Question
Monday, April 16, 2018 8:47 PM
Hello Experts, In my staging env, I have Exchange 2013 CU18 with AD 2012 R2. I have set up an Exchange Hybrid configuration with centralized mail flow, and set up AAD synchronization. I am testing allowing MAPI connections to our Exchange on-prem server. Currently users' Outlook clients are able to connect via RPC over HTTP using NTLM auth successfully for the staging environment. I have enabled MAPI over HTTP for a few users in my on-prem staging Exchange server using the PS command: Set-CasMailbox -identity "[email protected]" -MapiHttpEnabled $true. For the users that have MAPIHttpEnabled set to true, their Outlook is able to connect via MAPI over HTTP using Negotiate auth, but when a domain-joined machine is not connected to VPN, Outlook prompts for creds when it is opened. I need Outlook to use NTLM auth.
I found these 2 articles:
So, to have Outlook use NTLM auth for both internal and external connections, I had to remove Negotiate as one of the providers for Windows authentication under the Autodiscover, EWS, and MAPI virtual directories in IIS authentication, leaving only NTLM. Now, Outlook is able to connect via MAPI over HTTP using NTLM auth without prompting for a password.
The issue now is, because I've removed Negotiate as a Windows auth provider from the EWS virtual directory, O365 is not able to make a successful connection to my MRS Proxy endpoint (CAS server), so I cannot perform any migrations to O365.
Please let me know if there is another way of going about this. If I put Negotiate back as a Windows authentication provider for the EWS virtual directory in IIS authentication, then MAPI over HTTP will not use NTLM and will instead use Negotiate, which will result in a cred prompt from Outlook; but if I leave it as I've set it, then I am not able to do O365 migrations.
Thanks in advance.
All replies (4)
Tuesday, April 17, 2018 9:15 AM
Hi,
To achieve mailbox migration between on-premises Exchange and Exchange Online, we need to enable both Negotiate and NTLM for the EWS service in IIS Manager.
For your current situation, we can consider setting NTLM at the top of the Providers list in IIS Manager. Figure as below:

Best Regards,
Allen Wang
Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact [email protected].
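An added example, not code from the thread or from Microsoft: it reads the current Windows-authentication provider order on the three virtual directories discussed above and rewrites it, so you can apply either the NTLM-first ordering Allen suggests or the NTLM-only list the asker used, and confirm what IIS actually holds afterwards. It assumes the IIS WebAdministration module, an elevated session on the CAS, a front-end site named 'Default Web Site', and virtual directories named Autodiscover, EWS and mapi (confirm these names on your own server).

```powershell
# Added example (not from the thread): inspect and rewrite the ordered list of
# Windows-authentication providers on the Exchange virtual directories.
# Assumptions: elevated session on the Exchange 2013 CAS; front-end site is
# 'Default Web Site'; vdir names are Autodiscover, EWS and mapi.
Import-Module WebAdministration

$Site   = 'Default Web Site'
$VDirs  = @('Autodiscover', 'EWS', 'mapi')
$Filter = 'system.webServer/security/authentication/windowsAuthentication/providers'

# Pick the policy under test. Allen's suggestion keeps Negotiate (Kerberos)
# available for the MRS Proxy but offers NTLM first; the asker's variant
# removes Negotiate entirely, which the thread says breaks O365 migration on EWS.
$Providers = @('NTLM', 'Negotiate')   # Allen's reordering
# $Providers = @('NTLM')              # asker's NTLM-only list

function Get-WinAuthProviders {
    param([string]$PSPath)
    # Order matters: the first entry is the scheme Outlook is offered first.
    (Get-WebConfiguration -Filter $Filter -PSPath $PSPath).Collection |
        ForEach-Object { $_.value }
}

function Set-WinAuthProviders {
    param([string]$PSPath, [string[]]$Wanted)
    # Remove every current entry at this location (snapshot first, since we
    # modify the collection), then re-add in the requested order so the
    # resulting WWW-Authenticate header order is deterministic.
    $current = @(Get-WinAuthProviders -PSPath $PSPath)
    foreach ($existing in $current) {
        Remove-WebConfigurationProperty -Filter $Filter -PSPath $PSPath `
            -Name '.' -AtElement @{ value = $existing }
    }
    foreach ($p in $Wanted) {
        Add-WebConfigurationProperty -Filter $Filter -PSPath $PSPath `
            -Name '.' -Value @{ value = $p }
    }
}

foreach ($v in $VDirs) {
    $path = "IIS:\Sites\$Site\$v"
    Write-Host ("{0,-12} before: {1}" -f $v, ((Get-WinAuthProviders -PSPath $path) -join ', '))
    Set-WinAuthProviders -PSPath $path -Wanted $Providers
    Write-Host ("{0,-12} after:  {1}" -f $v, ((Get-WinAuthProviders -PSPath $path) -join ', '))
}
```

Back up applicationHost.config before running it, and re-run the "before" read on its own after an Exchange CU, since updates can reset virtual-directory authentication settings.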
Monday, April 23, 2018 2:37 PM
Any further concern about your question?
If the above suggestion helps, please be free to mark it as answer. Thanks for your cooperation.
Best Regards,
Allen Wang
Thursday, May 3, 2018 3:32 PM
Hi,
Sorry to interrupt you again.
I just want to check the current status of your question.
Is there any update or any other assistance I could provide on this issue?
Please feel free to mark responses as the answer and/or vote them helpful as appropriate.
Thank you for your understanding and patience!
Best Regards,
Allen Wang
Tuesday, June 5, 2018 12:39 PM
Changing the order only, so that NTLM is at the top, does not work. It will still prompt when I do that, so I need to remove Negotiate completely for MAPI, EWS and Autodiscover.