locked
Outlook 2016, Exchange on-prem, MAPI over HTTP, Cached Exchange Mode = repeated prompt for credentials RRS feed

  • Question

  • Hello,

    We are running Exchange Server 2013 SP1 CU10 and are in the process of testing Outlook 2016.

    When setting up a new Outlook profile we have discovered that if Outlook connects via MAPI over HTTP and Cached Exchange Mode is enabled, Outlook constantly asks for credentials. Here's the steps taken:

    1. Start Outlook with no existing profiles

    2. Create a new profile and connect to Exchange using auto discovery - everything is discovered fine

    3. Outlook starts as normal and prompts for credentials

    4. Enter credentials and Outlook is then connected and works fine

    5. Close Outlook

    6. Re-open Outlook and when prompted for credentials, enter them - immediately another credential prompt appears

    You can sit and enter credentials all day long but Outlook never connects. The credentials are 100% correct and the username is being entered in the form of the users UPN as we always do for OWA, Outlook, ActiveSync etc.

    Now, if you edit the profile and untick Cached Exchange Mode, relaunch Outlook and when prompted, enter the credentials once, everything works fine.

    Likewise if we set the MapiHttpDisabled registry key to 1, delete the existing Outlook profile and recreate it exactly using the above steps, everything works as expected even with Cached Exchange Mode enabled.

    Has anyone else been able to use Outlook 2016 against Exchange Server 2013 with MAPI over HTTP and Cached Exchange Mode together?

    Just to confirm, these same steps work fine with Outlook 2013 SP1 and MAPI over HTTP and Cached Exchange Mode work together.

    Thanks,

    Andy


    • Edited by Andy Doyle Wednesday, October 7, 2015 10:09 AM
    Wednesday, October 7, 2015 9:23 AM

Answers

  • Hi Andi,

    Have you managed to get anywhere with this?

    I opened a paid case with Microsoft to get it resolved as I ran out of ideas. It turned out that while we had been running perfectly well for a long time with Outlook 2013, we weren't using the recommended authentication settings on the MAPI virtual directory.

    While Outlook 2013 would work with our settings, something has changed in Outlook 2016 and it appears less flexible when it comes to MAPI authentication.

    As soon as we changed the MAPI authentication back to the recommended settings Outlook 2016 came to life and luckily Outlook 2013 carried on as normal.

    To check if you could be facing the same issue try running this in the EMS on your Exchange Server:

    Get-MapiVirtualDirectory | fl *auth*

    Microsoft recommend the three values be set to Negotiate, so if you see any of them show a different value (we were using Basic for ours originally) the fix is this:

    1. Make a note of the current authentication methods from the above command (in case you need to revert)

    2. Run the following to change the authentication method:

    Set-MapiVirtualDirectory -Identity "(VALUE FROM IDENTITY FROM ABOVE COMMAND)" -IISAuthenticationMethods Negotiate

    3. In IIS Manager, locate the MSExchangeMapiFrontEndAppPool and MSExchangeMapiMailboxAppPool app pools and restart them.

    Step 3 is the key one here as it will disconnect all current MAPI clients, so obviously pick a suitable time for this. It only takes a minute to restart them and users probably won't notice, but best to be safe!

    Once we did this we were able to setup Outlook 2016 perfectly and it would continue to work after restarts.

    I hope this helps solve your problem,

    Andy

    Monday, November 2, 2015 8:08 PM

All replies

  • Hi,

    I have the exact same issue with an EX 2016, it drive me crazy already.
    I published it over a TMG, and the only i can trace is. If i close Outlook after set up my account the first time and reopen it, than the Connection only try it anonymous.

    The TMG doesn´t receive any credentials, from the Pop Up credential Window of Outlook 2016.

    This don´t help you, but you are not alone.

    Greetings
    Andi

    Wednesday, October 28, 2015 6:05 PM
  • Hi Andi,

    Have you managed to get anywhere with this?

    I opened a paid case with Microsoft to get it resolved as I ran out of ideas. It turned out that while we had been running perfectly well for a long time with Outlook 2013, we weren't using the recommended authentication settings on the MAPI virtual directory.

    While Outlook 2013 would work with our settings, something has changed in Outlook 2016 and it appears less flexible when it comes to MAPI authentication.

    As soon as we changed the MAPI authentication back to the recommended settings Outlook 2016 came to life and luckily Outlook 2013 carried on as normal.

    To check if you could be facing the same issue try running this in the EMS on your Exchange Server:

    Get-MapiVirtualDirectory | fl *auth*

    Microsoft recommend the three values be set to Negotiate, so if you see any of them show a different value (we were using Basic for ours originally) the fix is this:

    1. Make a note of the current authentication methods from the above command (in case you need to revert)

    2. Run the following to change the authentication method:

    Set-MapiVirtualDirectory -Identity "(VALUE FROM IDENTITY FROM ABOVE COMMAND)" -IISAuthenticationMethods Negotiate

    3. In IIS Manager, locate the MSExchangeMapiFrontEndAppPool and MSExchangeMapiMailboxAppPool app pools and restart them.

    Step 3 is the key one here as it will disconnect all current MAPI clients, so obviously pick a suitable time for this. It only takes a minute to restart them and users probably won't notice, but best to be safe!

    Once we did this we were able to setup Outlook 2016 perfectly and it would continue to work after restarts.

    I hope this helps solve your problem,

    Andy

    Monday, November 2, 2015 8:08 PM
  • Hi Andy,

    i want answer this thread a lot earlier but forget it. 
    I do a lot of testing my self and the following steps is what i have done.

    1. Enable split brain DNS in my environment because it is recommended for EX16 (no success)

    2. Set-MapiVirtualDirectory -IISAuthenticationMethods to Negotiate (first success)
    Because I use the good old and wonderfull TMG, I always put webservices to Basic Authentication (like you do on Exchange side). But this is apparently not good in EX16.

    3. And the final success was to make a TMG rule, which not delegate the authentication and also forward the credentials with Basic auth to EX16.
    The Rule that function is like:
    Users = All Users
    Authentication delgation = No Delegation, but Client can authenticate directly.
    Path = /mapi/*

    Thank you that you share the information of your Microsoft Case, i think this is the best solution to solve the problem. On my side, the final trick was also the TMG rule.

    All the best!

    Andi


    • Edited by Andi E Monday, November 9, 2015 5:08 PM
    Monday, November 9, 2015 5:05 PM