not connected to VPN, Outlook prompts for creds when it is opened. I need Outlook to use NTLM auth.

I found these 2 articles:

https://social.technet.microsoft.com/Forums/office/en-US/5e0897b1-18a3-43ca-beed-2c1de0c07cca/exchange-2013-cu14-mapi-over-http-outlook-2016-prompts-for-password-is-this-normal?forum=exchangesvrclients

https://social.technet.microsoft.com/Forums/office/en-US/0dab81d0-a0b2-4483-a7bd-623179d25dc2/mapi-over-http-outlook-prompting-for-credentials?forum=exchangesvrclients

So, to have Outlook use NTLM auth for both internal and external connections, I had to remove Negotiate as one of the providers for Windows Authentication under the Autodiscover, EWS, and MAPI virtual directories in IIS authentication, leaving only NTLM. Now, Outlook is able to connect via MAPI over HTTP using NTLM auth, without prompting for a password.

The issue now is that, because I've removed Negotiate as a Windows auth provider from the EWS virtual directory, O365 is not able to make a successful connection to my MRS Proxy endpoint (CAS server), so I cannot perform any migrations to O365.

Please let me know if there is another way of going about this. If I place 'Negotiate' back as a Windows Authentication provider for the EWS virtual directory in IIS authentication, then MAPI over HTTP will not use NTLM and will instead use Negotiate, which will result in a cred prompt from Outlook; but if I leave it as I've set it, then I am not able to do O365 migrations.

Thanks in advance.
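An added audit script (example code, not from the original post or from Exchange/IIS themselves) that reads the same IIS Windows Authentication settings the question changes and flags the combination described above, where EWS has lost Negotiate and the MRS Proxy endpoint under /EWS stops accepting O365 connections. It assumes the IIS WebAdministration module and the default front-end site name "Default Web Site".

```powershell
# Added example, not code from the original post. Audits the Windows Authentication
# providers on the three Exchange 2013 front-end virtual directories the question
# modifies (Autodiscover, EWS, mapi) and warns about the state that breaks the
# MRS Proxy endpoint: EWS without Negotiate. Assumes the WebAdministration module
# and the site name "Default Web Site" (both assumptions, adjust as needed).
Import-Module WebAdministration

$Site    = 'Default Web Site'
$VDirs   = 'Autodiscover', 'EWS', 'mapi'
$Section = 'system.webServer/security/authentication/windowsAuthentication'

function Get-VDirWindowsAuth {
    param([string]$Location)
    # 'enabled' is the Windows Authentication on/off switch for this location
    $enabled = (Get-WebConfigurationProperty -Filter $Section -PSPath 'IIS:\' `
                -Location $Location -Name 'enabled').Value
    # Each <add value="..."/> under providers is one offered provider (Negotiate, NTLM)
    $providers = Get-WebConfiguration -Filter "$Section/providers/add" `
                 -PSPath 'IIS:\' -Location $Location |
                 ForEach-Object { $_.value }
    [pscustomobject]@{
        VirtualDirectory = $Location
        WindowsAuth      = [bool]$enabled
        Providers        = @($providers)
    }
}

$results = foreach ($v in $VDirs) { Get-VDirWindowsAuth -Location "$Site/$v" }
$results | Format-Table VirtualDirectory, WindowsAuth,
    @{ n = 'Providers'; e = { $_.Providers -join ', ' } }

foreach ($r in $results) {
    $hasNegotiate = $r.Providers -contains 'Negotiate'
    $hasNtlm      = $r.Providers -contains 'NTLM'
    if (-not $r.WindowsAuth) {
        Write-Warning "$($r.VirtualDirectory): Windows Authentication is disabled."
    }
    if ($r.VirtualDirectory -like '*/EWS' -and -not $hasNegotiate) {
        # The state the post describes: once Negotiate is gone from /EWS, Office 365
        # can no longer authenticate to the MRS Proxy service hosted under it.
        Write-Warning "$($r.VirtualDirectory): Negotiate removed; MRS Proxy (migration endpoint) will fail."
    }
    if (-not $hasNtlm) {
        Write-Warning "$($r.VirtualDirectory): NTLM not offered; Outlook cannot fall back to NTLM here."
    }
}
```

Run it in an elevated PowerShell session on the CAS server before and after changing providers; the Exchange-side view of the same settings is Get-MapiVirtualDirectory (IISAuthenticationMethods) and Get-WebServicesVirtualDirectory (WindowsAuthentication), which is useful for confirming that the two views agree.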
ASKER CERTIFIED SOLUTION
Jian An Lim