Exchange 2010/2016 Coexistence - Problems with Exchange 2016 accessing Exchange 2010 mailboxes

  • Question

  • Hi

    We are currently implementing an Exchange 2010 to 2016 migration/coexistence (3x Exchange 2010 servers behind a Kemp load balancer and 3x Exchange 2016 servers behind a separate Kemp load balancer). We have followed the Deployment Assistant to the letter and are currently at the stage of changing DNS records to point our records to the new Exchange 2016 LB. However, when this change is made all Outlook clients on the 2010 system prompt for credentials, which are then rejected. Creating a new profile also fails for 2010 users. Testing Autodiscover from Outlook fails when using credentials from mailboxes still on 2010, but works successfully when using credentials from a test 2016 mailbox. OWA fails similarly: a 2016 mailbox will open, a 2010 one does not. From this we suspect that the credentials are not getting passed from 2016 to 2010 when trying to access resources on the old Exchange 2010 system. The client access array on Exchange 2010 is configured to use NTLM internally, Basic externally and Basic and NTLM for IIS. The 2016 system is configured for Basic on all three. Outlook Anywhere is configured on the 2010 system and appears to be working correctly (it's been in use for years).

    Any help or advice would be greatly appreciated!

    Tuesday, September 11, 2018 10:50 AM

Answers

  • We have managed with Microsoft's assistance to get to the bottom of the problem if anyone else has similar issues. The root cause were changes made to harden the Exchange 2016 servers, specifically disabling older versions of TLS other than 1.2.

    Thanks to all for the replies

    • Marked as answer by adamcolliss Thursday, September 20, 2018 11:12 AM
    Thursday, September 20, 2018 11:11 AM

All replies

  • Is Kerberos authentication configured on your Exchange 2010 servers?

    Can you compare the output on both Exchange 2010 and 2016 servers:

    Get-ClientAccessServer -Identity ServerName -IncludeAlternateServiceAccountCredentialStatus | fl

    Check for alternate service account configuration.

    Get-MapiVirtualDirectory -Server "ServerName". Check the IIS authentication method and compare on both Exchange versions.

    Tuesday, September 11, 2018 11:13 AM
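    As an added example (not part of the reply above or of the original thread), the following PowerShell gathers the settings that reply asks about from every server in both versions so they can be diffed side by side. It assumes it is run from an Exchange 2016 Management Shell so the cmdlets can target both versions; the server names are placeholders. Get-MapiVirtualDirectory returns nothing for Exchange 2010 servers because the MAPI/HTTP virtual directory does not exist there, and on 2010 Get-OutlookAnywhere exposes ClientAuthenticationMethod instead of the Internal/External pair, so the script falls back to that property.

```powershell
# Added example, not from the thread. Server names are placeholders; run from an
# Exchange 2016 Management Shell so that the cmdlets can target both versions.
$Servers = 'EX2010-01','EX2010-02','EX2010-03','EX2016-01','EX2016-02','EX2016-03'

function Get-CoexistenceAuthSummary {
    param([Parameter(Mandatory)][string[]]$Server)

    foreach ($s in $Server) {
        $cas = Get-ClientAccessServer -Identity $s -IncludeAlternateServiceAccountCredentialStatus
        $ver = $cas.AdminDisplayVersion

        # Alternate Service Account (Kerberos) status. The "Latest:<not set> /
        # Previous:<not set>" quoted in the thread is this object rendered as text.
        $asa = ("$($cas.AlternateServiceAccountConfiguration)" -replace '\s+', ' ')
        [pscustomobject]@{ Server=$s; Version=$ver; Component='ASA'; Internal=$asa; External=$null; IIS=$null }

        # Outlook Anywhere: /rpc/rpcproxy.dll is where 2016 proxies Outlook traffic
        # to on 2010. Select-Object/property access just yields $null for properties
        # a given version does not have, so one code path serves both.
        $oa  = Get-OutlookAnywhere -Server $s
        $ext = $oa.ExternalClientAuthenticationMethod
        if (-not $ext) { $ext = $oa.ClientAuthenticationMethod }   # 2010 naming
        [pscustomobject]@{
            Server=$s; Version=$ver; Component='OutlookAnywhere'
            Internal=$oa.InternalClientAuthenticationMethod
            External=$ext
            IIS=($oa.IISAuthenticationMethods -join ',')
        }

        # OWA and ECP virtual directories exist on both versions.
        foreach ($cmd in 'Get-OwaVirtualDirectory','Get-EcpVirtualDirectory') {
            foreach ($vd in (& $cmd -Server $s)) {
                [pscustomobject]@{
                    Server=$s; Version=$ver; Component=$vd.Name
                    Internal=($vd.InternalAuthenticationMethods -join ',')
                    External=($vd.ExternalAuthenticationMethods -join ',')
                    IIS="FBA=$($vd.FormsAuthentication) Basic=$($vd.BasicAuthentication) Windows=$($vd.WindowsAuthentication)"
                }
            }
        }

        # MAPI/HTTP only exists on Exchange 2013+, so this loop is empty for 2010 servers.
        foreach ($vd in (Get-MapiVirtualDirectory -Server $s -ErrorAction SilentlyContinue)) {
            [pscustomobject]@{
                Server=$s; Version=$ver; Component=$vd.Name
                Internal=$null; External=$null
                IIS=($vd.IISAuthenticationMethods -join ',')
            }
        }
    }
}

Get-CoexistenceAuthSummary -Server $Servers |
    Sort-Object Component, Server |
    Format-Table Server, Version, Component, Internal, External, IIS -AutoSize -Wrap
```

    Sorting by Component puts the 2010 and 2016 rows for the same virtual directory next to each other, which is the comparison the reply is asking for. A mismatch in the IIS column for OutlookAnywhere (the 2010 row must still allow the method the 2016 front end uses when it proxies) is the first thing to look at.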
  • Thanks for the reply.

    Alternate Service Account configuration shows latest:<not set> and previous:<not set> on Exchange 2010 and 2016.

    Get-MapiVirtualDirectory shows IISAuthenticationMethods Ntlm, OAuth, Negotiate on 2016. The command doesn't seem valid on 2010, and running it on 2016 against the 2010 servers shows no output?

    Tuesday, September 11, 2018 11:37 AM
  • What is the name of your 2010 CAS?

    Check out https://blogs.technet.microsoft.com/exchange/2013/05/23/ambiguous-urls-and-their-effect-on-exchange-2010-to-exchange-2013-migrations/

    Tuesday, September 11, 2018 12:42 PM
  • It was cas.<intdomain>.local but was changed a while back to FQDN mail.<extdomain>.com (and the 2010 databases updated to reflect this). Reading that article it seems to indicate we should change back to the .local or am I misreading it?
    Tuesday, September 11, 2018 2:22 PM
  • The article is about the name of the cas object. If the cas object is named the same as the urls of your services you can have a problem. So if the cas object of 2010 is for example cas.mail.com and if you configure the urls as cas.mail.com/owa etc then you have ambiguous urls and you should address this before co-existence
    Wednesday, September 12, 2018 6:45 AM
  • Hi adamcolliss,

    In a coexistence environment, you don't need to change the authentication of the service virtual directories; requests from Exchange 2016 can be proxied to Exchange 2010 by default.

    Here are the settings for ECP and OWA in my environment:

    By the way, in a coexistence environment, I would suggest you remove Exchange 2010 from the load balancer, just use a load balancer for Exchange 2016, then switch all requests to the Exchange 2016 load balancer.

    I also want to confirm with you: can you log in to a mailbox hosted on Exchange 2010 with https://Exchange2010/owa? If you log in to it with https://Exchange2016/owa, what happens?

    Regards,

    Kyle Xu


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.


    Wednesday, September 12, 2018 7:44 AM
    Moderator
  • Thanks for the replies.

    We have now put our CAS FQDN back to cas.<intdomain>.local to avoid the ambiguous URL issues; however, we are still having proxy issues with authentication from the 2016 system to the 2010 system. Opening a 2016 mailbox or ECP from 2016 OWA works correctly; opening a 2010 mailbox or ECP using the 2016 OWA/ECP fails, either with the browser hanging, a 503 error, or the browser stopping on the URL https://<ext domain>/owa/?bO=1#authRedirect=true

    We are testing by changing the hosts file on an internal PC to direct traffic to the 2016 LB.

    Our internal authentication on the 2010 servers is set to Basic, FBA, NTLM and Windows Integrated; on the 2016 servers it is set to Basic and FBA.

    Any help would be greatly appreciated!

    Thursday, September 13, 2018 9:47 AM
  • Just to clarify: Exchange 2010 mailboxes open fine from Exchange 2010 OWA. Exchange 2016 mailboxes open fine from Exchange 2016 OWA. It's just 2010 mailboxes that won't open from 2016 OWA (and ECP etc.), which makes me believe it has to be a proxy issue between 2016 and 2010.

    Thanks!

    Thursday, September 13, 2018 11:15 AM
  • It may be a red herring, but we are seeing the following error, ID 3005, in the application log of our 2016 servers:

    [RpcHttp] Marking ClientAccess 2010 server <servername>.<domain>.local (https://<servername>.<domain>.local/rpc/rpcproxy.dll) as unhealthy due to exception: System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
       at System.Net.HttpWebRequest.GetResponse()
       at Microsoft.Exchange.HttpProxy.ProtocolPingStrategyBase.Ping(Uri url)

    The website https://<servername>.<domain>.local/rpc/rpcproxy.dll does exist but is using our wildcard cert for 2010 (*.<extdomain>.com)

    Thursday, September 13, 2018 12:09 PM
  • This error points to secure SSL/TLS communication not happening from Exchange 2016 to Exchange 2010. Are you using the same certificate for both CAS servers for web services? Do they throw any cert error?

    Please mark as an answer if this answers your question.

    PREM RANA

    MCSE Exchange 2013, MCSA 2012 Server, MCTS Exchange 2007, 2010, MCITP Exchange 2007, 2010, MCSE 2003 Server, MCSA Exchange 2003, ITIL V3 Foundation

    https://ranaprem.wordpress.com/

    This posting is provided AS IS with no warranties and confers no rights.

    Thursday, September 13, 2018 4:25 PM
  • Thanks for the reply. We are using the same wildcard certificate on the 2016 and 2010 load balancers/cas. The certificate is valid and no errors are shown browsing to 2016 owa or 2010 owa.
    Friday, September 14, 2018 6:41 AM
  • Hi,

    Can you increase the level of logging on both servers to high/expert for the required services and see if there are any useful logs?


    Friday, September 14, 2018 8:26 AM
  • Hi

    Thanks for the replies. Increasing the logging level for MSExchange Front End HTTP Proxy on the 2016 servers indicates the health pings to the 2010 CAS are all successful (ecp, autodiscover, ews, owa/calendar, microsoft-server-activesync, owa, powershell and OAB); the only one failing is rpc/rpcproxy.dll. Additionally, all the ping requests are going to https://<exch2010 server names>.<internal domain>.local so I don't believe it will be a certificate issue, otherwise they would all be failing?

    Monday, September 17, 2018 8:36 AM
  • I've been doing further testing and have found what I believe is the problem (though not the solution!)

    - Autodiscover 2010 site will open with credentials from a 2010-located mailbox

    - Autodiscover 2010 site will open with credentials from a 2016-located mailbox

    - Autodiscover 2016 site will open with credentials from a 2016-located mailbox

    - Autodiscover 2016 site FAILS with credentials from a 2010-located mailbox

    Any further advice/troubleshooting tips would be greatly appreciated!

    Wednesday, September 19, 2018 8:04 AM
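    The event 3005 exception quoted earlier ("Could not create SSL/TLS secure channel" while the 2016 front-end proxy pings the 2010 server's /rpc/rpcproxy.dll) and the marked answer (TLS versions below 1.2 disabled on the hardened 2016 servers) describe the same failure: the 2016 proxy, which is .NET code, can no longer agree on a protocol version with the 2010 server. As an added example that is not part of the thread, the PowerShell below reads the Schannel and .NET TLS settings on the server it runs on and then attempts a handshake against a named host with each TLS version in turn, so you can see which versions each side still accepts. The host name is a placeholder; the script accepts any certificate because it is testing protocol negotiation, not trust.

```powershell
# Added example, not from the thread. $TargetHost is a placeholder for an Exchange 2010
# CAS FQDN. Run on an Exchange 2016 server to see that server's client-side view.

function Get-SchannelProtocolState {
    # Absent keys mean "OS default". Enabled=0 or DisabledByDefault=1 means the
    # version has been hardened off; a Client-side entry governs outbound proxying.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($proto in 'TLS 1.0','TLS 1.1','TLS 1.2') {
        foreach ($side in 'Client','Server') {
            $key = Join-Path $base "$proto\$side"
            $enabled = 'default'; $dbd = 'default'
            if (Test-Path $key) {
                $p = Get-ItemProperty -Path $key
                if ($null -ne $p.Enabled)           { $enabled = $p.Enabled }
                if ($null -ne $p.DisabledByDefault) { $dbd     = $p.DisabledByDefault }
            }
            [pscustomobject]@{ Protocol=$proto; Side=$side; Enabled=$enabled; DisabledByDefault=$dbd }
        }
    }
}

function Get-DotNetTlsSettings {
    # The Exchange front-end proxy is .NET. SystemDefaultTlsVersions=1 makes .NET follow
    # the Schannel settings above; SchUseStrongCrypto=1 makes it offer TLS 1.2 by default.
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                     'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Key                      = $key
            SystemDefaultTlsVersions = $p.SystemDefaultTlsVersions
            SchUseStrongCrypto       = $p.SchUseStrongCrypto
        }
    }
}

function Test-TlsHandshake {
    param(
        [Parameter(Mandatory)][string]$TargetHost,
        [int]$Port = 443,
        [System.Security.Authentication.SslProtocols[]]$Protocols = @('Tls','Tls11','Tls12')
    )
    # Trust is not under test here, so every certificate is accepted.
    $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    foreach ($proto in $Protocols) {
        $tcp = New-Object System.Net.Sockets.TcpClient
        $ssl = $null
        try {
            $tcp.Connect($TargetHost, $Port)
            $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
            # Offer exactly one version so a failure pins down which one is refused.
            $ssl.AuthenticateAsClient($TargetHost, $null, $proto, $false)
            [pscustomobject]@{ Host=$TargetHost; Offered=$proto; Negotiated=$ssl.SslProtocol
                               Cipher=$ssl.CipherAlgorithm; Result='OK' }
        } catch {
            [pscustomobject]@{ Host=$TargetHost; Offered=$proto; Negotiated=$null
                               Cipher=$null; Result=$_.Exception.GetBaseException().Message }
        } finally {
            if ($ssl) { $ssl.Dispose() }
            $tcp.Close()
        }
    }
}

$TargetHost = 'ex2010-01.corp.local'   # placeholder for a 2010 CAS FQDN
Get-SchannelProtocolState | Format-Table -AutoSize
Get-DotNetTlsSettings     | Format-Table -AutoSize
Test-TlsHandshake -TargetHost $TargetHost | Format-Table -AutoSize
```

    Read the handshake table together with the registry output. On a 2016 server whose Schannel Client entries for TLS 1.0 and 1.1 are disabled, those two rows fail no matter what the 2010 side offers; if the Tls12 row fails as well, there is no version left in common and the rpcproxy ping in event 3005 is exactly what you should expect. Run the same function from a third machine to see the 2010 server's own capabilities in isolation. Exchange 2010 only negotiates TLS 1.2 from SP3 RU19 onward and still needs it enabled in Schannel and .NET, so the two ways out of this state are to allow a common older version on the 2016 servers for the coexistence window or to bring the 2010 servers up to TLS 1.2 first; the thread does not say which route the poster took.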
  • Hi

    I have the same problem. Can you give more details of its solution?

    Maciej


    Friday, October 26, 2018 8:39 PM
  • We are about to do the same upgrade, any update on the specifics of the solution?
    Wednesday, November 28, 2018 10:56 PM