Exchange 2016 - EWS 401 Unauthorized - Apple Mail and Safari Only

    Question

  • I'm preparing an Exchange 2016 upgrade from 2013 and am having a strange error when flipping my DNS entries from my 2013 servers to my 2016 servers. I'm following the always great guides at practical365.com. Here is where I am having issues. I'm at the point where I have my 2016 servers configured (imported CA-signed SSL cert from existing 2013 servers, set all the virtual directories, etc). I am able to connect from every client except for the Apple Mail client and Safari. I get a 401 Unauthorized when attempting to connect from Apple Mail and when I try to hit the https://mail.domain.com/EWS/Exchange.asmx URL from Safari. I am able to connect from the same computer using Outlook for Mac 2016 and Chrome. The only change I made (not in the guide) was to go to "Best Practices" on IIS for Protocols and Ciphers using IIS Crypto. I've combed the logs and Wireshark (to the best of my ability) to try and see what is going on.

    I've tried username, domain\username, username@domain.com with no luck. I've tried moving NTLM above Negotiate on the EWS virtual directory without any luck either.

    Anybody have any ideas?

    EDIT: I created a mailbox on the 2016 server and see the same results. So I don't think it is an issue with the proxy between 2013 and 2016.

    Saturday, February 11, 2017 5:32 PM

All replies

  • Following ....

    We have the exact same problem - maybe SSL/TLS settings by Crypto have something to do with it, although we see HTTP requests.

    Saturday, February 11, 2017 6:34 PM
  • For the record... what we tried:

    Username

    https://portal.smartertools.com/community/a88289/cant-setup-email-account-with-exchange-in-macos-sierra.aspx

    Can't really try that ... no load balancer

    http://www.msexchange.org/blogs/bhargavs/exchange-server/mac-mail-not-connecting-to-exchange-server-part-1.html

    EWS Urls

    https://discussions.apple.com/thread/7678724?start=0&tstart=0

    Saturday, February 11, 2017 6:40 PM
  • Funny, I think I stumbled across the exact same sites without any luck on resolution. 
    Saturday, February 11, 2017 7:22 PM
  • I suspect the Crypto configuration - I know working Ex 2016 servers and the difference I stumbled upon is the SSL/TLS/cipher config.

    I'll try that on Monday...

    Saturday, February 11, 2017 8:20 PM
  • Tested the standard SSL/TLS Crypto configuration on the Exchange 2016 ... no difference.
    Apple Mail and Safari are not able to authenticate.

    It may have nothing to do with the Crypto configuration...

    Monday, February 13, 2017 1:54 PM
  • Hi,

    So this issue only occurs for the Apple Mail client and Safari? It doesn't occur for Windows PC and IE?

    What's the authentication for EWS virtual directory? Go to IIS -> Sites -> Default Web Site -> EWS -> Authentication. Is Basic Authentication set to enabled?


    Best Regards,

    Lynn-Li
    TechNet Community Support


    Please remember to mark the replies as answers.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, February 15, 2017 9:33 AM
    Moderator
  • Hi!

    No, it is not enabled.... on both variants (Exchange 2013, Exchange 2016).

    Although EX2013 is working with Macs.

    Should it be enabled on 2016 now?

    Wednesday, February 15, 2017 9:39 AM
  • I tried it on one of the EX2016 servers and enabled Basic Auth.

    Sierra OS X Apple Mail was able to connect, El Capitan versions not.

    Still, it should not be needed as far as I know ...

    Wednesday, February 15, 2017 9:54 AM
  • Maybe I am wrong here, but I do have an idea what's going wrong:

    In this post a programmer of an Apple app is complaining to an Apple developer that
    NTLM is not working against a Windows server (I assume 2016).

    https://forums.developer.apple.com/thread/66003

    The Apple developer talks about the basic problem of NTLM auth in an HTTP2 environment.

    Guess what ... 

    Default 2012R2 IIS:

    Default IIS 2016

    I think I'll try to disable HTTP2 on Server 2016 for a test ....

    Wednesday, February 15, 2017 12:58 PM
  • Did this work for you?
    Thursday, February 16, 2017 4:42 PM
  • I have not found a solution for how to force IIS 10 to HTTP 1.1 yet ...

    Unfortunately ...

    There may be another lead in NTLM; I found various posts saying that NTLM auth in Server 2016
    may have changed.

    I am pretty sure Apple has to solve the problem on their clients but ... until then, I need to "revert"
    the difference between Server 2016/IIS 10 and Server 2012R2/IIS 8.5.

    Thursday, February 16, 2017 4:49 PM
  • Did this not work to disable?

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters

    EnableHttp2Tls REG_DWORD 0

    EnableHttp2Cleartext REG_DWORD 0

    The second of these is only necessary if the failure is with HTTP. The first is for HTTPS.

    Thursday, February 16, 2017 4:56 PM
  • Never tested those entries - to my understanding these are for the clients.

    But I can try it tomorrow...

    Thursday, February 16, 2017 5:29 PM
  • Ethan, it's official ... falling back to HTTP 1.1 works.

    Your reg keys are working for server applications too, the IIS 10 machines are serving only HTTP 1.1 and
    guess what ... our El Capitan and Sierra machines are connecting again.

    I am routing the traffic to the EX2016 now and will wait for other "complaints" ...

    Friday, February 17, 2017 1:07 PM
  • I want to confirm this worked as well. Was going crazy with the Apple Mail thing and turning off HTTP 2.0 fixed the issue. Thanks, as this was killing me at my organization (mainly because I'm the sole Apple Mail user and the one doing the transition, so it was unfortunate that I had to use Outlook for a few days).
    Friday, February 17, 2017 6:00 PM
  • It's great that we could solve that ... but there is a "big but" left ...

    But I don't want to lose the features HTTP2 provides.

    Someone (Apple or Microsoft) has to dig into that topic and solve it to get HTTP2 and
    the fallback HTTP1.1 procedure to do NTLM back to work on Apple clients too ....

    Unfortunately I have no idea where to start (it may be a combination of Microsoft and Apple needed).

    Regards

    Martin

    Friday, February 17, 2017 6:43 PM
  • Well, in our case I don't need HTTP2. However, the answer is Apple needs to fix Apple Mail so that either it just accepts the 2.0 stuff or it has a way to tell the server that no, I need you to send me 1.1. I don't expect this to be fixed till probably the fall of this year with the new Apple OS unless it becomes a big thing (considering it took me a bit to find this thread and as of last week I wasn't finding much else anywhere else, I doubt it will get much attention).

    Basically most companies that are on Exchange aren't going to be moving to 2016 anytime soon because if you're on 2007 most are probably just going to move to 2013 (unless they want to do 2 migrations). If they are on 2010, that doesn't expire till 2020. We might see it more in a few months as some companies who have stuck with 2007 this long and buy 2016 will probably end up moving to it, but like I said my guess is Microsoft isn't going to do much about it and this is the type of thing that Apple usually doesn't address in a patch unless it's affecting a lot of people.

    However, if you do find a way either to allow 2.0 to be on but get Apple Mail working without a patch, that would be great.

    Friday, February 17, 2017 8:56 PM
  • Maybe there is a way to disable HTTP2 for a specific virtual folder and not for the whole IIS.

    So the Macs will work with EWS (with HTTP2 turned off) but OWA will benefit and provide HTTP2...

    Unfortunately I didn't find much documentation about HTTP2 and IIS 10.

    Saturday, February 18, 2017 12:12 PM
  • Did this not work to disable?

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters

    EnableHttp2Tls REG_DWORD 0

    EnableHttp2Cleartext REG_DWORD 0

    The second of these is only necessary if the failure is with HTTP. The first is for HTTPS.

    I can confirm that after setting EnableHttp2Tls to 0 (only this one), Mac Mail can connect successfully to the new Exchange 2016 CU5 on Windows Server 2016.

    Thanks for pointing this out.

    Regards

    Norbert

    Friday, March 24, 2017 3:26 PM
  • By the way...

    It's the same for SharePoint on Server 2016.

    If you use Safari or even the iOS OneDrive client you will experience the same issues.

    Looks like Apple doesn't like NTLM over HTTP2.

    Just set EnableHttp2Tls to 0 

    Thursday, May 04, 2017 8:38 AM
  • Do I need to restart IIS / Windows?

    I have added the REG keys but the Mac users are still unable to connect; I have not restarted the Exchange servers yet.


    Best Regards Bjørn Olav Vangen Aure

    Tuesday, September 12, 2017 10:02 AM
  • As far as I know ... yes


    Tuesday, September 12, 2017 10:04 AM
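    The http.sys switch quoted above, together with a log check for the restart question just raised, as an added PowerShell example that is not from anyone in this thread: it backs up and applies EnableHttp2Tls, then reads an IIS W3C log to show which protocol version EWS clients negotiate. It assumes the site logs the optional cs-version field; the log path and sample log lines are constructed.

```powershell
# Added example, not from the thread: backs up and applies the http.sys HTTP/2 switch
# discussed above, then checks an IIS W3C log to confirm which protocol version EWS
# clients negotiate. Assumes the site logs the optional cs-version field; the log
# path and the sample log lines below are constructed placeholders.
$HttpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'

function Get-Http2State {
    # Absent value = http.sys default, which on Windows Server 2016 means HTTP/2 enabled.
    $p = Get-ItemProperty -Path $HttpParams -ErrorAction SilentlyContinue
    foreach ($name in 'EnableHttp2Tls', 'EnableHttp2Cleartext') {
        $v = $p.$name
        [pscustomobject]@{ Name = $name; Value = $(if ($null -eq $v) { 'not set (HTTP/2 on)' } else { $v }) }
    }
}

function Disable-Http2Tls {
    # Only the TLS switch matters for HTTPS clients such as Apple Mail talking to EWS.
    # http.sys reads the value when the HTTP service starts, so the change takes effect
    # after a reboot (the HTTP service has too many dependents to restart in isolation).
    Get-Http2State | Export-Clixml -Path "$env:TEMP\http2-state-before.xml"
    New-ItemProperty -Path $HttpParams -Name 'EnableHttp2Tls' -PropertyType DWord -Value 0 -Force | Out-Null
}

function Get-EwsProtocolSummary {
    param([Parameter(Mandatory)][string]$LogPath)
    # Parses the W3C #Fields header, keeps /EWS/ requests, and counts them per
    # (cs-version, sc-status): a remaining "HTTP/2.0, 401" group means HTTP/2 is still
    # being negotiated and the registry change has not taken effect yet.
    $fields = $null
    $rows = foreach ($line in Get-Content -Path $LogPath) {
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*') -split ' '; continue }
        if ($line.StartsWith('#') -or -not $fields) { continue }
        $values = $line -split ' '
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        if ($row['cs-uri-stem'] -like '/EWS/*') { [pscustomobject]$row }
    }
    $rows | Group-Object -Property 'cs-version', 'sc-status' | Select-Object Name, Count | Sort-Object Name
}

# Constructed sample log: one Apple Mail request still on HTTP/2 (401), one on HTTP/1.1 (200).
$sample = @'
#Fields: date time cs-method cs-uri-stem sc-status cs-version cs(User-Agent)
2017-02-17 13:07:01 POST /EWS/Exchange.asmx 401 HTTP/2.0 Mac+OS+X+Mail/10.2
2017-02-17 13:09:44 POST /EWS/Exchange.asmx 200 HTTP/1.1 Mac+OS+X+Mail/10.2
'@
$sample | Set-Content -Path "$env:TEMP\u_ex_sample.log"
Get-EwsProtocolSummary -LogPath "$env:TEMP\u_ex_sample.log"   # then: Get-Http2State; Disable-Http2Tls; Restart-Computer
```

    Run the summary against the real EWS log after the reboot; if every group reads HTTP/1.1 the switch is active and any remaining 401s are an authentication problem, not a protocol one.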
  • I'm the CEO of SmarterTools.  An individual in this thread referenced our product SmarterMail which is an alternative to Microsoft Exchange Server.

    We have been aware of an issue with iOS 11 and the native Mail client connecting to SmarterMail (using EAS), Outlook.com (using EAS) and even Exchange Servers (using EAS).

    We have been hoping with the BETA releases of iOS 11 that this issue would be resolved. The GM release of iOS 11 has been released and still has an issue when sending messages or forwarding messages with attachments. This problem is related to HTTP/2 introduced in Windows 2016 or the implementation of HTTP/2 in iOS!

    Windows 2016 / Windows 10 and IIS 10.0 introduce HTTP/2.

    Windows 2012 and IIS 8.0 use HTTP/1.1.

    Customers of SmarterMail or Microsoft Exchange running Windows 2012 will not see this issue.

    The following keys:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters
    EnableHttp2Tls REG_DWORD 0
    EnableHttp2Cleartext REG_DWORD 0

    will force Windows 2016 to act as Windows 2012 and will tell iOS 11 to use HTTP/1.1.

    There are many advantages to HTTP/2 and we are still trying to determine whether it's Microsoft's or Apple's implementation that needs to be fixed. At the moment, we believe it is an iOS issue. We are opening cases with both Microsoft and Apple to help resolve the problem.

    We hope this helps SmarterMail customers but also Microsoft Exchange Server customers as well.

    Thanks,

    Tim Uzzanti
    • Edited by Tuzzanti Wednesday, September 13, 2017 7:53 PM
    Wednesday, September 13, 2017 7:45 PM
  • Any news about this issue? Could Apple help? We are facing the same problem 😫
    Wednesday, September 20, 2017 3:12 PM
  • We also have this issue. Using macOS 10.13 High Sierra. The Apple Mail client still fails to connect to Exchange Server 2016 running on Windows Server 2016.

    I wish Apple would apply the same patch to macOS that was applied to iOS.

    Luckily Outlook for Mac is used by most of our Mac users.


    Also be aware that proxies can interfere and make log tracking difficult.
    • Edited by dm394994 4 hours 8 minutes ago
    4 hours 10 minutes ago