Home

Outlook Cannot Connect After Setting Up Exchange 2016 Coexistence with Exchange 2010

%3CLINGO-SUB%20id%3D%22lingo-sub-388770%22%20slang%3D%22en-US%22%3EOutlook%20Cannot%20Connect%20After%20Setting%20Up%20Exchange%202016%20Coexistence%20with%20Exchange%202010%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-388770%22%20slang%3D%22en-US%22%3E%3CP%3ECurrently%20have%20Exchange%202010%20SP3%20environment%20with%20load%20balancers.%20Kerberos%20is%20enabled%20for%20Outlook%20connectivity.%20All%20SPNs%20are%20still%20pointing%20to%20the%20Exchange%202010%20exchangeASA%24%20account%20in%20AD.%20Outlook%20Anywhere%20is%20enabled.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EInstalled%20Exchange%202016%20infrastructure%20in%20two%20different%20Active%20Directory%20sites%20(which%20are%20separate%20from%20the%20Exchange%202010%20AD%20site).%20Note%20we%20have%20not%20set%20up%20an%20additional%20ASA%20for%20Exchange%202016%2C%20nor%20have%20we%20applied%20an%20account%20in%20the%20Client%20Access%20Server%20settings.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EExchange%202016%20servers%20have%20the%20following%20settings%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMAPI%20Virtual%20Directory%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIdentity%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3A%20EX16-DB-01%5Cmapi%20(Default%20Web%20Site)%3C%2FP%3E%3CP%3EIISAuthenticationMethods%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3A%20%7BNtlm%2C%20OAuth%2C%20%3CEM%3ENegotiate%3C%2FEM%3E%7D%3C%2FP%3E%3CP%3EInternalAuthenticationMethods%20%3A%20%7BNtlm%2C%20OAuth%2C%20%3CEM%3ENegotiate%3C%2FEM%3E%7D%3C%2FP%3E%3CP%3EExternalAuthenticationMethods%20%3A%20%7BNtlm%2C%20OAuth%2C%20%3CEM%3ENegotiate%3C%2FEM%3E%7D%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAutodiscover%3A%3CBR%20%2F%3EInternalAuthenticationMethods%26nbsp%3B%26nbsp%3B%20%3A%20%7BBasic%2C%20Ntlm%2C%20WindowsIntegrated%2C%20WSSecurity%2C%20OAuth%7D%3C%2FP%3E%3CP%3EExternalAuthenticationMethods%26nbsp%3B%26nbsp%3B%20%3A%20%7BBasic%2C%20Ntlm%2C%20WindowsIntegrated%2C%20WSSecurity%2C%20OAuth%7D%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EEWS%20Virtual%20Directory%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIdentity%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3A%20EX16-DB-01%5CEWS%20(Default%20Web%20Site)%3C%2FP%3E%3CP%3ECertificateAuthentication%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3A%3C%2FP%3E%3CP%3EInternalAuthenticationMethods%20%3A%20%7BNtlm%2C%20WindowsIntegrated%2C%20WSSecurity%2C%20OAuth%7D%3C%2FP%3E%3CP%3EExternalAuthenticationMethods%20%3A%20%7BNtlm%2C%20WindowsIntegrated%2C%20WSSecurity%2C%20OAuth%7D%3C%2FP%3E%3CP%3ELiveIdNegotiateAuthentication%20%3A%3C%2FP%3E%3CP%3EWSSecurityAuthentication%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3A%20True%3C%2FP%3E%3CP%3ELiveIdBasicAuthentication%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3A%20False%3C%2FP%3E%3CP%3EBasicAuthentication%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3A%20False%3C%2FP%3E%3CP%3EDigestAuthentication%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3A%20False%3C%2FP%3E%3CP%3EWindowsAuthentication%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3A%20True%3C%2FP%3E%3CP%3EOAuthAuthentication%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3A%20True%3C%2FP%3E%3CP%3EAdfsAuthentication%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3A%20False%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhen%20we%20change%20DNS%20to%20point%20to%20Exchange%202016%20servers%2C%20Exchange%202016%20and%20Exchange%202010%20mailbox%20users%20cannot%20create%20an%20Outlook%202016%20profile%20or%20access%20their%20mailboxes.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20we%20remove%20%E2%80%9CNegotiate%E2%80%9D%20from%20the%20MAPI%20Authentication%20Settings%20(in%20Italiacs%20above)%2C%20then%20Exchange%202016%20mailbox%20users%20can%20create%20profiles%20and%20access%20their%20mailboxes.%20However%2C%20Exchange%202010%20mailbox%20users%20still%20cannot%20access%20their%20mailboxes.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EQuestions%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3COL%3E%3CLI%3EIf%20we%20add%20Negotiate%20to%20MAPI%20Virtual%20Directory%20authentication%2C%20are%20we%20required%20to%20have%20ASA%20for%20Exchange%202016%20set%20up%2C%20or%20will%20Outlook%20continue%20on%20and%20use%20NTLM%3F%20It%20appears%20from%20our%20issue%20that%20it%20MUST%20be%20set%20up.%20Is%20this%20true%3F%3C%2FLI%3E%3CLI%3EWhat%20are%20the%20proper%20authentication%20settings%20for%20the%20different%20virtual%20directories%20listed%20above%3F%20If%20we%20use%20Kerberos%20with%20Exchange%202016%20(which%20it%20appears%20may%20be%20the%20case)%2C%20what%20should%20be%20set%20to%20Negotiate%20and%20what%20should%20be%20set%20to%20NTLM%3F%3C%2FLI%3E%3C%2FOL%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-388770%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3E2010%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3E2016%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ECoexistence%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EExchange%20Server%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOutlook%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Craig Unterborn
Occasional Contributor

Currently have Exchange 2010 SP3 environment with load balancers. Kerberos is enabled for Outlook connectivity. All SPNs are still pointing to the Exchange 2010 exchangeASA$ account in AD. Outlook Anywhere is enabled.

 

Installed Exchange 2016 infrastructure in two different Active Directory sites (which are separate from the Exchange 2010 AD site). Note we have not set up an additional ASA for Exchange 2016, nor have we applied an account in the Client Access Server settings.

 

 

Exchange 2016 servers have the following settings:

 

 

MAPI Virtual Directory:

 

Identity                      : EX16-DB-01\mapi (Default Web Site)

IISAuthenticationMethods      : {Ntlm, OAuth, Negotiate}

InternalAuthenticationMethods : {Ntlm, OAuth, Negotiate}

ExternalAuthenticationMethods : {Ntlm, OAuth, Negotiate}

 

 

Autodiscover:
InternalAuthenticationMethods   : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}

ExternalAuthenticationMethods   : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}

 

 

EWS Virtual Directory:

 

Identity                      : EX16-DB-01\EWS (Default Web Site)

CertificateAuthentication     :

InternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity, OAuth}

ExternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity, OAuth}

LiveIdNegotiateAuthentication :

WSSecurityAuthentication      : True

LiveIdBasicAuthentication     : False

BasicAuthentication           : False

DigestAuthentication          : False

WindowsAuthentication         : True

OAuthAuthentication           : True

AdfsAuthentication            : False

 

When we change DNS to point to Exchange 2016 servers, Exchange 2016 and Exchange 2010 mailbox users cannot create an Outlook 2016 profile or access their mailboxes.

 

If we remove “Negotiate” from the MAPI Authentication Settings (in Italiacs above), then Exchange 2016 mailbox users can create profiles and access their mailboxes. However, Exchange 2010 mailbox users still cannot access their mailboxes.

 

Questions:

 

  1. If we add Negotiate to MAPI Virtual Directory authentication, are we required to have ASA for Exchange 2016 set up, or will Outlook continue on and use NTLM? It appears from our issue that it MUST be set up. Is this true?
  2. What are the proper authentication settings for the different virtual directories listed above? If we use Kerberos with Exchange 2016 (which it appears may be the case), what should be set to Negotiate and what should be set to NTLM?