Hello Experts, In my staging env, I have Exchange 2013 CU18, with AD 2012 R2. I have set up Exchange Hybrid configuration with centralized mail flow, and set up AAD synchronization. I am testing allowing MAPI connections to our Exchange on-prem server. Currently, users' Outlooks are able to connect via RPC over HTTP using NTLM auth successfully for the staging environment. I have enabled MAPI over HTTP for a few users in my on-prem staging Exchange server using the PS command: Set-CasMailbox -Identity "email@example.com" -MapiHttpEnabled $true. For the users that have MapiHttpEnabled set to true, their Outlook is able to connect via MAPI over HTTP using Negotiate auth, but when the domain-joined machine is not connected to VPN, Outlook prompts for creds when it is opened. I need Outlook to use NTLM auth.
I found these 2 articles:
So, to have Outlook use NTLM auth for both internal and external connections, I had to remove Negotiate as one of the providers for Windows authentication under the Autodiscover, EWS, and MAPI virtual directories in IIS authentication, leaving only NTLM. Now, Outlook is able to connect via MAPI over HTTP using NTLM auth, without prompting for a password.
The issue now is, because I've removed Negotiate as a Windows auth provider from the EWS virtual directory, O365 is not able to make a successful connection to my MRS Proxy endpoint (CAS server), so I cannot perform any migrations to O365.
Please let me know if there is another way of going about this... If I place Negotiate back on the EWS virtual directory, in IIS authentication, as a Windows authentication provider, then MAPI over HTTP will not use NTLM and will instead use Negotiate, which will result in a cred prompt from Outlook; but if I leave it as I've set it, then I am not able to do O365 migrations.
Thanks in advance.
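An audit script a practitioner could run on the CAS server to see both sides of this conflict at once: the IIS Windows-auth provider list on the three virtual directories named in the post, and Exchange's own view of those directories including the MRS Proxy flag on EWS. This is an added example, not code from the original post; it assumes the Exchange Management Shell is loaded on the server, that the virtual directories live under the IIS "Default Web Site", and uses a placeholder mailbox identity.

```powershell
# Added example, not from the original post. Assumes the Exchange Management Shell
# on the CAS server and vdirs under "Default Web Site" (assumption).
Import-Module WebAdministration

$server = $env:COMPUTERNAME
$vdirs  = @('Autodiscover', 'EWS', 'mapi')   # the three vdirs whose providers the post changed

# 1. Which Windows-auth providers (Negotiate / NTLM) does each vdir advertise in IIS?
#    If EWS lists only NTLM, the MRS Proxy endpoint on that vdir loses Negotiate too,
#    which is the migration failure described in the post.
foreach ($v in $vdirs) {
    $path = "IIS:\Sites\Default Web Site\$v"   # assumption: default site name
    $providers = (Get-WebConfigurationProperty `
                    -Filter 'system.webServer/security/authentication/windowsAuthentication' `
                    -PSPath $path -Name providers).Collection |
                 Select-Object -ExpandProperty Value
    [pscustomobject]@{
        VirtualDirectory     = $v
        WindowsAuthProviders = ($providers -join ', ')
        NegotiatePresent     = ($providers -contains 'Negotiate')
    }
}

# 2. The Exchange-side view of the same directories, plus the MRS Proxy state on EWS.
Get-MapiVirtualDirectory -Server $server |
    Format-List Identity, IISAuthenticationMethods, InternalUrl, ExternalUrl
Get-WebServicesVirtualDirectory -Server $server |
    Format-List Identity, MRSProxyEnabled, WindowsAuthentication, InternalUrl, ExternalUrl
Get-AutodiscoverVirtualDirectory -Server $server |
    Format-List Identity, WindowsAuthentication

# 3. Per-mailbox and org-wide MAPI/HTTP flags for a user who still gets the prompt.
#    'user@example.com' is a placeholder, not a value from the post.
Get-CASMailbox -Identity 'user@example.com' | Format-List MapiHttpEnabled
Get-OrganizationConfig | Format-List MapiHttpEnabled
```

Run it before and after any provider change so the EWS row can be compared against the MRSProxyEnabled value, which shows immediately whether the migration endpoint is left without Negotiate.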