Aug 13 2020 05:33 AM
Hello,
I have implemented a full hybrid solution with an exchange 2016 cu17 server.
I created the migexchange.it domain on o365 and synchronized the AD users via AAD connect.
The autodiscover records, autodiscover.migexchange.it, for both the LAN and the internet point to my on-premises server.
The automatic outlook configuration works correctly both from the LAN and from the internet for mailboxes on premises (with outlook 2010,2013 and 2016).
The autodiscover records will be moved to autodiscover.outlook.com after the mailboxes migration is complete.
I migrated, on exchange online, a test user who uses outlook 2016 and no problem.
I migrated, on exchange online, a test user with outlook 2010 and 2013 and I can't log in.
Outlook keeps asking for the password.
In my opinion it is outlook 2010 and 2013 not working properly with autodiscover in a hybrid solution but I can't find a solution that works.
The autodiscover service I imagine is configured correctly as with outlook 2016 everything works correctly (both from the LAN and from the internet).
I tried the solutions proposed by the articles https://docs.microsoft.com/en-us/exchange/troubleshoot/client-connectivity/outlook-prompt-password-m... and https://docs.microsoft.com/en-us/outlook/troubleshoot/sign-in/continually-prompts-password-office-365 without success.
Unfortunately my customer cannot change all the old offices as it is quite a big expense.
How can I solve my problem?
Thank you
Regards
Aug 13 2020 05:56 AM
Aug 13 2020 06:05 AM
Thanks for your answer.
The outlooks, both 2010 and 2013, have been updated with all the patches through windows updates.
Excuse my ignorance, how do I check the Remote Routing Address or Target Address?
Thank you
Regards
Aug 13 2020 06:16 AM
I checked from ECP and the remote routing address looks correct and is:
pizza@migexchange.mail.onmicrosoft.com
Where can I check the target address?
If they were wrong, shouldn't it not work with Outlook 2016?
Aug 13 2020 07:51 AM
Aug 13 2020 10:24 AM
Aug 13 2020 12:56 PM
Hello,
I entered the registry key but the problem persists.
I did an email autoconfiguration test with outlook and the result is autoconfiguration was unable to determine your settings!
Any other ideas?
Thank you
Aug 17 2020 08:59 AM
Aug 17 2020 10:25 AM
Yes, I tried the registry key obviously with outlook 2013.
This weekend I reproduced an identical environment in the laboratory (which works with outlook 2010 and 2013)
The difference is that in the environment that does not work I have enabled https://docs.microsoft.com/en-us/exchange/configure-oauth-authentication-between-exchange-and-exchan... MSDN, as HCW reported this warning:
warning HCW8064 The HCW has completed, but was not able to perform the OAuth portion of your Hybrid configuration. If you need features that rely on OAuth, you can try running the HCW again or manually configure OAuth using these manual steps
In the test infrastructure I have not implemented that functionality and both outlook 2010 and 2013 works.
By running Get-OrganizationConfig | ft name, *OAuth* both on premises and on exchange online I get (the results are the same on both the test environment that works and the environment that doesn't work)
[PS] C:\Windows\system32>Get-OrganizationConfig | ft name, *OAuth*
Name OAuth2ClientProfileEnabled
---- --------------------------
First Organization False
while on exchange online it is enabled
PS C:\Users\challancin> Get-OrganizationConfig | ft name, *OAuth*
Name OAuth2ClientProfileEnabled
---- --------------------------
migexchange.onmicrosoft.com True
So I'm pretty sure the problem is https://docs.microsoft.com/en-us/exchange/configure-oauth-authentication-between-exchange-and-exchan... MSDN
At this point I would like to understand how to disable it but I have not found any article.
I have already tried this article https://docs.microsoft.com/it-it/microsoft-365/enterprise/remove-or-disable-hybrid-modern-authentica...?view=o365-worldwide without success.
Thanks
Regards
Aug 17 2020 10:53 AM
Aug 18 2020 02:38 AM
Thanks for the reply
As previously written, I had already done that test (and it had given a negative result); however, I made the change and waited 4 hours, but the problem persists.
The weird thing as I wrote earlier that in a mirrored test environment (the only difference is that OAuth authentication between Exchange and Exchange Online organizations has not been enabled)
The speech of updating the Outlook clients is correct however 2010 and 2013 are supported until October and in the test environment they work ....
Thank you
Regards
Aug 18 2020 02:59 AM
@pazzoide76
Can you share the password prompt you are getting in the Outlook 2010 client? I would like to see if it is the basic authentication prompt or the modern authentication one.
More details here
Aug 18 2020 03:04 AM - edited Aug 18 2020 03:05 AM
Aug 18 2020 04:14 AM - edited Aug 18 2020 04:16 AM
@pazzoide76 Hello, in addition to the previous suggestions (Modern Authentication/ADAL). Try using the ExcludeExplicitO365Endpoint registry key during the migration (and then remove it).
Exclude initial check to Office 365 Autodiscover URL
Registry Hive: HKEY_CURRENT_USER
Registry Path: software\policies\microsoft\office\16.0\outlook\autodiscover
Value Name: excludeexplicito365endpoint
Value Type: REG_DWORD
Default Value: 0
True Value: 1
False Value: 0
Aug 18 2020 04:25 AM
The problem manifests itself with users migrated to exchange online (keep asking for login).
With users in the on-premises exchange everything works fine.
Anyway I tried the registry key but it keeps asking for the login.
I repeat that over the weekend I configured a mirror environment (in the test environment I did not enable https://docs.microsoft.com/en-us/exchange/configure-oauth-authentication-between-exchange-and-exchan...) and outlook 2010 and 2013 clients work.
I repeat, the two environments are the same; the only change is OAuth authentication between Exchange and Exchange Online organizations.
Aug 18 2020 04:33 AM
@pazzoide76 Ah, I understand. Could it be an incorrect autodiscover entry in the migrated mailbox that's causing this? Let me see if I can find an article describing this behavior.
Aug 18 2020 04:36 AM - edited Aug 18 2020 04:38 AM
If it was a badly configured autodiscover problem, why do Outlook 2016 clients work?
The problem occurs with all migrated mailboxes
Aug 18 2020 04:54 AM
@pazzoide76 I hear you, just trying to figure stuff out at the same time working 😉
It's difficult to fully understand your config and scenario, I just attached the previous info as I've heard about it before. As for ADAL and your Outlook clients, have you taken this into consideration?
Aug 18 2020 05:02 AM - edited Aug 18 2020 05:05 AM
My configuration is composed with exchange 2016 cu17 and a full hybrid has been configured via HCW.
Since at the end of the wizard the warning came out:
HCW8064 The HCW has completed, but was not able to perform the OAuth portion of your Hybrid configuration. If you need features that rely on OAuth, you can try running the HCW again or manually configure OAuth using these manual steps
I used the procedure described in the article https://docs.microsoft.com/en-us/exchange/configure-oauth-authentication-between-exchange-and-exchan... and in my opinion it is this configuration that causes authentication problems with outlook 2010/2013.
Is there a procedure to delete that configuration?
I haven't done anything else.
I repeat in the test environment that I installed over the weekend I did not enable that feature and outlook 2010 and 2013 work.
I have already tried the proposed keys without success.
Thank you
Regards
Aug 18 2020 05:09 AM
@pazzoide76 Well, as for Outlook 2010 you did see this?
And have you also tried AlwaysUseMSOAuthForAutoDiscover? (Outlook 2013+).
I'm sure someone with more experience from migrations will reply at some point.
Good luck!
Aug 19 2020 08:22 AM
@pazzoide76 So it all came down to MFA via Security Defaults? That's not the first time I've heard it as I now recall another conversation with a similar issue, not identical, where I actually suggested that. It didn't strike me as a solution this time and I can only blame my six weeks vacation.
@harveer singh Good job!
@pazzoide76 Please mark the above reply with the solution as "Best response" for future reference.