Mar 26 2019 07:09 AM - edited Mar 26 2019 07:11 AM
We currently have an Exchange 2010 SP3 environment with load balancers. Kerberos is enabled for Outlook connectivity. All SPNs are still pointing to the Exchange 2010 exchangeASA$ account in AD. Outlook Anywhere is enabled.
We installed Exchange 2016 infrastructure in two different Active Directory sites (which are separate from the Exchange 2010 AD site). Note we have not set up an additional ASA for Exchange 2016, nor have we applied an account in the Client Access Server settings.
The Exchange 2016 servers have the following settings:
MAPI Virtual Directory:
Identity : EX16-DB-01\mapi (Default Web Site)
IISAuthenticationMethods : {Ntlm, OAuth, Negotiate}
InternalAuthenticationMethods : {Ntlm, OAuth, Negotiate}
ExternalAuthenticationMethods : {Ntlm, OAuth, Negotiate}
Autodiscover:
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}
EWS Virtual Directory:
Identity : EX16-DB-01\EWS (Default Web Site)
CertificateAuthentication :
InternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity, OAuth}
ExternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity, OAuth}
LiveIdNegotiateAuthentication :
WSSecurityAuthentication : True
LiveIdBasicAuthentication : False
BasicAuthentication : False
DigestAuthentication : False
WindowsAuthentication : True
OAuthAuthentication : True
AdfsAuthentication : False
When we change DNS to point to Exchange 2016 servers, Exchange 2016 and Exchange 2010 mailbox users cannot create an Outlook 2016 profile or access their mailboxes.
If we remove “Negotiate” from the MAPI Authentication Settings (in italics above), then Exchange 2016 mailbox users can create profiles and access their mailboxes. However, Exchange 2010 mailbox users still cannot access their mailboxes.
Questions: