I’m in the middle of a migration from Exchange 2010 to Exchange 2013 at the moment. All was going well until I repointed the DNS records to the Exchange 2013 CAS servers.
In Exchange 2013 all client connectivity is now made using RPC over HTTPS (a.k.a. Outlook Anywhere), unlike Exchange 2010 where only external clients use this and internal clients still use RPC over TCP as in the old days.
So the Microsoft approved method for migration is to set up your new Exchange 2013 CAS servers, then repoint all clients to use them. Your Exchange 2013 dwelling users will be proxied to the Exchange 2013 mailbox servers as expected (and as configured by the autodiscover DNS record). The Exchange 2010 dwelling users (who have yet to be moved) will be proxied through the Exchange 2013 CAS servers to the Exchange 2010 back-end if they are external to the organisation, or just redirected to the Exchange 2010 back-end if they are accessing internally.
So after redirecting the DNS the Exchange 2013 clients worked fine internally and externally. The Exchange 2010 clients worked fine internally, but externally, users started to complain about username/password boxes when using Outlook Anywhere from their laptops at home. Entering the username and password didn’t help; it would just keep prompting.
Problem
It turns out that Exchange 2013 uses NTLM by default, therefore the server to which it is proxying the RPC over HTTPS request must also support NTLM authentication. If it doesn’t, the clients trying to use it will connect and try to authenticate with Basic (plain) authentication to the Exchange 2013 CAS servers and be endlessly prompted for credentials.
Workaround / Proof
I took an external client with a user that was still on the Exchange 2010 server; from outside the network the Outlook client attempted to connect and failed, prompting for a password.
Check the RPC over HTTPS settings in Outlook and you’ll notice it says “Basic Authentication”. I changed this to NTLM authentication, restarted Outlook, entered the password and hey presto, I’m in. So this proves that the authentication mismatch between Exchange 2010 and Exchange 2013 is the issue. This isn’t the solution though, because autodiscover will correct this setting again, as this is not what the server is configured to, so we need a permanent fix.
Solution
1. Run the command Get-OutlookAnywhere | fl from the Exchange 2013 server.
You are looking for the line “ExternalClientAuthenticationMethod”: this should be set to NTLM; in my case it was set to Basic.
2. Log on to the Exchange 2010 server and use the Exchange Management Console to change the Outlook Anywhere setting to NTLM. You can find this under “Server Configuration” -> “Client Access”, then right click on the server object and select “Properties”, look for the “Outlook Anywhere” tab, and change the radio button to NTLM under there.
3. You also need to go to IIS Manager on the Exchange 2010 server and drill down to the “RPC” virtual directory and click on “Authentication”. Under here Windows Authentication (i.e. NTLM) was not enabled. To correct it I had to click Enable, then on the right hand side click “Providers…” and move NTLM to the top of the list above “Negotiate”. Save these settings.
Restart IIS on the Exchange 2010 server. Now try again; you should find that the client can connect.
4. You may well need to close and reopen the client after a few minutes; this gives the Autodiscover service time to change the setting it hands out to clients, so your external Outlook client can pick up that for Outlook Anywhere it is supposed to use NTLM rather than Basic (plain) authentication.
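The same audit and fix from the Exchange Management Shell, as an added example that is not part of the original post. It assumes it is run in the Exchange 2013 Management Shell, that Exchange 2010 objects expose the client-facing setting as ClientAuthenticationMethod while Exchange 2013 objects expose it as ExternalClientAuthenticationMethod, and that the -Fix switch and Test-OutlookAnywhereAuth function are names chosen here; the IIS provider ordering from step 3 is still done in IIS Manager.

```powershell
# Added example (not from the original post): report every Outlook Anywhere
# virtual directory, flag 2010 servers whose client auth differs from the
# 2013 CAS setting, and optionally switch the 2010 servers to NTLM.
# Assumes the Exchange 2013 Management Shell; property names as noted above.
function Test-OutlookAnywhereAuth {
    param([switch]$Fix)   # without -Fix nothing is changed, only reported

    $report = foreach ($oa in Get-OutlookAnywhere) {
        $ver    = (Get-ExchangeServer -Identity $oa.Server).AdminDisplayVersion
        $is2013 = $ver.Major -ge 15     # 14.x = Exchange 2010, 15.x = Exchange 2013
        # 2013 publishes ExternalClientAuthenticationMethod; 2010 publishes
        # ClientAuthenticationMethod (assumed to be the same client-facing value).
        $clientAuth = if ($is2013) { $oa.ExternalClientAuthenticationMethod }
                      else         { $oa.ClientAuthenticationMethod }
        [pscustomobject]@{
            Server     = $oa.Server
            Identity   = $oa.Identity
            Is2013     = $is2013
            ClientAuth = [string]$clientAuth
            IISAuth    = ($oa.IISAuthenticationMethods -join ',')
        }
    }

    # What the 2013 CAS tells clients to use (the post found NTLM is the default).
    $casAuth = ($report | Where-Object Is2013 | Select-Object -First 1).ClientAuth
    $legacy  = $report | Where-Object { -not $_.Is2013 }

    foreach ($srv in $legacy) {
        if ($srv.ClientAuth -ne $casAuth) {
            Write-Warning ("{0}: Exchange 2010 client auth is {1} but the 2013 CAS uses {2}" -f
                $srv.Server, $srv.ClientAuth, $casAuth)
            if ($Fix -and $casAuth -eq 'Ntlm') {
                # Step 2 of the post via cmdlet: client method NTLM, and make sure the
                # RPC virtual directory itself accepts NTLM (step 3 enables it in IIS).
                Set-OutlookAnywhere -Identity $srv.Identity `
                    -ClientAuthenticationMethod Ntlm `
                    -IISAuthenticationMethods Basic,Ntlm
                Write-Host "Updated $($srv.Server); run iisreset on it, then wait for Autodiscover to refresh clients."
            }
        }
    }
    return $report
}

Test-OutlookAnywhereAuth | Format-Table Server, Is2013, ClientAuth, IISAuth -AutoSize
```

Run once without -Fix to see the mismatch the post describes, then Test-OutlookAnywhereAuth -Fix to apply the NTLM change to the Exchange 2010 side.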