O365 not able to communicate with MRS Proxy (CAS server) after removing Negotiate as a Windows Authentication provider in IIS for the EWS virtual directory.

Hello Experts, in my staging environment I have Exchange 2013 CU18 with AD 2012 R2. I have set up an Exchange Hybrid configuration with centralized mail flow and set up AAD synchronization. I am testing allowing MAPI connections to our Exchange on-prem server. Currently users' Outlook clients are able to connect via RPC over HTTP using NTLM auth successfully in the staging environment. I have enabled MAPI over HTTP for a few users on my on-prem staging Exchange server using the PS command: Set-CasMailbox -Identity "user1@domain.com" -MapiHttpEnabled $true. For the users that have MapiHttpEnabled set to true, Outlook is able to connect via MAPI over HTTP using Negotiate auth, but when the domain-joined machine is not connected to the VPN, Outlook prompts for credentials when it is opened. I need Outlook to use NTLM auth.

I found these 2 articles:

https://social.technet.microsoft.com/Forums/office/en-US/5e0897b1-18a3-43ca-beed-2c1de0c07cca/exchange-2013-cu14-mapi-over-http-outlook-2016-prompts-for-password-is-this-normal?forum=exchangesvrclients

https://social.technet.microsoft.com/Forums/office/en-US/0dab81d0-a0b2-4483-a7bd-623179d25dc2/mapi-over-http-outlook-prompting-for-credentials?forum=exchangesvrclients

So, to have Outlook use NTLM auth for both internal and external connections, I had to remove Negotiate as one of the providers for Windows Authentication under the Autodiscover, EWS, and MAPI virtual directories in IIS authentication, leaving only NTLM. Now, Outlook is able to connect via MAPI over HTTP using NTLM auth, without prompting for a password.

The issue now is that, because I've removed Negotiate as a Windows auth provider from the EWS virtual directory, O365 is not able to make a successful connection to my MRS Proxy endpoint (CAS server), so I cannot perform any migrations to O365.

Please let me know if there is another way of going about this. If I put Negotiate back as a Windows Authentication provider for the EWS virtual directory in IIS authentication, then MAPI over HTTP will not use NTLM and will instead use Negotiate, which will result in a credential prompt from Outlook; but if I leave it as I've set it, then I am not able to do O365 migrations.

Thanks in advance.
Newguy 123 asked:
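The question changes the Windows Authentication provider list by hand in IIS Manager for three virtual directories, and the breakage it describes depends on exactly which endpoints still offer Negotiate. As an added example, not code from the original post or from the reply below, here is a PowerShell script that audits and optionally sets those provider lists per virtual directory with the WebAdministration module, so the state of each endpoint (in particular whether EWS, which the question identifies as the MRS Proxy endpoint, still advertises Negotiate) can be checked rather than remembered. It assumes the Exchange 2013 default front-end site name "Default Web Site" and the virtual directory names from the question; the function names are my own.

```powershell
# Added example (not code from the original post or its replies): audit, and
# optionally change, the Windows Authentication providers on the IIS virtual
# directories named in the question (Autodiscover, EWS, MAPI). Run from an
# elevated PowerShell session on the Exchange 2013 CAS server.
# Assumption: the front-end site is named "Default Web Site" (the Exchange
# 2013 default); the "Exchange Back End" site is deliberately not touched.
Import-Module WebAdministration

$ProvidersFilter = 'system.webServer/security/authentication/windowsAuthentication/providers'
$FrontEndSite    = 'Default Web Site'
$VDirs           = 'Autodiscover', 'EWS', 'MAPI'

function Get-WinAuthProviders {
    # Returns the provider names (e.g. Negotiate, NTLM) in the order IIS
    # advertises them in WWW-Authenticate for this virtual directory.
    param([Parameter(Mandatory)][string]$VDir)
    $psPath = "IIS:\Sites\$FrontEndSite\$VDir"
    (Get-WebConfiguration -Filter $ProvidersFilter -PSPath $psPath).Collection |
        ForEach-Object { $_.value }
}

function Set-WinAuthProviders {
    # Replaces the provider list for one virtual directory. Order matters:
    # clients take the first scheme they support, so 'Negotiate','NTLM'
    # prefers Kerberos and 'NTLM' alone removes Kerberos from the endpoint.
    param(
        [Parameter(Mandatory)][string]$VDir,
        [Parameter(Mandatory)][string[]]$Providers
    )
    $psPath = "IIS:\Sites\$FrontEndSite\$VDir"
    # Remove each existing <add value="..."/> entry, then re-add in the requested order.
    foreach ($existing in @(Get-WinAuthProviders -VDir $VDir)) {
        Remove-WebConfigurationProperty -Filter $ProvidersFilter -Name '.' `
            -AtElement @{ value = $existing } -PSPath $psPath
    }
    foreach ($p in $Providers) {
        Add-WebConfigurationProperty -Filter $ProvidersFilter -Name '.' `
            -Value @{ value = $p } -PSPath $psPath
    }
}

function Show-WinAuthProviders {
    # One row per virtual directory. NegotiatePresent is the property the
    # question turns on: the MRS Proxy connection needs it on EWS, and the
    # poster sees Outlook credential prompts with it on MAPI.
    foreach ($v in $VDirs) {
        $list = @(Get-WinAuthProviders -VDir $v)
        [pscustomobject]@{
            VirtualDirectory = $v
            Providers        = ($list -join ', ')
            NegotiatePresent = ($list -contains 'Negotiate')
        }
    }
}

# Read-only by default: print the current state of the three endpoints.
Show-WinAuthProviders | Format-Table -AutoSize

# The two configurations the question describes, left commented so the
# script changes nothing unless you opt in:
#   NTLM only on all three (the poster's current state):
#     $VDirs | ForEach-Object { Set-WinAuthProviders -VDir $_ -Providers 'NTLM' }
#   Put Negotiate back on EWS only (the MRS Proxy endpoint):
#     Set-WinAuthProviders -VDir 'EWS' -Providers 'Negotiate', 'NTLM'
```

The security-relevant caveat: removing Negotiate from a virtual directory removes Kerberos for every client of that endpoint, not only Outlook, so anything that authenticates there with Windows auth falls back to NTLM. After changing a list, recycle that virtual directory's application pool (or run iisreset) before retesting; from the Office 365 side, `Test-MigrationServerAvailability -ExchangeRemoteMove -RemoteServer <MRS Proxy FQDN> -Credentials (Get-Credential)` is the check that the MRS Proxy endpoint is reachable again.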
Jian An Lim, Solutions Architect, commented:
I probably would not even bother trying to use MAPI over HTTP in your existing environment.
Just focus on your migration to Office 365.
When you are on Office 365, it will default to using MAPI over HTTP.

Yes, you can fix it, but I think there is a lack of visibility of your whole environment in a short go; focus on things you can do rather than band-aid things you don't know.