Outlook Password Prompt after cross forest migration

I have windows and MAC user facing password prompt when they open outlook after cross forest migration.

Scenarios / Problem description

Pre - Migration :

Domain A : Account forest / user account is located here and user laptop is domain joined to this forest / domain.
Domain B : Resource forest Exchange 2013 and users has mailbox linked to their account in Domain A and below is setting in outlook anywhere.

ExternalClientAuthenticationMethod : Basic
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods           : {Basic, Ntlm}

Post Migration :

Forest C: Exchange 2013 Resources forest ( Here mailboxes are migrated from resources forest B and liked to account forest D user account)

ExternalClientAuthenticationMethod : Ntlm
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods           : {Basic, Ntlm}

Forest D : Users are now using this forest user account to access their linked migrated mailbox instead of forest A user accounts which was earlier.

Twist is here that user laptop is joined to account  Forest A, Using account / credential of Forest D for accessing their linked mailbox.

My Queries is that is it good to have ExternalClientAuthenticationMethod : Ntlm in Forest C or we need change to ExternalClientAuthenticationMethod : Basic.

Why i am doubting : Here users are using machine domain joined to forest A and using account (credential) of forest D to access linked mailbox in Forest C.

So it should be considered as external client where windows logon will not carry anything for NTLM authentication. Because machine is not belongs to forest C or D.

 Correct me if i am wrong anywhere.... learning exchange :)
Samimbadshah ShaikhAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Jason CrawfordTransport NinjaCommented:
Do the mailboxes in question still have a mailbox in the source?  Where are the clients physically connecting from on the network in relation to the source and target servers?
AmitIT ArchitectCommented:
Do you have trust between all these forest. Microsoft, best practice is to keep one forest and one domain. I have worked on similar environment, where we have ID in different forest, computer object in different forest.  But your situation is way more complex. I advise you to open case with Microsoft.
Samimbadshah ShaikhAuthor Commented:
mailbox are migrated to forest c and those mailbox are linked with forest d account.

now outlook client is connected (domain joined machine) on forest A and access mailboxes of forest C using linked account of forest D.
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

AmitIT ArchitectCommented:
How ID's are replicating? Are you using any tool, like FIM?
Samimbadshah ShaikhAuthor Commented:
we are using unity sync tool between forest A and B

And forest C and D.

and those all 4 forest has trust among all.
Samimbadshah ShaikhAuthor Commented:
if I set external client authentication to basic ?  this will work ?

it will consider as external client because machine is not domain joined  to any current resources or account forest. ?
Jason CrawfordTransport NinjaCommented:
My go to settings for authentication are internal - NTLM, external - Basic, IIS  - Basic, NTLM.  Don't forget to configure the Autodiscover URL on the Cas Server and set the EXPR Outlook provider.
Samimbadshah ShaikhAuthor Commented:
Hello All,

Thanks for your comment and i would like to make some correction here in scenario i provided earlier as i was not having proper visibility of server.

We had enabled MAPI over HTTP on forest C where mailbox is migrated (Target) is Exchange 2016 CU 8 (My bad earlier i had told its Exchange 2013)

I was able to reproduce the like this :

When i am or any user connected to office LAN  is working fine and when user is connecting from home with office vpn also working fine.

Not working when user is trying to connect without VPN from external network (Cellular / ISP / Coffee shop)

What i had researched and found Exchange 2016 CU 8 having bugs or if upgraded recently from other CU to CU8.
AmitIT ArchitectCommented:
Any update?
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.